Abstract
In this paper we report on the approach we have developed and the lessons we have learned in an implementation of the monitoring and control layer for continuous monitoring of business process controls (CMBPC) in the US internal IT audit department of Siemens Corporation. The architecture we developed implements a completely independent CMBPC system that runs on top of Siemens' own enterprise information system and has read-only interaction with the application tier of the enterprise system. Among our key conclusions is that the "formalizability" of audit procedures and audit judgment is grossly underestimated. Additionally, while cost savings and expedience force the implementation to closely follow the existing and approved internal audit program, a certain level of reengineering of audit processes is inevitable due to the necessity to separate formalizable and non-formalizable parts of the program. Our study identifies the management of audit alarms and the prevention of alarm floods as critical tasks in the CMBPC implementation process. We develop an approach to solving these problems utilizing the hierarchical structure of alarms and the role-based approach to assigning alarm destinations. We also discuss the content of the audit trail of CMBPC.
Original language | English (US) |
---|---|
Pages (from-to) | 137-161 |
Number of pages | 25 |
Journal | International Journal of Accounting Information Systems |
Volume | 7 |
Issue number | 2 |
State | Published - Jun 2006 |
All Science Journal Classification (ASJC) codes
- Management Information Systems
- Accounting
- Finance
- Information Systems and Management
Keywords
- Automation
- Continuous auditing
- Continuous monitoring of business processes
- Control settings
- Controls
- Formalization
- Monitoring
- Reengineering