In this paper we report on the approach we have developed and the lessons we have learned in an implementation of the monitoring and control layer for continuous monitoring of business process controls (CMBPC) in the US internal IT audit department of Siemens Corporation. The architecture we developed implements a completely independent CMBPC system running on top of Siemens’ own enterprise information system, interacting with the application tier of that system in read-only mode. Among our key conclusions is that the “formalizability” of audit procedures and audit judgment is grossly underestimated. Additionally, while cost savings and expedience force the implementation to follow the existing and approved internal audit program closely, a certain level of reengineering of audit processes is inevitable, because the formalizable and non-formalizable parts of the program must be separated. Our study identifies the management of audit alarms and the prevention of alarm floods as critical tasks in the CMBPC implementation process. We develop an approach to these problems that utilizes the hierarchical structure of alarms and a role-based approach to assigning alarm destinations. We also discuss the content of the CMBPC audit trail.
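The following is an added illustration, not code from the paper or from the Siemens implementation, of the three design elements the abstract names: a hierarchy of audit alarms, role-based alarm destinations, and flood prevention that rolls repeated child alarms up into a single parent alarm while recording every decision in the CMBPC audit trail. The alarm types, roles, threshold and the escalate-once policy are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed alarm hierarchy (child -> parent); None marks the root.
HIERARCHY = {
    "duplicate_vendor_payment": "accounts_payable_controls",
    "po_without_approval": "accounts_payable_controls",
    "accounts_payable_controls": "procure_to_pay",
    "procure_to_pay": None,
}
# Role-based destinations: alarms are addressed to audit roles, not to named people.
ROLE_DESTINATIONS = {
    "duplicate_vendor_payment": ["ap_auditor"],
    "po_without_approval": ["ap_auditor"],
    "accounts_payable_controls": ["audit_manager"],
    "procure_to_pay": ["audit_director"],
}
FLOOD_THRESHOLD = 3  # after this many alarms of one type, stop delivering individually


@dataclass
class AlarmRouter:
    """Routes CMBPC alarms and keeps an audit trail of delivered and suppressed alarms."""
    audit_trail: list = field(default_factory=list)
    counts: dict = field(default_factory=lambda: defaultdict(int))

    def raise_alarm(self, alarm_type, detail):
        """Route one alarm; returns the list of (alarm_type, roles) actually delivered."""
        self.counts[alarm_type] += 1
        n = self.counts[alarm_type]
        parent = HIERARCHY[alarm_type]
        if n > FLOOD_THRESHOLD and parent is not None:
            # Flood prevention: the individual alarm is suppressed but still logged,
            # and exactly one aggregated alarm is escalated to the parent level.
            self.audit_trail.append(("suppressed", alarm_type, detail))
            if n == FLOOD_THRESHOLD + 1:
                return self.raise_alarm(parent, f"{n} x {alarm_type} (rolled up)")
            return []
        roles = ROLE_DESTINATIONS[alarm_type]
        self.audit_trail.append(("delivered", alarm_type, detail, tuple(roles)))
        return [(alarm_type, roles)]


def demo():
    """Constructed run: five duplicate-payment alarms in a row trigger a roll-up."""
    router = AlarmRouter()
    deliveries = [router.raise_alarm("duplicate_vendor_payment", f"inv-{i}") for i in range(5)]
    return deliveries, router.audit_trail


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

A production version would count alarms per time window and reset counts when the window closes; the fixed counter here keeps the roll-up logic visible.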
© 2006 Elsevier Inc. All rights reserved