Semantic Specification and Automated Enforcement of Internal Controls within Accounting Systems
Dr. Graham Gal, University of Massachusetts at Amherst
Dr. Guido Geerts, University of Delaware
Dr. William McCarthy, Michigan State University
Value Modeling and Business Ontologies Workshop, February 9th & 10th, 2009
Presentation Outline
• Internal Controls
– Nature
– Monitoring and Evaluation
• Internal Controls and Management
– Responsibilities
• Business States and Transitions
• Integrate Definitions into the REA Ontology
• Implications for monitoring
Internal Controls
• Nature of internal controls
– Process to provide reasonable assurance
concerning the achievement of objectives
• Effective and Efficient Operations
• Reliability of Financial Reporting
• Compliance with applicable laws
– “Being in Control”
– Types
• Application Level
• Control Environment
Internal Controls
• Evaluation of internal controls
– Sarbanes-Oxley Act of 2002
• Sec. 103 (a) (2) (iii) testing of internal control structure
and procedures
– (II) (aa) reasonable detail and fairly reflect the transactions …
– (II) (bb) reasonable assurance that transactions are recorded
as necessary (reporting)
• Sec. 302 (a) (3) report(s)… fairly present … results of
operations [transactions]
– (5) (A) … deficiencies … prevent the ability to record, process
• Sec. 404 Management Assessment of Internal Controls
– (a) (2) … effectiveness of internal control structure and
procedures
– (b) report on the assessment made by management
Internal Controls
• Monitoring
– Ongoing versus Separate Evaluations (COSO Framework)
• Building in versus Adding on
• Closer to the operation of the control
– Direct versus indirect
• Application versus General
• Entity Level Controls
• Control Environment
– Incentives
– Commitment to Competence
– Organizational Structure
– Assignment of Authority and Responsibility
– Human Resources Policies and Practices
[Figure: the Enterprise and its three objective categories: Operational Objectives, Compliance Objectives, Reporting Objectives (F/S, Tax, …)]
Management and Control
• Establish objectives for the firm in relation to stakeholders' requirements
• Define or quantify these objectives
– Be a major supplier of … ⇒ achieve 40% market share
– Cut production costs ⇒ at X level of production, costs will be Y
– Provide customer service ⇒ delivery within 3 days of order
• Formulate policies to establish a path to achieve these objectives
– Transition from the current state to a future state in which firm characteristics are closer to the objectives than the current state
– Monitor these transitions and make an assessment that policies are being adhered to
Value Modeling and Business Ontologies Workshop, 14th World Continuous Monitoring and Reporting Symposium, Rutgers University, February 9th & 10th, 2009
[Figure: state transitions. Activities create the new state; the resulting states can be of three types: 1) completely not allowed, 2) completely allowed, 3) unsure]
Activities
• Activities to further specific applications
– Send an invoice
– Receive a payment
– Look for possible vendors
– Obtain/Send a quote
– Receive/Send merchandise
• Activities that set the tone for the applications
– Establish formal job descriptions
– Establish formal skills and knowledge levels
– Delineate formal lines of responsibility
November 2nd and 3rd 2007
Activities
• Activities are organized around various business processes
(transaction cycles) or subsystems
– Acquisition, Revenue, Hiring, etc.
• Each business process consists of:
– Groups of activities that correspond to steps that need
completion and may have temporal dependencies
– Role(s) allowed to perform the activity
– Business object whose state the activity alters
• Management General or Specific Authorization for the
execution of activities consistent with attainment of objectives
General Business Process Phases
• Planning
– Activities to decide what action to take for acquiring or selling a good, service, and/or right.
• Identification
– Activities to exchange data among potential parties in order to establish a one-to-one linkage.
• Negotiation
– Activities to achieve an explicit, mutually understood, and agreed upon goal of a business
collaboration and associated terms and conditions.
• Actualization
– Activities necessary for the execution of the results of the negotiation for an actual business
transaction.
• Post-Actualization
– Activities associated with exchanges of information that occur between the parties after the agreed
upon good, service, and/or right is deemed to have been delivered
Role Based Access Control
• Management established areas of
responsibility within firm to perform activities
– Sales Department, Purchasing, Manufacturing,
Human Resources
• Hierarchical structure of responsibility and
authority
– Vice President, Sales VP, Manager, …..
– Authority to Delegate
– Authority to Perform
• Segregation of incompatible functions
General Roles and Activity
[Figure: Roles (Vice President, Manager, Clerk) associated 0..* to 0..* with Activity Types (Negotiation, Actualization)]
General Roles and Activity II
[Figure: Roles (Vice President, Manager, Clerk) linked through Delegate and Perform associations to Employee Types and to Activity Types (Negotiation, Actualization)]
Business Objects
• Management authorization or permission for a
specific role (or hierarchy) to perform activities on
a business object
– A sales manager can negotiate sales prices and delivery
terms for inventory sales
– A sales manager can delegate to a sales clerk authority
to actualize transfer of inventory
– A sales clerk can actualize the transfer of inventory per
negotiated terms
– A purchasing manager can negotiate purchase prices
and delivery terms for raw material purchases
– A warehouse clerk can actualize receipt of raw
materials inventory
Objects, Roles, and Activities
[Figure: Management Policy]
Objects, Roles, Employee Types, and Activity Types
[Figure: Management Policy]
Examples
• The Vice President of Sales can delegate the task of negotiating sales prices and delivery terms
P.Delegate.Negotiation.Sales(BOT.Resource.Inventory, RT.Delegate, ET.VPSales, AT.Negotiate.Sales)
• A Sales Manager can perform the negotiation of sales prices and delivery terms for inventory sales
P.Perform.Negotiation.Sales(BOT.Resource.Inventory, RT.Perform, ET.SalesManager, AT.Negotiate.Sales)
• A Sales Clerk can perform the actualization of the transfer of inventory per negotiated terms
P.Perform.Actualize.Sales(BOT.Event.Sale, RT.Perform, ET.Clerk.SalesClerk, AT.Actualize.Sales)
Examples
• The Vice President of Sales delegates the authority to negotiate sales to the Sales Manager
Delegate(e ∈ EmployeeType, e ∈ EmployeeType, a ∈ ActivityType)
Delegate(ET.VicePresidentSales, ET.SalesManager, AT.Negotiate.Sales)
• A Sales Manager delegates the authority to actualize a sale to a Sales Clerk
Delegate(ET.SalesManager, ET.SalesClerk, AT.Actualize.Sales)
Important Notes
• Adding activities to the process has only local effects (Plan, Control, and Evaluate)
– AddActivity(AA.Actualize.Sales, ReCalculatePrice)
• Because roles are connected to activities, an employee assigned to a role inherits the permissions to perform that role's activities
– Segregation of duties is integrated into permissions as opposed to ad hoc specifications
• Declarative specification of controls as constraints is side-effect free
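The permission tuples (P.Delegate…, P.Perform…), the Delegate(e, e, a) operator and the note that role-based permissions carry segregation of duties with them can be exercised in a few dozen lines. The block below is an added illustration, not code from the presentation or its authors: the class and function names (Permission, Policy, delegate, assign_role, can_perform, run_sales_scenario) and the INCOMPATIBLE pair are assumptions of this example. It goes slightly beyond the slides in that a delegation is refused when it would leave the delegatee holding two activities management has declared incompatible.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed representation of the slide's P.<Right>.<Activity> tuples:
# (business object type, right type, employee type, activity type).
@dataclass(frozen=True)
class Permission:
    business_object: str   # e.g. "BOT.Resource.Inventory"
    right: str             # "RT.Perform" or "RT.Delegate"
    employee_type: str     # e.g. "ET.SalesManager"
    activity: str          # e.g. "AT.Negotiate.Sales"

# Constructed segregation-of-duties rule: the same employee type may not both
# negotiate and actualize a sale.
INCOMPATIBLE = {frozenset({"AT.Negotiate.Sales", "AT.Actualize.Sales"})}

class Policy:
    def __init__(self) -> None:
        self.permissions: set[Permission] = set()
        self.roles: dict[str, set[str]] = {}   # employee -> employee types held

    def grant(self, p: Permission) -> None:
        self.permissions.add(p)

    def perform_activities_of(self, employee_type: str) -> set[str]:
        return {p.activity for p in self.permissions
                if p.employee_type == employee_type and p.right == "RT.Perform"}

    def delegate(self, delegator: str, delegatee: str, activity: str, business_object: str) -> bool:
        """Delegate(e1, e2, a): e1 hands a Perform right for a to e2.
        Allowed only if e1 holds a Delegate right for a on that object and the
        result would not give e2 an incompatible pair of activities."""
        holds_delegate = any(p.employee_type == delegator and p.activity == activity
                             and p.right == "RT.Delegate" and p.business_object == business_object
                             for p in self.permissions)
        if not holds_delegate:
            return False
        for held in self.perform_activities_of(delegatee):
            if frozenset({held, activity}) in INCOMPATIBLE:
                return False   # segregation of duties is part of the permission itself
        self.grant(Permission(business_object, "RT.Perform", delegatee, activity))
        return True

    def assign_role(self, employee: str, employee_type: str) -> None:
        self.roles.setdefault(employee, set()).add(employee_type)

    def can_perform(self, employee: str, activity: str, business_object: str) -> bool:
        # An employee inherits Perform rights through the employee types assigned to them.
        held = self.roles.get(employee, set())
        return any(p.right == "RT.Perform" and p.activity == activity
                   and p.business_object == business_object and p.employee_type in held
                   for p in self.permissions)

def build_sales_policy() -> Policy:
    """Constructed starting policy: who may delegate what, before any delegation."""
    pol = Policy()
    pol.grant(Permission("BOT.Resource.Inventory", "RT.Delegate", "ET.VPSales", "AT.Negotiate.Sales"))
    pol.grant(Permission("BOT.Event.Sale", "RT.Delegate", "ET.SalesManager", "AT.Actualize.Sales"))
    return pol

def run_sales_scenario() -> dict:
    """Replays the slide's two delegations plus two that the policy must refuse."""
    pol = build_sales_policy()
    out = {
        "vp_delegates_negotiation": pol.delegate("ET.VPSales", "ET.SalesManager",
                                                 "AT.Negotiate.Sales", "BOT.Resource.Inventory"),
        "manager_delegates_actualization": pol.delegate("ET.SalesManager", "ET.Clerk.SalesClerk",
                                                        "AT.Actualize.Sales", "BOT.Event.Sale"),
        # manager already negotiates sales, so actualizing them too would breach SoD
        "manager_keeps_actualization": pol.delegate("ET.SalesManager", "ET.SalesManager",
                                                    "AT.Actualize.Sales", "BOT.Event.Sale"),
        # a clerk holds no Delegate right at all
        "clerk_delegates": pol.delegate("ET.Clerk.SalesClerk", "ET.SalesManager",
                                        "AT.Negotiate.Sales", "BOT.Resource.Inventory"),
    }
    pol.assign_role("alice", "ET.Clerk.SalesClerk")   # constructed employee
    out["alice_actualizes"] = pol.can_perform("alice", "AT.Actualize.Sales", "BOT.Event.Sale")
    out["alice_negotiates"] = pol.can_perform("alice", "AT.Negotiate.Sales", "BOT.Resource.Inventory")
    return out

if __name__ == "__main__":
    for k, v in run_sales_scenario().items():
        print(f"{k}: {v}")
```

Because the incompatibility check sits inside delegate(), no separate "SoD audit" is needed after the fact: a delegation that would create the conflict simply never produces a permission, which is the declarative, side-effect-free behaviour the slide describes.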
Connection of Permissions
• Activity connections
– Temporal – Order of permissions is restricted
• Negotiation of a purchase (state) must occur before
Actualization of a purchase (state)
– Inclusive – Once Activity has occurred another
activity must occur
• Get a hotdog from a street vendor ⇒ pay for hotdog
– Exclusive – Once an activity has occurred another
activity cannot occur
• Failed Negotiation ⇒ Actualization cannot occur
– No restrictions
Permissions on Permissions
OCL Representations
• Temporal Order of Permissions
Acquisition::P.Actualize.Purchase(BOT.Event.Purchase, R.Clerk.PurchaseClerk, AT.Actualize.Purchase)
Acquisition::P.P.Actualize.Purchase(BOT.Event.Purchase, R.Perform.ET.Clerk.PurchaseClerk, AT.Actualize.Purchase)
PRE: Negotiate.Purchase.state = 'Complete'
• Inclusive Permissions
Delivery
if (state.revenue.negotiation) then actualization.date – negotiation.date < 7
• Exclusive Permissions
Segregation of Duties
Transfer::P.Actualize.Transfer(BOT.event.assign, RT.Manager.HumanResources, AT.Actualize.Transfer)
POST: Remove(employee.E.jobtype) and Assign(employee.E.jobtype) = new job type
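The three OCL constraints above (and the temporal / inclusive / exclusive connection types they instantiate) become ordinary predicates once the business-object state is represented as data. The block below is an added example, not the presentation's own code: the dictionary fields (negotiation_state, negotiation_date, actualization_date, jobtypes), the function names and the constructed states are all assumptions of this example. The inclusive check is evaluated "as of" a date so that a sale that has not yet been actualized can still be flagged once its window has passed.

```python
from __future__ import annotations
from datetime import date

def pre_actualize_purchase(purchase: dict) -> bool:
    # Temporal: Acquisition::P.Actualize.Purchase may only fire once the
    # negotiation of the same purchase has reached state 'Complete'.
    return purchase.get("negotiation_state") == "Complete"

def delivery_within_7_days(sale: dict, as_of: date) -> bool:
    # Inclusive: if (state.revenue.negotiation) then actualization.date - negotiation.date < 7.
    negotiated = sale.get("negotiation_date")
    if negotiated is None:
        return True   # no negotiation state yet: the implication holds vacuously
    # Not yet actualized: measure the wait so far against the evaluation date.
    actualized = sale.get("actualization_date") or as_of
    return (actualized - negotiated).days < 7

def actualize_transfer(employee: dict, new_job_type: str) -> dict:
    # Transfer::P.Actualize.Transfer with POST: Remove(employee.E.jobtype) and
    # Assign(employee.E.jobtype) = new job type. Returns a new record, leaving
    # the input untouched (the constraint itself stays side-effect free).
    return {**employee, "jobtypes": {new_job_type}}

def transfer_post_holds(after: dict, new_job_type: str) -> bool:
    # Exclusive: the old job type must be gone, so duties of two jobs never combine.
    return after["jobtypes"] == {new_job_type}

def run_constraint_scenario() -> dict:
    """Constructed states exercising each constraint; returns the check outcomes."""
    today = date(2009, 2, 10)
    purchase_ok = {"id": "P-1", "negotiation_state": "Complete"}
    purchase_early = {"id": "P-2", "negotiation_state": "Open"}
    sale_on_time = {"negotiation_date": date(2009, 2, 1), "actualization_date": date(2009, 2, 5)}
    sale_late = {"negotiation_date": date(2009, 2, 1), "actualization_date": None}  # 9 days open
    clerk = {"name": "alice", "jobtypes": {"ET.Clerk.PurchaseClerk"}}
    moved = actualize_transfer(clerk, "ET.Clerk.SalesClerk")
    return {
        "purchase_ok": pre_actualize_purchase(purchase_ok),
        "purchase_early": pre_actualize_purchase(purchase_early),
        "sale_on_time": delivery_within_7_days(sale_on_time, today),
        "sale_late": delivery_within_7_days(sale_late, today),
        "transfer_post": transfer_post_holds(moved, "ET.Clerk.SalesClerk"),
        "old_job_removed": "ET.Clerk.PurchaseClerk" not in moved["jobtypes"],
        "input_untouched": clerk["jobtypes"] == {"ET.Clerk.PurchaseClerk"},
    }

if __name__ == "__main__":
    for name, ok in run_constraint_scenario().items():
        print(f"{name}: {'holds' if ok else 'VIOLATED'}")
```

Each predicate is a pure function of the state it inspects, which is what makes it usable either as a guard before an activity fires or as a check run later over recorded states.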
REA Ontology
[Figure: the REA ontology. Policy level: Resource Type, Event Type, Agent Type and Economic Commitment, connected by typifies, specifies, reciprocal and policy relationships. Operational level: Economic Resource, Economic Event and Economic Agent, connected by stockflow, provide, receive, participate and duality; Economic Commitment fulfills Economic Event]
The Extension to the Ontology
• Include constraints on future states
• The states represent adherence to
management policy
– State Transitions toward objectives
• General business process model
• Perceptions of Monitoring
• Rod Brennan - Siemens
Continuous Monitoring
• Exceptions to constraints represent violations
of management policy and therefore evidence
about the state of controls
• Declarative aspect of constraints allows
different approaches to different violations
– Preventive – do not allow state
– Detective – note existence of state
• Evaluation of the quality of controls depends
on the amount of evidence
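The preventive / detective distinction and the idea that violations are evidence about the state of controls can be shown with a small monitor that receives attempted activities, evaluates declarative constraints against each business object's history, and either refuses the state (preventive) or admits it and records the exception (detective). The block below is an added example, not the presentation's own code: the Constraint and Monitor classes, the activity-type strings, the constructed activity stream and the evidence summary format are assumptions of this example. The two submit-time constraints come from the "Connection of Permissions" slide (negotiation before actualization; failed negotiation rules out actualization); the inclusive "hotdog ⇒ pay" obligation is checked at period end, because a missing activity can only be noticed after the fact.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Constraint:
    name: str
    mode: str                                    # "preventive" or "detective"
    holds: Callable[[list[str], dict], bool]     # (object history, proposed activity) -> ok?

@dataclass
class Monitor:
    constraints: list[Constraint]
    state: dict[str, list[str]] = field(default_factory=dict)   # object -> activities recorded
    violations: list[tuple[str, str, str, str]] = field(default_factory=list)

    def submit(self, activity: dict) -> bool:
        """Evaluate every constraint; preventive failures block the new state,
        detective failures are recorded but the state is still entered."""
        obj = activity["object"]
        history = self.state.setdefault(obj, [])
        failed = [c for c in self.constraints if not c.holds(history, activity)]
        for c in failed:
            self.violations.append((c.name, c.mode, obj, activity["type"]))
        blocked = any(c.mode == "preventive" for c in failed)
        if not blocked:
            history.append(activity["type"])
        return not blocked

    def check_obligation(self, name: str, trigger: str, required: str) -> list[str]:
        """Inclusive connection: once `trigger` occurred, `required` must also occur.
        Evaluated over recorded history at period end, so it is always detective."""
        missing = [obj for obj, done in self.state.items()
                   if trigger in done and required not in done]
        for obj in missing:
            self.violations.append((name, "detective", obj, required))
        return missing

    def evidence(self) -> dict[str, int]:
        """Violation counts per constraint: the raw evidence about control quality."""
        summary: dict[str, int] = {}
        for name, _mode, _obj, _act in self.violations:
            summary[name] = summary.get(name, 0) + 1
        return summary

def negotiation_before_actualization(history: list[str], act: dict) -> bool:
    # Temporal: an actualization needs a completed negotiation earlier in the history.
    return act["type"] != "Actualize" or "Negotiation.Complete" in history

def no_actualization_after_failure(history: list[str], act: dict) -> bool:
    # Exclusive: Failed Negotiation => Actualization cannot occur.
    return not (act["type"] == "Actualize" and "Negotiation.Failed" in history)

def run_monitor_scenario() -> dict:
    m = Monitor([
        Constraint("temporal.negotiate_first", "detective", negotiation_before_actualization),
        Constraint("exclusive.failed_negotiation", "preventive", no_actualization_after_failure),
    ])
    stream = [   # constructed stream of attempted activities
        {"object": "PO-1", "type": "Negotiation.Complete"},
        {"object": "PO-1", "type": "Actualize"},          # normal path
        {"object": "PO-2", "type": "Negotiation.Failed"},
        {"object": "PO-2", "type": "Actualize"},          # blocked: preventive
        {"object": "PO-3", "type": "Actualize"},          # admitted but recorded: detective
        {"object": "HD-1", "type": "Receive.Hotdog"},
        {"object": "HD-1", "type": "Pay"},
        {"object": "HD-2", "type": "Receive.Hotdog"},     # never paid
    ]
    accepted = [m.submit(a) for a in stream]
    unpaid = m.check_obligation("inclusive.hotdog_then_pay", "Receive.Hotdog", "Pay")
    return {"accepted": accepted, "unpaid": unpaid,
            "evidence": m.evidence(), "po3_history": m.state["PO-3"]}

if __name__ == "__main__":
    print(run_monitor_scenario())
```

Switching a constraint between preventive and detective changes only the mode field, not the predicate, which is the practical payoff of keeping the controls declarative: the same rule can block a state in one deployment and merely count it in another, and the resulting counts are the evidence the evaluation of controls is built on.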
Constraint Violations and Continuous Monitoring
[Figure: Policy Templates; Exceptions to Activity]
Evaluation of Internal Controls
[Figure: compare the Enterprise with the Ideal Enterprise]
Future Research
• Specify REA ontology in First Order Logic
• Specify more complete set of internal controls
in FOL
• Connect business processes
• Integrate continuous monitoring structures
• Integrate continuous reporting requirements
QUESTIONS?