A Formal Approach for Internal Controls Compliance in Business Processes

Koumaros Namiri (1), Nenad Stojanovic (2)

(1) SAP Research Center CEC Karlsruhe, SAP AG, Vincenz-Prießnitz-Str., Karlsruhe, Germany, Koumaros.Namiri@sap.com
(2) FZI Karlsruhe, Haid-und-Neu-Str., Karlsruhe, Germany, Nenad.Stojanovic@fzi.de

Abstract. Regulatory compliance requirements in the area of Internal Controls such as the Sarbanes-Oxley Act force enterprises to identify, shape and document their business processes. In this context enterprises require mechanisms to ensure that their business processes implement and fulfill compliance requirements independently from business-level requirements. In this paper we present a novel approach for the modeling and implementation of Internal Controls in business processes. The approach is based on the formal modeling of Internal Controls, thus it can serve as the basis for the use of logic mechanisms in the compliance verification process. The main idea is the introduction of a semantic layer in which the process instances are interpreted according to given control statements, without changing the original (business-goal driven) business processes.

Keywords: BPM, Regulatory Compliance, Formal Verification, Semantic Technologies

1 Introduction

The advent of regulatory compliance requirements in the area of Internal Controls such as the Sarbanes-Oxley Act of 2002 (SOX) [1] requires the implementation of an effective Internal Controls system in enterprises as a management responsibility. In this context COSO (Committee of Sponsoring Organizations of the Treadway Commission) has proposed an integrated framework [2], which is recognized by regulation bodies and auditors as the de facto standard for realizing the Internal Controls System. COSO defines Internal Controls as a process designed to provide reasonable assurance regarding the achievement of objectives in effectiveness and efficiency of operations, reliability of financial reporting and compliance with applicable laws and regulations. The following is a summary of the Internal Controls process:

- Identify all the significant accounts in the company.
- Identify for those accounts all relevant business processes affecting them.
- Define for each relevant business process a set of control objectives specific to the enterprise that must hold for that process.
- Continuously assess the risks for the enterprise by identifying them for each control objective.
- Design and implement, based on the risk assessment, a set of effective controls in order to prevent or detect the occurrence of the identified risks. The controls must be tested and used in daily operations.

Since the realization and effectiveness of the above process involves different roles such as internal and external auditors together with consultants, the introduction and operation of Internal Controls compliance (i.e. SOX 404) is considered to be expensive and time consuming [3]. An approach is required to bring a higher level of adaptability, reusability and usability into the Internal Controls compliance process. Adaptability is defined as an easy and fast way of introducing new or changed controls on business processes. Reusability is related to the possibility of describing the controls on the conceptual level in order to abstract from the concrete implementation details of the controls. Usability addresses the need of bridging the gap between the non-technical auditing consultants and the technical people realizing the controls implementation.

This paper introduces an abstraction layer above a business process, in which the controls are formally modeled and evaluated against existing process models and instances. It describes a novel, semantically-driven approach for the automation of Internal Controls in an enterprise, based on their conceptual separation from Business Process Management (BPM). In this semantic layer the controls are formally modeled and evaluated against existing process instances. We see several advantages of such an approach:

- It enables the use of formal methods, like inference, for the verification of a business process's compliance to Internal Controls and SOX compliance.
- Consequently, the compliance check will be performed automatically, based on the current state of the parameters (instances) of a business process.
- Moreover, the conceptual description of control conditions ensures the flexibility of the approach, i.e. changes of the controls will not require changes in the design and execution of the original business processes.
- Finally, through another abstraction layer introduced on top of the compliance definition, we ensure that non-experts can build on top of the domain model provided.
We are mostly concerned with the automation of the so-called Application Controls (AC)¹, which control business processes to support financial control objectives and to prevent or detect unauthorized transactions. However, the approach provides a general framework that can be applied to any other compliance domain using BPM technology.

The paper is organized as follows: We start with a motivating scenario for a new, flexible approach to compliance management. In the third section we introduce the domain model of Internal Controls/SOX compliance. In the fourth section we present our approach using the entities introduced in the domain model, whereas the fifth section explains its implementation architecture. Related literature is discussed in section six. Concluding remarks and some future research questions are given in the last section.

¹ Some literature also uses the term Process Control.

2 Motivating Scenario

We use the Purchase-To-Pay Process (P2P) delivered by an ERP product as an example. The process starts by creating the request for a purchase order (PO) and ends when the payment of that PO is recorded in Accounting. An excerpt of P2P is illustrated in Figure 1.

Figure 1: Purchase-To-Pay (P2P) Process: an excerpt

The Internal Controls compliance of P2P depends on enterprise-specific risk assessment. Table 1 shows an excerpt of the risk assessment carried out by auditing consultants of two different enterprises. It shows their different control objectives, risks and controls on the same standard P2P process.

Table 1: Risk assessment on the Purchase-To-Pay process (P2P) for 2 different enterprises

Control Objective | Risk | Application Control
Prevent unauthorized use | Creation of unauthorized POs and payments for non-existing suppliers | POs higher than 5000 Euro must be double approved (Double-Check-Control).
Ensure adequate supply of materials | Poor demand planning in the production | No POs higher than 5000 Euro will be approved at once.

Realizing the above introduced controls for each enterprise on the same standard P2P process provided by an ERP provider means individual customization of the software implementing P2P for each enterprise. This results in two completely different variant types, although from the business objective point of view these variants are equivalent: namely, their business objective is to purchase goods.

3 Domain Model for Internal Controls Compliance

One of the main issues in the separation of the business and control objectives of a business process is that business objectives and control objectives for a business process have different life cycles and stakeholders. Figure 2 illustrates how we see the relationship between BPM and Internal Controls Management: The design of a control should control the way a business process is executed. A (re)design of a business process causes an update of the risk assessment on a business process, which may lead to a new/updated set of controls incl. new tests. The business process

monitoring and verification techniques may be used to assess the effective design of controls and can serve as an input to compliance certification.

Figure 2: Relations between BPM and Internal Controls Management

Based on this view, we introduce a set of models for implementing the Internal Controls process. The entities and their relations to each other provide the terminology used to formulate logical statements representing the controls constraining the behavior of a business process. The approach itself is presented in the next section. In the following we enrich the entities resulting from our analysis of (mainly non-IT-related) COSO by additional entities. These additional entities will enable the model to serve us as an operational basis for our approach later. Only those parts of COSO necessary for understanding our approach are presented in Figure 3a. It shows the upper model of required entities for the Internal Controls process introduced in section 1.

Application Control - Business Process Model

An Application Control (AC) controls different dimensions of the way a business process is enacted, namely the execution of its activities, the Business Documents involved and the agents performing an activity including their authorities (see Figure 3b). For each AC at least one Recovery Action must have been designed, which reacts to the violation of a control. It does not change the designed business process logic; it rather blocks the transaction and may send a notification to an assigned responsible agent.

Figure 3a: The upper domain model of Internal Controls Compliance
Figure 3b: Relationship between an Application Control and a Business Process

Application Control Strategy Model

An Application Control Strategy defines the way a control monitors the behavior of one or more activities inside a business process (Figure 4). In order to become active, an AC needs to be triggered according to the state of the process parameters in a scope. We further define two elements of an AC strategy, scope and pattern, based conceptually on the work done by Dwyer et al. [5]. Although their patterns are mainly used for defining formal requirements on program specifications, they can be applied to Internal Controls compliance and the monitoring requirements there. For a detailed description of the scopes and patterns and their semantics please refer to [5].

Figure 4: A semi-formalization of the control implementation

Example: The Double-Check control for the first enterprise (see Table 1) can be mapped to the following strategy:

ControlTrigger = Activity Select Supplier
Scope = Between the activity Select Supplier and the activity Send PO
Control Pattern = Bounded Existence of n=2 on activity Approve PO

4 The Approach

In order to realize the separation of the business and control objectives presented in Figure 2, our approach introduces another layer above the business process model called Semantic Process Mirror. According to the assessed risks, a set of Application Controls is defined on that layer. Finally, by executing a business process, the semantic process layer will be continually updated with the information needed for the evaluation of the defined controls in order to ensure that the compliance test will pass. The approach spans three phases:

Phase 1: Semantic process mirror design phase

SemanticMirror represents a semantic layer placed on top of the (usual) syntactical description of a business process (i.e. workflow). In this phase a model of the business process according to Figure 3b will be stored in the SemanticMirror. It will be used later during phases 2 and 3 to infer whether the process is designed and executed according to a set of declaratively designed ACs from phase 2.

Phase 2: Application control design phase

In the following we present a set of formalizations needed for the automatic evaluation of ACs. A control statement CS is a logical statement that describes how to carry out an AC ac in a business process bp:

$$CS(ct, bp, ac(x, cp), gs(bp, scope(m)), action_R) := O(ct) \land V(bp, ac(x, cp), GS(bp, scope)) \rightarrow Activity(bp, action_R)$$

where the formula for CS expresses that if a violation V for the given ac occurs (is true) after the occurrence O of a ControlTrigger ct on a Guarded Sequence GS, then the corresponding recovery action action_R will be instantiated and executed on the current instance of bp (the instance that generated the violation). We describe the parameters mentioned above: A Guarded Sequence is a sequence of activities which lie along the scope of the AC strategy of an ac in a bp. The values for the violation of a control are calculated by evaluating the statement ac on the SemanticMirror, i.e. whether the statement ac can be inferred from the set of facts contained in the SemanticMirror. An AC ac expresses that a control pattern cp (see Figure 4) must hold if the logical condition on an entity x holds:

$$ac(x, cp) := condition(x) \rightarrow cp, \quad x \in \{BusinessDocument, Agent\}$$

We show the formalization of the control pattern (cp) BoundedExistence of n (see Figure 4) for an activity C in the scope of activities defined by GS(bp, scope):

$$BoundedExistence(n, C, GS(bp, scope)) := \left(\forall i = 0,..,n\ \exists C_i : InstanceOf(C_i, C)\right) \land \left(\forall i, j = 0,..,n,\ i \neq j : C_i \neq C_j\right) \land \left(\forall i = 0,..,n : C_i \in GS(bp, scope)\right)$$

Example: Applied to the Double-Check control in the P2P process (see scenario) the statement ac looks as follows:

$$\forall PO:\ BusinessDocument(PO) \land Amount(PO, amount) \land greater(amount, 5000) \rightarrow BoundedExistence(2, ApprovePO, GS_{DoubleCheck}(P2P, Between(SelectSupplier, SendPO)))$$

Phase 3: Business process execution phase

This phase enables the bidirectional interaction between BPM and Internal Controls management (see Figure 1): The SemanticMirror will be updated with information about the current instance of the business process enacted, and if an AC is violated, the recovery action defined in the control statement will be executed.
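The Double-Check control statement above, replayed over constructed P2P traces in the style of Phase 3, as an added Python example that is not code from the paper or its jBPM/Drools prototype. The SemanticMirror is reduced to a list of activity facts, the activity names CreatePO, SelectSupplier, ApprovePO and SendPO, the handler's placement at SendPO and the reading of BoundedExistence as "at least n distinct instances" are assumptions made here.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ActivityInstance:
    """One executed activity C_i; instance_id makes C_i != C_j decidable."""
    instance_id: int
    activity: str                      # activity class, e.g. "ApprovePO"
    agent: str
    po_amount: Optional[float] = None  # Amount(PO, amount), set by CreatePO

def guarded_sequence(mirror, start, end):
    """GS(bp, Between(start, end)): facts after the last `start` and before the
    following `end` (or up to the current state if `end` has not occurred yet)."""
    acts = [f.activity for f in mirror]
    if start not in acts:
        return []
    lo = len(acts) - 1 - acts[::-1].index(start)
    hi = acts.index(end, lo) if end in acts[lo:] else len(acts)
    return mirror[lo + 1:hi]

def bounded_existence(n, activity, gs):
    """BoundedExistence(n, C, GS): at least n pairwise distinct instances of C in GS."""
    return len({f.instance_id for f in gs if f.activity == activity}) >= n

def double_check_violated(mirror):
    """V for ac_DoubleCheck: a PO above 5000 Euro lacks two ApprovePO instances in
    GS(P2P, Between(SelectSupplier, SendPO)); approvals outside the scope do not count."""
    gs = guarded_sequence(mirror, "SelectSupplier", "SendPO")
    return any(f.activity == "CreatePO" and f.po_amount is not None
               and f.po_amount > 5000 and not bounded_existence(2, "ApprovePO", gs)
               for f in mirror)

def synchronize(mirror, event):
    """Phase 3 handler standing in for the jBPM ActionHandler (assumed to run when a
    node is reached): mirror the event; at SendPO evaluate CS = O(ct) AND V -> recovery."""
    mirror.append(event)
    if event.activity != "SendPO":
        return "continue"
    trigger_occurred = any(f.activity == "SelectSupplier" for f in mirror)
    if trigger_occurred and double_check_violated(mirror):
        return "blocked: notify responsible agent"   # recovery action, not a rollback
    return "continue"

def run_instance(steps):
    """Replay a constructed trace of (activity, agent[, amount]) tuples over a fresh mirror."""
    mirror, result = [], "continue"
    for i, step in enumerate(steps, start=1):
        result = synchronize(mirror, ActivityInstance(i, *step))
        if result != "continue":
            break
    return result

# Constructed sample traces (not taken from the paper).
COMPLIANT = [("CreatePO", "alice", 8000.0), ("SelectSupplier", "alice"),
             ("ApprovePO", "bob"), ("ApprovePO", "carol"), ("SendPO", "alice")]
# The first approval precedes SelectSupplier, so only one lies inside the scope.
VIOLATING = [("CreatePO", "alice", 8000.0), ("ApprovePO", "bob"),
             ("SelectSupplier", "alice"), ("ApprovePO", "bob"), ("SendPO", "alice")]
SMALL = [("CreatePO", "alice", 1200.0), ("SelectSupplier", "alice"), ("SendPO", "alice")]
```

The SMALL trace passes without any approval because condition(x) is false below the 5000 Euro threshold, while the VIOLATING trace shows that an approval recorded before the scope opens is not counted by the guarded sequence.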
This approach enables the dynamic application of the controls during the execution phase of a business process. There is a minimum overlap between business process design and compliance design. Thus new application controls can be designed for

business processes by adding new control statements into the SemanticMirror, while the original design of the business process remains unchanged, which is one of the main advantages of our approach.

5 Implementation

Besides the conceptual soundness, one of the challenges in this kind of approach is the possibility of its efficient and scalable implementation. There are two open issues that have to be discussed from the implementation point of view: 1) how to design and execute the business processes and 2) how to implement the SemanticMirror. Regarding the first issue, we have selected to implement a prototype based on JBoss jBPM. The basis for the implementation of the SemanticMirror is the formal model of the Internal Controls (see section 3). We have decided to implement the control statements (CS) as Event-Condition-Action (ECA) rules. The Dwyer patterns and scopes [5] can be mapped to ECA rules, thus the control patterns and scopes can be mapped to them. We use the JBoss Rule Engine (also known as Drools), which implements the RETE algorithm. Further, we are currently in the process of designing a Domain Specific Language (DSL) [7] for the auditors, based on the proposed model for Internal Controls. The DSL expressions entered in the Internal Controls Design Tool (see Figure 5) will be mapped to the control patterns and consequently into ECA rules before they are added into the SemanticMirror. Figure 5 illustrates the architecture of the prototype.

Figure 5: Architecture of the prototype

For the task of updating the SemanticMirror during the execution time of business processes (Phase 3 of the approach), we use facilities provided by the jBPM Engine

implementing the Command software design pattern [6]: jBPM provides the possibility to register (during design time) a so-called ActionHandler with each node class (activity) of a process definition (called jPDL in jBPM) with additional custom functionality. Our implementation of the ActionHandler interface (SemanticMirrorSynchronizer) obtains a reference to the SemanticMirror, and the current instance of the execution context, provided automatically by the jBPM Process Engine to the SemanticMirrorSynchronizer, is added to the SemanticMirror.

6 Related Work

On a conceptual level our work is related to [4], where a taxonomy of risks in business processes is provided. It does not explicitly state how a risk is positioned inside the Internal Controls compliance domain and leaves the semantic link between risks, business process design and execution open. In [8] and [9] the logic behind the obligations and permissions on a business process is made explicit in the form of temporal deontic assignments that can be used in business process design and in their contracts, respectively. In these approaches, the constraints on a business process would be designed into the business process, while we show how a designed constraint can be applied during execution time on business processes. The work done in [10], using Aspect Oriented Programming (AOP) techniques to extend the functionality of BPEL, is close to the separation of Internal Controls compliance concerns from BPM. Software providers also offer related solutions for compliance management. [11] gives an overview and discusses the current software products in this area and their limitations. However, to the best of our knowledge, there is no approach which shows how Internal Controls could be declaratively formulated by introducing a specific domain model for Internal Controls and showing an approach to formally declare and apply the controls separately from processes.

7 Future Research and Conclusion

In this paper we introduced a semantics-based approach for the conceptual modeling of Internal Controls required by regulation such as SOX.
They are captured as declarative rules and deployed during execution time on business processes. We built the model based on the de facto Internal Controls standard called COSO. Using this approach, new application controls can be defined on business processes without changing the original business logic of the processes. The approach will enable the definition of the controls outside of the workflow. One concern in this context is the fact that, although in our approach the recovery actions do not change the original business logic of the process, we have to verify the approach against results in the area of adaptive workflows [12]. Further, we plan to detail the formalization and apply it to BPMN as the target process modeling environment. Regarding the proposed architecture and the SemanticMirror synchronization

component, we have to analyze and validate the performance affecting its real feasibility. Another issue that must be addressed is the inter-control dependency: in order to become effective, a well-designed control may depend on the existence, effective design and operation of other controls. This issue is actually also mentioned directly by law [13]. Further, COSO (and also the law) calls in this context for managing change in the enterprise, which means among other things that a new or redesigned business process should always be followed by a new risk assessment (and possibly a new or updated set of controls). Today this is carried out mostly manually. We consider bringing a higher level of automation into this approach to be an open research question.

References

1. Pub. L., Stat. 754, Sarbanes-Oxley Act (2002)
2. Committee of Sponsoring Organizations of the Treadway Commission (COSO), Internal Control - Integrated Framework
3. T. Hartman, Foley & Lardner LLP, The Cost of Being Public in the Era of Sarbanes-Oxley, June
4. zur Muehlen, Michael; Rosemann, Michael. Integrating Risks in Business Process Models. In: Proceedings of the 2005 Australasian Conference on Information Systems (ACIS 2005), Manly, Sydney, Australia, November 30 - December 2
5. M. Dwyer, G. Avrunin, J. Corbett, Patterns in Property Specification for Finite-State Verification. In Proceedings of the 21st International Conference on Software Engineering, May
6. E. Gamma, R. Helm, R. Johnson and J. Vlissides, Design Patterns: Elements of Reusable Object-Oriented Software, Addison-Wesley
7. Marjan Mernik, Jan Heering, and Anthony M. Sloane. When and how to develop domain-specific languages. ACM Computing Surveys, 37(4)
8. S. Goedertier and J. Vanthienen, Designing Compliant Business Processes from Obligations and Permissions, 2nd Workshop on Business Processes Design (BPD'06), Proceedings
9. Guido Governatori, Zoran Milosevic, and Shazia Sadiq. Compliance checking between business processes and business contracts. 10th International Enterprise Distributed Object Computing Conference (EDOC 2006). IEEE Press, 2006
10. Charfi, A. and Mezini, M.
Hybrid Web Service Composition: Business Processes Meet Business Rules. In Proceedings of the 2nd International Conference on Service Oriented Computing (2004)
11. R. Agrawal, Ch. Johnson, J. Kiernan, F. Leymann: Taming Compliance with Sarbanes-Oxley Internal Controls Using Database Technology. Proc. 22nd Int'l. Conf. on Data Engineering ICDE 2006 (Atlanta, GA, USA, April 3-7, 2006)
12. M. Reichert and P. Dadam, ADEPTflex - Supporting Dynamic Changes of Workflows Without Losing Control, Journal of Intelligent Information Systems, 10(2) (1998)
13. Public Company Accounting Oversight Board (PCAOB), PCAOB Accounting Standard No. 2, paragraph 12