Semantic Specification and Automated Enforcement of Internal Controls within Accounting Systems Dr. Graham Gal University of Massachusetts at Amherst Dr.


Semantic Specification and Automated Enforcement of Internal Controls within Accounting Systems
Dr. Graham Gal, University of Massachusetts at Amherst
Dr. Guido Geerts, University of Delaware
Dr. William McCarthy, Michigan State University
Value Modeling and Business Ontologies Workshop, February 9th & 10th, 2009

Presentation Outline
Internal Controls
– Nature
– Monitoring and Evaluation
Internal Controls and Management
– Responsibilities
Business States and Transitions
Integrate Definitions into the REA Ontology
Implications for monitoring

Internal Controls
Nature of internal controls
– Process to provide reasonable assurance concerning the achievement of objectives
    o Effective and Efficient Operations
    o Reliability of Financial Reporting
    o Compliance with applicable laws
– “Being in Control”
– Types
    o Application Level
    o Control Environment

Internal Controls
Evaluation of internal controls
– Sarbanes-Oxley Act of 2002
    o Sec. 103 (a) (2) (iii) testing of internal control structure and procedures
        – (II) (aa) reasonable detail and fairly reflect the transactions …
        – (II) (bb) reasonable assurance that transactions are recorded as necessary (reporting)
    o Sec. 302 (a) (3) report(s)… fairly present … results of operations [transactions]
        – (5) (A) … deficiencies … prevent the ability to record, process
    o Sec. 404 Management Assessment of Internal Controls
        – (a) (2) … effectiveness of internal control structure and procedures
        – (b) report on the assessment made by management

Internal Controls
Monitoring
– Ongoing versus Separate Evaluations (COSO Framework)
    o Building in versus Adding on
    o Closer to the operation of the control
– Direct versus indirect
    o Application versus General
    o Entity Level Controls
    o Control Environment
        – Incentives
        – Commitment to Competence
        – Organizational Structure
        – Assignment of Authority and Responsibility
        – Human Resources Policies and Practices

[Diagram: ENTERPRISE with Operational Objectives; Reporting Objectives (F/S, Tax, …); Compliance Objectives]

Management and Control
Establish Objectives for firm in relation to stakeholders’ requirements
Define or quantify these objectives
– Be a major supplier of … ⇒ achieve 40% market share
– Cut production costs ⇒ At X level of production costs will be Y
– Provide customer service ⇒ Delivery within 3 days of order
Formulate policies to establish path to achieve these objectives
– Transition from current state to future state in which firm characteristics are closer to objectives than current state.
– Monitor these transitions and make an assessment that policies are being adhered to
14th World Continuous Monitoring and Reporting Symposium – Rutgers University

These states can be of types:
1) Completely not allowed
2) Completely allowed
3) Unsure
Activities that create the new state

Activities
Activities to further specific applications
– Send an invoice
– Receive a payment
– Look for possible vendors
– Obtain/Send a quote
– Receive/Send merchandise
Activities that set the tone for the applications
– Establish formal job descriptions
– Establish formal skills and knowledge levels
– Delineate formal lines of responsibility
November 2nd and 3rd, 14th World Continuous Monitoring and Reporting Symposium – Rutgers University

Activities
Activities are organized around various business processes (transaction cycles) or subsystems
– Acquisition, Revenue, Hiring, etc.
Each business process consists of:
– Groups of activities that correspond to steps that need completion and may have temporal dependencies
– Role(s) allowed to perform the activity
– Business object whose state the activity alters
Management General or Specific Authorization for the execution of activities consistent with attainment of objectives

General Business Process Phases
Planning – Activities to decide what action to take for acquiring or selling a good, service, and/or right.
Identification – Activities to exchange data among potential parties in order to establish a one-to-one linkage.
Negotiation – Activities to achieve an explicit, mutually understood, and agreed upon goal of a business collaboration and associated terms and conditions.
Actualization – Activities necessary for the execution of the results of the negotiation for an actual business transaction.
Post-Actualization – Activities associated with exchanges of information that occur between the parties after the agreed upon good, service, and/or right is deemed to have been delivered.

Role Based Access Control
Management established areas of responsibility within firm to perform activities
– Sales Department, Purchasing, Manufacturing, Human Resources
Hierarchical structure of responsibility and authority
– Vice President, Sales VP, Manager, …
– Authority to Delegate
– Authority to Perform
Segregation of incompatible functions

General Roles and Activity
[Diagram: Roles (Vice President, Manager, Clerk) and Activity Types (Negotiation, Actualization), with multiplicity 0..*]

General Roles and Activity II
[Diagram: Roles (Delegate, Perform), Employee Types (Vice President, Manager, Clerk), Activity Types (Negotiation, Actualization)]

Business Objects
Management authorization or permission for a specific role (or hierarchy) to perform activities on a business object
– A sales manager can negotiate sales prices and delivery terms for inventory sales
– A sales manager can delegate to a sales clerk authority to actualize transfer of inventory
– A sales clerk can actualize the transfer of inventory per negotiated terms
– A purchasing manager can negotiate purchase prices and delivery terms for raw material purchases
– A warehouse clerk can actualize receipt of raw materials inventory

Objects, Roles, and Activities
[Diagram: Management Policy]

Objects, Roles, Employee Types, and Activity Types
[Diagram: Management Policy]

Examples
The Vice President of Sales can delegate the task of negotiating sales prices and delivery terms
    P.Delegate.Negotiation.Sales(BOT.Resource.Inventory, RT.Delegate, ET.VPSales, AT.Negotiate.Sales)
A Sales Manager can perform the negotiation of sales prices and delivery terms for inventory sales
    P.Perform.Negotiation.Sales(BOT.Resource.Inventory, RT.Perform, ET.SalesManager, AT.Negotiate.Sales)
A Sales Clerk can perform the actualization of the transfer of inventory per negotiated terms
    P.Perform.Actualize.Sales(BOT.Event.Sale, RT.Perform, ET.Clerk.SalesClerk, AT.Actualize.Sales)

Examples
The Vice President of Sales delegates the authority to negotiate sales to the Sales Manager
    Delegate(e ∈ EmployeeType, e ∈ EmployeeType, a ∈ ActivityType)
    Delegate(ET.VicePresidentSales, ET.SalesManager, AT.Negotiate.Sales)
A Sales Manager delegates the authority to actualize a sale to a Sales Clerk
    Delegate(ET.SalesManager, ET.SalesClerk, AT.Actualize.Sales)

Important Notes
Adding activities to the process has only local effects (Plan, Control, and Evaluate)
– AddActivity(AA.Actualize.Sales, ReCalculatePrice)
As Roles are connected to Activities, when an employee is assigned to a role they inherit the permissions to perform the activity
– Segregation of duties is integrated into permissions as opposed to ad hoc specifications
Declarative specification of controls as constraints is side-effect free

Connection of Permissions
Activity connections
– Temporal – Order of permissions is restricted
    o Negotiation of a purchase (state) must occur before Actualization of a purchase (state)
– Inclusive – Once Activity has occurred another activity must occur
    o Get a hotdog from a street vendor ⇒ pay for hotdog
– Exclusive – Once an activity has occurred another activity cannot occur
    o Failed Negotiation ⇒ Actualization cannot occur
– No restrictions

Permissions on Permissions


OCL Representations
Temporal Order of Permissions
    Acquisition::P.Actualize.Purchase(BOT.Event.Purchase, R.Clerk.PurchaseClerk, AT.Actualize.Purchase)
    Acquisition::P.P.Actualize.Purchase(BOT.Event.Purchase, R.Perform. ET.Clerk.PurchaseClerk, AT.Actualize.Purchase)
    PRE: Negotiate.Purchase.state = ‘Complete’
Inclusive Permissions
    Delivery
    if (state.revenue.negotiation) then actualization.date – negotiation.date < 7
Exclusive Permissions
    Segregation of Duties
    Transfer::P.Actualize.Transfer(BOT.event.assign, RT.Manager.HumanResources, AT.Actualize.Transfer)
    Post: Remove(employee.E.jobtype) and Assign(employee.E.jobtype) = new job type

REA Ontology
[Diagram: Economic Resource, Economic Event, Economic Agent, Economic Commitment, Resource Type, Event Type and Agent Type, with relationships labelled stockflow, duality, provide, receive, participate, reciprocal, fulfills, typifies, specifies and policy]

The Extension to the Ontology
Include constraints on future states
The states represent adherence to management policy
– State Transitions toward objectives
General business process model
Perceptions of Monitoring Rod Brennan - Siemens

Continuous Monitoring
Exceptions to constraints represent violations of management policy and therefore evidence about the state of controls
Declarative aspect of constraints allows different approaches to different violations
– Preventive – do not allow state
– Detective – note existence of state
Evaluation of the quality of controls depends on the amount of evidence
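Added example (not part of the original slides): a small Python monitor that evaluates the permission tuples from the "Examples" slide and the temporal and inclusive constraints from the "OCL Representations" slide, in either preventive or detective mode. The Monitor class, the sale-1/sale-2 case identifiers, the event stream, and the sales-side precondition (modelled on the slide's purchase PRE condition) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Permission tuples in the slides' order:
# (business object type, role type, employee type, activity type)
PERMISSIONS = {
    ("BOT.Resource.Inventory", "RT.Perform", "ET.SalesManager", "AT.Negotiate.Sales"),
    ("BOT.Event.Sale", "RT.Perform", "ET.Clerk.SalesClerk", "AT.Actualize.Sales"),
}
# Assumed sales-side analogue of the slide's purchase PRE condition.
PRECONDITION = {"AT.Actualize.Sales": "AT.Negotiate.Sales"}
MAX_DAYS = 7  # inclusive constraint: actualization.date - negotiation.date < 7


@dataclass
class Monitor:
    mode: str = "preventive"                        # or "detective"
    done: dict = field(default_factory=dict)        # (case, activity) -> day completed
    exceptions: list = field(default_factory=list)  # evidence of policy violations

    def attempt(self, case, obj, employee_type, activity, day):
        """Check one activity against policy; return True if the state change happens."""
        violations = []
        if (obj, "RT.Perform", employee_type, activity) not in PERMISSIONS:
            violations.append("permission")
        pre = PRECONDITION.get(activity)
        if pre is not None:
            pre_day = self.done.get((case, pre))
            if pre_day is None:
                violations.append("temporal")       # negotiation not 'Complete'
            elif day - pre_day >= MAX_DAYS:
                violations.append("inclusive")      # actualized too late
        if violations:
            self.exceptions.append((case, day, employee_type, activity, violations))
            if self.mode == "preventive":
                return False                        # preventive: do not allow state
        self.done[(case, activity)] = day           # detective: allow, keep evidence
        return True


# Constructed event stream: (case, object type, employee type, activity type, day)
EVENTS = [
    ("sale-1", "BOT.Event.Sale", "ET.Clerk.SalesClerk", "AT.Actualize.Sales", 1),
    ("sale-1", "BOT.Resource.Inventory", "ET.SalesManager", "AT.Negotiate.Sales", 2),
    ("sale-1", "BOT.Resource.Inventory", "ET.Clerk.SalesClerk", "AT.Negotiate.Sales", 3),
    ("sale-1", "BOT.Event.Sale", "ET.Clerk.SalesClerk", "AT.Actualize.Sales", 12),
    ("sale-2", "BOT.Resource.Inventory", "ET.SalesManager", "AT.Negotiate.Sales", 4),
    ("sale-2", "BOT.Event.Sale", "ET.Clerk.SalesClerk", "AT.Actualize.Sales", 6),
]


def run(mode):
    """Replay the constructed events; return per-event outcomes and the exception log."""
    monitor = Monitor(mode=mode)
    outcomes = [monitor.attempt(*event) for event in EVENTS]
    return outcomes, monitor.exceptions


if __name__ == "__main__":
    for mode in ("preventive", "detective"):
        outcomes, exceptions = run(mode)
        print(mode, outcomes)
        for exc in exceptions:
            print("  exception:", exc)
```

Both modes log the same three exceptions; only the preventive monitor refuses the corresponding state changes, so the exception log is the evidence about the state of controls in either case.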

Constraint Violations and Continuous Monitoring
[Diagram: Activity t1, Activity t2, Activity t3, … Activity tn along a Time axis; Exceptions To Activity Policy Templates]

Evaluation of Internal Controls
[Diagram: ENTERPRISE and IDEAL ENTERPRISE, Compare]

Future Research
– Specify REA ontology in First Order Logic
– Specify more complete set of internal controls in FOL
– Connect business processes
– Integrate continuous monitoring structures
– Integrate continuous reporting requirements

QUESTIONS?