Feature. Business Process Management Systems. The Internal Control Perspective



Similar documents
Technical Paper. What is a. Process-Based. Application?

Transaction Processing and Enterprise Resource Planning Systems. Goal of Transaction Processing. Characteristics of Transaction Processing

Change by Successful Projects Csaba Deák Associate Professor University of Miskolc

UltimaX EDM for Microsoft Dynamics AX TM

Accounting information systems and business process : part 1

Business Process Management

Feature. Applications of Business Process Analytics and Mining for Internal Control. World

Chapter 5 Information Technology and Changing Business Processes

SAP Supply Chain Management Elinor Castell Solution Owner Transportation, SAP SE

Making the Case for BPM: A Benefits Checklist

1905 Harney Street, Suite 700 Omaha, NE in Highly Integrated Organizations 21 Large Omaha Firms

26/10/2015. Enterprise Information Systems. Learning Objectives. System Category Enterprise Systems. ACS-1803 Introduction to Information Systems

1. Global E Business and Collaboration. Lecture 2 TIM 50 Autumn 2012

<Insert Picture Here> Looking to Reduce Operating Costs? Automate Your Expense Processing with PeopleSoft Travel and Expenses 9.1

A Study into the Critical Success Factors when Implementing Business Process Management Systems

THE IMPACT OF BUSINESS PROCESS MANAGEMENT ON ORGANIZATIONAL STRATEGY

Info Net LAMAR SOFTWARE, INC. Enterprise Resource Planning. Efficiency. Productivity. Flexibility

can you simplify your infrastructure?

Supply chain management with Microsoft Dynamics GP. Microsoft Dynamics GP: The proven solution for efficiency and insight across your business.

Office of the City Auditor. Audit Report. AUDIT OF ACCOUNTS PAYABLE APPLICATION CONTROLS (Report No. A10-003) October 2, 2009.

Plug IT In 1 Business processes and business process management

ENTERPRISE MANAGEMENT AND SUPPORT IN THE TELECOMMUNICATIONS INDUSTRY

Carnegie Mellon University Master of Science in Information Technology Software Engineering (MSIT-SE) MSIT Project (17-677) Approval Form

Internal Controls. A short presentation from Your Internal Audit Department

Do You Need ERP? The Magnum Group Technical Publications Division

ERP s Automated Workflows Deploy Advanced Business Processes

About ERP Software Whitepaper

GAO. Standards for Internal Control in the Federal Government. Internal Control. United States General Accounting Office.

The need for optimization: Getting the most from Microsoft Dynamics GP

7 keys to unlocking a modern Business Continuity Management approach

DOCUMATION S PURCHASE TO PAY (P2P) SUITE

Automated Invoice/P2P Processing

October 4, Mr. Peter Kalikow Chairman Metropolitan Transportation Authority 347 Madison Avenue New York, New York Re: Report 2001-F-23

Automated Invoice/P2P Processing

Sage MAS 90 and 200. Extended Enterprise Suite S

Expense Module Security

JD EDWARDS ENTERPRISEONE PROCUREMENT MANAGEMENT

Process Management for Effective Disposition of State Land in Korea

4 Key Tools for Managing Shortened Customer Lead Times & Demand Volatility

Alexander Nikov. 2. Information systems and business processes. Learning objectives

ASSET ARENA PROCESS MANAGEMENT. Frequently Asked Questions

Business Process Management and the Clinical Trial Process

ACL WHITEPAPER. Automating Fraud Detection: The Essential Guide. John Verver, CA, CISA, CMC, Vice President, Product Strategy & Alliances

Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

Supply Chain Management Build Connections

IPPF Practice Guide. Auditing Application Controls

COMPANY... 3 SYSTEM...

A Foundation for Understanding Enterprise Resource Planning Systems

How To Understand And Understand The Concept Of Customer Relationship Management

Information Security and Governance in ERP Implementation (JD Edwards)

For more information about UC4 products please visit Automation Within, Around, and Beyond Oracle E-Business Suite

End to End Secured e-tendering Solutions. Procurement ERP From MobileERP

Change Management in the Hungarian Corporate Practice

GXS Product Portfolio Overview On-Demand Supply Chain Management for Your Extended Enterprise

Apparel Importing/Manufacturing ERP Solutions

PROJECT MANAGEMENT IN ENTERPRISE RESOURCE PLANNING (ERP) IMPLEMENTATION

Sarbanes-Oxley Control Transformation Through Automation

ENTERPRISE RESOURCE PLANNING SYSTEMS

Overview. Responsibility

mysap ERP FINANCIALS SOLUTION OVERVIEW

COMPARATIVE STUDY BETWEEN TRADITIONAL AND ENTERPRISE RISK MANAGEMENT A THEORETICAL APPROACH

Aplicor assumes no liability with respect to the use of the information contained herein which is provided as is and there are no warranties of any

DELIVERED WITH LOGIC.

How To Use An It System For Logistics

Seradex White Paper. Engineering Change Process. A Discussion of Issues in the Manufacturing OrderStream

Agile Manufacturing for ALUMINIUM SMELTERS

Epicor Vantage GLOBAL ENTERPRISE RESOURCE PLANNING

PROCUREMENTS SOLUTIONS FOR FINANCIAL MANAGERS

Field Service and Repair Center Software

WHITE PAPER ERP+BPM = Process efficiency and agility

40 Tips for Evaluating and Purchasing New ERP and Business Management Software

Chapter 2. The Development of Enterprise Resource Planning Systems

E-Business: How Businesses Use Information Systems

idocuments Solutions Overview Enterprise financial management & workforce solutions June 2015

Audit Report: Most Contracts Executed Timely but Contract Project Managers Could Use Better Tools and Guidance

GEN-18 Shifting the Paradigm on BPM Software

Cronacle. Introduction

Making Automated Accounts Payable a Reality

Concepts in Enterprise Resource Planning. 2 nd Edition. Business Functions, Processes, and Data Requirements

Methods and Technologies for Business Process Monitoring

IBM Cognos Controller

Harness the power of ReQlogic

Available online at ScienceDirect. The 4th International Conference on Electrical Engineering and Informatics (ICEEI 2013)

Improving Process Intelligence With Predictive Analytics

5 Ways Senior Finance Executives are Improving Visibility Across the Procure-to-Pay Cycle

Oracle Network Logistics

An Enterprise Resource Planning Solution (ERP) for Mining Companies Driving Operational Excellence and Sustainable Growth

Business Management Made Simpler

GENPACT partners with Automation Anywhere to deliver Robotic Process Automation (RPA) An Automation Anywhere Case Study

CAFT is a user-friendly web-based application that allows you to apply one-time or recurring Automated Funds Transfer (AFT) transactions

Turn Your Business Vision into Reality with Microsoft Dynamics GP

BPR or ERP - What Comes First?

AGILEPOINT FOR SALESFORCE GO BEYOND DATA SHARING

White Paper. Regulatory Compliance and Database Management

Field Service and Repair Center Software for Sage 100 ERP

Can you afford another day without Managed File Transfer (MFT)?

APPLICATION OF INFORMATION TECHNOLOGY AS ERP IN SILK INDUSTRY

There are a number of reasons why more and more organizations

The Ecommerce Edge: The Benefits of an Integrated Business Management Software Suite

Business ByDesign. The SAP Business ByDesign solution helps you optimize project management

Transcription:

Feature Business Process Management Systems: The Internal Control Perspective Joseph Natovich, Ph.D., CPA, is on the faculty of College of Management, Tel Aviv, Israel, and a partner in the consulting firm Tiuv Consultants. He has published papers on IT auditing and control in various professional journals and has taught in several academic institutions both in Israel and the US. During the last decade, organizations have become more aware of the importance of their business processes in terms of effectiveness, efficiency and compliance. As a consequence, business process management (BPM) has gained much attention. However, while current literature on BPM focuses mainly on the operational and functional aspects, 1, 2 there is little discussion about its effect on organizational internal controls. Understanding managerial and technological principles is of great importance for auditors, since they must be taken into consideration when internal control systems are designed or evaluated. The purpose of this article is to introduce BPM to the internal control expert community and to examine the internal control perspective of BPM. The article will focus on major control concepts such as authorization, segregation of duties, application controls and auditability, and will analyze how each concept is handled by BPM systems vis-a-vis traditional event-based systems. What Is Business Process Management? BPM has evolved from business process reengineering (BPR) and has been largely impacted by the lessons learned from the low rate of success of BPR. 3 BPR s externally led, radical, one-step-event approach to process improvement has evolved into an inherent, ongoing and gradual practice with BPM. BPM s main principles are the following: 4, 5 Processes provide a competitive advantage Good design of business processes is critical to the success of the organization. For example, bid preparation, a process that is usually conducted under time pressure, requires crossorganizational coordination involving finance, marketing and production departments. If this process is badly designed, it may slow down processing and lead to late submission of the bid or to an inadequately organized bid, reducing the chances of winning the tender. Processes require management Organizations are usually divided into functional units (e.g., finance, marketing). Many business processes, however, are cross-organizational, involving several functions within the organization. For example, a raw material purchasing process flows through the warehouse, logistics, purchasing and finance functions. Although each unit may function impeccably independently, processes may be impaired due to a lack of coordination among the units. To prevent this problem, BPM emphasizes the need to manage the process end to end. This includes appointing a process owner; setting performance standards (e.g., time, quality, cost); and establishing the control, monitoring and measurement of processes at work. Processes should be agile In the modern business world, change is constantly occurring. Therefore, to ensure its competitiveness, the organization must continuously improve and adapt its business processes. Ironically, automated processes based on information systems are usually more difficult and expensive to change. Modifications to traditional program code require time and human resources, resulting in delays and high costs. Hence, to maintain business agility, automating business processes requires a technology that supports rapid modifications. Business Process Management Systems The BPM principles have inspired the development of process-oriented technologies. Business process management systems (BPMS) integrate various information technologies to support comprehensive management of business processes from design through measurement and optimization. 6 It may be noted that since workflow is the main technology used in BPM, the terms BPM and BPMS are frequently used synonymously with each other. Like enterprise resource planning (ERP) systems, BPMS are enterprise systems involved in supporting routine organizational actions. 1

However, several differences may be noted, principally the fact that, while ERP systems are data-centric, BPMS are process-centric. 7 BPMS usually include the following modules: Visual tools enabling process modeling and simulation to evaluate prospect performance Workflow automation platform upon which the process is executed according to its design Enterprise application integration (EAI) module Online process monitoring displays A visual model of a sample process can be seen in figure 1. Figure 1 Sample Process Map for Purchasing Initate Request Purchase Requisition Manager If > $1,000 GM Must Approve Control Sufficient Funds? The operational benefits of these systems relate to several organizational levels: Improving coordination and cooperation among the different functions involved Increasing the automation of the process Cutting elapsed execution time Reducing maintenance costs Improving customer satisfaction Given the features and benefits of a BPM system, it is not surprising that it has become one of the more exciting areas in IT. A growing number of organizations worldwide are successfully implementing BPMS-based processes. 8 In addition, a range of suppliers (e.g., Savvion, Ultimus, Filenet) offer BPMS solutions. Leading manufacturers of ERP systems, including SAP and Oracle, have also begun to integrate BPM into their systems. GM Purchase Items Purchasing Disapprove Word Print PO? Notify Initiator If Not Approved End BPM and Internal Controls The use of BPMS enables an organization not only to implement more effective business processes, but also to significantly improve its internal control. Authorization, segregation of duties, application control and auditability 9, 10 have been accepted as the standard of IT internal control. A comparison between BPMS and traditional event-based systems (such as ERP) with respect to these control concepts is summarized in figure 2. Control Concept Authorization Segregation of duties Application control Auditability Figure 2 Control Concepts for Event-based Systems vs. BPMS Traditional Event-based Systems Part of access control system Assigned by activity type Require ad hoc controls within applications Time-consuming and costly management approval Limited mechanism of assigning tasks for approval Menu-driven work Potential of errors, such as selecting a wrong task, failure to perform a task or an object identification error Transaction-based system Does not provide monitoring of process status Require an ad hoc audit trail to link between transactions within a process BPMS Part of process rules and role definition Assigned by various case factors Complete authorization definition Speed up approval time and cost by work flow technology Various models of task assignment for approval, to eliminate bottlenecks Task-list-guided work Include elimination of potential errors of tasks and object selection Process-based system Include built-in, continuous, visual process monitoring Include a built-in process log Authorization BPMS strengthen the authorization mechanism and prevent potential threats. Authorization restricts employees and allows them to perform only predetermined activities according to their roles. 2

In event-based systems, authorization control is based on activity types. Each user or group is granted access only to certain activity types. The problem with this system is that, in reality, authority may be defined not only by the type of action, but also in terms of other parameters, such as the monetary amount of the activity, the subject of the activity and preconditions. To solve these problems, system developers add ad hoc complementary authorization controls and restrictions within the application code. However, this is a complex and expensive solution, required merely because the regular authorization mechanism is inadequate. In BPMS, authorizations are not separate from the process, but are derived directly from the roles of the employees and their authority as defined in the process. 11 Authorization is not granted per activity type, but at the single incident level. In other words, the system grants a one-time authorization for the execution of a specific activity. The authorization is granted on the basis of the organization s business process rules. In principle, authorization for an identical activity type may be granted in each incident to a different employee. For example, in the customer service process, if a customer contacts the organization with a request for billing information, he/she is then, according to the business rules, transferred to a financial function. If the client is interested in a new product, he/she is transferred to marketing. Or, in the case of a problem with the product, the customer is transferred to technical support. The authorization is granted at the level of a specific action, solely to the function to which the task was routed. Although all those involved are dealing with a single type of activity response to a customer s inquiry in BPMS, they are not authorized to take action unless the task has been routed to them. Moreover, each authorization for the execution of an action within the process is granted to the relevant individual for a temporary period only, and is revoked immediately upon the action s completion. To sum up, authorizations in BPMS are granted solely to the correct user to perform the correct task for the right time frame. Segregation of Duties Thanks to BPM technology, a higher degree of segregation of duties can be applied without impairing the efficiency of processes. Clearly, proper segregation of duties, especially between the execution and authorization of business actions, is an important component of internal control. Unfortunately, this type of internal control consumes expensive work time of the authorized executives and, therefore, is considered very costly. Furthermore, the number of steps required to complete the process is increased, inevitably lengthening the process. This problem is exacerbated by the fact that in many cases authorization by managers creates a bottleneck and delays the completion of the process. Therefore, it is hardly surprising that some have viewed managerial involvement in a process as overhead and argued that although internal controls should be subject to costbenefit considerations, the designers are not always aware of the real cost they impose. 12 Therefore, to avoid process cost and delay, BPR refrains from using managerial authorization and prefers to rely on detection controls on an after-the-fact basis, via such things as analytical reports, comparisons and reconciliations. From the control perspective, however, after-the-fact detection controls are clearly less effective than preventive controls within the process. BPMS offer a superior solution. They substantially reduce the cost of authorization within the process. The activities are transferred for authorization instantly via an electronic form system. The manager receives an e-mail notifying him/ her of the new task, and the A higher degree of inspection and authorization are performed directly in an segregation of duties electronic form. According can be applied. to the manager s decision approval or rejection the electronic form is transferred to the next step in the process. As a result, the authorization process may be completed in just a few minutes. The efficiency and low cost of electronic authorization allows for the use of executive authorizations within the process and even extends their use to enhance segregation of duties and control. In addition, the electronic task routing of BPM enables several innovative, flexible mechanisms to authorize actions, e.g., delegating authority to comanagers, a pool of authorizing managers or a sequential authorization pool. These mechanisms are highly beneficial to reduce bottlenecks when managers are overburdened or unavailable. To conclude, BPMS allow organizations to maintain sufficient segregation of duties and authorization controls while reducing cost and delays. 3

Application Control The proactive automation of the workflow in BPMS strengthens the computerized application controls, ensuring the accuracy of the process flow. One of the most significant differences between event-based systems and BPMS is the proactive nature of BPMS. Event-based systems, such as ERP, consist of a collection of computerized business transactions, usually organized in menus. However, in these systems, the process itself is usually not automated the user must identify the required action to be executed, according to the organizational procedures, and then select it from the system s action menu. Failure to recognize the required action may result in an error in the process. 13 This can be illustrated through, for example, the shipping of goods. After the goods are delivered, the accountant receives a copy of the packing slip signed by the customer. The reception of this document should signal the accountant to select the action of issuing an invoice and to charge the customer s account. If the accountant fails to select the correct action to perform, whether accidental or deliberate, it may disrupt the entire process. Several types of errors are liable to occur: Execution of redundant actions (e.g., the accountant issues a sales invoice to the customer although a signed packing slip has not been received) Failure to execute a required action (e.g., the accountant forgets to issue the invoice or performs a different action by mistake) Failure to select the correct object (e.g., the wrong packing slip is selected from the computerized list, charging a different customer or charging the correct client, but for a different packing slip that has not yet been supplied) The proactive process management of BPM eliminates such a problem. The user is not required to identify the action for execution, nor is he/she required to select the correct action from long menu lists. As soon as the system identifies that, according to the defined business rules, the preconditions of a specific user task are fulfilled, this task is sent to the user s personal task list. It will remain in his/her task list until it is executed. An example of a task list can be seen in figure 3. The proactive automation of the process in BPMS, in accordance with the organization s procedures and business rules, constitutes preventive and application control, thwarting potential errors and omissions: Figure 3 Task List for Execution The procedures cannot be circumvented and users cannot execute a different action from those appearing in their task list. Until the task has been executed, it remains in the task list and it cannot be deleted. Moreover, reminder messages are sent to the user until the task is performed. Each task in the task list encapsulates the required objects to complete the task, thus preventing identification errors. Auditability BPMS provide process monitoring and tracking systems and a full process log that serve as a built-in audit trail (see figure 4). Initate Begin Bill Wallace Figure 4 Process Monitoring Screen Supervisor Ann Puck If > $1,000 GM Must Approve Controller GM Laura Singer Fred Heflin Sufficient Funds? Purchase Items Purchasing AESERVER_WF Disapprove Ship and Inventory Notify Initiator If Not Approved End Print PO, Shipping and Receiving 4

Since traditional systems are transaction-based and handle each transaction and business document separately, it is difficult to audit processes end to end. Therefore, in such systems, proper audit trails should be designed and implemented to ensure that a chronological record of all events that have occurred in the system is maintained. 14 BPMS, by contrast, are process-based and, therefore, audit trails are a built-in feature. All incidents and steps of a process are documented and linked to each other in the order they occurred. The story in each case can easily be tracked. From the auditor s perspective, BPMS support continuous auditability of business processes, while they are active and afterward. Conclusion As a new technology and managerial approach, BPM may have a significant impact on the internal controls of organizations. Segregation of duties, especially between task performance and authorization, is no longer considered overhead; instead, it is an effective and efficient preventive control. Also, BPM introduces a new type of one-time access control and proactive workflow automation. In addition, monitoring and audit trail become built-in features that are seamlessly implemented. Since BPM technology is relatively new, it is difficult to identify and analyze its full impact on internal controls. Nevertheless, from accumulated observation and forecasts of IT analysts for the coming years, this technology is expected to play a growing role in improving organizational operations and have a major influence on strengthening organizations internal control systems. Endnotes 1 Cardoso, J.; R.P. Bostrom; A. Sheth; Workflow Management Systems and ERP Systems: Differences, Commonalities, and Applications, Information Technology and Management, vol. 5, 2004, p. 319-338 2 Reijers, H.A.; M. Song; B. Jeong; On the Performance of Workflow Processes With Distributed Actors: Does Place Matter?, 5 th International Conference BPM, Brisbane, Australia, September 2007, p. 32-47 3 Hammer, M.; J. Champy; Reengineering the Corporation, A Manifesto for Business Revolution, Harper-Collins, 1993 4 Armistead, C.; J.P. Pritchard; S. Machin; Strategic Business Process Management of Organizational Effectiveness, Long Range Planning, vol. 32, no. 1, 1999, p. 96-106 5 Smith, H.; P. Fingar; Business Process Management, The 3 rd Wave, Meghan-Kiffer Press, 2003 6 Khan R.; Business Process Management A Practical Approach, Meghan-Kiffer Press, 2004 7 Op cit, Cardoso, Bostrom and Sheth 8 Yi, Z.; Z. Yong; W. Wang; Modeling and Analyzing of Work Flow Authorization Management, Journal of Network and Systems Management, vol. 12, no. 4, December 2004, p. 507-535 9 IT Governance Institute (ITGI), CobiT 4.1, 2007, www.itgi.org 10 Committee of Sponsoring Organizations of the Treadway Commission (COSO), Internal Control Integrated Framework, May 1994 11 Op cit, Yi, Yong and Wang 12 Op cit, Hammer and Champy 13 Natovich, J.; M. A Vasarhelyi; Business Process Modeling From the Control Perspective: The AI Planning Approach, International Journal of Intelligent Systems in Accounting Finance and Management, vol. 6, no. 4, 1997, p. 121-133 14 Weber, R.; Information Systems Control and Audit, Prentice-Hall, USA, 1999 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information