Semantic Specification and Automated Enforcement of Internal Controls within Accounting Systems
Dr. Graham Gal, University of Massachusetts at Amherst
Dr. Guido Geerts, University of Delaware
Dr. William McCarthy, Michigan State University
Value Modeling and Business Ontologies Workshop, February 9th & 10th, 2009
Presentation Outline
• Internal Controls
  – Nature
  – Monitoring and Evaluation
• Internal Controls and Management
  – Responsibilities
• Business States and Transitions
• Integrate Definitions into the REA Ontology
• Implications for monitoring
Internal Controls
• Nature of internal controls
  – Process to provide reasonable assurance concerning the achievement of objectives
    • Effective and Efficient Operations
    • Reliability of Financial Reporting
    • Compliance with applicable laws
  – "Being in Control"
  – Types
    • Application Level
    • Control Environment
Internal Controls
• Evaluation of internal controls
  – Sarbanes-Oxley Act of 2002
    • Sec. 103 (a) (2) (iii): testing of internal control structure and procedures
      – (II) (aa) reasonable detail and fairly reflect the transactions …
      – (II) (bb) reasonable assurance that transactions are recorded as necessary (reporting)
    • Sec. 302 (a) (3): report(s) … fairly present … results of operations [transactions]
      – (5) (A) … deficiencies … prevent the ability to record, process
    • Sec. 404 Management Assessment of Internal Controls
      – (a) (2) … effectiveness of internal control structure and procedures
      – (b) report on the assessment made by management
Internal Controls
• Monitoring
  – Ongoing versus Separate Evaluations (COSO Framework)
    • Building in versus Adding on
    • Closer to the operation of the control
  – Direct versus Indirect
    • Application versus General
    • Entity Level Controls
    • Control Environment
      – Incentives
      – Commitment to Competence
      – Organizational Structure
      – Assignment of Authority and Responsibility
      – Human Resources Policies and Practices
[Figure: ENTERPRISE with three groups of objectives: Operational Objectives, Reporting Objectives (F/S, Tax, …), Compliance Objectives]
Management and Control
• Establish objectives for the firm in relation to stakeholders' requirements
• Define or quantify these objectives
  o Be a major supplier of … ⇒ achieve 40% market share
  o Cut production costs ⇒ at X level of production, costs will be Y
  o Provide customer service ⇒ delivery within 3 days of order
• Formulate policies to establish a path to achieve these objectives
  o Transition from the current state to a future state in which firm characteristics are closer to the objectives than in the current state
  o Monitor these transitions and assess whether policies are being adhered to
14th World Continuous Monitoring and Reporting Symposium – Rutgers University
[Figure: business states and the activities that create the new state]
These states can be of types:
1) Completely not allowed
2) Completely allowed
3) Unsure
Activities
• Activities to further specific applications
  – Send an invoice
  – Receive a payment
  – Look for possible vendors
  – Obtain/Send a quote
  – Receive/Send merchandise
• Activities that set the tone for the applications
  – Establish formal job descriptions
  – Establish formal skills and knowledge levels
  – Delineate formal lines of responsibility
November 2nd and 3rd, 2007: 14th World Continuous Monitoring and Reporting Symposium – Rutgers University
Activities
• Activities are organized around business processes (transaction cycles) or subsystems
  – Acquisition, Revenue, Hiring, etc.
• Each business process consists of:
  – Groups of activities that correspond to steps that need completion and may have temporal dependencies
  – Role(s) allowed to perform the activity
  – Business object whose state the activity alters
• Management gives general or specific authorization for the execution of activities consistent with the attainment of objectives
General Business Process Phases
• Planning – Activities to decide what action to take for acquiring or selling a good, service, and/or right.
• Identification – Activities to exchange data among potential parties in order to establish a one-to-one linkage.
• Negotiation – Activities to achieve an explicit, mutually understood, and agreed upon goal of a business collaboration and associated terms and conditions.
• Actualization – Activities necessary for the execution of the results of the negotiation for an actual business transaction.
• Post-Actualization – Activities associated with exchanges of information that occur between the parties after the agreed upon good, service, and/or right is deemed to have been delivered.
Role Based Access Control
• Management establishes areas of responsibility within the firm to perform activities
  – Sales Department, Purchasing, Manufacturing, Human Resources
• Hierarchical structure of responsibility and authority
  – Vice President, Sales VP, Manager, …
  – Authority to Delegate
  – Authority to Perform
• Segregation of incompatible functions
General Roles and Activity
General Roles and Activity II
[Figure: Roles (Vice President, Manager, Clerk) associated 0..* to 0..* with Activity Types (Negotiation, Actualization)]
[Figure: Roles (Vice President, Manager, Clerk), Employee Types and Activity Types (Negotiation, Actualization) connected by Delegate and Perform associations]
Business Objects
• Management authorization or permission for a specific role (or hierarchy) to perform activities on a business object
  – A sales manager can negotiate sales prices and delivery terms for inventory sales
  – A sales manager can delegate to a sales clerk authority to actualize transfer of inventory
  – A sales clerk can actualize the transfer of inventory per negotiated terms
  – A purchasing manager can negotiate purchase prices and delivery terms for raw material purchases
  – A warehouse clerk can actualize receipt of raw materials inventory
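The permission model the Role Based Access Control and Business Objects slides describe, as an added Python example (not the authors' code): management grants a role Perform or Delegate authority over an activity type on a business-object type, employees inherit permissions through their role assignment, a role may hand Perform authority to another role only if it holds Delegate authority, and segregation of incompatible functions is evaluated inside the same permission decision instead of as a separate ad hoc test. The class and function names, the employees, the R./AT./BOT. identifiers beyond those on the slides, and the rule that one person may not both negotiate and actualize the same sale are assumptions of this example.

```python
"""Role-based authorization with delegation and segregation of duties.

Added example, not code from the slides. Policy, Permission, can_perform,
the sample roles/employees and the SoD rule are assumptions of this example.
"""
from dataclasses import dataclass, field

# Constructed vocabulary, following the deck's R./AT./BOT. prefixes.
ROLES = {"R.VP.Sales", "R.Manager.Sales", "R.Clerk.Sales",
         "R.Manager.Purchasing", "R.Clerk.Warehouse"}


@dataclass(frozen=True)
class Permission:
    role: str
    activity_type: str    # e.g. "AT.Negotiate"
    business_object: str  # e.g. "BOT.Event.Sale"
    kind: str             # "Perform" or "Delegate"


@dataclass
class Policy:
    permissions: set = field(default_factory=set)
    assignments: dict = field(default_factory=dict)  # employee -> role
    sod_rules: set = field(default_factory=set)      # frozensets of incompatible activity types
    history: list = field(default_factory=list)      # (employee, activity_type, object_id)

    def grant(self, role, activity_type, business_object, kind="Perform"):
        """Management authorization for a role (general authorization)."""
        if role not in ROLES:
            raise ValueError(f"unknown role {role}")
        self.permissions.add(Permission(role, activity_type, business_object, kind))

    def delegate(self, from_role, to_role, activity_type, business_object):
        """Perform authority can be passed on only by a role holding Delegate authority."""
        if Permission(from_role, activity_type, business_object, "Delegate") not in self.permissions:
            raise PermissionError(f"{from_role} may not delegate {activity_type} on {business_object}")
        self.grant(to_role, activity_type, business_object, "Perform")

    def assign(self, employee, role):
        """Assigning a role is what gives an employee its permissions."""
        if role not in ROLES:
            raise ValueError(f"unknown role {role}")
        self.assignments[employee] = role

    def can_perform(self, employee, activity_type, business_object, object_id):
        """Decision plus reason; segregation of duties is part of the same check."""
        role = self.assignments.get(employee)
        if role is None:
            return False, f"{employee} has no role"
        if Permission(role, activity_type, business_object, "Perform") not in self.permissions:
            return False, f"{role} lacks Perform {activity_type} on {business_object}"
        for who, done, oid in self.history:
            if who == employee and oid == object_id and frozenset({done, activity_type}) in self.sod_rules:
                return False, f"segregation of duties: {employee} already did {done} on {object_id}"
        return True, "ok"

    def perform(self, employee, activity_type, business_object, object_id):
        """Execute the activity on one business-object instance, or refuse it."""
        ok, reason = self.can_perform(employee, activity_type, business_object, object_id)
        if not ok:
            raise PermissionError(reason)
        self.history.append((employee, activity_type, object_id))
        return reason


def sample_policy():
    """The deck's sales/purchasing scenario as constructed sample data."""
    p = Policy()
    p.grant("R.Manager.Sales", "AT.Negotiate", "BOT.Event.Sale")
    p.grant("R.Manager.Sales", "AT.Actualize", "BOT.Event.Sale", kind="Delegate")
    p.delegate("R.Manager.Sales", "R.Clerk.Sales", "AT.Actualize", "BOT.Event.Sale")
    p.grant("R.Manager.Purchasing", "AT.Negotiate", "BOT.Event.Purchase")
    p.grant("R.Clerk.Warehouse", "AT.Actualize", "BOT.Event.Purchase")
    # Assumed: the VP holds both Perform permissions, so only the SoD rule keeps
    # one person from negotiating and actualizing the same sale.
    p.grant("R.VP.Sales", "AT.Negotiate", "BOT.Event.Sale")
    p.grant("R.VP.Sales", "AT.Actualize", "BOT.Event.Sale")
    p.sod_rules.add(frozenset({"AT.Negotiate", "AT.Actualize"}))
    for emp, role in [("alice", "R.Manager.Sales"), ("bob", "R.Clerk.Sales"), ("vera", "R.VP.Sales")]:
        p.assign(emp, role)
    return p


def demo():
    """Decisions for the constructed scenario, keyed by what is attempted."""
    p = sample_policy()
    r = {}
    r["clerk_actualizes"] = p.can_perform("bob", "AT.Actualize", "BOT.Event.Sale", "S-1")[0]
    r["clerk_negotiates"] = p.can_perform("bob", "AT.Negotiate", "BOT.Event.Sale", "S-1")[0]
    p.perform("vera", "AT.Negotiate", "BOT.Event.Sale", "S-2")
    r["vp_actualizes_own_sale"] = p.can_perform("vera", "AT.Actualize", "BOT.Event.Sale", "S-2")[0]
    r["vp_actualizes_other_sale"] = p.can_perform("vera", "AT.Actualize", "BOT.Event.Sale", "S-3")[0]
    try:  # a clerk holds Perform but not Delegate authority
        p.delegate("R.Clerk.Sales", "R.Clerk.Warehouse", "AT.Actualize", "BOT.Event.Sale")
        r["clerk_delegates"] = True
    except PermissionError:
        r["clerk_delegates"] = False
    return r
```

The SoD check is keyed on the business-object instance (S-2), so the same employee may still actualize a different sale; widening it to the object type would be a policy choice, not a bug fix.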
Objects, Roles, and Activities
Management Policy
Objects, Roles, Employee Types, and Activity Types
Management Policy: The Vice President of Sales can delegate the task of negotiating sales prices and delivery terms
Important Notes
• Adding activities to the process has only local effects (Plan, Control, and Evaluate)
  – AddActivity(AA.Actualize.Sales, ReCalculatePrice)
• Because roles are connected to activities, an employee assigned to a role inherits the permissions to perform those activities
  – Segregation of duties is integrated into the permissions rather than specified ad hoc
• Declarative specification of controls as constraints is side-effect free
Connection of Permissions
• Activity connections
  – Temporal – the order of permissions is restricted
    • Negotiation of a purchase (state) must occur before Actualization of a purchase (state)
  – Inclusive – once an activity has occurred, another activity must occur
    • Get a hotdog from a street vendor ⇒ pay for the hotdog
  – Exclusive – once an activity has occurred, another activity cannot occur
    • Failed Negotiation ⇒ Actualization cannot occur
  – No restrictions
Permissions on Permissions
OCL Representations
• Temporal Order of Permissions
  Acquisition::P.Actualize.Purchase(BOT.Event.Purchase, R.Clerk.PurchaseClerk, AT.Actualize.Purchase)
  Post: Remove(employee.E.jobtype) and Assign(employee.E.jobtype) = new job type
REA Ontology
[Figure: REA ontology diagram. Economic Event is linked to Economic Resource by stockflow and to Economic Agent by participate (provide / receive); Economic Events are paired by duality; Economic Commitment fulfills Economic Event, and commitments are paired by reciprocal; Resource Type, Event Type and Agent Type typify their instances and are connected by specifies and policy relationships.]
The Extension to the Ontology
• Include constraints on future states
• The states represent adherence to management policy
  – State transitions toward objectives
• General business process model
• Perceptions of Monitoring
  – Rod Brennan - Siemens
Continuous Monitoring
• Exceptions to constraints represent violations of management policy and therefore evidence about the state of controls
• The declarative aspect of constraints allows different approaches to different violations
  – Preventive – do not allow the state
  – Detective – note the existence of the state
• Evaluation of the quality of controls depends on the amount of evidence
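The three kinds of permission connection from the Connection of Permissions slide (temporal, inclusive, exclusive), evaluated over the general business process phases and handled in the preventive and detective ways this slide distinguishes, as an added Python example. It is not the authors' OCL or code: the Activity, Constraint and Monitor names, the extra activity types NegotiationFailed and Pay, the role labels and the sample log are constructed assumptions. The same declarative constraint is either refused (preventive) or written and recorded as an exception (detective); in both modes the exceptions are the evidence about the state of the controls.

```python
"""Activity-order constraints evaluated over an activity log.

Added example, not code from the slides: the deck's temporal, inclusive and
exclusive connections between activities as declarative constraints over the
general business-process phases, checked preventively or detectively.
Activity, Constraint, Monitor, NegotiationFailed, Pay and the log are assumed.
"""
from dataclasses import dataclass

PHASES = ["Plan", "Identify", "Negotiate", "Actualize", "PostActualize"]


@dataclass(frozen=True)
class Activity:
    t: int            # position in time
    object_id: str    # business-object instance the activity alters, e.g. "P-1"
    activity: str     # phase name or another activity type, e.g. "Pay"
    role: str         # role that performed it


@dataclass(frozen=True)
class Constraint:
    kind: str         # "temporal": second needs first earlier on the same object
    first: str        # "inclusive": once first occurs, second must eventually occur
    second: str       # "exclusive": once first occurs, second may not occur


def phase_constraints():
    """Temporal constraints: each phase requires its predecessor on the same object."""
    return [Constraint("temporal", a, b) for a, b in zip(PHASES, PHASES[1:])]


def transition_violations(history, new, constraints):
    """Violations that appending `new` to `history` would create (same object only)."""
    done = {a.activity for a in history if a.object_id == new.object_id}
    found = []
    for c in constraints:
        if c.kind == "temporal" and new.activity == c.second and c.first not in done:
            found.append(f"{new.object_id}: {c.second} before {c.first} (temporal)")
        elif c.kind == "exclusive" and new.activity == c.second and c.first in done:
            found.append(f"{new.object_id}: {c.second} after {c.first} (exclusive)")
    return found


def open_inclusive(history, constraints):
    """Inclusive obligations still unmet at the end of the log."""
    found = []
    for oid in sorted({a.object_id for a in history}):
        done = {a.activity for a in history if a.object_id == oid}
        for c in constraints:
            if c.kind == "inclusive" and c.first in done and c.second not in done:
                found.append(f"{oid}: {c.first} without {c.second} (inclusive)")
    return found


class Monitor:
    """Preventive mode refuses a disallowed state; detective mode records it."""

    def __init__(self, constraints, mode):
        assert mode in ("preventive", "detective")
        self.constraints, self.mode = constraints, mode
        self.history, self.exceptions = [], []

    def record(self, act):
        violations = transition_violations(self.history, act, self.constraints)
        self.exceptions.extend(violations)          # evidence in both modes
        if violations and self.mode == "preventive":
            return False                            # state not allowed, not written
        self.history.append(act)
        return True

    def evidence(self):
        """Transition exceptions plus obligations left open."""
        return self.exceptions + open_inclusive(self.history, self.constraints)


CONSTRAINTS = phase_constraints() + [
    Constraint("exclusive", "NegotiationFailed", "Actualize"),
    Constraint("inclusive", "Actualize", "Pay"),   # took the goods, must pay
]

# Constructed sample log: P-1 is clean, P-2 skips negotiation, P-3 actualizes
# after a failed negotiation, P-4 receives goods but never pays.
SAMPLE_LOG = [
    Activity(1, "P-1", "Plan", "R.Manager.Purchasing"),
    Activity(2, "P-1", "Identify", "R.Manager.Purchasing"),
    Activity(3, "P-1", "Negotiate", "R.Manager.Purchasing"),
    Activity(4, "P-1", "Actualize", "R.Clerk.Warehouse"),
    Activity(5, "P-1", "Pay", "R.Clerk.Payables"),
    Activity(6, "P-2", "Actualize", "R.Clerk.Warehouse"),
    Activity(7, "P-3", "Plan", "R.Manager.Purchasing"),
    Activity(8, "P-3", "Identify", "R.Manager.Purchasing"),
    Activity(9, "P-3", "NegotiationFailed", "R.Manager.Purchasing"),
    Activity(10, "P-3", "Actualize", "R.Clerk.Warehouse"),
    Activity(11, "P-4", "Plan", "R.Manager.Purchasing"),
    Activity(12, "P-4", "Identify", "R.Manager.Purchasing"),
    Activity(13, "P-4", "Negotiate", "R.Manager.Purchasing"),
    Activity(14, "P-4", "Actualize", "R.Clerk.Warehouse"),
]


def run(mode, log=SAMPLE_LOG):
    """Replay the log under one mode; returns (accepted count, evidence list)."""
    monitor = Monitor(CONSTRAINTS, mode)
    accepted = sum(monitor.record(a) for a in log)
    return accepted, monitor.evidence()
```

Under preventive mode the two bad Actualize transitions are refused, so they never reach the history and cannot trigger the inclusive Pay obligation; under detective mode every transition is written and the open obligations for P-2, P-3 and P-4 all surface as evidence. Inclusive constraints can only be judged at a chosen evaluation point, which is why open_inclusive runs over the whole log rather than per transition.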
Constraint Violations and Continuous Monitoring
[Figure: activities at times t1, t2, t3 … tn along a Time axis; exceptions to activity policy templates labelled IA1 to IA6; other labels in the figure: ERi, IESF, IA, D, ERd, DESF, EA]
Evaluation of Internal Controls
[Figure: compare the ENTERPRISE with the IDEAL ENTERPRISE]
Future Research
• Specify the REA ontology in First Order Logic
• Specify a more complete set of internal controls in FOL
• Connect business processes
• Integrate continuous monitoring structures
• Integrate continuous reporting requirements