Internal audit & controls
Controls get tested continuously instead of once a year, transactions get screened against policy as they happen, the evidence for every control assembles itself, and exceptions land in a queue instead of in a post-mortem. The annual audit stops being an archaeology dig.
Overview
Internal controls get tested the way a smoke detector gets tested: once a year, reluctantly, usually right before it matters. The control either operated all year or it didn't, but nobody checks until audit season, when a team reconstructs twelve months of evidence from memory and email. By the time a control failure surfaces, the money is already gone and the only thing left to do is write the finding. Annual testing of a continuous risk is theater, and everyone in the room knows it.
This agent tests continuously. It screens transactions against control policies as they happen (approval limits, segregation of duties, duplicate payments, unusual vendors, out-of-pattern expenses), maintains the control matrix and gathers the operating evidence automatically, and routes exceptions to a review queue the moment they occur instead of the quarter they're discovered. It flags. It does not block, reverse, or adjudicate. A human owns every disposition. When the auditors arrive, the evidence is already assembled, time-stamped, and complete, which is the difference between an audit that confirms your controls and an audit that goes looking for why you don't have any.
Capabilities
- Screens transactions against control policies in near real time: approval thresholds, segregation of duties, duplicate or split payments, new or unusual vendors, out-of-policy expenses
- Maintains the control matrix and gathers operating evidence continuously, so control effectiveness is demonstrable on any date rather than reconstructed at year-end
- Detects anomalies against historical patterns (round-dollar entries, off-hours postings, vendor-bank-detail changes, unusual journal entries) and ranks them by risk
- Routes every exception to a human review queue with the supporting detail attached, flagging and documenting without ever blocking, reversing, or adjudicating on its own
- Tracks remediation of open findings to closure, with owners, due dates, and an evidence trail for each
- Assembles the audit evidence package (control narratives, test results, exception logs, remediation history) on demand, formatted to the auditor's request
Example Output
Controls monitor, weekly exception summary
Transactions screened this week: 1,847 across AP, payroll, expense, and journal entries. 1,838 clean. 9 exceptions flagged and routed.
Exceptions by risk (routed to review queue):
High:
- Vendor bank-detail change followed by immediate payment. Vendor "Meridian Consulting" bank account updated June 16 at 2:14pm; a $48,000 payment released to the new account June 16 at 2:51pm, same user initiating both. A classic business-email-compromise pattern. The payment was within approval limits, so no control blocked it. Routed to the controller and flagged for callback verification before any further payment. Status: under review.
- Segregation-of-duties break. The same user created a new vendor and approved its first invoice ($12,400). Policy requires separate parties. Routed to the controller.
Medium:
- Possible duplicate payment. Two payments to "Apex Logistics," same amount ($3,180), 9 days apart, different invoice numbers. May be a legitimate recurring charge or a duplicate. Routed for confirmation.
- Three expense reports with out-of-policy items (first-class airfare, alcohol over per-diem). Routed to the managers for approval or rejection.
Low:
- Three off-hours journal entries (posted after 9pm). All by the controller during the close; pattern-consistent and likely fine. Logged for visibility, no action requested.
Open findings tracker: 4 prior findings open. 1 closed this week (the AP approval-limit gap, remediated and evidenced). 3 on track against due dates.
Status: All exceptions in the review queue with supporting detail. The vendor-bank-change item flagged as the priority for human attention today. Nothing blocked or reversed by the agent; every disposition awaits a person.
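The three rule-based exceptions in the summary above (bank-detail change then payment, segregation-of-duties break, possible duplicate payment), sketched as screening logic. This is an added example, not the product's own code. The event field names, user IDs, invoice numbers, the year, and both time windows are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed thresholds (not from the page); set them from your own control policy.
BANK_CHANGE_WINDOW = timedelta(hours=24)
DUPLICATE_WINDOW = timedelta(days=14)

# Constructed sample events mirroring the summary; field names are hypothetical.
EVENTS = [
    {"type": "vendor_created", "vendor": "V-NEW", "user": "u7", "ts": "2024-06-10T09:00"},
    {"type": "invoice_approved", "vendor": "V-NEW", "user": "u7", "amount": 12400,
     "invoice": "N-1", "ts": "2024-06-12T10:00"},
    {"type": "bank_change", "vendor": "Meridian Consulting", "user": "u3", "ts": "2024-06-16T14:14"},
    {"type": "payment", "vendor": "Meridian Consulting", "user": "u3", "amount": 48000,
     "invoice": "M-88", "ts": "2024-06-16T14:51"},
    {"type": "payment", "vendor": "Apex Logistics", "user": "u2", "amount": 3180,
     "invoice": "A-101", "ts": "2024-06-05T11:00"},
    {"type": "payment", "vendor": "Apex Logistics", "user": "u2", "amount": 3180,
     "invoice": "A-117", "ts": "2024-06-14T11:00"},
]

def screen(events):
    """Return exceptions for the human review queue, highest risk first. Flags only."""
    queue, bank_change, creator, approved, payments = [], {}, {}, set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, vendor = datetime.fromisoformat(ev["ts"]), ev["vendor"]
        if ev["type"] == "bank_change":
            bank_change[vendor] = (ts, ev["user"])
        elif ev["type"] == "vendor_created":
            creator[vendor] = ev["user"]
        elif ev["type"] == "invoice_approved":
            # Segregation of duties: the vendor's creator must not approve its first invoice.
            if vendor not in approved and creator.get(vendor) == ev["user"]:
                queue.append(("High", "sod_break", vendor, ev["invoice"]))
            approved.add(vendor)
        elif ev["type"] == "payment":
            # Payment released shortly after a bank-detail change; note a shared initiator.
            changed = bank_change.get(vendor)
            if changed and ts - changed[0] <= BANK_CHANGE_WINDOW:
                same = "_same_user" if changed[1] == ev["user"] else ""
                queue.append(("High", "bank_change_then_payment" + same, vendor, ev["invoice"]))
            # Same vendor and amount inside the window under a different invoice number.
            if any(p["vendor"] == vendor and p["amount"] == ev["amount"]
                   and p["invoice"] != ev["invoice"] and ts - p_ts <= DUPLICATE_WINDOW
                   for p_ts, p in payments):
                queue.append(("Medium", "possible_duplicate", vendor, ev["invoice"]))
            payments.append((ts, ev))
    rank = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(queue, key=lambda x: rank[x[0]])
```

The function only returns a ranked list; disposition of each item stays with the reviewer, as the summary describes.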
Agent Workflow
Load control policies and the control matrix
The agent ingests your control policies and control matrix (approval limits, segregation-of-duties rules, expense policy, materiality thresholds) so it screens against your actual controls, not a generic template.
Screen transactions continuously
The agent screens transactions against those policies in near real time across AP, payroll, expense, and journal entries, so a control break is caught the day it happens rather than the quarter it's sampled.
Detect anomalies against historical patterns
Beyond the explicit rules, the agent compares transactions against historical patterns and flags the statistical outliers (round-dollar entries, off-hours postings, vendor-bank changes, unusual entries), ranked by risk.
Route exceptions to the human queue
Every exception routes to a human review queue with the full supporting detail attached. The agent documents and flags; it never blocks a payment, reverses an entry, or decides an exception on its own.
Gather and time-stamp control evidence
The agent gathers and time-stamps the operating evidence for each control as it runs, so control effectiveness is demonstrable on any date instead of reconstructed under deadline.
Track remediation to closure
For every open finding, the agent tracks the owner, the due date, and the remediation evidence, and chases the items still open, so findings close rather than linger to the next audit.
Assemble the audit package on demand
When the auditors ask, the agent assembles the evidence package (control narratives, test results, exception logs, remediation history) formatted to their request list, turning audit prep from a project into an export.
Report and recalibrate
The agent reports the weekly exception summary and trend to the controller and audit committee, and recalibrates its thresholds as policies change and patterns shift, so the screen stays tuned to current risk.