Abstract
In this paper we report on the approach we developed and the lessons we learned while implementing the monitoring and control layer for continuous monitoring of business process controls (CMBPC) in the US internal IT audit department of Siemens Corporation. Our architecture implements a completely independent CMBPC system that runs on top of Siemens' own enterprise information system and interacts with the application tier of that system in read-only mode. Among our key conclusions is that the "formalizability" of audit procedures and of audit judgment is grossly underestimated. Additionally, while cost savings and expedience force the implementation to follow the existing, approved internal audit program closely, a certain amount of reengineering of audit processes is inevitable, because the formalizable and non-formalizable parts of the program must be separated. Our study identifies the management of audit alarms and the prevention of alarm floods as critical tasks in the CMBPC implementation process. We develop an approach to these problems that uses the hierarchical structure of alarms and a role-based assignment of alarm destinations. We also discuss the content of the CMBPC audit trail.
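The two mechanisms named above for keeping alarms manageable, a hierarchy of alarms that lets many sibling findings collapse into one parent-level alarm, and role-based routing of the resulting alarms, can be illustrated with a small model. The code below is an added example written for this page; it is not the Siemens CMBPC implementation and does not reproduce the paper's design. The control identifiers, the depth-to-role mapping, the flood threshold and the recipient addresses are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alarm:
    """One alarm in a hierarchy: path is (control, rule, instance, ...), outermost first."""
    path: tuple
    detail: str
    count: int = 1  # number of underlying findings this alarm stands for

    @property
    def depth(self):
        return len(self.path) - 1


def roll_up(alarms, threshold):
    """One pass of flood suppression.

    Alarms are grouped by parent path. A group whose size reaches the
    threshold is replaced by a single alarm one level up that carries the
    total number of underlying findings; smaller groups pass through.
    Control-level alarms (depth 0) are never collapsed further.
    """
    groups = defaultdict(list)
    for alarm in alarms:
        groups[alarm.path[:-1]].append(alarm)
    result = []
    for parent, siblings in groups.items():
        total = sum(a.count for a in siblings)
        if parent and len(siblings) >= threshold:
            msg = f"{len(siblings)} sibling alarms ({total} findings) collapsed"
            result.append(Alarm(parent, msg, total))
        else:
            result.extend(siblings)
    return sorted(result, key=lambda a: a.path)


def roll_up_all(alarms, threshold):
    """Apply roll_up until a fixed point, so a flood of rolled-up alarms
    at the rule level can itself collapse to the control level."""
    while True:
        rolled = roll_up(alarms, threshold)
        if rolled == alarms:
            return rolled
        alarms = rolled


# Assumed mapping from hierarchy depth to the role that should see the alarm,
# and from role to concrete recipients. Both are hypothetical.
ROLE_BY_DEPTH = {0: "audit_manager", 1: "it_auditor", 2: "control_owner"}
ROLE_MEMBERS = {
    "audit_manager": ["am@example.com"],
    "it_auditor": ["auditor1@example.com", "auditor2@example.com"],
    "control_owner": ["owner@example.com"],
}


def route(alarms, role_by_depth=ROLE_BY_DEPTH, role_members=ROLE_MEMBERS):
    """Assign each alarm to the inboxes of the role owning its hierarchy level.
    Alarms deeper than any configured level fall back to the deepest role."""
    deepest = role_by_depth[max(role_by_depth)]
    inbox = defaultdict(list)
    for alarm in alarms:
        role = role_by_depth.get(alarm.depth, deepest)
        for member in role_members[role]:
            inbox[member].append(alarm)
    return dict(inbox)


# Constructed sample: seven users trip the same segregation-of-duties rule
# (a flood), plus two isolated findings under other rules.
SAMPLE = (
    [Alarm(("SOD", "vendor_create+payment_approve", f"user{i:03d}"),
           "user holds both rights") for i in range(1, 8)]
    + [Alarm(("SOD", "po_create+goods_receipt", "user201"), "user holds both rights")]
    + [Alarm(("ACCESS", "dormant_admin", "user301"), "admin account unused for 90 days")]
)


if __name__ == "__main__":
    rolled = roll_up_all(SAMPLE, threshold=5)
    for alarm in rolled:
        print(alarm.depth, "/".join(alarm.path), alarm.count, alarm.detail)
    for recipient, items in route(rolled).items():
        print(recipient, "->", [ "/".join(a.path) for a in items ])
```

With a threshold of 5, the seven per-user alarms become one rule-level alarm reporting 7 findings, which goes to the IT auditor role, while the two isolated per-user alarms still reach the control owner; nobody receives seven near-identical messages. The threshold and the depth-to-role table are the tuning points a real deployment would set per control.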