Continuous monitoring of business process controls: A pilot implementation of a continuous auditing system at Siemens

In this paper we report on the approach we have developed and the lessons we have learned in an implementation of the monitoring and control layer for continuous monitoring of business process controls (CMBPC) in the US internal IT audit department of Siemens Corporation. The architecture developed by us implements a completely independent CMBPC system running on top of Siemens’ own enterprise information system which has read-only interaction with the application tier of the enterprise system. Among our key conclusions is that “formalizability” of audit procedures and audit judgment is grossly underestimated. Additionally, while cost savings and expedience force the implementation to closely follow the existing and approved internal audit program, a certain level of reengineering of audit processes is inevitable due to the necessity to separate formalizable and non-formalizable parts of the program. Our study identifies the management of audit alarms and the prevention of the alarm floods as critical tasks in the CMBPC implementation process. We develop an approach to solving these problems utilizing the hierarchical structure of alarms and the role-based approach to assigning alarm destinations. We also discuss the content of the audit trail of CMBPC.