Number of slides: 31

Semantic Specification and Automated Enforcement of Internal Controls within Accounting Systems
Dr. Graham Gal, University of Massachusetts at Amherst
Dr. Guido Geerts, University of Delaware
Dr. William McCarthy, Michigan State University
February 9th & 10th, 2009, Value Modeling and Business Ontologies Workshop

Presentation Outline
 • Internal Controls
   – Nature
   – Monitoring and Evaluation
 • Internal Controls and Management
   – Responsibilities
 • Business States and Transitions
 • Integrate Definitions into the REA Ontology
 • Implications for monitoring

Internal Controls
 • Nature of internal controls
   – Process to provide reasonable assurance concerning the achievement of objectives
     • Effective and Efficient Operations
     • Reliability of Financial Reporting
     • Compliance with applicable laws
   – “Being in Control”
   – Types
     • Application Level
     • Control Environment

Internal Controls
 • Evaluation of internal controls
   – Sarbanes-Oxley Act of 2002
     • Sec. 103 (a)(2)(iii) testing of internal control structure and procedures
       – (II)(aa) reasonable detail and fairly reflect the transactions …
       – (II)(bb) reasonable assurance that transactions are recorded as necessary (reporting)
     • Sec. 302 (a)(3) report(s) … fairly present … results of operations [transactions]
       – (5)(A) … deficiencies … prevent the ability to record, process
     • Sec. 404 Management Assessment of Internal Controls
       – (a)(2) … effectiveness of internal control structure and procedures
       – (b) report on the assessment made by management

 • Monitoring Internal Controls
   – Ongoing versus Separate Evaluations (COSO Framework)
     • Building in versus Adding on
     • Closer to the operation of the control
   – Direct versus indirect
     • Application versus General
     • Entity Level Controls
     • Control Environment
       – Incentives
       – Commitment to Competence
       – Organizational Structure
       – Assignment of Authority and Responsibility
       – Human Resources Policies and Practices

[Diagram: ENTERPRISE – Operational Objectives, Compliance Objectives, Reporting Objectives (F/S, Tax, …)]

Management and Control
Establish Objectives for the firm in relation to stakeholders’ requirements
Define or quantify these objectives
 o Be a major supplier of … ⇒ achieve 40% market share
 o Cut production costs ⇒ At X level of production, costs will be Y
 o Provide customer service ⇒ Delivery within 3 days of order
Formulate policies to establish a path to achieve these objectives
 o Transition from the current state to a future state in which firm characteristics are closer to objectives than in the current state.
 o Monitor these transitions and make an assessment that policies are being adhered to
Value Modeling and Business Ontologies Workshop; 14th World Continuous Monitoring and Reporting Symposium – Rutgers University; February 9th & 10th, 2009

These states can be of types:
 1) Completely not allowed
 2) Completely allowed
 3) Unsure
Activities that create the new state

Activities
 • Activities to further specific applications
   – Send an invoice
   – Receive a payment
   – Look for possible vendors
   – Obtain/Send a quote
   – Receive/Send merchandise
 • Activities that set the tone for the applications
   – Establish formal job descriptions
   – Establish formal skills and knowledge levels
   – Delineate formal lines of responsibility
14th World Continuous Monitoring and Reporting Symposium – Rutgers University, November 2nd and 3rd, 2007

Activities
 • Activities are organized around various business processes (transaction cycles) or subsystems
   – Acquisition, Revenue, Hiring, etc.
 • Each business process consists of:
   – Groups of activities that correspond to steps that need completion and may have temporal dependencies
   – Role(s) allowed to perform the activity
   – Business object whose state the activity alters
 • Management General or Specific Authorization for the execution of activities consistent with attainment of objectives

General Business Process Phases
 • Planning – Activities to decide what action to take for acquiring or selling a good, service, and/or right.
 • Identification – Activities to exchange data among potential parties in order to establish a one-to-one linkage.
 • Negotiation – Activities to achieve an explicit, mutually understood, and agreed upon goal of a business collaboration and associated terms and conditions.
 • Actualization – Activities necessary for the execution of the results of the negotiation for an actual business transaction.
 • Post-Actualization – Activities associated with exchanges of information that occur between the parties after the agreed upon good, service, and/or right is deemed to have been delivered.

Role Based Access Control
 • Management establishes areas of responsibility within the firm to perform activities
   – Sales Department, Purchasing, Manufacturing, Human Resources
 • Hierarchical structure of responsibility and authority
   – Vice President, Sales VP, Manager, …
   – Authority to Delegate
   – Authority to Perform
 • Segregation of incompatible functions

[Diagram: General Roles and Activity – Roles (Vice President, Manager, Clerk) linked 0..* to Activity Types (Negotiation, Actualization)]

[Diagram: General Roles and Activity II – Roles (Delegate, Perform), Employee Types (Vice President, Manager, Clerk), Activity Types (Negotiation, Actualization)]

Business Objects
 • Management authorization or permission for a specific role (or hierarchy) to perform activities on a business object
   – A sales manager can negotiate sales prices and delivery terms for inventory sales
   – A sales manager can delegate to a sales clerk authority to actualize transfer of inventory
   – A sales clerk can actualize the transfer of inventory per negotiated terms
   – A purchasing manager can negotiate purchase prices and delivery terms for raw material purchases
   – A warehouse clerk can actualize receipt of raw materials inventory

[Diagram: Objects, Roles, and Activities – Management Policy]

[Diagram: Objects, Roles, Employee Types, and Activity Types – Management Policy]

Examples
 • The Vice President of Sales can delegate the task of negotiating sales prices and delivery terms
   P.Delegate.Negotiation.Sales(BOT.Resource.Inventory, RT.Delegate, ET.VPSales, AT.Negotiate.Sales)
 • A Sales Manager can perform the negotiation of sales prices and delivery terms for inventory sales
   P.Perform.Negotiation.Sales(BOT.Resource.Inventory, RT.Perform, ET.Sales.Manager, AT.Negotiate.Sales)
 • A Sales Clerk can perform the actualization of the transfer of inventory per negotiated terms
   P.Perform.Actualize.Sales(BOT.Event.Sale, RT.Perform, ET.Clerk.Sales.Clerk, AT.Actualize.Sales)

Examples
The Vice President of Sales delegates the authority to negotiate sales to the Sales Manager
 • Delegate(e ∈ Employee.Type, a ∈ Activity.Type)
 • Delegate(ET.Vice.President.Sales, ET.Sales.Manager, AT.Negotiate.Sales)
A Sales Manager delegates the authority to actualize a sale to a Sales Clerk
 • Delegate(ET.Sales.Manager, ET.Sales.Clerk, AT.Actualize.Sales)

Important Notes
 • Adding activities to the process has only local effects (Plan, Control, and Evaluate)
   – Add.Activity(AA.Actualize.Sales, Re.Calculate.Price)
 • As Roles are connected to Activities, when an employee is assigned to a role they inherit the permissions to perform the activity
   – Segregation of duties is integrated into permissions as opposed to ad hoc specifications
 • Declarative specification of controls as constraints is side-effect free

Connection of Permissions
 • Activity connections
   – Temporal – Order of permissions is restricted
     • Negotiation of a purchase (state) must occur before Actualization of a purchase (state)
   – Inclusive – Once an activity has occurred, another activity must occur
     • Get a hotdog from a street vendor ⇒ pay for hotdog
   – Exclusive – Once an activity has occurred, another activity cannot occur
     • Failed Negotiation ⇒ Actualization cannot occur
   – No restrictions

[Diagram: Permissions on Permissions]

[Diagram: Permissions on Permissions]

OCL Representations
 • Temporal Order of Permissions
   Acquisition::P.Actualize.Purchase(BOT.Event.Purchase, R.Clerk.Purchase.Clerk, AT.Actualize.Purchase)
   Acquisition::P.P.Actualize.Purchase(BOT.Event.Purchase, R.Perform.ET.Clerk.Purchase.Clerk, AT.Actualize.Purchase)
   PRE: Negotiate.Purchase.state = ‘Complete’
 • Inclusive Permissions
   Delivery: if (state.revenue.negotiation) then actualization.date – negotiation.date < 7
 • Exclusive Permissions
   Segregation of Duties
   Transfer::P.Actualize.Transfer(BOT.event.assign, RT.Manager.Human.Resources, AT.Actualize.Transfer)
   Post: Remove(employee.E.jobtype) and Assign(employee.E.jobtype) = new job type

[Diagram: REA Ontology – policy level: Resource Type, Event Type, Agent Type, Economic Commitment (typifies, specifies, participate, reciprocal, fulfills); operational level: Economic Resource, Economic Event, Economic Agent (stockflow, provide, receive, duality)]

The Extension to the Ontology
 • Include constraints on future states
 • The states represent adherence to management policy
   – State Transitions toward objectives
 • General business process model
 • Perceptions of Monitoring
 • Rod Brennan - Siemens

Continuous Monitoring
 • Exceptions to constraints represent violations of management policy and therefore evidence about the state of controls
 • Declarative aspect of constraints allows different approaches to different violations
   – Preventive – do not allow state
   – Detective – note existence of state
 • Evaluation of the quality of controls depends on the amount of evidence
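The P(BOT, RT, ET, AT) permissions and Delegate(...) predicates from the Examples slides, the temporal, inclusive and exclusive connections of permissions, segregation of duties, and the preventive-versus-detective handling of exceptions above, as an added Python example that is not part of the presentation. The policy tuples, sale ids, employee ids, dates and the 7-day window are constructed, and the way the constraints are encoded is an assumption.

```python
from datetime import date
# Constructed policy in the slides' P(BOT, RT, ET, AT) and Delegate(from, to, AT) form.
PERMISSIONS = {
    ("BOT.Resource.Inventory", "RT.Delegate", "ET.VPSales", "AT.Negotiate.Sales"),
    ("BOT.Resource.Inventory", "RT.Perform", "ET.Sales.Manager", "AT.Negotiate.Sales"),
    ("BOT.Event.Sale", "RT.Perform", "ET.Sales.Clerk", "AT.Actualize.Sales"),
}
DELEGATIONS = {("ET.VPSales", "ET.Sales.Manager", "AT.Negotiate.Sales")}
# Assumed encoding of the "Connection of Permissions" constraints for the revenue cycle.
PRECEDES = {"AT.Actualize.Sales": "AT.Negotiate.Sales"}  # temporal; a Failed negotiation never satisfies it
INCLUSIVE = ("AT.Negotiate.Sales", "AT.Actualize.Sales", 7)  # inclusive: actualize within 7 days
SEGREGATED = {frozenset({"AT.Negotiate.Sales", "AT.Actualize.Sales"})}  # one employee may not do both
def authorized(bot, employee_type, activity):
    """RT.Perform held directly, or delegated by an employee type that holds RT.Delegate for it."""
    if (bot, "RT.Perform", employee_type, activity) in PERMISSIONS:
        return True
    return any((bot, "RT.Delegate", frm, act) in PERMISSIONS
               for frm, to, act in DELEGATIONS if to == employee_type and act == activity)
def evaluate(events, today, mode="preventive"):
    """Check (sale_id, bot, activity, employee_id, employee_type, day, state) events in order.
    Preventive mode refuses a violating event; detective mode records it and notes the exception."""
    accepted, exceptions = [], []
    for ev in events:
        sale, bot, act, emp, etype, day, state = ev
        prior, problems = [e for e in accepted if e[0] == sale], []
        if not authorized(bot, etype, act):
            problems.append(f"{sale}: {etype} is not authorized for {act}")
        if act in PRECEDES and not any(e[2] == PRECEDES[act] and e[6] == "Complete" for e in prior):
            problems.append(f"{sale}: {act} without a completed {PRECEDES[act]}")
        if any(e[3] == emp and frozenset({act, e[2]}) in SEGREGATED for e in prior):
            problems.append(f"{sale}: segregation of duties, {emp} already acted on this sale")
        exceptions.extend(problems)
        if not problems or mode == "detective":
            accepted.append(ev)
    neg, follow, days = INCLUSIVE  # the inclusive rule is checked over the whole recorded history
    for sale, _, act, _, _, day, state in accepted:
        if (act == neg and state == "Complete" and (today - day).days > days
                and not any(e[0] == sale and e[2] == follow for e in accepted)):
            exceptions.append(f"{sale}: no {follow} within {days} days of {neg}")
    return accepted, exceptions  # the exceptions are the evidence about the state of the controls
EVENTS = [  # constructed history; e7 is a sales manager who also holds a sales-clerk role
    ("S1", "BOT.Resource.Inventory", "AT.Negotiate.Sales", "e7", "ET.Sales.Manager", date(2009, 2, 2), "Complete"),
    ("S1", "BOT.Event.Sale", "AT.Actualize.Sales", "e9", "ET.Sales.Clerk", date(2009, 2, 4), "Complete"),
    ("S2", "BOT.Event.Sale", "AT.Actualize.Sales", "e9", "ET.Sales.Clerk", date(2009, 2, 4), "Complete"),
    ("S3", "BOT.Resource.Inventory", "AT.Negotiate.Sales", "e9", "ET.Sales.Clerk", date(2009, 2, 1), "Complete"),
    ("S4", "BOT.Resource.Inventory", "AT.Negotiate.Sales", "e7", "ET.Sales.Manager", date(2009, 1, 20), "Complete"),
    ("S5", "BOT.Resource.Inventory", "AT.Negotiate.Sales", "e7", "ET.Sales.Manager", date(2009, 2, 3), "Complete"),
    ("S5", "BOT.Event.Sale", "AT.Actualize.Sales", "e7", "ET.Sales.Clerk", date(2009, 2, 5), "Complete"),
]
TODAY = date(2009, 2, 9)  # constructed evaluation date for the inclusive check
```

Running evaluate(EVENTS, TODAY) in preventive mode refuses the S2, S3 and S5 events and reports S4 as overdue; in detective mode all seven events are recorded and the unauthorized S3 negotiation additionally becomes an overdue exception.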

[Diagram: Constraint Violations and Continuous Monitoring – Activities 1, 2, 3 over time; Exceptions to Activity Policy Templates (IA 1 … IA 6)]

[Diagram: Evaluation of Internal Controls – compare ENTERPRISE with IDEAL ENTERPRISE]

Future Research
 • Specify REA ontology in First Order Logic
 • Specify more complete set of internal controls in FOL
 • Connect business processes
 • Integrate continuous monitoring structures
 • Integrate continuous reporting requirements

QUESTIONS?