ICS Monitoring Agent
Monitor internal control system - four-eyes, segregation of duties, detect control gaps.
Checks control activities (four-eyes principle, approvals), monitors segregation of duties, detects transaction anomalies via ML.
Rule-based SoD violations, anomalies detected by AI, control gaps assessed by compliance
The agent validates segregation of duties and four-eyes rules deterministically against the authorisation matrix, detects unusual transaction patterns via AI anomaly detection, and escalates identified control gaps to the compliance officer.
Outcome: Control coverage raised from 5 to 100 percent of transactions, internal-control report generation from 10 to 2 working days, and early detection of control failures within the same business day.
The mechanics distinguish between predictable rule violations and patterns that only AI analysis makes visible.
60 percent of companies rate their own control system as ineffective
Only around 40 percent of companies rate their own internal control system as effective - according to a Deloitte study among listed and large non-listed companies. At the same time, corporate governance law requires management to establish a monitoring system that detects existential threats early. (US: SOX Section 302/404 imposes comparable requirements for publicly traded companies.) The gap between obligation and effectiveness almost always arises at the same point: the ICS is defined but never continuously monitored.
Periodic Testing Misses Control Failures Between Cut-Off Dates
Most organisations test their ICS quarterly or at year-end. What happens between testing dates stays invisible. An approval limit is temporarily raised and never reset. A delegation arrangement suspends the four-eyes principle for three weeks. A new employee receives authorisations that violate the segregation-of-duties matrix.
These are not edge cases. They are the norm in organisations whose control system relies on manual, periodic testing. The statutory auditor assesses ICS effectiveness per ISA 315 and adjusts the audit scope accordingly. An ICS that only works at the cut-off date leads to extended testing and higher audit fees.
Continuous monitoring closes this time window. Every transaction is checked against defined control activities - not once a quarter, but at every posting.
Missing Segregation of Duties Causes the Largest Individual Losses
Segregation of duties is one of the most effective controls against fraud. According to the ACFE Report to the Nations 2024, more than 50 percent of all occupational fraud cases are attributable to missing or circumvented internal controls, and structured segregation of duties is one of the most effective countermeasures. The average loss per case, according to ACFE 2024, is around USD 1.7 million, based on an analysis of 1,921 documented fraud cases across 138 countries.
A concrete scenario: an employee in procurement creates a vendor, enters the purchase order and approves the invoice for payment. Three roles, one person. In an ERP system with organically grown authorisation structures, this conflict often goes undetected for years because nobody systematically checks the authorisation matrix against actual role assignments.
The ICS Monitoring Agent checks at every transaction whether the executing person has a segregation-of-duties conflict. Not as a sample, but comprehensively. Every conflict is documented and escalated according to defined thresholds.
Continuous Monitoring Shifts Audit Logic from Sampling to Full Population
The COSO framework defines monitoring as a stand-alone component of the internal control system - equal in rank to control environment, risk assessment, control activities and information. In practice, monitoring is the component most frequently neglected because it generates the highest ongoing effort.
An agent changes this equation. It checks control activities rule-based: was the four-eyes principle observed, is the approval within the limit, does the authorisation match the matrix. Simultaneously, it detects anomalies in transaction data - unusual posting patterns, clusters just below approval thresholds, conspicuous timestamps.
The result is an ICS report based not on samples but on the examination of every single transaction. For the statutory auditor, this means: reliable evidence of control system effectiveness across the entire audit period.
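The rule-based tier described above, as an added example (not the vendor's code): a per-case check for segregation-of-duties conflicts, the four-eyes principle and approval limits. The function name, conflict matrix, limits and ERP events are all constructed for illustration.

```python
from collections import defaultdict

# Constructed SoD matrix: function pairs one person must not combine.
SOD_CONFLICTS = [{"create_vendor", "enter_po"}, {"create_vendor", "approve_invoice"},
                 {"enter_po", "approve_invoice"}]
# Constructed approval limits per approver (EUR).
APPROVAL_LIMITS = {"alice": 10_000, "bob": 50_000, "carol": 5_000}
# Constructed ERP events: (case_id, function, user, amount).
EVENTS = [
    ("PO-1", "create_vendor", "alice", 0),
    ("PO-1", "enter_po", "alice", 8_000),
    ("PO-1", "approve_invoice", "alice", 8_000),   # three roles, one person
    ("PO-2", "create_vendor", "dave", 0),
    ("PO-2", "enter_po", "alice", 20_000),
    ("PO-2", "approve_invoice", "carol", 20_000),  # above carol's limit
    ("PO-3", "create_vendor", "dave", 0),
    ("PO-3", "enter_po", "carol", 4_000),
    ("PO-3", "approve_invoice", "bob", 4_000),     # clean case
]

def check_controls(events, conflicts=SOD_CONFLICTS, limits=APPROVAL_LIMITS):
    """Check every case, not a sample; return (case_id, rule, user, detail) findings."""
    by_case = defaultdict(list)
    for case_id, function, user, amount in events:
        by_case[case_id].append((function, user, amount))
    findings = []
    for case_id, steps in sorted(by_case.items()):
        # SoD: which functions did each person actually perform in this case?
        per_user = defaultdict(set)
        for function, user, _ in steps:
            per_user[user].add(function)
        for user, functions in sorted(per_user.items()):
            for pair in conflicts:
                if pair <= functions:
                    findings.append((case_id, "SOD", user, "+".join(sorted(pair))))
        # Four-eyes and approval limit apply to the approval step only.
        enterers = {u for f, u, _ in steps if f == "enter_po"}
        for function, user, amount in steps:
            if function != "approve_invoice":
                continue
            if user in enterers:
                findings.append((case_id, "FOUR_EYES", user, "approver entered the order"))
            # An approver missing from the limit table has limit 0 and is flagged.
            if amount > limits.get(user, 0):
                findings.append((case_id, "LIMIT", user, f"{amount} > {limits.get(user, 0)}"))
    return findings
```

Each finding names the case, the rule and the person, which is the minimum a decision record needs for the escalation step to be reviewable.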
The Decision Layer Separates Automated Control from Human Escalation
Not every ICS decision lends itself to automation. Checking the four-eyes principle against a checklist - that is a rule engine, tier 1. Detecting anomalies in transaction data - that requires AI analysis, tier 2. But the decision of how to escalate when a control failure is detected stays with the human.
This separation is not a technical detail. It is the prerequisite for the statutory auditor to accept automated monitoring as audit evidence. Every control check is documented: what was checked, what the result was, what action follows. On failure, the agent logs the affected transactions, the nature of the violation and the escalation path.
The compliance officer decides on the corrective measure. The agent monitors whether the decided measure is implemented. This creates a closed loop - from control definition through testing to follow-up.
Micro-Decision Table
Who decides in this agent?
10 decision steps, split by decider
- Check control activities: Are four-eyes principle and approvals being observed?
  Decider: Rules Engine (checklist check against defined control points)
  Decision Record:
    Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.
    Challengeable by: Auditor
- Check segregation of duties: Are there personnel conflicts with function separations?
  Decider: Rules Engine (authorisation matrix matching)
  Decision Record:
    Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.
    Challengeable by: Auditor
- Transaction monitoring: Are there unusual transaction patterns?
  Decider: AI Agent (ML-based anomaly detection)
  Decision Record:
    Challengeable: Yes - fully documented, reviewable by humans, objection via formal process.
    Challengeable by: Auditor
- Monitor authorisation changes: Were authorisations changed without approval?
  Decider: Rules Engine (audit log analysis)
  Decision Record:
    Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.
    Challengeable by: Auditor
- Identify control gaps: Are there processes without adequate controls?
  Decider: AI Agent (gap analysis against target control framework)
  Decision Record:
    Challengeable: Yes - fully documented, reviewable by humans, objection via formal process.
    Challengeable by: Auditor
- Risk assessment per control area: How high is the risk in each control area?
  Decider: AI Agent (scoring by frequency and severity of control failures)
  Decision Record:
    Challengeable: Yes - fully documented, reviewable by humans, objection via formal process.
    Challengeable by: Auditor
- Escalation on control failure: Must immediate action be taken on a control failure?
  Decider: Human (compliance decision with potentially severe consequences)
  Decision Record:
    Challengeable: Yes - via manager, works council, or formal objection process.
    Challengeable by: Auditor
- Create ICS report: Is the ICS status report generated?
  Decider: Rules Engine (aggregation of all control checks)
  Decision Record:
    Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.
- Action proposals: Which measures are recommended to close control gaps?
  Decider: Human (strategic assessment of measures)
  Decision Record:
    Challengeable: Yes - via manager, works council, or formal objection process.
- Follow-up tracking: Are open measures implemented promptly?
  Decider: Rules Engine (workflow-based tracking with deadline monitoring)
  Decision Record:
    Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.
Decision Record and Right to Challenge
Every decision this agent makes or prepares is documented in a complete decision record. Affected parties (employees, suppliers, auditors) can review, understand, and challenge every individual decision.
Does this agent fit your process?
We analyse your specific finance process and show how this agent fits into your system landscape. 30 minutes, no preparation needed.
Governance Notes
GoBD-relevant: the ICS is an essential part of proper bookkeeping. Per HGB Section 289(4) (or Section 315(4) for groups), capital-market-oriented companies must describe the ICS in the management report. The statutory auditor reviews the ICS as part of the financial audit per ISA 315.
Segregation-of-duties violations can indicate fraud and must be documented and escalated. Continuous ICS monitoring is a significant contribution to compliance per AO Section 146 (record-keeping regulations).
§203 StGB-relevant data is encrypted end-to-end and never passed to AI models in plain text.
Process Documentation Contribution
Assessment
Prerequisites
- Defined control framework (COSO, COBIT or equivalent)
- Access to authorisation systems and audit logs
- Transaction data from ERP for anomaly detection
- Configured segregation-of-duties matrix
Infrastructure Contribution
The ICS Monitoring Agent is the central control monitoring instance for all Finance agents. The segregation-of-duties check is used by every agent that implements approval processes. The anomaly detection delivers data to the Fraud Detection Agent. The control framework forms the foundation for the entire Finance governance.
Builds Decision Logging and Audit Trail used by the Decision Layer for traceability and challengeability of every decision.
What this assessment contains: 9 slides for your leadership team
Personalised with your numbers. Generated in 2 minutes directly in your browser. No upload, no login.
1. Title slide - Process name, decision points, automation potential
2. Executive summary - FTE freed, cost per transaction before/after, break-even date, cost of waiting
3. Current state - Transaction volume, error costs, growth scenario with FTE comparison
4. Solution architecture - Human - rules engine - AI agent with specific decision points
5. Governance - EU AI Act, GoBD/statutory, audit trail - with traffic light status
6. Risk analysis - 5 risks with likelihood, impact and mitigation
7. Roadmap - 3-phase plan with concrete calendar dates and Go/No-Go
8. Business case - 3-scenario comparison (do nothing/hire/automate) plus 3×3 sensitivity matrix
9. Discussion proposal - Concrete next steps with timeline and responsibilities
Includes: 3-scenario comparison
Do nothing vs. new hire vs. automation - with your salary level, your error rate and your growth plan. The one slide your CFO wants to see first.
Calculation methodology
Hourly rate: Annual salary (your input) × 1.3 employer burden ÷ 1,720 annual work hours
Savings: Transactions × 12 × automation rate × minutes/transaction × hourly rate × economic factor
Quality ROI: Error reduction × transactions × 12 × EUR 260/error (APQC Open Standards Benchmarking)
FTE: Saved hours ÷ 1,720 annual work hours
Break-Even: Benchmark investment ÷ monthly combined savings (efficiency + quality)
New hire: Annual salary × 1.3 + EUR 12,000 recruiting per FTE
All data stays in your browser. Nothing is transmitted to any server.
Initial assessment for your leadership team
A thorough initial assessment in 2 minutes - with your numbers, your risk profile and industry benchmarks. No vendor logo, no sales pitch.
Related Pages
Related Agents
Annual Statement Preparation Agent
Prepare annual financial statements - orchestrate checklist, draft notes, answer auditor queries.
Fraud Detection Agent
Detect duplicate invoices, phantom vendors, expense fraud and AI-fake invoices.
Procedural Documentation Agent
Keep procedural documentation automatically current - detect changes, generate drafts, close gaps.
Frequently Asked Questions
Does every company need a formal ICS?
Capital-market-oriented companies must describe the ICS in their management report. For all others: a functioning ICS is part of proper bookkeeping per HGB. Even without a statutory obligation, it reduces risks and eases the financial audit.
How does the agent detect segregation-of-duties violations?
The agent checks the authorisation matrix against defined function separations. When the same person can create, approve and pay orders, a SoD violation is flagged. Temporary delegation arrangements are considered and documented.
Can the agent also monitor controls in IT systems?
Yes, where IT systems provide audit logs. The agent monitors authorisation changes, system access and configuration-relevant changes. For deeper IT controls (network security, patch management), a specialised IT audit agent is needed.
What Happens Next?
- Initial call (30 minutes): We analyse your process and identify the optimal starting point.
- Discover (1 week): Mapping your decision logic. Rule sets documented, Decision Layer designed.
- Build (3-4 weeks): Production agent in your infrastructure. Governance, audit trail, cert-ready from day 1.
- Self-sufficient (12-18 months): Full access to source code, prompts and rule versions. No vendor lock-in.
Implement This Agent?
We assess your finance process landscape and show how this agent fits your infrastructure.