Semantic Specification and Automated Enforcement of Internal Controls within Accounting Systems
Dr. Graham Gal, University of Massachusetts at Amherst
Dr. Guido Geerts, University of Delaware
Dr. William McCarthy, Michigan State University
Value Modeling and Business Ontologies Workshop, February 9th & 10th, 2009

Dec 19, 2015

Page 1: Title

Semantic Specification and Automated Enforcement of Internal Controls within Accounting Systems
Dr. Graham Gal, University of Massachusetts at Amherst; Dr. Guido Geerts, University of Delaware; Dr. William McCarthy, Michigan State University
Value Modeling and Business Ontologies Workshop, February 9th & 10th, 2009

Page 2: Presentation Outline

• Internal Controls
  – Nature
  – Monitoring and Evaluation
• Internal Controls and Management
  – Responsibilities
• Business States and Transitions
• Integrate Definitions into the REA Ontology
• Implications for Monitoring

Page 3: Internal Controls

• Nature of internal controls
  – Process to provide reasonable assurance concerning the achievement of objectives
    • Effective and Efficient Operations
    • Reliability of Financial Reporting
    • Compliance with applicable laws
  – “Being in Control”
  – Types
    • Application Level
    • Control Environment

Page 4: Internal Controls

• Evaluation of internal controls
  – Sarbanes-Oxley Act of 2002
    • Sec. 103 (a) (2) (iii): testing of internal control structure and procedures
      – (II) (aa): reasonable detail and fairly reflect the transactions …
      – (II) (bb): reasonable assurance that transactions are recorded as necessary (reporting)
    • Sec. 302 (a) (3): report(s) … fairly present … results of operations [transactions]
      – (5) (A): … deficiencies … prevent the ability to record, process
    • Sec. 404: Management Assessment of Internal Controls
      – (a) (2): … effectiveness of internal control structure and procedures
      – (b): report on the assessment made by management

Page 5: Internal Controls

• Monitoring
  – Ongoing versus Separate Evaluations (COSO Framework)
    • Building in versus Adding on
    • Closer to the operation of the control
  – Direct versus Indirect
    • Application versus General
    • Entity Level Controls
    • Control Environment
      – Incentives
      – Commitment to Competence
      – Organizational Structure
      – Assignment of Authority and Responsibility
      – Human Resources Policies and Practices

Page 6: The Enterprise and Its Objectives

[Figure: the ENTERPRISE and its three categories of objectives – Operational Objectives, Reporting Objectives (F/S, Tax, …), Compliance Objectives]

Page 7: Management and Control

• Establish objectives for the firm in relation to stakeholders’ requirements
• Define or quantify these objectives
  o Be a major supplier of … ⇒ achieve 40% market share
  o Cut production costs ⇒ at X level of production, costs will be Y
  o Provide customer service ⇒ delivery within 3 days of order
• Formulate policies to establish a path to achieve these objectives
  o Transition from the current state to a future state in which the firm’s characteristics are closer to the objectives than in the current state
  o Monitor these transitions and make an assessment that policies are being adhered to

14th World Continuous Monitoring and Reporting Symposium – Rutgers University

Page 8: Business States and Transitions

These states can be of types:
1) Completely not allowed
2) Completely allowed
3) Unsure

Activities that create the new state

Page 9: Activities

• Activities to further specific applications
  – Send an invoice
  – Receive a payment
  – Look for possible vendors
  – Obtain/Send a quote
  – Receive/Send merchandise
• Activities that set the tone for the applications
  – Establish formal job descriptions
  – Establish formal skills and knowledge levels
  – Delineate formal lines of responsibility

November 2nd and 3rd 2007, 14th World Continuous Monitoring and Reporting Symposium – Rutgers University

Page 10: Activities

• Activities are organized around various business processes (transaction cycles) or subsystems
  – Acquisition, Revenue, Hiring, etc.
• Each business process consists of:
  – Groups of activities that correspond to steps that need completion and may have temporal dependencies
  – Role(s) allowed to perform the activity
  – Business object whose state the activity alters
• Management general or specific authorization for the execution of activities consistent with attainment of objectives

Page 11: General Business Process Phases

• Planning – Activities to decide what action to take for acquiring or selling a good, service, and/or right.
• Identification – Activities to exchange data among potential parties in order to establish a one-to-one linkage.
• Negotiation – Activities to achieve an explicit, mutually understood, and agreed upon goal of a business collaboration and its associated terms and conditions.
• Actualization – Activities necessary for the execution of the results of the negotiation for an actual business transaction.
• Post-Actualization – Activities associated with exchanges of information that occur between the parties after the agreed upon good, service, and/or right is deemed to have been delivered.

Page 12: Role Based Access Control

• Management establishes areas of responsibility within the firm to perform activities
  – Sales Department, Purchasing, Manufacturing, Human Resources
• Hierarchical structure of responsibility and authority
  – Vice President, Sales VP, Manager, …
  – Authority to Delegate
  – Authority to Perform
• Segregation of incompatible functions

Page 13: General Roles and Activity

[Figure: class diagram – Roles (Vice President, Manager, Clerk) associated 0..* to 0..* with ActivityTypes (Negotiation, Actualization)]

Page 14: General Roles and Activity II

[Figure: class diagram – Roles as EmployeeTypes (Vice President, Manager, Clerk) linked to ActivityTypes (Negotiation, Actualization) through two relationships, Delegate and Perform]

Page 15: Business Objects

• Management authorization or permission for a specific role (or hierarchy) to perform activities on a business object
  – A sales manager can negotiate sales prices and delivery terms for inventory sales
  – A sales manager can delegate to a sales clerk authority to actualize transfer of inventory
  – A sales clerk can actualize the transfer of inventory per negotiated terms
  – A purchasing manager can negotiate purchase prices and delivery terms for raw material purchases
  – A warehouse clerk can actualize receipt of raw materials inventory

Page 16: Objects, Roles, and Activities

[Figure: Management Policy – diagram relating business objects, roles, and activities]

Page 17: Objects, Roles, Employee Types, and Activity Types

[Figure: Management Policy – diagram relating business objects, roles, employee types, and activity types]

Page 18: Examples

The Vice President of Sales can delegate the task of negotiating sales prices and delivery terms
• P.Delegate.Negotiation.Sales(BOT.Resource.Inventory, RT.Delegate, ET.VPSales, AT.Negotiate.Sales)

A Sales Manager can perform the negotiation of sales prices and delivery terms for inventory sales
• P.Perform.Negotiation.Sales(BOT.Resource.Inventory, RT.Perform, ET.SalesManager, AT.Negotiate.Sales)

A Sales Clerk can perform the actualization of the transfer of inventory per negotiated terms
• P.Perform.Actualize.Sales(BOT.Event.Sale, RT.Perform, ET.Clerk.SalesClerk, AT.Actualize.Sales)

Page 19: Examples

The Vice President of Sales delegates the authority to negotiate sales to the Sales Manager
• Delegate(e1 ∈ EmployeeType, e2 ∈ EmployeeType, a ∈ ActivityType)
• Delegate(ET.VicePresidentSales, ET.SalesManager, AT.Negotiate.Sales)

A Sales Manager delegates the authority to actualize a sale to a Sales Clerk
• Delegate(ET.SalesManager, ET.SalesClerk, AT.Actualize.Sales)

Page 20: Important Notes

• Adding activities to the process has only local effects (Plan, Control, and Evaluate)
  – AddActivity(AA.Actualize.Sales, ReCalculatePrice)
• Because Roles are connected to Activities, an employee assigned to a role inherits the permissions to perform the activity
  – Segregation of duties is integrated into the permissions as opposed to ad hoc specifications
• Declarative specification of controls as constraints is side-effect free
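The permission tuples of slides 15 to 20 and the Delegate(e1, e2, a) operation, with segregation of duties declared once inside the permission set rather than ad hoc, worked as an added Python example. This is not the authors' code: PermissionStore, grant, delegate, assign and can_perform are assumed names, and the rule that a delegation is valid only when the delegator holds an RT.Delegate permission for the activity is this example's reading of slides 14 and 18.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Permission:
    """P.<RoleType>.<Activity>(BOT, RT, ET, AT) from slide 18 as a tuple."""
    bot: str         # business object type, e.g. "BOT.Resource.Inventory"
    role_type: str   # "RT.Delegate" (may hand the activity on) or "RT.Perform"
    emp_type: str    # employee type, e.g. "ET.SalesManager"
    act_type: str    # activity type, e.g. "AT.Negotiate.Sales"

class PermissionStore:
    def __init__(self, incompatible):
        self.perms = set()
        # SoD declared once: activity-type pairs no employee type may both RT.Perform
        self.incompatible = {frozenset(pair) for pair in incompatible}
        self.assignments = {}   # employee -> employee type

    def grant(self, perm):
        if perm.role_type == "RT.Perform":
            held = {p.act_type for p in self.perms
                    if p.emp_type == perm.emp_type and p.role_type == "RT.Perform"}
            clash = [a for a in held if frozenset((a, perm.act_type)) in self.incompatible]
            if clash:
                raise ValueError(f"SoD: {perm.emp_type} already performs {clash[0]}")
        self.perms.add(perm)
    def delegate(self, e1, e2, act_type):
        """Delegate(e1, e2, a) is valid only if e1 holds RT.Delegate for a; e2
        then receives RT.Perform on the same business object types."""
        bots = [p.bot for p in self.perms
                if (p.emp_type, p.act_type, p.role_type) == (e1, act_type, "RT.Delegate")]
        for bot in bots:
            self.grant(Permission(bot, "RT.Perform", e2, act_type))
        return bool(bots)
    def assign(self, employee, emp_type):
        self.assignments[employee] = emp_type   # role membership, not a per-person grant
    def can_perform(self, employee, act_type, bot):
        """An employee inherits exactly the Perform permissions of their type."""
        et = self.assignments.get(employee)
        return Permission(bot, "RT.Perform", et, act_type) in self.perms

def demo():
    s = PermissionStore(incompatible=[("AT.Negotiate.Sales", "AT.Actualize.Sales")])
    inv = "BOT.Resource.Inventory"
    s.grant(Permission(inv, "RT.Delegate", "ET.VicePresidentSales", "AT.Negotiate.Sales"))
    s.grant(Permission(inv, "RT.Delegate", "ET.SalesManager", "AT.Actualize.Sales"))
    d1 = s.delegate("ET.VicePresidentSales", "ET.SalesManager", "AT.Negotiate.Sales")
    d2 = s.delegate("ET.SalesManager", "ET.SalesClerk", "AT.Actualize.Sales")
    d3 = s.delegate("ET.SalesClerk", "ET.Temp", "AT.Actualize.Sales")  # clerk holds Perform only
    s.assign("alice", "ET.SalesManager")
    try:   # SoD: ET.SalesClerk already performs Actualize.Sales, so it may not negotiate sales
        s.grant(Permission(inv, "RT.Perform", "ET.SalesClerk", "AT.Negotiate.Sales"))
        sod_blocked = False
    except ValueError:
        sod_blocked = True
    return d1, d2, d3, s.can_perform("alice", "AT.Negotiate.Sales", inv), sod_blocked
```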

Page 21: Connection of Permissions

• Activity connections
  – Temporal – the order of permissions is restricted
    • Negotiation of a purchase (state) must occur before Actualization of a purchase (state)
  – Inclusive – once an activity has occurred, another activity must occur
    • Get a hotdog from a street vendor ⇒ pay for the hotdog
  – Exclusive – once an activity has occurred, another activity cannot occur
    • Failed Negotiation ⇒ Actualization cannot occur
  – No restrictions

Page 22: Permissions on Permissions

Page 23: Permissions on Permissions

Page 24: OCL Representations

• Temporal Order of Permissions
  Acquisition::P.Actualize.Purchase(BOT.Event.Purchase, R.Clerk.PurchaseClerk, AT.Actualize.Purchase)
  Acquisition::P.P.Actualize.Purchase(BOT.Event.Purchase, R.Perform, ET.Clerk.PurchaseClerk, AT.Actualize.Purchase)
  PRE: Negotiate.Purchase.state = ‘Complete’
• Inclusive Permissions – Delivery
  if (state.revenue.negotiation) then actualization.date – negotiation.date < 7
• Exclusive Permissions – Segregation of Duties
  Transfer::P.Actualize.Transfer(BOT.event.assign, RT.Manager.HumanResources, AT.Actualize.Transfer)
  POST: Remove(employee.E.jobtype) and Assign(employee.E.jobtype) = new job type
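The activity connections of slide 21 and the OCL-style constraints on this slide (the temporal PRE, the 7-day inclusive window, segregation of duties as the exclusive case) as one added Python example, which also applies the preventive versus detective handling of slide 27. This is not the authors' code: Purchase, Monitor, PRECONDITIONS and the sample purchase orders are constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Purchase:
    pid: str
    negotiation_state: str = "Open"        # 'Complete' or 'Failed' once negotiated
    negotiated_by: Optional[str] = None
    negotiation_date: Optional[date] = None
    actualized_by: Optional[str] = None
    actualization_date: Optional[date] = None

# PRE-conditions on Actualize.Purchase as (constraint name, predicate) pairs.
PRECONDITIONS = [
    # Temporal: Negotiate.Purchase.state = 'Complete' (a Failed negotiation fails this too)
    ("temporal", lambda p, emp: p.negotiation_state == "Complete"),
    # Exclusive, segregation of duties: whoever negotiated may not also actualize
    ("exclusive", lambda p, emp: emp != p.negotiated_by),
]
DELIVERY_WINDOW = timedelta(days=7)   # Inclusive: actualization.date - negotiation.date < 7

class Monitor:
    """Preventive mode refuses a state the constraints forbid; detective mode
    allows it but records the exception as evidence about the controls."""
    def __init__(self, mode="preventive"):
        self.mode = mode
        self.exceptions = []   # (constraint, purchase id, employee)
    def actualize(self, p, emp, today):
        violated = [name for name, pred in PRECONDITIONS if not pred(p, emp)]
        self.exceptions += [(v, p.pid, emp) for v in violated]
        if violated and self.mode == "preventive":
            return False
        p.actualized_by, p.actualization_date = emp, today
        return True

    def scan_inclusive(self, purchases, today):
        """Detective check of the inclusive connection: a completed negotiation
        still not actualized after the delivery window is an exception."""
        for p in purchases:
            if (p.negotiation_state == "Complete" and p.actualization_date is None
                    and today - p.negotiation_date >= DELIVERY_WINDOW):
                self.exceptions.append(("inclusive", p.pid, p.negotiated_by))
        return len(self.exceptions)

def demo(mode="preventive"):
    m = Monitor(mode)
    # constructed sample objects: PO-1 negotiated successfully, PO-2 failed, PO-3 stalled
    p1 = Purchase("PO-1", "Complete", "mgr", date(2009, 2, 2))
    p2 = Purchase("PO-2", "Failed", "mgr", date(2009, 2, 2))
    p3 = Purchase("PO-3", "Complete", "mgr", date(2009, 2, 2))
    a = m.actualize(p1, "mgr", date(2009, 2, 3))     # negotiator actualizes: exclusive violation
    b = m.actualize(p1, "clerk", date(2009, 2, 3))   # allowed
    c = m.actualize(p2, "clerk", date(2009, 2, 3))   # failed negotiation: temporal violation
    n = m.scan_inclusive([p1, p2, p3], date(2009, 2, 10))  # PO-3 overdue
    return a, b, c, n, [e[0] for e in m.exceptions]
```

In detective mode the same three violations are recorded but every transition is allowed, which is the evidence stream slide 27 describes.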

Page 25: REA Ontology

[Figure: REA ontology diagram – Economic Resource, Economic Event, Economic Agent and Economic Commitment, related by stockflow, participate (provide/receive), duality, reciprocal and fulfills; the type level (Resource Type, Event Type, Agent Type) is linked by typifies and specifies, with policy relationships among the types]

Page 26: The Extension to the Ontology

• Include constraints on future states
• The states represent adherence to management policy
  – State transitions toward objectives
• General business process model
• Perceptions of Monitoring
  • Rod Brennan – Siemens

Page 27: Continuous Monitoring

• Exceptions to constraints represent violations of management policy and therefore evidence about the state of controls
• The declarative aspect of constraints allows different approaches to different violations
  – Preventive – do not allow the state
  – Detective – note the existence of the state
• Evaluation of the quality of controls depends on the amount of evidence

Page 28: Constraint Violations and Continuous Monitoring

[Figure: timeline of Activity t1, t2, t3 … tn with Exceptions To Activity Policy Templates (IA1 … IA6) feeding monitoring structures labelled ERi/IESF, ERd/DESF, IA, D and EA]

Page 29: Evaluation of Internal Controls

[Figure: the ENTERPRISE compared against the IDEAL ENTERPRISE]

Page 30: Future Research

• Specify the REA ontology in First Order Logic
• Specify a more complete set of internal controls in FOL
• Connect business processes
• Integrate continuous monitoring structures
• Integrate continuous reporting requirements

Page 31: Questions?

QUESTIONS?