ICS Monitoring Agent
Monitor internal control system - four-eyes, segregation of duties, detect control gaps.
Checks control activities (four-eyes principle, approvals), monitors segregation of duties, detects transaction anomalies via ML, identifies control gaps and creates the ICS report.
What This Agent Does
The internal control system (ICS) is the backbone of Finance governance. It ensures the four-eyes principle is observed, no person holds all roles in a process (segregation of duties) and unusual transactions are detected. In practice, the ICS is often only spot-checked - at year-end when the statutory auditor comes.
The Decision Layer makes ICS monitoring a continuous process. The agent continuously checks whether control activities are observed, monitors segregation of duties, detects transaction anomalies via ML and identifies control gaps. On control failure, immediate escalation occurs - not only at the next audit.
The result: continuous ICS monitoring instead of samples. Segregation-of-duties violations are detected in real time. The ICS report for the statutory auditor is generated automatically. And control gaps are identified before they cause damage.
Micro-Decision Table
Check control activities | Are four-eyes principle and approvals being observed? | Rules Engine | Auditor
Checklist check against defined control points
Decision Record
Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.
Challengeable by: Auditor

Check segregation of duties | Are there personnel conflicts with function separations? | Rules Engine | Auditor
Authorisation matrix matching
Decision Record
Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.
Challengeable by: Auditor

Transaction monitoring | Are there unusual transaction patterns? | AI Agent | Auditor
ML-based anomaly detection
Decision Record
Challengeable: Yes - fully documented, reviewable by humans, objection via formal process.
Challengeable by: Auditor

Monitor authorisation changes | Were authorisations changed without approval? | Rules Engine | Auditor
Audit log analysis
Decision Record
Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.
Challengeable by: Auditor

Identify control gaps | Are there processes without adequate controls? | AI Agent | Auditor
Gap analysis against target control framework
Decision Record
Challengeable: Yes - fully documented, reviewable by humans, objection via formal process.
Challengeable by: Auditor

Risk assessment per control area | How high is the risk in each control area? | AI Agent | Auditor
Scoring by frequency and severity of control failures
Decision Record
Challengeable: Yes - fully documented, reviewable by humans, objection via formal process.
Challengeable by: Auditor

Escalation on control failure | Must immediate action be taken on a control failure? | Human | Auditor
Compliance decision with potentially severe consequences
Decision Record
Challengeable: Yes - via manager, works council, or formal objection process.
Challengeable by: Auditor

Create ICS report | Is the ICS status report generated? | Rules Engine
Aggregation of all control checks
Decision Record
Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.

Action proposals | Which measures are recommended to close control gaps? | Human
Strategic assessment of measures
Decision Record
Challengeable: Yes - via manager, works council, or formal objection process.

Follow-up tracking | Are open measures implemented promptly? | Rules Engine
Workflow-based tracking with deadline monitoring
Decision Record
Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.
Decision Record and Right to Challenge
Every decision this agent makes or prepares is documented in a complete decision record. Affected parties (employees, suppliers, auditors) can review, understand, and challenge every individual decision.
Prerequisites
- Defined control framework (COSO, COBIT or equivalent)
- Access to authorisation systems and audit logs
- Transaction data from ERP for anomaly detection
- Configured segregation-of-duties matrix
Governance Notes
GoBD-relevant: the ICS is an essential part of proper bookkeeping. Per HGB §289 para. 4 (or §315 para. 4 for groups), capital-market-oriented companies must describe the ICS in the management report. The statutory auditor reviews the ICS as part of the financial audit per ISA 315.
Segregation-of-duties violations can indicate fraud and must be documented and escalated. Continuous ICS monitoring is a significant contribution to compliance per AO §146 (record-keeping regulations).
§203 StGB-relevant data is encrypted end-to-end and never passed to AI models in plain text.
Process Documentation Contribution
Infrastructure Contribution
The ICS Monitoring Agent is the central control monitoring instance for all Finance agents. The segregation-of-duties check is used by every agent that implements approval processes. The anomaly detection delivers data to the Fraud Detection Agent. The control framework forms the foundation for the entire Finance governance.
Builds Decision Logging and Audit Trail used by the Decision Layer for traceability and challengeability of every decision.
Related Agents
Procedural Documentation Agent
Keep procedural documentation automatically current - detect changes, generate drafts, close gaps.
Fraud Detection Agent
Detect duplicate invoices, phantom vendors, expense fraud and AI-fake invoices.
Annual Statement Preparation Agent
Prepare annual financial statements - orchestrate checklist, draft notes, answer auditor queries.
Frequently Asked Questions
Does every company need a formal ICS?
Capital-market-oriented companies must describe the ICS in their management report. For all others: a functioning ICS is part of proper bookkeeping per HGB. Even without a statutory obligation, it reduces risks and eases the financial audit.
How does the agent detect segregation-of-duties violations?
The agent checks the authorisation matrix against defined function separations. When the same person can create, approve and pay orders, a SoD violation is flagged. Temporary delegation arrangements are considered and documented.
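The matrix check described in this answer, sketched as an added example (not the product's own code). The user names, function names, rule set and delegation records are constructed assumptions; the rule itself is the one stated above: one person who can create, approve and pay orders.

```python
from datetime import date

# Defined function separations (assumed rule set): functions one person must not hold together.
CONFLICT_RULES = {
    "procure-to-pay": {"create_order", "approve_order", "release_payment"},
}

# Constructed authorisation matrix: user -> permanently assigned functions.
AUTH_MATRIX = {
    "a.meyer": {"create_order"},
    "b.schulz": {"approve_order", "release_payment"},
    "c.braun": {"create_order", "approve_order", "release_payment"},
}

# Constructed temporary delegations: (delegate, function, valid_from, valid_to, approved_by).
DELEGATIONS = [
    ("a.meyer", "approve_order", date(2024, 7, 1), date(2024, 7, 14), "cfo"),
    ("a.meyer", "release_payment", date(2024, 7, 8), date(2024, 7, 21), "cfo"),
]


def effective_functions(user, on_day):
    """Map each function the user can exercise on on_day to where the right comes from."""
    funcs = {f: "permanent" for f in AUTH_MATRIX.get(user, ())}
    for delegate, func, start, end, approver in DELEGATIONS:
        if delegate == user and start <= on_day <= end:
            # A permanent assignment takes precedence over a delegation of the same function.
            funcs.setdefault(func, f"delegated {start}..{end}, approved by {approver}")
    return funcs


def sod_violations(on_day):
    """Return one finding per user and process where all conflicting functions coincide."""
    findings = []
    users = set(AUTH_MATRIX) | {d[0] for d in DELEGATIONS}
    for user in sorted(users):
        funcs = effective_functions(user, on_day)
        for process, conflicting in sorted(CONFLICT_RULES.items()):
            if conflicting.issubset(funcs):
                findings.append({
                    "user": user,
                    "process": process,
                    "date": on_day.isoformat(),
                    # True when the conflict exists only because of a temporary delegation.
                    "via_delegation": any(funcs[f] != "permanent" for f in conflicting),
                    # Documents the source of every conflicting right for the decision record.
                    "evidence": {f: funcs[f] for f in sorted(conflicting)},
                })
    return findings
```

Evaluating per day matters: two individually approved delegations that overlap create a conflict only for the overlapping window, which a static matrix review would miss.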
Can the agent also monitor controls in IT systems?
Yes, where IT systems provide audit logs. The agent monitors authorisation changes, system access and configuration-relevant changes. For deeper IT controls (network security, patch management), a specialised IT audit agent is needed.