
Semantic Specification and Automated Enforcement of Internal Controls within Accounting Systems
Dr. Graham Gal, University of Massachusetts at Amherst
Dr. Guido Geerts, University of Delaware
Dr. William McCarthy, Michigan State University

Value Modeling and Business Ontologies Workshop, February 9th & 10th, 2009
                            Presentation Outline
  • Internal Controls
        – Nature
        – Monitoring and Evaluation
  • Internal Controls and Management
        – Responsibilities
  • Business States and Transitions
  • Integrate Definitions into the REA Ontology
  • Implications for monitoring
                            Internal Controls
  • Nature of internal controls
        – Process to provide reasonable assurance
          concerning the achievement of objectives
              • Effective and Efficient Operations
              • Reliability of Financial Reporting
              • Compliance with applicable laws
        – “Being in Control”
        – Types
              • Application Level
              • Control Environment

                            Internal Controls
 • Evaluation of internal controls
        – Sarbanes-Oxley Act of 2002
          • Sec. 103 (a) (2) (iii) testing of internal control structure
            and procedures
                    – (II) (aa) reasonable detail and fairly reflect the transactions …
                    – (II) (bb) reasonable assurance that transactions are recorded
                      as necessary (reporting)
             • Sec. 302 (a) (3) report(s)… fairly present … results of
               operations [transactions]
                    – (5) (A) … deficiencies … prevent the ability to record, process
             • Sec. 404 Management Assessment of Internal Controls
                    – (a) (2) … effectiveness of internal control structure and
                      procedures
                    – (b) report on the assessment made by management
                             Internal Controls
 • Monitoring
       – Ongoing versus Separate Evaluations (COSO Framework)
          • Building in versus Adding on
          • Closer to the operation of the control
       – Direct versus indirect
          • Application versus General
          • Entity Level Controls
          • Control Environment
                    –   Incentives
                    –   Commitment to Competence
                    –   Organizational Structure
                    –   Assignment of Authority and Responsibility
                    –   Human Resources Policies and Practices
[Figure: the Enterprise with its three categories of objectives: Operational Objectives, Compliance Objectives, and Reporting Objectives (F/S, Tax, …).]
                 Management and Control
    Establish Objectives for firm in relation to stakeholders’
     requirements
    Define or quantify these objectives
       o Be a major supplier of … ⇒ achieve 40% market share
       o Cut production costs ⇒ At X level of production costs will be
         Y
       o Provide customer service ⇒ Delivery within 3 days of order
    Formulate policies to establish path to achieve these
     objectives
       o Transition from current state to future state in which firm
         characteristics are closer to objectives than current state.
       o Monitor these transitions and make an assessment that
         policies are being adhered to
[Figure: business states and transitions. Activities create the new state. The resulting states can be of three types: 1) completely not allowed, 2) completely allowed, 3) unsure.]

                                          Activities
 • Activities to further specific applications
    – Send an invoice
    – Receive a payment
    – Look for possible vendors
    – Obtain/Send a quote
    – Receive/Send merchandise
 • Activities that set the tone for the applications
    – Establish formal job descriptions
    – Establish formal skills and knowledge levels
    – Delineate formal lines of responsibility


14th World Continuous Monitoring and Reporting Symposium – Rutgers University, November 2nd and 3rd 2007
                                          Activities
 • Activities are organized around various business processes
   (transaction cycles) or subsystems
    – Acquisition, Revenue, Hiring, etc.
 • Each business process consists of:
    – Groups of activities that correspond to steps that need
       completion and may have temporal dependencies
    – Role(s) allowed to perform the activity
    – Business object whose state the activity alters
 • Management gives general or specific authorization for the
   execution of activities consistent with attainment of objectives



       General Business Process Phases
• Planning
     – Activities to decide what action to take for acquiring or selling a good, service, and/or right.

• Identification
     – Activities to exchange data among potential parties in order to establish a one-to-one linkage.

• Negotiation
     – Activities to achieve an explicit, mutually understood, and agreed upon goal of a business
       collaboration and associated terms and conditions.

• Actualization
     – Activities necessary for the execution of the results of the negotiation for an actual business
       transaction.

• Post-Actualization
     – Activities associated with exchanges of information that occur between the parties after the
       agreed upon good, service, and/or right is deemed to have been delivered



                Role Based Access Control
• Management establishes areas of
  responsibility within the firm to perform activities
    – Sales Department, Purchasing, Manufacturing,
      Human Resources
• Hierarchical structure of responsibility and
  authority
    – Vice President, Sales VP, Manager, …..
    – Authority to Delegate
    – Authority to Perform
• Segregation of incompatible functions

                General Roles and Activity

[Figure: class diagram. Roles (Vice President, Manager, Clerk) are associated many-to-many (0..* to 0..*) with Activity Types (Negotiation, Actualization).]
             General Roles and Activity II
[Figure: class diagram with three classes: Roles (Delegate, Perform), Employee Types (Vice President, Manager, Clerk) and Activity Types (Negotiation, Actualization).]
                               Business Objects
• Management authorization or permission for a
  specific role (or hierarchy) to perform activities on
  a business object
     – A sales manager can negotiate sales prices and delivery
       terms for inventory sales
     – A sales manager can delegate to a sales clerk authority
       to actualize transfer of inventory
     – A sales clerk can actualize the transfer of inventory per
       negotiated terms
     – A purchasing manager can negotiate purchase prices
       and delivery terms for raw material purchases
     – A warehouse clerk can actualize receipt of raw
       materials inventory

            Objects, Roles, and Activities
[Figure: Management Policy connecting Objects, Roles, and Activities; diagram not recoverable from the extracted text.]
 Objects, Roles, Employee Types,
       and Activity Types
[Figure: Management Policy connecting Objects, Roles, Employee Types, and Activity Types; diagram not recoverable from the extracted text.]
                                            Examples
       The Vice President of Sales can delegate the task of negotiating
        sales prices and delivery terms
•       P.Delegate.Negotiation.Sales(BOT.Resource.Inventory, RT.Delegate, ET.VPSales, AT.Negotiate.Sales)

       A Sales Manager can perform the negotiation of sales prices and
        delivery terms for inventory sales
•       P.Perform.Negotiation.Sales(BOT.Resource.Inventory, RT.Perform, ET.SalesManager, AT.Negotiate.Sales)

       A Sales Clerk can perform the actualization of the transfer
        of inventory per negotiated terms
•       P.Perform.Actualize.Sales(BOT.Event.Sale, RT.Perform, ET.Clerk.SalesClerk, AT.Actualize.Sales)




                                          Examples
    The Vice President of Sales delegates the authority to negotiate
     sales to the Sales Manager
• Delegate(e ∈ EmployeeType, e′ ∈ EmployeeType, a ∈ ActivityType)
• Delegate(ET.VicePresidentSales, ET.SalesManager, AT.Negotiate.Sales)

    A Sales Manager delegates the authority to actualize a sale to a
     Sales Clerk
• Delegate(ET.SalesManager, ET.SalesClerk, AT.Actualize.Sales)
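The permission tuples and the Delegate operation on the two Examples slides, as an added Python example (not code from the slides or the authors): it stores P(BOT, RT, ET, AT) tuples, implements Delegate(e, e′, a) so that only a holder of RT.Delegate can pass a Perform right on, and enforces segregation of incompatible functions at the moment a right is granted. The employee-type names follow the slides (ET.VicePresidentSales, ET.SalesManager, ET.SalesClerk); the incompatible pair Negotiate.Sales/Actualize.Sales, the sample employees and the business object type attached to the sales manager's delegate right are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Set, Tuple

# Added example (not from the slides). Permission tuple as on the Examples
# slides: (business object type, right type, employee type, activity type).
Permission = Tuple[str, str, str, str]


class PolicyError(Exception):
    """Raised when a grant or delegation would violate management policy."""


@dataclass
class ManagementPolicy:
    permissions: Set[Permission] = field(default_factory=set)
    # activity-type pairs no single employee type may hold Perform rights on
    # (segregation of incompatible functions); the pair below is an assumption
    incompatible: Set[FrozenSet[str]] = field(default_factory=set)

    def holds(self, et: str, rt: str, at: str, bot: str) -> bool:
        return (bot, rt, et, at) in self.permissions

    def grant(self, bot: str, rt: str, et: str, at: str) -> None:
        # SoD is checked where the permission is created, not ad hoc at use time
        if rt == "RT.Perform":
            for b, r, e, a in self.permissions:
                if e == et and r == "RT.Perform" and frozenset({a, at}) in self.incompatible:
                    raise PolicyError(f"{et} may not perform both {a} and {at}")
        self.permissions.add((bot, rt, et, at))

    def delegate(self, from_et: str, to_et: str, at: str, bot: str) -> None:
        # Delegate(e, e', a): e must itself hold RT.Delegate on a for this object type
        if not self.holds(from_et, "RT.Delegate", at, bot):
            raise PolicyError(f"{from_et} cannot delegate {at}")
        self.grant(bot, "RT.Perform", to_et, at)


@dataclass(frozen=True)
class Employee:
    name: str
    employee_type: str


def can_perform(policy: ManagementPolicy, emp: Employee, at: str, bot: str) -> bool:
    # an employee inherits the Perform permissions attached to its employee type
    return policy.holds(emp.employee_type, "RT.Perform", at, bot)


def violates(action, *args) -> bool:
    """True if the policy operation is refused."""
    try:
        action(*args)
        return False
    except PolicyError:
        return True


def build_sales_policy() -> ManagementPolicy:
    p = ManagementPolicy()
    p.incompatible.add(frozenset({"AT.Negotiate.Sales", "AT.Actualize.Sales"}))
    # P.Delegate.Negotiation.Sales(BOT.Resource.Inventory, RT.Delegate, ET.VicePresidentSales, AT.Negotiate.Sales)
    p.grant("BOT.Resource.Inventory", "RT.Delegate", "ET.VicePresidentSales", "AT.Negotiate.Sales")
    # the sales manager may delegate actualization of a sale (Business Objects slide);
    # attaching it to BOT.Event.Sale is an assumption
    p.grant("BOT.Event.Sale", "RT.Delegate", "ET.SalesManager", "AT.Actualize.Sales")
    # Delegate(ET.VicePresidentSales, ET.SalesManager, AT.Negotiate.Sales)
    p.delegate("ET.VicePresidentSales", "ET.SalesManager", "AT.Negotiate.Sales", "BOT.Resource.Inventory")
    # Delegate(ET.SalesManager, ET.SalesClerk, AT.Actualize.Sales)
    p.delegate("ET.SalesManager", "ET.SalesClerk", "AT.Actualize.Sales", "BOT.Event.Sale")
    return p
```

Two points the code makes explicit: holding RT.Delegate on an activity does not by itself confer RT.Perform (the Vice President can hand out negotiation rights without being able to negotiate), and the sales manager, who performs negotiation, is refused a Perform right on actualization even via self-delegation, because the conflict is evaluated when the permission is created.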




                            Important Notes
  • Adding activities to the process has only local
    effects (Plan, Control, and Evaluate)
        – AddActivity(AA.Actualize.Sales, ReCalculatePrice)
  • Because roles are connected to activities, an
    employee assigned to a role inherits the
    permissions to perform the role's activities
        – Segregation of duties is integrated into the
          permissions rather than specified ad hoc
  • Declarative specification of controls as
    constraints is side-effect free
                Connection of Permissions
  • Activity connections
        – Temporal – Order of permissions is restricted
              • Negotiation of a purchase (state) must occur before
                Actualization of a purchase (state)
        – Inclusive – Once Activity has occurred another
          activity must occur
              • Get a hotdog from a street vendor ⇒ pay for hotdog
        – Exclusive – Once an activity has occurred another
          activity cannot occur
              • Failed Negotiation ⇒ Actualization cannot occur
        – No restrictions
              Permissions on Permissions
[Figure not recoverable from the extracted text.]
                            OCL Representations
  • Temporal Order of Permissions
  Acquisition::P.Actualize.Purchase(BOT.Event.Purchase, R.Clerk.PurchaseClerk, AT.Actualize.Purchase)

  Acquisition::P.P.Actualize.Purchase(BOT.Event.Purchase, R.Perform.ET.Clerk.PurchaseClerk, AT.Actualize.Purchase)
  PRE: Negotiate.Purchase.state = ‘Complete’

  • Inclusive Permissions
  Delivery
    if (state.revenue.negotiation) then actualization.date – negotiation.date < 7

  • Exclusive Permissions
  Segregation of Duties

  Transfer::P.Actualize.Transfer(BOT.event.assign, RT.Manager.HumanResources, AT.Actualize.Transfer)
  Post: Remove(employee.E.jobtype) and Assign(employee.E.jobtype) = new job type


                                    REA Ontology
[Figure: the REA ontology class diagram. Base layer: Economic Resource –stockflow– Economic Event; Economic Event –duality– Economic Event; Economic Agent –provide/receive– Economic Event. Commitment layer: Economic Commitment –fulfills– Economic Event, with reciprocal commitments. Type layer: Resource Type, Event Type and Agent Type each typify their base class, specify Economic Commitments (Agent Types participate), and carry policy.]
          The Extension to the Ontology
  • Include constraints on future states

  • The states represent adherence to
    management policy
        – State Transitions toward objectives

  • General business process model
  • Perceptions of Monitoring
              • Rod Brennan - Siemens



                     Continuous Monitoring
  • Exceptions to constraints represent violations
    of management policy and therefore evidence
    about the state of controls
  • Declarative aspect of constraints allows
    different approaches to different violations
        – Preventive – do not allow state
        – Detective – note existence of state
  • Evaluation of the quality of controls depends
    on the amount of evidence
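The connection types on the Connection of Permissions slide (temporal, inclusive, exclusive), the OCL-style pre-conditions, and the preventive versus detective distinction above can be run as declarative constraints over a stream of activities. The Python example below is added here and is not code from the slides or the authors; the activity names, object identifiers, dates and the 7-day delivery bound are constructed for the example. Each constraint is a side-effect-free predicate on the business object's current state and the proposed activity, so the same constraint can be switched between preventive and detective mode without changing the predicate.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, List, Optional, Tuple

# Added example (not from the slides): activity connections as constraints,
# evaluated preventively (transition refused) or detectively (transition
# allowed, exception recorded as evidence about the state of the controls).


@dataclass
class BusinessObject:
    oid: str
    # (activity type, outcome, date) in the order the activities were applied
    history: List[Tuple[str, str, date]] = field(default_factory=list)

    def outcome(self, activity: str) -> Optional[str]:
        hits = [o for a, o, _ in self.history if a == activity]
        return hits[-1] if hits else None

    def when(self, activity: str) -> Optional[date]:
        hits = [d for a, _, d in self.history if a == activity]
        return hits[-1] if hits else None


# A check sees the object's state plus the proposed activity and its date and
# returns True when the transition is consistent with management policy.
Check = Callable[[BusinessObject, str, date], bool]


@dataclass
class Constraint:
    name: str
    check: Check
    mode: str = "preventive"  # "preventive" refuses the state, "detective" records it


def temporal(before: str, after: str, mode: str = "preventive") -> Constraint:
    # `after` is permitted only once `before` has occurred (PRE: before.state is set)
    return Constraint(f"{before} precedes {after}",
                      lambda obj, act, _d: act != after or obj.outcome(before) is not None, mode)


def exclusive(failed: str, blocked: str, mode: str = "preventive") -> Constraint:
    # once `failed` has failed, `blocked` may never occur
    return Constraint(f"failed {failed} excludes {blocked}",
                      lambda obj, act, _d: act != blocked or obj.outcome(failed) != "Failed", mode)


def within_days(start: str, end: str, days: int, mode: str = "detective") -> Constraint:
    # bounded connection, as in "actualization.date - negotiation.date < 7"
    def ok(obj: BusinessObject, act: str, d: date) -> bool:
        s = obj.when(start)
        return act != end or s is None or (d - s).days < days
    return Constraint(f"{end} within {days} days of {start}", ok, mode)


@dataclass
class Obligation:
    # inclusive connection: once `trigger` has occurred, `required` must follow
    trigger: str
    required: str


@dataclass
class Monitor:
    constraints: List[Constraint]
    obligations: List[Obligation]
    exceptions: List[str] = field(default_factory=list)

    def apply(self, obj: BusinessObject, activity: str, outcome: str, on: date) -> bool:
        """Attempt a state transition; returns True if the new state was entered."""
        for c in self.constraints:
            if c.check(obj, activity, on):
                continue
            self.exceptions.append(f"{c.mode}:{c.name}:{obj.oid}")
            if c.mode == "preventive":
                return False  # state not allowed
        obj.history.append((activity, outcome, on))
        return True

    def open_obligations(self, objects: List[BusinessObject]) -> List[str]:
        """Population-level detective check: inclusive connections not yet satisfied."""
        return [f"{o.required} missing after {o.trigger}:{obj.oid}"
                for obj in objects for o in self.obligations
                if obj.outcome(o.trigger) is not None and obj.outcome(o.required) is None]


def run_demo() -> Tuple[List[str], List[str]]:
    # constructed purchase and sale cycles exercising each connection type
    m = Monitor(
        constraints=[temporal("Negotiate.Purchase", "Actualize.Purchase"),
                     exclusive("Negotiate.Purchase", "Actualize.Purchase"),
                     within_days("Negotiate.Sale", "Actualize.Sale", 7)],
        obligations=[Obligation("Actualize.Sale", "Receive.Payment")])
    po1, po2, so1, so2 = (BusinessObject(i) for i in ("PO-1", "PO-2", "SO-1", "SO-2"))
    # PO-1: actualization attempted before negotiation is refused, then succeeds in order
    m.apply(po1, "Actualize.Purchase", "Complete", date(2009, 2, 1))
    m.apply(po1, "Negotiate.Purchase", "Complete", date(2009, 2, 2))
    m.apply(po1, "Actualize.Purchase", "Complete", date(2009, 2, 3))
    # PO-2: a failed negotiation excludes actualization
    m.apply(po2, "Negotiate.Purchase", "Failed", date(2009, 2, 2))
    m.apply(po2, "Actualize.Purchase", "Complete", date(2009, 2, 4))
    # SO-1: late delivery is allowed but noted; payment never arrives
    m.apply(so1, "Negotiate.Sale", "Complete", date(2009, 2, 1))
    m.apply(so1, "Actualize.Sale", "Complete", date(2009, 2, 12))
    # SO-2: compliant cycle
    m.apply(so2, "Negotiate.Sale", "Complete", date(2009, 2, 1))
    m.apply(so2, "Actualize.Sale", "Complete", date(2009, 2, 3))
    m.apply(so2, "Receive.Payment", "Complete", date(2009, 2, 5))
    return m.exceptions, m.open_obligations([po1, po2, so1, so2])
```

Running run_demo() yields three exceptions (two preventive refusals on the purchase objects, one detective note on the late sale) and one open inclusive obligation for the unpaid sale. The inclusive connection is deliberately evaluated over the population rather than per transition: "payment must follow delivery" cannot be refused at the moment of delivery, only detected later, which is the reason the slides treat preventive and detective handling as two responses to the same declarative constraint.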
[Figure: Constraint Violations and Continuous Monitoring. An REA pattern (economic resources ERd and ERi joined by stockflow SF to events DE and IE, which are linked by duality D, with economic agents EA) alongside activities IA1–IA6 and exceptions to activity policy templates.]
           Evaluation of Internal Controls
[Figure: the actual Enterprise is compared with the Ideal Enterprise.]
             Future Research
• Specify REA ontology in First Order Logic
• Specify more complete set of internal controls
  in FOL
• Connect business processes
• Integrate continuous monitoring structures
• Integrate continuous reporting requirements
                            QUESTIONS?

