
010020c3e4252e7f556e7647a7ebae2d.ppt
- Количество слайдов: 31
Semantic Specification and Automated Enforcement of Internal Controls within Accounting Systems Dr. Graham Gal University of Massachusetts at Amherst Dr. Guido Geerts, University of Delaware Dr. William Mc. Carthy Michigan State University February 9 th & 10 th, 2009 Value Modeling and Business Ontologies Workshop
Presentation Outline • Internal Controls – Nature – Monitoring and Evaluation • Internal Controls and Management – Responsibilities • Business States and Transitions • Integrate Definitions into the REA Ontology • Implications for monitoring February 9 th & 10 th, 2009 Value Modeling and Business Ontologies Workshop
Internal Controls • Nature of internal controls – Process to provide reasonable assurance concerning the achievement of objectives • Effective and Efficient Operations • Reliability of Financial Reporting • Compliance with applicable laws – “Being in Control” – Types • Application Level • Control Environment February 9 th & 10 th, 2009 Value Modeling and Business Ontologies Workshop
Internal Controls • Evaluation of internal controls – Sarbanes Oxley act of 2002 • Sec. 103 (a) (2) (iii) testing of internal control structure and procedures – (II) (aa) reasonable detail and fairly reflect the transactions … – (II) (bb) reasonable assurance that transactions are recorded as necessary (reporting) • Sec. 302 (a) (3) report(s)… fairly present … results of operations [transactions] – (5) (A) … deficiencies … prevent the ability to record, process • Sec. 404 Management Assessment of Internal Controls – (a) (2) … effectiveness of internal control structure and procedures – (b) report on the assessment made by management February 9 th & 10 th, 2009 Value Modeling and Business Ontologies Workshop
• Monitoring Internal Controls – Ongoing versus Separate Evaluations (COSO Framework) • Building in versus Adding on • Closer to the operation of the control – Direct versus indirect • Application versus General • Entity Level Controls • Control Environment – – – Incentives Commitment to Competence Organizational Structure Assignment of Authority and Responsibility Human Resources Policies and Practices February 9 th & 10 th, 2009 Value Modeling and Business Ontologies Workshop
E N T E R P R I S E Operational Objectives Compliance Objectives Reporting Objectives F/S, Tax, … February 9 th & 10 th, 2009 Value Modeling and Business Ontologies Workshop E N T E R P R I S E
Management and Control Establish Objectives for firm in relation to stakeholders’ requirements Define or quantify these objectives o Be a major supplier of … ⇒ achieve 40% market share o Cut production costs ⇒ At X level of production costs will be Y o Provide customer service ⇒ Delivery within 3 days of order Formulate policies to establish path to achieve these objectives o Transition from current state to future state in which firm characteristics are closer to objectives than current state. o Monitor these transitions and make an assessment that policies are being adhered to Value Modeling and Business Ontologies 14 World Continuous Monitoring and Reporting Symposium Workshop – Rutgers University February 9 th & 10 th, 2009 th
These states can be of types: 1) Completely not allowed 2) Completely allowed 3) Unsure Activities that create the new state Value Modeling and Business Ontologies Workshop 14 th World Continuous Monitoring and Reporting Symposium – Rutgers University February 9 th & 10 th, 2009
Activities • Activities to further specific applications – Send an invoice – Receive a payment – Look for possible vendors – Obtain/Send a quote – Receive/Send merchandise • Activities that set the tone for the applications – Establish formal job descriptions – Establish formal skills and knowledge levels – Delineate formal lines of responsibility Value Modeling and Business Ontologies 14 World Continuous Monitoring and Reporting Symposium Workshop – Rutgers University February 9 th & 10 th, 2009 th November 2 nd and 3 rd 2007
Activities • Activities are organized around various business processes (transaction cycles) or subsystems – Acquisition, Revenue, Hiring, etc. • Each business process consists of: – Groups of activities that correspond to steps that need completion and may have temporal dependencies – Role(s) allowed to perform the activity – Business object whose state the activity alters • Management General or Specific Authorization for the execution of activities consistent with attainment of objectives Value Modeling and Business Ontologies 14 World Continuous Monitoring and Reporting Symposium Workshop – Rutgers University February 9 th & 10 th, 2009 th
General Business Process Phases • Planning – Activities to decide what action to take for acquiring or selling a good, service, and/or right. • Identification – Activities to exchange data among potential parties in order to establish a one-to-one linkage. • Negotiation – Activities to achieve an explicit, mutually understood, and agreed upon goal of a business collaboration and associated terms and conditions. • Actualization – Activities necessary for the execution of the results of the negotiation for an actual business transaction. • Post-Actualization – Activities associated exchanges of information that occur between the parties after the agreed upon good, service, and/or right is deemed to have been delivered Value Modeling and Business Ontologies 14 World Continuous Monitoring and Reporting Symposium Workshop – Rutgers University February 9 th & 10 th, 2009 th
Role Based Access Control • Management established areas of responsibility within firm to perform activities – Sales Department, Purchasing, Manufacturing, Human Resources • Hierarchical structure of responsibility and authority – Vice President, Sales VP, Manager, …. . – Authority to Delegate – Authority to Perform • Segregation of incompatible functions Value Modeling and Business Ontologies 14 World Continuous Monitoring and Reporting Symposium Workshop – Rutgers University February 9 th & 10 th, 2009 th
General Roles and Activity Roles 0. . * Activity Types Vice President Negotiation Manager Clerk Value Modeling and Business Ontologies 14 World Continuous Monitoring and Reporting Symposium Workshop – Rutgers University February 9 th & 10 th, 2009 th Actualization
General Roles and Activity II Roles Delegate Perform Employee Types Vice President Manager Clerk Value Modeling and Business Ontologies 14 World Continuous Monitoring and Reporting Symposium Workshop – Rutgers University February 9 th & 10 th, 2009 th Activity Types Negotiation Actualization
Business Objects • Management authorization or permission for a specific role (or hierarchy) to perform activities on a business object – A sales manager can negotiate sales prices and delivery terms for inventory sales – A sales manager can delegate to a sales clerk authority to actualize transfer of inventory – A sales clerk can actualize the transfer of inventory per negotiated terms – A purchasing manager can negotiate purchase prices and delivery terms for raw material purchases – A warehouse clerk can actualize receipt of raw materials inventory Value Modeling and Business Ontologies 14 World Continuous Monitoring and Reporting Symposium Workshop – Rutgers University February 9 th & 10 th, 2009 th
Objects, Roles, and Activities Management Policy February 9 th & 10 th, 2009 Value Modeling and Business Ontologies 14 th World Continuous Monitoring and Workshop Reporting Symposium – Rutgers University
Objects, Roles, Employee Types, and Activity Types Management Policy February 9 th & 10 th, 2009 Value Modeling and Business Ontologies 14 th World Continuous Monitoring and Workshop Reporting Symposium – Rutgers University
Examples P. Delegate. Negotiation. Sales (BOT. Resource. Inventory, RT. Delegate, ET. VPSales, AT. Negotiate. Sales) • A Sales Manager can perform the negotiation sales prices and delivery terms for inventory sales P. Perform. Negotiation. Sales(BOT. Resource. Inventory, RT. Perform, ET. Sales. Manager, AT. Negotiate. Sales) • • The Vice President of Sales can delegate the task of negotiating sales prices and delivery terms A Sales Clerk can perform the actualization the transfer of inventory per negotiated terms P. Perform. Actualize. Sales(BOT. Event. Sale, RT. Perform, ET. Clerk. Sales. Clerk, AT. Actualize. Sales) Value Modeling and Business Ontologies 14 World Continuous Monitoring and Reporting Symposium Workshop – Rutgers University February 9 th & 10 th, 2009 th
Examples The Vice President of Sales delegates the authority to negotiate sales to the Sales Manager • Delegate(eЄEmployee. Type, aЄActivity. Type) • Delegate(ET. Vice. President. Sales, ET. Sales. Manager, AT. Negotiate. Sales) A Sales Manager delegates the authority to actualize a sale to a Sales Clerk • Delegate(ET. Sales. Manager, ET. Sales. Clerk, AT. Actualize. Sales) Value Modeling and Business Ontologies 14 World Continuous Monitoring and Reporting Symposium Workshop – Rutgers University February 9 th & 10 th, 2009 th
Important Notes • Adding activities to the process has only local effects (Plan, Control, and Evaluate) – Add. Activity(AA. Actualize. Sales, Re. Calculate. Price) • As Roles are connected to Activities when an employee is assigned to a role they inherit the permissions to perform the activity – Segregation of duties is integrated into permissions as opposed to ad hoc specifications • Declarative Specification of controls as constraints are side effect free February 9 th & 10 th, 2009 Value Modeling and Business Ontologies Workshop
Connection of Permissions • Activity connections – Temporal – Order of permissions is restricted • Negotiation of a purchase (state) must occur before Actualization of a purchase (state) – Inclusive – Once Activity has occurred another activity must occur • Get a hotdog from a street vendor ⇒ pay for hotdog – Exclusive – Once an activity has occurred another activity cannot occur • Failed Negotiation ⇒ Actualization cannot occur – No restrictions February 9 th & 10 th, 2009 Value Modeling and Business Ontologies Workshop
Permissions on Permissions February 9 th & 10 th, 2009 Value Modeling and Business Ontologies Workshop
Permissions on Permissions February 9 th & 10 th, 2009 Value Modeling and Business Ontologies Workshop
OCL Representations • Temporal Order of Permissions Acquisition: : P. Actualize. Purchase(BOT. Event. Purchase, R. Clerk. Purchase. Clerk, AT. Actualize. Purchase) Acquisition: : P. P. Actualize. Purchase(BOT. Event. Purchase, R. Perform. ET. Clerk. Purchase. Clerk, AT. Actualize. Purchase) PRE : Negotiate. Purchase. state = ‘Complete’ • Inclusive Permissions Delivery if (state. revenue. negotiation) then actualization. date – negotiation. date < 7 • Exclusive Permissions Segregation of Duties Transfer: : P. Actualize. Transfer(BOT. event. assign, RT. Manager. Human. Resources, AT. Actualize. Transfer) Post: Remove(employee. E. jobtype) and Assign(employee. E. jobtype) = new job type February 9 th & 10 th, 2009 Value Modeling and Business Ontologies Workshop
REA Ontology Resource Type policy typifies specifies participate Economic Commitment Agent Type reciprocal specifies Event Type typifies fulfills typifies Economic Resource stockflow Economic Event provide Economic Agent receive duality February 9 th & 10 th, 2009 policy Value Modeling and Business Ontologies Workshop
The Extension to the Ontology • Include constraints on future states • The states represent adherence to management policy – State Transitions toward objectives • General business process model • Perceptions of Monitoring • Rod Brennan - Siemens February 9 th & 10 th, 2009 Value Modeling and Business Ontologies Workshop
Continuous Monitoring • Exceptions to constraints represent violations of management policy and therefore evidence about the state of controls • Declarative aspect of constraints allows different approaches to different violations – Preventive – do not allow state – Detective – note existence of state • Evaluation of the quality of controls depends on the amount of evidence Value Modeling and Business Ontologies 14 World Continuous Monitoring and Reporting Symposium Workshop – Rutgers University February 9 th & 10 th, 2009 th
Ac 1 2 3 ity t tiv Ac n IA ERd SF DE D ERi SF e Tim EA IE IA 5 IA IA 4 IA 3 IA 2 IA 1 IA 6 Exceptions To Activity Policy Templates Constraint Violations and Continuous Monitoring February 9 th & 10 th, 2009 Value Modeling and Business Ontologies 14 th World Continuous Monitoring and Workshop Reporting Symposium – Rutgers University
Evaluation of Internal Controls E N T E R P R I S E Compare Value Modeling and Business Ontologies 14 World Continuous Monitoring and Reporting Symposium Workshop – Rutgers University February 9 th & 10 th, 2009 th I D E A L E N T E R P R I S E
Future Research • Specify REA ontology in First Order Logic • Specify more complete set of internal controls in FOL • Connect business processes • Integrate continuous monitoring structures • Integrate continuous reporting requirements
QUESTIONS? Value Modeling and Business Ontologies 14 World Continuous Monitoring and Reporting Symposium Workshop – Rutgers University February 9 th & 10 th, 2009 th