audit by mamapeirong


									               Alert Driven Process Integration and Exception Handing:
               A Case Study on Audit Confirmation with Web Services

                  Mandy Y.S. Tong1 and Dickson K.W. Chiu1,2, Senior Member, IEEE
                          Department of Computer Science, Hong Kong Baptist University
                         Dickson Computer Systems, 7 Victory Avenue, Kowloon, Hong Kong

                          Abstract                            outstanding account balances. However, it is often quite
                                                              difficult to collect back adequate confirmations on time
    Information technology has recently been employed         for a reliable audit process, especially if a client’s busi-
widely in different industries. However, in the audit         ness partners are from overseas.
profession, there is limited adoption of contemporary             If an auditor cannot receive adequate confirmations,
information technologies. Besides automating regular          they have to use alternative and less precise methods to
audit processes, which mainly involves streamlining the       verify whether the account balances provided are accu-
communications across different organizations (such as        rate. These alternative procedures include checking
the client and its business partners), the monitoring of      documents of various purchase order, invoices, delivery
the overall process as well as exception handling is          note, shipping documents, and receipt/payment for rel-
crucial to the process quality and responsiveness. In         evant outstanding balances, which are usually manual
this paper, we apply our earlier framework of e-service       and much more time-consuming. This needs a few
enactment and enforcement for requirements elicitation        hours to a few days depending on the size of the com-
and use the concept of alert management for process           pany. As the audit fee of an assignment is based on
modeling, together with a Web service based imple-            time, further automation can help save the audit fee. For
mentation for data and process integration. We illus-         the audit firm, it can have more time to deal with other
trate our approach to an Alert-driven Audit Manage-           assignments.
ment System (ADAMS) with a case study on the audit                To approach this problem, we identify the need for
confirmation process, which requires the most automa-         not just automating the regular process, which mainly
tion of work.                                                 involves streamlining the communications across dif-
                                                              ferent organizations. In addition, the monitoring of the
1. Introduction                                               overall audit process as well as exception handling is
    Information systems have been playing a more and          crucial to the process quality and responsiveness.
more important role in various industries. However, in        Therefore, we adapt our earlier framework of e-service
the audit profession, there is limited adoption of con-       enactment and enforcement [3] for the requirements
temporary information technologies [5]. Currently,            elicitation and use the concept of alert management [4]
there are some audit software packages that can help          for process modeling, together with a Web services
auditors to perform audit assignments. However, be-           based implementation for the data and process integra-
cause each audit assignment have its own characteris-         tion of our Alert-driven Audit Management System
tics, it is necessary for auditors to device an audit plan-   (ADAMS).
ning for each assignment [7]. Therefore, such audit
                                                              2. Background and Related Work
software packages may not be suitable for each audit
assignment; and sometimes, the packaged software may               Although every audit project is unique, the audit
be useful for part of the audit assignment but not for the    process is similar for most engagements [1] and nor-
whole assignment. So, currently, not many audit firms         mally consists of four stages: Preliminary Review,
adopt such audit software [1], especially because such        Fieldwork, Audit Report, and Follow-up Review. The
software packages are very costly. In particular, those       bulk of the tedious work in the stage Fieldwork and is
software packages cannot handle the cross-                    the main target for further automation. In particular,
organizational collaboration among the clients and their      there are usually strict professional guidelines for pro-
business partners required in typical audit processes [6].    cesses in this stage. The Hong Kong Institution of Cer-
    To perform an audit assignment, it is necessary for       tified Public Accountant (HKICPA) has a clear stand-
auditors to send out requests to selected client’s busi-      ard for auditor to obtain audit confirmation. The guide-
ness partners (debtors and creditors) to confirm their        lines of HKSA 500 and HKSA 505 [8] instruct auditors

to get sufficient appropriate and external confirmation             cation and collaboration. We further propose the use of
in the audit process. HKSA 505 paragraph 13 stated                  an Alert Management System (AMS) [4] to manage
that “external confirmation of an account receivable                processes with urgencies and deadlines. We adapt these
provides reliable and relevant audit evidence regarding             frameworks to audit process collaboration, especially
the existence of the account as at a certain date. Con-             for the purpose of cross-organization communication in
firmation also provides audit evidence regarding the                order to enhance the efficiency of the audit confirma-
operation of cutoff procedures.” If auditors cannot get             tion process. According to best of our knowledge, there
sufficient audit confirmations, it is required to perform           have not been reports on such integration in the litera-
alternative audit procedures (HKSA 505 paragraph 31).               ture, employing the concept of alerts and events using
Further, Warren [2] points out that sufficient audit con-           Web services as an implementation framework, espe-
firmations are important in the audit procedure. There-             cially on how exceptions are handled in this domain.
fore, it is critical for auditors to obtain sufficient audit
confirmations in order to improve the efficiency of the             3. System Architecture for Exception Han-
audit assignment.                                                      dling
    To better illustrate the target part of the audit pro-
                                                                                                                                          Clients’ Business
cess studied, we use a case of auditing a company in-                                                                                     Partners
corporated in Hong Kong trading watches. Once the                            Auditors on mobile

company receives the order from its creditor, the pur-                                            Internet

chasing department contacts its debtors for the required
parts. After getting the confirmation from the debtors,                   Client Accounts                                                                         Alert
                                                                             Information                                                                       Management
the company confirms the order. The company then                                System

                                                                                                       Web Services Interface
waits for the supplier to ship the parts to them assem-
bling partners for assemble processes. When the assem-                     Confirmation                                                        Process
                                                                           System                                                             Enactor
bling processes is done, the company arranges for the                                                                                                            ECA Rules,
                                                                                                                                                              Scheduling Rules,
shipment of the finished good from the subcontractor to                   Access Administration
                                                                                                                                                              Event Repository,
                                                                                                                                                              Event Subsciption
the clients. Therefore, in the business, the company                                                                             Timer

does not hold any inventory. Most of its creditors and                    Job and Assignment
debtors are from foreign countries, e.g., debtors and
subcontractors of the company are mostly from China
and Hong Kong, while creditors are mostly from Mid-                 Figure 2. Alert-driven Audit Management System Architecture
dle East region, America, and European countries. Fig-
ure 1 shows an overview of the audit confirmation pro-                  Based on the requirements, Figure 2 depicts the
cess, which is currently often carried out manually or              overall system architecture for our Alert-driven Audit
semi-automatically.                                                 Management System (ADAMS). The architecture sup-
                                                Client’s Debtors/   porting the process enactment and exception handling is
                                                                    characterized with event-condition-action (ECA) rules
                                                                    driven by events. The ECA rules, business entities,
                       Enquiry for the
                                                Request for
                                                                    event repository, and event subscriber events are stored
                                                                    in a database. The collaboration process enactor carries
                                                                    out enactment requirements, while the requirement en-
                         Confirm re-sent
  Auditor                of confirmation            System          forcer detects and handles exceptions. The event han-
                                                                    dler collects internal events from the collaboration pro-
                   Updated the
                   AR/AP                                            cess enactor and external events from the Web Service
                   report                          Updated
                                                   information      interface. Some events trigger alerts, which are handled
                   Report for
                   balance not
                   yet confirmed
                                     Balance                        by the Alert Management System (AMS). The status
  Report of                          input
  client seeking                                                    monitor allows relevant users to view the progress of

                                                                    audit assignments
 Admin. Staff                                  CPA Firm’s Clients
                         help                                           During the samples selection procedure, there may
                                                                    be some exceptional case happened. The system will
         Figure 1. Audit Confirmation Process Overview
                                                                    automatically select the business partners whose out-
    Our earlier work [3] employs Web services to inter-             standing balance larger than 5% when selecting sam-
face process enactment, exception detectors, and excep-             ples. The 5% of outstanding balance being chosen is
tion handlers within and across organizations by sup-               due to the industry normal practice. Therefore, the sys-
porting the appropriate cross-organizational communi-               tem should not pre-set the criteria of adjusting the per-

centage of being chosen as sample for the client. Each                                       Otherwise, the senior manager can keep the sample
adjustment of the criteria for samples selection should                                      selected by the system and let the system to send out the
be done by partner or senior manager of the audit firm.                                      confirmation requests.
In this section, we highlight how the AMS further helps                                          Extremely low confirmation response rate – This
the exception handling by alerting the relevant profes-                                      may be caused by the low accessibility or utilization of
sional upon some special circumstances.                                                      the Internet in some less developed regions of the
                                                                                             world. For example, if most of the client’s business
    Samples Selection
                                                                                             partners are from Africa or South America, they may
                        At least one
                                                                                             have difficulties in accessing Internet to reply the con-
                        sample selected
                                                                                             firmation. Therefore, in such case, the response rate for
                                                            One sample or more than
   No. of Sample
                                                            one sample selected              the audit confirmation may be very low. To avoid the
                                                                                             delay of the assignment, the system will automatically
                                    Normal Process
                                                           More than one
                                                                                             send the response report to the auditor day by day au-
             No sample selected                                            Only one sample
                                                                           selected          tomatically in order to let auditor have a better control.
   Rearrangement by
                                                                                             Also, the AMS can be adjusted to send the reminder
                                                           Error made in the balance
                                                                                             alert (including automated fax) to business partners 2
                                                           input process                     weeks before the deadline (instead of 1 week) so that
                                                                                             the business partners may have more time to reply to
                                  Ask client to re-input       Yes
                                  the balance                                                the confirmation. For this exceptional situation, the
                                                                           No                AMS will send an alert to auditor and let them have a
                                                           Send message to auditor and
                                                                                             better control and monitoring of the progress of audit
                                                           select samples manually
                                                                                             confirmation received.
                                                                                                 A high quality of integration to streamline the pro-
             Figure 3.Exception Handling Process                                             cess integration is required the timely participation of
                                                                                             both human (especially professional decision) and sys-
     No sample selected by the system - In some case,                                        tems. Here, the AMS plays an active role for the task
there may be no sample selected by the system because                                        notification and overall process monitoring. In particu-
all business partners have a very low balance which                                          lar, the auditors are better informed upon exceptions
cannot reach the conditional level of 5% of the total                                        happened, so that they can have a faster response to the
balance. In this situation, the AMS will send an alert                                       exceptional situation. Figure 3 summarizes the excep-
message to the senior manager. The senior manager will                                       tion handling procedure facilitated by AMS [4].
review the circumstances and see if it is necessary to
rearrange the preset condition (particularly the value                                       4. Web Services Based Integration
5% according to the guidelines). As each audit assign-
                                                                                                 The audit firm can provide Web services to inter-
ment have its own special nature, it is not suitable to
                                                                                             face different process enactment systems, enforcement
preset the system to automatically change the condition
                                                                                             system, and exception handling by supporting the re-
without the approval of the senior manager of the audi-
                                                                                             quired communication and interfacing. Web services
                                                                                             offer a unified platform for both manual and program-
     Only one sample selected - In some case, there
                                                                                             matic interfaces. If a client and its business partners are
may be only one sample selected by the system. This
                                                                                             higher technologically enabled, Web services further
may caused by a significant balance from one business
                                                                                             automate the data and process integration of the
partners or when the client makes a wrong data entry.
                                                                                             ADAMS with their existing accounting systems. At the
For example, if one debtor/creditor occupies 95% of the
                                                                                             same time, other users can also access the ADAMS
total balance, it will become the only sample selected.
                                                                                             with the client Web pages provided by the audit firm on
In this situation, the AMS will send an alert to the sen-
                                                                                             top of these Web services.
ior manager to review the situation and see if it is nec-
                                                                                                 Once the auditor receives the engagement from the
essary to select more samples (manually).
                                                                                             client, the accounts for the client and its business part-
     Only a few samples selected - In this case, it may
                                                                                             ners are activated by the system manager. The system
not necessary for the system to send out more confirma-
                                                                                             can offer the key services to client and its business
tions. However, the senior manager must make the final
                                                                                             partners to automatically send or adjust the balance
professional decision. Therefore, the AMS will send out
                                                                                             entered or to change the contact information. In order to
an alert to the senior manager and ask. If the senior
                                                                                             provide security and to increase the trust between the
manager thinks that it is necessary to reset the condi-
                                                                                             involved parties, the system will generate a password
tion, he can change the preset system requirements.

for each client and its business partners to call back the   man and programmatic processes does not exclude the
relevant Web services (electronic certificates are used      support of business partners who have poor Internet
later when they are adopted widely). Also, for each          access or automation and revert to manual or semi-
amendment made by the client or its business partners,       automatic processes. We expect all these advantages
a reference will be generated and logged.                    can offset the development and maintenance costs of
    The Web services for the client include three key in-    for the automation, which may be high for the small and
terfaces designed for the function of entering balance,      medium size (SME) audit firms [6].
adjusting balance, and adjusting contact information.            To further develop the research and prototype, secu-
The system will assign a secret reference number for         rity and reliability problems are critical. For example,
each amendment of information of the system. The user        the system has to ensure the outstanding balance is in-
must input the reference number in order to amend the        put by the client’s accountant. It is difficult for the sys-
information input last time. Therefore, the reference        tem to confirm whether the work is done by an author-
number can be used as a security code in order to fur-       ized person or the data is supplied by a reliable system
ther control the amendment of information. The key           in another organization. We are exploring the use of
Web services for the client’s debtors/creditors include      Role Based Access Control (RBAC) and ontology to
two interfaces for the function of balance confirmation      approach this problem.
and balance adjustment.                                          Besides sending audit confirmation to client’s busi-
                                                             ness partners, it is also necessary for the auditor to au-
5. Discussions and Conclusion                                tomate the request for bank confirmation about the bank
    In this paper, motivated by the inadequate process       account balances through Web services. However,
and data integration for the audit profession, we have       proper authorization from the client is required and
proposed a solution based on alerts and Web services.        trust issues arise. Privacy issues then also arise too. We
We have illustrated our approach with the audit confir-      are looking into the adoption issues and plan to evaluate
mation process, which requires the most of manual            our approach from feedback questionnaires of the vari-
work and professional decisions. We have also advo-          ous stakeholders. We are also interested in the applica-
cated the adaptation of a methodology for eliciting          tion of our methodology in other professional domains,
knowledge of the requirements into business rules in         such as insurance and legal applications.
ECA format, to facilitate the implementation with an
AMS and Web services in an e-service environment.            References
    By using this solution, auditors can have a better       [1] Ferdinand A. Gul. Hong Kong Auditing: Economic The-
control and monitoring of the overall process. In partic-        ory and Practice, 2005.
ular, the AMS sends alert messages to the auditor upon       [2] Carl S Warren. Confirmation Informativeness. Journal of
exceptions. By getting known the exceptional situation           Accounting Research, 1974
in a real time, it can help to improve the responsiveness    [3] Dickson K. W. Chiu, S.C. Cheung, Sven Till. An Archi-
of professional work of the auditor. In addition, the            tecture for E-Contract Enforcement in an E-service En-
AMS helps remind the confirmation response of the                vironment. In Proc. HICSS36, CDROM, 10 pages, IEEE
client’s business partners. This saves the tedious work          Computer Press, 2003
                                                             [4] Dickson K. W. Chiu, Benny W. C. Kwok, Ray L. S.
of the auditor and help increase the response rate.
                                                                 Wong, S.C. Cheung, Eleanna Kafeza. Alert-driven E-
    We have also employed contemporary Web services              service Management. In Proc. HICSS37, CDROM, 10
technology to provide further chance of automation via           pages, IEEE Computer Press, 2004 (Best Paper Award).
programmatic process and data integration, in particular     [5] T McCollum. Continuous Auditing on the Rise. The
with the accounting systems of the clients and their             Internal Auditor. 63(4): 15-17, Aug 2006.
business partners. A key advantage is such automation        [6] Ruth M Kaye, Jim Molzahn, Elizabeth J Folsom. The
and integration reduces human error in data entry and            Value of Automation. The Internal Auditor 63(3): 85-88,
paper work. In addition, faster response of the audit            Jun 2006.
confirmation process, which is the main bottleneck,          [7] Stuart Manson, Sean McCartney, Michael Sherer. Audit
                                                                 automation as control within audit firms. Accounting,
improves the overall efficiency of the auditing assign-
                                                                 Auditing & Accountability Journal 14(1):109, 2001.
ment. This further enables the auditor to have a better      [8] Hong Kong Institution of Certified Public Accountant.
planning to the audit assignments on hand and job allo-          Hong Kong Standard on Auditing. November 2004.
cation, thereby reducing human costs. Further, electron-         Available:
ic messages, instead of postal exchanges, save not only
time but also the postage costs. On the other hand, the
unified platform of Web services supporting both hu-


To top