
Smart auditing: Innovative compliance checking in customs controls


Academic year: 2021


Tilburg University

Smart auditing

Bukhsh, F.A.

Publication date: 2015

Document Version: Publisher's PDF, also known as Version of record

Link to publication in Tilburg University Research Portal

Citation for published version (APA):

Bukhsh, F. A. (2015). Smart auditing: Innovative compliance checking in customs controls. CentER, Center for Economic Research.

General rights

Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights.

• Users may download and print one copy of any publication from the public portal for the purpose of private study or research.
• You may not further distribute the material or use it for any profit-making activity or commercial gain.
• You may freely distribute the URL identifying the publication in the public portal.

Take down policy

If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim.

SMART AUDITING

Innovative Compliance Checking in Customs Controls

Doctoral thesis

submitted to obtain the degree of doctor at Tilburg University, on the authority of the rector magnificus, Prof. Dr. Ph. Eijlander, to be defended in public before a committee appointed by the Doctorate Board, in the auditorium of the University, on Wednesday 28 January 2015 at 14:15, by

Faiza Allah Bukhsh

Supervisor: Prof. Dr. Piet Ribbers

Co-supervisor: Dr. Hans Weigand

Other members of the doctoral committee:
Prof. Dr. Jan Vanthienen
Prof. Dr. Yao-Hua Tan
Prof. Dr. Hennie Daniels
Dr. Philip Elsas

The research reported in this thesis has been carried out under the auspices of SIKS, the Dutch Graduate School for Information and Knowledge Systems (SIKS Dissertation Series No. 2015-02), and CentER, the Graduate School of the Tilburg School of Economics and Management (TiSEM), Tilburg University.

Copyright © Faiza Allah Bukhsh, 2015

Contents

List of Acronyms
List of Figures
List of Tables
Acknowledgement

1 Introduction
  1.1 Background
  1.2 Research Motivation
  1.3 Research Goals
  1.4 Research Questions
  1.5 Research Methodology
  1.6 Limitations
  1.7 Thesis Structure
  1.8 Papers Underlying this Thesis
    1.8.1 Published Papers
    1.8.2 Working Papers

2 Literature Review
  2.1 Literature Review Procedure
    2.1.1 Literature Review Questions
    2.1.2 Research Source
    2.1.3 Search Strategy
    2.1.4 Study Selection
  2.2 Auditing
    2.2.1 Continuous and Online Auditing
  2.3 Associated Concepts & Terminologies
    2.3.1 Business Processes
    2.3.2 Logistic Processes
    2.3.3 Complex Event Processing
    2.3.4 System Adaptation
  2.4 Theories
    2.4.2 Computational Auditing
    2.4.3 Resource Event Agent
  2.5 Research Gaps
  2.6 Summary

3 Customs Controls and Extended Single Window
  3.1 Customs Procedures in European Union
  3.2 Conceptual Developments in Customs Controls
    3.2.1 Modernized Customs Code
    3.2.2 AEO Certification
    3.2.3 Green Lane
  3.3 Recent Projects in Customs Innovation
  3.4 Extended Single Window Project
    3.4.1 Extended Single Window and its Stakeholders
  3.5 Case Studies
    3.5.1 D-Company
    3.5.2 M-Company
  3.6 Problems Faced by Stakeholders of ESW
  3.7 Discussion

4 Service Based Audit Innovation
  4.1 Background
    4.1.1 Auditing & ICT
  4.2 Audit Module based on Continuous Monitoring
    4.2.1 Discussion
  4.3 Service Oriented Customs Control
    4.3.1 System-based Auditing
    4.3.2 Security Management
  4.4 Service Structure in REA
    4.4.1 Excise Management
  4.5 Summary

5 Pre-requisites: Audit Environment
  5.1 Towards Theory of Auditability
  5.2 Moving Auditability to a Higher Level
    5.2.1 Evaluation
  5.3 Service Based Auditing in e-Government Control
    5.3.1 Uncoordinated Auditing
    5.3.2 Coordinated Auditing
    5.3.3 Evaluation: Third Party Solution

6 Towards Smart Auditing in Governmental Control
  6.1 Smart Computing
  6.2 Towards Smart Auditing
  6.3 Smart Auditing
    6.3.1 Smart Auditing Framework
  6.4 Specialized Smart Auditing Framework
    6.4.1 Smart Sensors and their Controls
    6.4.2 Input Data
    6.4.3 Data Analysis for IST Generation
    6.4.4 SOLL: Normative State of Business
    6.4.5 Transformation
    6.4.6 Compliance Checking
    6.4.7 Adaptation for Future Reference
  6.5 Application of Smart Auditing Framework
    6.5.1 Import/Export Procedures of Customs
    6.5.2 Excise and VAT Management Problem of D-Company
    6.5.3 VAT Fraud in EU
  6.6 Summary

7 Adaptation: A Partially Automated Approach
  7.1 Background
  7.2 Case Study
  7.3 Artefact Overview
    7.3.1 Compliance Requirements
    7.3.2 Compliance Check Subsystem
    7.3.3 Adaptation Subsystem
  7.4 Adaptive Auditing System Validation
    7.4.1 Simulation Configuration
    7.4.2 Validation of Compliance Check Subsystem
    7.4.3 Validation of Adaptation Subsystem
    7.4.4 Discussion
  7.5 Summary

8 Conclusion and Future Work
  8.1 Claim Validation
  8.2 Research Outlook

References

A Questionnaire
  A.1 General Questions
  A.2 Questions to Business
  A.3 Questions Focused on IT

B Implementation
  B.1 M-company Case
    B.1.1 Pick, Pack and Ship Request
  B.2 Evaluation of Pick, Pack and Ship Request
    B.2.1 Analysis of Event Log
  B.3 Auditing Based on Smart Auditing Framework
  B.4 Conclusion
  B.5 Simulation Code

C Simulation Code & Test Data: Adaptive Auditing System
  C.1 Adaptive Auditing System
  C.2 Constraints
  C.3 Test Data
  C.4 Customs Specific Requirements
  C.5 Log Writer
  C.6 Compliance Check Test Data

List of Acronyms

3PL 3rd Party Logistics
AICPA American Institute of Certified Public Accountants
AIS Accounting Information System
BAM Business Activity Monitoring
BMO Business Modelling Ontology
BOM Business Operations Management
BPEL Business Process Execution Language
BPI Business Process Intelligence
BPMN Business Process Modelling Notations
C-CSI Container Security Initiative
C-TPAT Trade Partnership Against Terrorism
CA Continuous Auditing
CAWS Continuous Auditing Web Service
CEP Complex Event Processing
CICA Canadian Institute of Chartered Accountants
CIM Centralized Item Master
CM Continuous Monitoring
CMS Customs Management System
DSM Demand Side Management
EAM Embedded Audit Module
EISB Event Driven Information Service Bus
EPC Electronic Product Code
ERP Enterprise Resource Planning
EU European Union
FP Final date of Payment
GTAG Global Technology Audit Guide
IIA Institute of Internal Auditors
IO International Operates
ISA International Standard on Auditing
ISACA Information Systems Audit and Control Association
ISIS Information System for International System
MCC Modernized Customs Code
MNR Movement Reference Number
MRN Movement Reference Number
OLAT Online Auditing Tool
REA Resource Event Agent
RFID Radio Frequency Identifier
STL Secure Trade Lane
SW Single Window
TREC Tamper Resistant Embedded Controller
UML Unified Modelling Language

List of Figures

1.1 Thesis structure
2.1 Information auditing within an organization extracted from (Vaassen, 2002)
2.2 Taxonomy of adaptation (Hiel, 2010)
2.3 Basic REA concepts (Hrubý et al., 2006)
3.1 Single window
3.2 Extended single window (ESW)
3.3 Supply chain of D-company
3.4 Supply chain of M-Company (extracted from business process documentation)
3.5 Data flow of M-company (extracted from business process documentation)
4.1 Audit module
4.2 Customs as a service: a global view
4.3 Basic service production structure in REA (agent omitted)
4.4 REA model of excise liability life cycle
5.1 Coordinated auditing
5.2 Partial business process flow
5.3 Current state of D-company
5.4 Proposed state of D-company
5.5 Generalized third-party solution for companies
5.6 Customs procedure D-company Oosterhout (bought by D-company Oosterhout)
5.7 Customs procedure D-company Oosterhout (bought by D-company Darmstadt), Customs declaration in Oosterhout
5.8 Customs procedure D-company Oosterhout (bought by D-company Darmstadt), Customs declaration in Darmstadt
6.1 Conceptual representation of auditing process
6.2 Smart auditing framework (generalized)
6.4 Relationship between events of a process
6.5 Hierarchy between concepts
6.6 Meaning and representation in SBVR
6.7 REA exchange process (Hrubý et al., 2006)
6.8 REA conversion process (Hrubý et al., 2006)
6.9 Rule dependency diagram (Weigand et al., 2011a)
6.10 Decision tree for adaptation process
6.11 UML representation of REA model for excise management
6.12 Representation of an acquisition fraud scenario (Podlipnik, 2012)
6.13 Representation of Carousel fraud scenario (Podlipnik, 2012)
7.1 Interaction between M-company and a Customs authority
7.2 M-company adaptive auditing system overview
7.3 M-company adaptive auditing system against smart auditing framework
7.4 Payment Deadline (PD), Final Date of Payment (FP), and Recommended Date of Payment (RP) calculation algorithm
7.5 Examples of Payment Deadline (PD), Final Date of Payment (FP), and Recommended Date of Payment (RP) calculation (IFP is 10 days and TP is 1 working day)
7.6 An example of Interest Free Period (IFP) and Transfer Period (TP) checking (IFP is 12 days and TP is 1 working day)
7.7 Samples of compliance check cases on a timeline
B.1 Pick Pack and Ship Process
B.2 Data file describing how the data really looks
B.3 Sample data file input into PROM
B.4 Log dashboard
B.5 Log summary
B.6 Screenshot of the LTL Checker default configuration
B.7 Screenshot of a few log patterns from the log

List of Tables

2.1 Inclusion/Exclusion criteria for literature search
2.2 Audit classification
2.3 Existing information processing frameworks
2.4 Dimensions of continuous auditing (Chan and Vasarhelyi, 2011)
2.5 Example industry area
2.6 Summary
3.1 List of projects
3.2 Typology of organizations (extracted from (Vaassen, 2002))
5.1 Levels of auditing
5.2 Toys quality control in M-Company
5.3 Audit subject/object categorization
5.4 Coordination types
6.1 Auditing in the context of service oriented architecture
6.2 Input, output and processing involved in each module of smart auditing framework
6.3 Translation of rules
7.1 Inputs and outputs for Payment Deadline (PD), Final Date of Payment (FP), and Recommended Date of Payment (RP) calculation algorithm
7.2 Inputs for Interest Free Period (IFP) and Transfer Period (TP) checking algorithms
7.3 Customs specific requirements setting for Customs A, B, and C
7.4 A sample case set for CR adaptation validation (CN stands for Customs name while LP represents late payment)
7.5 Compliance check validation result
7.6 CR adaptation validation result
8.1 Comparison with other projects
B.1 Translations of data in the form of traces
B.2 Correlation between smart auditing framework’s modules and PROM’s plugin

Acknowledgement

With the name of Allah, the most gracious, most compassionate and ever merciful, Who gave me the courage to go through the hardship and power to do the right, the wisdom to think, to observe, to judge, to analyse and to fulfil the dreams of my life.

I owe to a number of people who helped me in successfully carrying out this project. It is my honour and pleasure to mention some of them who always proved helpful, cooperative and spared their valuable time for me. The ones I forgot to mention have equally contributed to this project.

I would like to express my gratitude for Dr. Hans Weigand for his patience and guidance. His encouraging attitude helped me to keep my spirit high and to develop and realise my research goals. Each meeting with him provided new insights and ideas for future directions. Without his critics and useful comments, this thesis would not have been possible. I pay my special thanks to Prof. Piet Ribbers for being the Promoter of this research study.

I am thankful to Alice and Mieke for their kindness and prompt administrative support that simplified significantly my stay in (information) management department. I would like to extend my gratitude to the members of the department of (information) management for providing a good working environment. I am also thankful to Sandra from HR department for her help, encouragement and support.

The list of friends to whom I owe a word of thanks is enormous. Here I mention a few of them. Saba and Ram thank you for being always there for resolving problems related to all aspects of my life. Sidra, Sulaiman and Shaheer (almost forgot to mention Shahyar) for all the discussions at tea. Nima and Katja, for being there for a good laugh specially Nima for finishing all the food at the end of party. Aamir, your jokes and suggestions for youtube videos are always a source of amusement. Somayah and Matin it is always nice to have a casual conversation with you. Irfan Zafar, for being a good family friend.

I would like to mention few colleagues; first and foremost is Jeewanie, with whom I have not only shared the office but also the difficulties and problems I was facing related to work and family. Among other colleagues I would like to mention Yan for being a source of information and Ehsan for refreshing my mind during thesis writing. I would like to express my deepest gratitude to the team of daycare Unikid and Unikid 2.0 for their cooperation. I owe a great deal of gratitude to Saeed-uz-Zaman (Bhai sahib) for paving the way toward my journey to earn a PhD.

I want to say thanks to those people who are strength in my life. First and foremost, my beloved parents Ishrat Begum and Allah Bakhsh, who have always had a great impact on my career and life. Seeing me become a Dr. has always been their utmost desire and I am so happy that I have finally fulfilled it. Few words of thanks for AMMAN and ABBA JI (Tasneem Begum & Ijaz Ahmed) for all the support and encouragement. Then, I pay thanks to Guria baji, Chanda baji and brother-in-laws (Imran, Nouman, Adnan, Rehan, Sami-ullah, Khizar) and sister-brother-in-laws for understanding my less talkative attitude due to workload. Saba and Zeeshan deserve a special line for being wonderful support via Skype. I would like to thank my siblings Bilal and Javara for their emotional support and bearing the work tension in the form of facing unexpected anger from my side. My youngest sister (elder child) Zaharah, I would not have been able to write a single line of this thesis without your support in last two years. Words cannot express what you have done for me.

Finally, I must express my profound gratitude to the person who is very close to my heart, my husband, for his love and support on one hand and for his laziness on the other that made me extra active to keep the right balance between work and family. I want to say thanks to two precious gifts that I have received during my PhD, Farzan the little and “caring” man of mine and Fahema the cute and “very disciplined” fairy. I believe that your existence and spiritual support is a key success factor in all stages of PhD.

Chapter 1

Introduction

In international trade, reliability, security and cost-effective logistic chain management are very important challenges that can only be met by innovative uses of IT. The focus of IT innovation is on creating a faster, safer and more reliable international flow of goods through the smoother and more efficient processing of import, export and Customs procedures.

1.1 Background

Service oriented architecture (SOA) is one such IT innovation. Formally, the Open Group and OASIS define SOA as “a paradigm for organizing and utilizing distributed capabilities that may be under the control of different ownership domains”. SOA (Papazoglou and Heuvel, 2007) is not only a change in the architectural style of information systems but also provides new opportunities for innovating and redesigning business processes, especially in the case of business processes from multiple organizations. Adherence to SOA standards makes it easy for services to communicate independently of their physical location and without requiring detailed information about the service itself. Such communication is provided by an enterprise service bus (ESB).

In the business world, business processes are the foundation of all organizations, and are mostly impacted by industry laws and regulations. After high-profile business failures and scandals, such as Enron [1] and WorldCom [2], compliance of business processes is a concern for most organizations. These incidents resulted in the formation of a broad body of strict legislation, e.g., the Sarbanes-Oxley Act [3].

Due to these laws, companies are required to maintain systems of internal controls for compliance management. Subsequently, organizations are left struggling with the development and deployment of compliance management and/or auditing solutions. As a reaction, we have recently witnessed substantive research on the topic of compliance, monitoring and auditing (Comuzzi et al., 2013; Ghose and Koliadis, 2007; Kang et al., 2012; McDonald-Madden et al., 2010; Qin, 2012; Sadiq and Governatori, 2010; Weigand et al., 2011a). When compliance is in such strong demand, the question of how to optimize it becomes a strategic concern. In this context, the concept of “horizontal supervision” aims at transforming the traditional vertical relationship between government and business into one of collaboration with a common goal of both efficiency and legal compliance. Horizontal supervision is applied, among others, in the innovation of Customs control.

[1] http://www.economist.com/node/940091 Accessed: July 10, 2014

[2] http://money.cnn.com/2002/06/26/news/companies/accounting_scandals/ Accessed: July 10, 2014

[3] http://www.soxlaw.com/ Accessed: July 10, 2014

The research focus of our thesis is to improve the efficiency as well as the effectiveness of the audit process by introducing the pre-requisites and a framework in which intelligent techniques are integrated with auditing in the SOA environment. The scientific relevance is that it provides a conceptualization and theoretical grounding for performing audits from the internal and external auditor’s perspective. Moreover, it discusses the potential benefits provided by REA and process mining for auditing. The research presented in this thesis does not warrant a “one suits all” solution.

The administrative regulations of international trade and transport are still not harmonized across countries and government organizations. This lack of harmonization leads to administrative burdens for international logistic service providers and their customers and thus extra costs. The practical implication of our research objective is to explore and address issues between Customs and companies, for example the auditing of tax and excise declarations. Our thesis discusses many Customs related issues; one of them is the concept of authorised economic operator (AEO). To receive the status of AEO, the company must have prepared and implemented a security and monitoring plan and taken initiative in reporting irregularities. In return, the Customs authority will stop or reduce the number of audits of the administrative systems and the inspections of individual transactions. In this way, the ability to show compliance has measurable business value.

The rest of this chapter is structured as follows: the motivation behind our research is elaborated in Section 1.2 by discussing why we need compliance management in the Customs domain. The objectives pertaining to this research are discussed in Section 1.3. The fundamental research problem considered in this research is defined precisely in Section 1.4, along with the list of research questions. The research methodology that we have followed to solve the research problems is discussed in Section 1.5. Limitations of our research are discussed in Section 1.6. Finally, the structure of the thesis is outlined in Section 1.7.

1.2 Research Motivation

• Internal policies: In order to control the internal processes, organizations set compliance policies. These compliance policies are imposed by various parties along the organizational hierarchy, ranging from top management to the responsible business units;

• Policies of trade partners: Trade usually involves several parties to make up a supply chain. Suitable policies are generated for a number of trade partners along the supply chain and several specialized service providers such as financial service providers, Customs brokers, and shipping service providers;

• Standards: The organization may choose to adopt various standards and frameworks in order to improve different aspects of the organization. Examples of these standards include GS1, COBIT, etc.;

• National laws and regulations: Based on multiple factors, government implements laws and regulations at the national level, whereas at the international level managing legal compliance with national laws is usually a complex affair;

• International trade laws and agreements: Over the last few decades, international trade agreements have played an important role. These are bilateral trade agreements. While the majority of the agreements aim to assist trade between partner nations, some agreements create more burdens for the trade organization in the form of additional standards.

When combined together, these different levels of policies and regulations make logistic compliance management complicated. An example of the situation can be a company that wants to import goods and sell them in the European Union (EU). As a Customs union, the EU imposes the same amount of Customs duty regardless of the point of entry into the union. On the other hand, value added tax (VAT) is imposed by the countries where the company markets and sells the products. Due to the freedom of movement within the EU, tracking of duties and VAT payment of these goods is complex for both the importer and the regulators. Moreover, the importer may choose to outsource some parts of the import process to third-party specialists. For example, the products may be handled by a shipping company while the payment of Customs duties is done by another agent that is specialized in Customs brokerage.

To handle the growing complexity in cross-border logistics compliance management, many organizations adopt information systems (IS) in their management practices. Technology adoption assists auditors in their work by automating part or all of the compliance checking process. The underlying objectives of IS audits are safeguarding assets, maintaining data integrity, and achieving the organization’s goals.


according to a change in compliance requirements. This can free staff from system configuration tasks to work on more productive assignments. By reducing human involvement in the system, the possibility of errors introduced by humans is also minimized.

1.3 Research Goals

As discussed in the previous sections, growing business has growing compliance needs. Solutions to the compliance needs of business mostly take the form of compliance modules. These compliance modules usually have issues of re-usability, flexibility and evolution. In this thesis our goal is not only to address some of these challenges but to develop an efficient and self-adaptive auditing solution. We will discuss the research goals from two perspectives: the research perspective and the domain (i.e., Customs and company) perspective. The research goals are described below:

• From a domain perspective, our goal is to provide a service-driven audit process to the business. Sub-goals of the above statement are given below.

– The concept of audit as a service must be easy to understand and easy to handle by non-technical users.

– The solution approach (that is, the auditing framework) must support the translation of business requirements and ontological concepts into business rules and norms.

– The audit process should be self-adaptive with respect to dynamic business needs.

– The solution approach must be generalized to handle most companies with a goods flow.

• From a research perspective, the framework must provide a methodological way to build and maintain the optimized audit process. The sub-goals of the above statement are given below.

– The steps of the audit process should be provided by the framework.

– The framework should consider the audit process from the service perspective.

– The auditing framework must consider the re-usability aspect. This helps toward the optimal use of the auditor’s time and effort spent on the audit process for data collection, rule set generation and compliance report generation.

– As it is not possible to describe exceptions, the framework must catch exceptions.

This thesis focuses on three main aspects of auditing: (a) the first part concerns audit prerequisites such as defining the audit process, audit object, audit subject, coordination aspects and many related concepts; (b) the second part emphasises how to automatically detect deviating activities; (c) the third part is about the use of adaptive computing techniques in auditing. The design will exploit the information gained through detection of deviations from norms and use this information to adjust the business rules in order to improve the efficiency and effectiveness of the compliance management process/auditing.

1.4 Research Questions

As we have discussed in the previous sections, the business environment requires comprehensive management to ensure compliance with norms and standards. This represents a fundamental business need addressed in this dissertation. In the following we will discuss the main research question and its decomposition.

“How to improve control effectiveness and efficiency of government audit process by exploring the potential use of SOA and smart techniques”.

This is a complex question with a lot of detail hidden in it. We use the steps of Wieringa and Heerkens to formulate research sub-questions into design questions and knowledge questions (Wieringa and Heerkens, 2006). In the following we will show the decomposition of our research question.

Knowledge Questions

1. What is the state of the art in the area of service oriented architecture, auditing and related areas?

2. To what extent could SOA improve the audit processes of Customs procedures?

3. What are the problems between Customs and its clients and how to overcome some of these problems?

4. What is the potential usage of adaptive computing techniques in the field of compliance management?

5. To what extent can the efficiency and effectiveness of the audit process be improved by using smart techniques?

Design Questions

2. How can an organization’s reliability mature with evolving relationships between government and business?

3. How to achieve added value by using knowledge for compliance checking purpose, especially by using REA ontological concepts for efficient and effective auditing?

4. How to detect activities that violate compliance requirements while involving as little human interaction as possible?

1.5 Research Methodology

Based on (Peffers et al., 2007) and (Wieringa, 1996), the work conducted in this dissertation belongs to the area of design science in the field of information systems. Design science is based on the engineering problem-solving paradigm. It defines the ideas, practices, technical capabilities, and products to perform steps like analysis, design and implementation. The innovation (artefact) we are seeking to produce as the outcome of this research is a technology based audit solution that assures an effective and efficient audit process. The research methodology to produce effective and efficient audit innovation consists of five iterative steps: problem definition, investigation and analysis of the state-of-the-art, solution design, validation and assessment. These steps are discussed below.

• Problem definition: An initial step towards the solution of a problem is its precise understanding and definition. This leads to a clear vision of the problem under consideration. Progress in research converts certain preliminary definitions into discrete research questions. These problem definitions and the research questions are addressed in Section 1.4.

• Investigation and analysis of the state-of-the-art: After research question identification, the next step is the investigation of the existing literature, which leads to a better understanding of the defined problem and a better determination of the scope of the research. Moreover, open research challenges can be identified by comparison of related research proposals. An exhaustive review of the state-of-the-art in the related areas of auditing is given in Chapter 2.

• Validation: The utility, quality, and efficiency of a design-artefact must be rigorously demonstrated via well executed evaluation methods (Peffers et al., 2007). The solutions proposed in this research are validated in two ways:

– The internal and construct validity of the approach are verified by adding a case study at the end of each chapter. This case study validates the artefacts discussed in Chapter 4, Chapter 5 and Chapter 6.

– We have explored and tested the smart auditing framework from implementation aspect in order to ensure the utility and applicability of the proposed approach in Appendix B. Moreover, the implementability of the adaptive audit system is evaluated with simulated data in Chapter 7. The findings and results of the case study conducted and functional testing are discussed in Chapter 8.

• Evaluation: This step involves the evaluation of the benefits, shortcomings and limitations of the developed solutions. Improvement points based on the results concluded from the previous validation steps lead to future research directions. The details of this evaluation step are presented in Chapter 8.

1.6 Limitations

The limitations of the proposed work presented in this thesis are discussed below.

• The evaluation of the proposed approaches is limited to two case studies: (a) D-company and (b) M-company. These are real world cases about food products and toys respectively. Both cases relate to the import and export domain, where Customs and logistic companies are involved. To some extent empirical evaluations have been performed using simulated data, but the proposed approaches have not been validated in a field experiment.

• The proposed smart auditing framework and its pre-requisites are built on the basis of (a) interviews with two companies and (b) business process documentation of these companies. It is possible to extend the framework and its pre-requisites based on data collection from other companies.

1.7 Thesis Structure

In Figure 1.1 a brief view of chapters in this thesis is given with an indication of their relevance with respect to each other. The outline of the thesis is as follows:

Figure 1.1: Thesis structure

• Chapter 3 introduces two industrial case studies that have been explored and analysed within the context of the ESW research project⁴. The case studies are based on companies operating in different industry sectors. These case studies are used as running scenarios throughout this dissertation as well as for validation.

• Audit based service innovation is introduced in Chapter 4.

• The level of auditing and the coordination aspects between the companies are discussed as pre-requisites in Chapter 5.

• In Chapter 6, the smart auditing framework is introduced. The framework, which aids the refinement and analysis of internal and external audit processes, is presented.

• In Chapter 7, a comprehensive analysis of the adaptive auditing system (a module of the smart auditing framework) is presented.

• In Chapter 8, conclusions and directions for future work are highlighted.

⁴ http://www.dinalog.nl/nl/projects/r_d_projects/extended_single_window/ Accessed: July

1.8 Papers Underlying this Thesis

1.8.1 Published Papers

This thesis is based on ten reviewed publications/submissions that have been either presented/submitted at international conferences or workshops or published/submitted to international journals.

1. Bukhsh, F. A. and Weigand, H. (2011). e-government controls in service-oriented auditing perspective: Beyond single window. In Overbeek, S., Tan, Y.-H., and Zomer, G., editors, Workshop on IT Innovations Enabling Seamless and Secure Supply Chains, In conjunction with the 10th International Electronic Government Conference 2011 (EGOV-2011).

2. Weigand, H. and Bukhsh, F. A. (2011). Supporting customs controls by means of service-oriented auditing. In 11th IFIP WG 6.11 Conference on e-Business, e-Services, and e-Society, I3E, Kaunas, Lithuania, October 12-14.

3. Bukhsh, F. A. and Weigand, H. (2011). Evaluating the application of service-oriented auditing in the B2G domain: A case study. In Grabis, J. and Kirikova, M., editors, Perspectives in Business Informatics Research, volume 90 of Lecture Notes in Business Information Processing, pages 281–295.

4. Bukhsh, F. and Weigand, H. (2012). E-government controls in service-oriented auditing perspective: Beyond single window. International Journal of Electronic Government Research, 8(4):34–53.

5. Bukhsh, F. A. and Weigand, H. (2012). REA & process mining: How to combine them for auditing? In 6th International Workshop on Value Modeling and Business Ontology, Vienna Austria.

6. Bukhsh, F. A. and Weigand, H. (2012). Towards smart auditing in governmental control. In Proceedings of 5th ECITL 2012 in Gothenburg, Sweden.

7. Bukhsh, F. A. and Weigand, H. (2013). Smart auditing–innovating compliance checking in customs control. In IEEE 15th Conference on Business Informatics (CBI), pages 131–138. IEEE.

8. Bukhsh, F. A. and Weigand, H. (2013). Towards a formalization of smart audit. In 7th International Workshop on Value Modeling and Business Ontology, Delft Netherlands.

10. Bukhsh, F. A. and Weigand, H. (2014). Smart Audit of pick pack and ship request. In ILS2014, Breda, The Netherlands.

1.8.2 Working Papers

The following working papers underlie this thesis:

11. Manjing, T., Bukhsh, F. A. and Weigand, H. (2014). Adaptation: A partially automated approach. CentER Discussion Paper, Tilburg University, the Netherlands.

CHAPTER 2

Literature Review

Business monitoring is characterized as multi-disciplinary, with its roots in service sciences and accounting. A major challenge in this area of research is to bridge the gap between the two distant worlds of service science and accounting.

This chapter establishes the background knowledge for the basic and related concepts needed to understand this thesis. In Section 2.2 we discuss the main concepts and proceed by introducing some related concepts in Section 2.3. Section 2.4 describes techniques such as PROM and the Resource Event Agent ontology (REA) which will be used in this thesis. These tools and techniques are the building blocks of our research. The chapter ends by summarizing the state-of-the-art and the basic concepts, with bibliography.

2.1 Literature Review Procedure

We have followed the systematic literature review guidelines discussed by (Cooper and Schindler, 2003). A systematic review consists of a review protocol that details the rationale of the survey, research objectives, search strategy, selection criteria, data extraction, synthesis and analysis of the extracted data and interpretation of the findings. In our literature review we have formulated literature review questions, literature search strategy and literature selection criteria.

2.1.1 Literature Review Questions

The contribution of our literature review lies in the analysis and evaluation of published literature related to our area of research. The following literature review questions are based on critical analysis of recently conducted research. Our systematic search strategy, search strings, data extraction and evaluations, results and discussion are aimed at investigating the appropriate tools, techniques and methods for service based auditing. The following are the main research questions related to our literature search:

• Question 1: What are the basic concepts needed for developing service based auditing solution?

• Question 2: Which tools and techniques can help in development of service based auditing solution?

• Question 3: What are the research gaps in the fields of service oriented architecture (SOA) and auditing?

2.1.2 Research Source

For our research, we have included eight electronic libraries/indexing services as data sources namely ACM Digital Library, CiteseerX, IEEE Xplore, ISI Web of Knowledge, ScienceDirect, Scopus, SpringerLink, and Wiley Inter Science Journal Finder.

2.1.3 Search Strategy

Studies from pioneers of the information and/or IT auditing and SOA fields were considered first. Then the focus was on the reference lists of the collected studies. These reference lists revealed the pieces missing from our gathered literature. Most of the time, the reference lists contained references that had already been collected, which validates the literature collection approach and ensures that the search strings perform well enough. Search strings were constructed mainly using the keywords SOA and auditing, and synonyms and related terms were considered as well. Boolean ‘AND’ and ‘OR’ conjunctions with keywords were used in digital libraries instead of plain search strings, such as SOA AND Auditing AND (method OR technique OR approach).

Sample search strings were constructed based on the most cited papers and by frequently going through the alternative key terms and keywords suggested in the papers we initially considered.

2.1.4 Study Selection

It is likely that the search results obtained from the indexing services contain some irrelevant information. For instance, while looking for the search string ‘auditing AND information system’, we selected the paper titled “Audit Firm Rotation and Audit Quality” from the returned results of the query. But after reading the paper, we came to know that it relates to the financial domain, which is not our focus. In order to avoid including irrelevant bibliography, we have performed a selection of the most relevant literature from the returned results. This is mostly done manually by looking at the results returned by our queries. We formulated exclusion and inclusion criteria before reporting certain research in our literature review. These criteria are given in Table 2.1.

| Inclusion Criteria | Exclusion Criteria |
|---|---|
| I1. A study in the form of a scientific peer-reviewed paper. Motivation: A scientific paper guarantees a certain level of quality through a peer review process and contains a substantial amount of content. | E1. A study that is not about IS and IT perspective. Rationale: Our objective is to study audit with respect to the information domain, so we exclude any other audit types. |
| I2. A study which is focused on audit requirements. Motivation: We are interested in performing audit in a service based environment, which implies that any study targeting audit requirements, audit operations and audit issues in the service domain should be included. | E2. A study that is related to challenges and issues about how an audit should be performed on financial data. Rationale: We are not including an audit that focuses on economic and financial aspects of a business such as in corporate finance, as financial audit of ledgers and annual reports follows different audit techniques than what is needed for IS audit. |
| I3. The objective of the study is to present/propose a solution(s) for performing audit in a service based environment. Motivation: We are interested in audit performance with SOA. A solution for this could be a complete audit process/method/framework or a solution enabling audit from a service perspective. | E3. A study that is not addressing auditing from a service perspective. Rationale: We exclude papers with a main objective other than proposing a solution to auditing from a service perspective. |
| I4. We have used some Dutch literature in parallel with English literature. Motivation: As this research is performed in the Netherlands, some concepts from Dutch audit doctrine are being considered. | E4. The study is reported in another language than English and Dutch. Rationale: We exclude literature written in languages other than Dutch and English, since English is the common language for reporting in most of the international venues of computer science. |

Table 2.1: Inclusion/Exclusion criteria for literature search

| Classification Basis | Audit Types |
|---|---|
| Based on organizational structure | Statutory audit, Private audit, Government audit |
| Based on timing and scope of audit procedure | Continuous auditing, Internal audit, Interim audit, Final/Periodical audit, Balance sheet audit |
| Based on specific objective | Cost audit, Special audit, Tax audit, Management audit, Operational audit, Marketing audit, Environmental audit, Social audit, HR audit, Energy audit |

accordance with the research objective/motivation. During our research these criteria are mostly considered in combination such as I1, I2 and E2.

2.2 Auditing

The change occurring in organizations, as a result of development in information technology, introduced challenges to accounting professionals which resulted in auditing of information, where information is representative of a resource which requires effective management in the form of management controls and information management (Davis et al., 2011; Sutton, 2006). Auditing can be (roughly) defined as:

“An evaluation/monitoring/control on an organization/person/product”.

Auditing is an activity which is performed at different times, in different organizations and in different scenarios. Extensive use of IT in organizations paves the way for extended concepts of auditing, namely online and continuous auditing. The use of information for auditing purposes is based on the accounting information system discipline, where the use of information in an organization with respect to related disciplines is described in Figure 2.1. In the following Chapters we will also consider auditing of information in combination with internal controls, information and communication technology and accounting.

In the literature, there is a great deal of variation in classifying auditing, see e.g. (Basu, 2009). In Table 2.2, we provide a classification of audit from different perspectives.

Auditing is usually categorized as (i) internal audit and (ii) external audit. According to the international standard on auditing (ISA) standard 2013, internal auditing typically includes “assurance and consulting activities designed to evaluate and improve the effectiveness of the entity’s governance processes, risk management and internal control”¹. Moreover, internal auditing is characterized as: monitor and evaluate the effectiveness of an organizational risk management and control system (Zarkasyi, 2006). External auditing provides the assurance on the accuracy of the statements (mostly financial). Due to compliance issues, organizations have to pay significant attention to the management, reporting and monitoring of the business processes (Ghose and Koliadis, 2007). The work performed by external vs. internal auditing differs primarily in the type of objective and the type of risk assessed by the auditors. The external audit’s objectives typically lie in existence, completeness, presentation and disclosure, rights and obligations and valuation of financial statements. The Institute of Internal Auditors (IIA), in its International Professional Practices Framework (also known as the Red Book), states that the internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement. Moreover, whether the concern is compliance with internal corporate procedures, external regulatory requirements such as Sarbanes Oxley, or industry codes of conduct such as ISO 14001, effective internal auditing is the basis of compliance management and continuous improvement. Effective compliance management can protect you against potential litigation, financial implications and reputation damages.

¹ International Standard on Auditing: standard 610-Using the Work of Internal Auditors,

Figure 2.1: Information auditing within an organization extracted from (Vaassen, 2002)

Audit is a comprehensive discipline, and how it is performed depends on: (a) the data to be audited, (b) the type of audit to be performed, and (c) the type of outcomes required from the audit process. The frameworks shown in Table 2.3 propose different approaches to performing an audit. In the following Chapters we will also propose an audit framework from the goods flow perspective.

Auditing exists on different levels, depending on the subject (who performs the audit?) and the object of audit (e.g. transactional data, or control procedures). There are three identifiable aspects of auditing which are given below:

• Audit Object: Financial audits, operational audits, departmental reviews, IS audits, integrated audits, investigative audit and follow up audits.

• Audit Subject: Internal audit (Zarkasyi, 2006), external audit (second and third party audit) and owner ordered audit.

| Reference | Description |
|---|---|
| (McNally, 2013) | COSO ERM framework describes an organization’s objectives in the following four categories: (a) strategic, (b) operations, (c) reporting, (d) compliance. |
| (Tuttle and Vandervelde, 2007) | CobiT is another commonly used framework for developing and evaluating technology intensive information systems, used as a benchmark of best control practices, developed and maintained by the Information Systems Audit and Control Association. |
| (Aalst et al., 2011) | Introduces an auditing framework based on process mining. |
| (Schumm et al., 2010) | Proposes a framework for augmenting business processes with reusable process fragments to stimulate compliance by design. |
| (Schaad and Moffett, 2002) | Presents a framework for formally expressing and analysing organizational controls using the Alloy specification language. |

Table 2.3: Existing information processing frameworks

Thus, according to the IIA, auditing is an examination of data, records and operations. The main task of auditing is to give an opinion about the effectiveness of risk management, control, and governance (The Institute of Internal Auditors, 2013).

2.2.1 Continuous and Online Auditing

Continuous auditing was developed at AT&T Bell laboratories in 1989 by Vasarhelyi and Halper (Vasarhelyi and Halper, 1991). Since then, several guidelines have been issued on continuous auditing by different accounting bodies. For example, the Canadian institute of chartered accountants (CICA) and the American institute of certified public accountants (AICPA) issued their red book in 1999, the institute of internal auditors (IIA) issued a global technology audit guide (GTAG) on continuous auditing in 2005, and in 2010, the information systems audit and control association (ISACA) issued an audit and assurance guideline on continuous auditing. Continuous auditing is an evolving notion, therefore different definitions exist (see for example the definitions given by (Chang and Ingraham, 2006) and (Rezaee et al., 2002)). In 1999 CICA and AICPA defined continuous auditing as:

“A process or methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditors’ reports issued simultaneously with or a short period after, the occurrence of events underlying the subject matter” (Ziegenfuss, 2006).

Continuous auditing, as an emerging field, is considered as a conjunction of several sub-components for example:

• Continuous auditing = Continuous control assessment + continuous risk monitoring (Coderre and Police, 2005)

• Continuous auditing = Continuous controls monitoring + continuous transaction monitoring + macro-level trends (Littley and Costello, 2009)

| Dimension | Traditional Auditing | Continuous Auditing |
|---|---|---|
| Frequency | Periodic | Continuous or more frequent |
| Approach | Reactive | Proactive |
| Procedure | Manual | Automated |
| Work | Labour and time intensive audit procedure | Handling exceptions and audit procedures requiring human judgement |
| Nature | Analytical review procedures and sampling testing | Continuous controls monitoring and continuous data assurance of the whole population of data |
| Testing | Manual testing | Data modelling and data analytics |
| Reporting | Periodic | Continuous or more frequent |

Table 2.4: Dimensions of continuous auditing (Chan and Vasarhelyi, 2011)

Continuous auditing relies on automation technology to perform audit activities continuously and frequently (Vasarhelyi et al., 2004). Therefore, continuous auditing can be considered real-time or near real-time, as opposed to periodic traditional auditing. Due to the automation of continuous auditing, the internal auditor’s involvement is reduced (Davidson et al., 2013). The innovation in traditional auditing practices along seven dimensions is shown in Table 2.4 (Chan and Vasarhelyi, 2011). Aalst et al. advocate an auditing approach that is based on continuous monitoring of transaction data (Aalst et al., 2011). Auditing also considers the internal controls, e.g., auditing checks the compliance to the COSO standards (Ghose and Koliadis, 2007). The major goals of continuous auditing are to provide continuous assurance with greater transparency while keeping in view the risks (Vasarhelyi et al., 2004).

Continuous auditing and continuous monitoring mostly use similar data and perform similar types of processing. They are performed in an organization simultaneously, and usually they are coordinated to avoid duplication of work. The point of differentiation is that continuous auditing is performed by independent auditors, while continuous monitoring is performed by the management of the organization. Traditionally, monitoring is done throughout the process, while auditing is done either at the end of a period or when a process is completely finished. Usually audit is performed on the control procedures. However, continuous online assurance comes very close to monitoring in this respect, as it includes observing and analysing a process at or near real-time (Vasarhelyi et al., 2004).

models but also describe a comparison of three well known continuous auditing models (Flowerday et al., 2006).

Continuous (Murcia et al., 2007) and on-line auditing (Aalst et al., 2011; Greiler et al., 2010) can be performed in an organization together as well as separately. There exist some challenges in the field of continuous and online auditing, such as (i) accuracy and completeness of transaction data, (ii) reliability checks of the internal control system, (iii) for continuous auditing, the system needs to be real time, which is expensive to achieve, and (iv) data compatibility formats (Murcia et al., 2007). There is a minute difference between the concepts of continuous and on-line auditing. The main difference is that online auditing can be continuous auditing, but continuous auditing need not be online auditing. This difference is observable especially for enterprise resource planning (ERP) systems (Kuhn Jr and Sutton, 2010). Traditional audit ensures the operating effectiveness of controls. If these controls are not in place or do not function properly, the auditors can only analyse samples, which are only a portion of the overall data. Fortunately, changes in information tools and technologies have improved auditing techniques significantly.

2.3 Associated Concepts & Terminologies

In the previous sections we have discussed topics which are directly related to the topic of the thesis. In this section we shall review the concepts which are required in the development of the smart auditing approach, presented in this thesis. In the following section we will answer the second literature search question given in Section 2.1.

2.3.1 Business Processes

Business process is defined differently by different authors from different perspectives. We will emphasise how instead of what, and will consider a business process to be a specific ordering (in time & space) of activities with a defined beginning and end and a well defined input and output, which will ultimately create some value for the auditor. Rummler & Brache define business process as:

“In a business process we have series of steps designed to produce a product or service. These processes are usually cross-functional, some processes result in a product or service that is received by an organization’s external auditor” (Rummler and Brache, 1990).

2010). BPEL enables organizations to automate their business processes by orchestrating services. It forces organizations to think in terms of services and enables them to compose existing functionality and new applications by exploiting existing services. Services are reused across different applications. After designing the business processes, their management and monitoring is considerably important. This shift to thinking in terms of services instead of processes has led to the notions of business process management, business process monitoring, business activity monitoring, business process re-design and business process risk assessment (Aalst, 2008; Carnaghan, 2006; Danylevych et al., 2010).

2.3.2 Logistic Processes

Processes related to the transportation, storage and intermediate storage of goods are called logistic processes. The challenge is to integrate all the logistic processes in a way that achieves supply chain efficiency. Among logistic processes, supply chain management is a big challenge (Talevski et al., 2005). Usually logistic processes are based on services, and these services can be part of some service oriented architecture (Kunkel et al., 2010; Li et al., 2010; ZhenHua et al., 2009). Management, optimization and monitoring of these logistic services are challenging (Baida et al., 2008), (Baida et al., 2007). Logistic process control and logistic process monitoring tasks demand monitoring each step of the logistic process along the supply chain.

Supply chain monitoring enables the auditors to check the quality conditions during transportation (Michiels et al., 2008). In order to monitor each step of a logistic process, many technologies exist, for example: (a) radio frequency identifier (RFID) can be used throughout the supply chain (Niederman et al., 2007; Wu et al., 2011), and its use increases the amount of data due to continuous monitoring and tracking (Lin et al., 2010; Zhang et al., 2008); (b) electronic product code (EPC), introduced by EPC global (an international industry consortium), uses the concept of unique identification for a single product throughout the supply chain (Tribowski et al., 2009).

2.3.3 Complex Event Processing

Complex Event Processing (CEP) is an event-processing concept mainly used in business process management (Hermosillo et al., 2010). Complex Event Processing is defined as

"A set of tools and techniques for analysing and controlling the complex series of interrelated events that drive modern distributed information systems" (Luckham, 2001).

| Example Industry Area | CEP Application Scenario |
|---|---|
| Transportation | Track & trace scheduling |
| Telecommunication | Service monitoring |
| Logistics | Supply chain monitoring |
| Financial service | Intrusion & fraud detection, predictive consumer information management, adaptive ESB, anti money laundering and more. |
| Manufacturing | Supply chain monitoring |
| Telecommunication | Network & application management |
| Energy | Power & grid monitoring |

Table 2.5: Example industry area

organization. In the second step CEP processes the events, and finally in the third step CEP describes the subsequent actions.

CEP is applicable to business process automation, schedule and control processes, network monitoring and performance prediction, and intrusion detection (Mendes et al., 2008; Wasserkrug et al., 2008). Rule-based systems also use CEP to achieve business intelligence (Agoglia et al., 2011). Event processing works between the areas of business process management/modelling/automation, business activity monitoring (monitoring of processes) and SOA monitoring/management (Ishikawa, 2010; Jobst and Preissler, 2006; Levina and Stantchev, 2009; Wang et al., 2011). Table 2.5 gives examples of the use of CEP in industry scenarios (Komoda, 2006).

2.3.4 System Adaptation

The term ‘adaptive system’ refers to a system that automatically detects changes in its environment. According to some business rules and other compliance requirements, the system decides how to react to the changes. Finally, the system executes the decision.

Figure 2.2: Taxonomy of adaptation (Hiel, 2010)

and is therefore depicted as a cycle. As shown in Figure 2.2, the cycle is composed of three phases: Detect, Decide, and Execute.

In the first phase, the system detects changes using different means, such as through exceptions (faults), through observation, or through notification. In the second phase, the system has to decide where and when to respond to the changes. In the final phase, the system takes an action to execute the decision. The granularity of adaptation can be categorized into two general approaches (McKinley et al., 2004):

• Parameter adaptation: modifying variables to influence the dynamic behaviour of the system;

• Composition adaptation: altering structure or architecture to influence the dynamic behaviour of the system.

The concept of autonomic computing lies very close to the concept of adaptation used in this thesis. The initiative was taken by IBM in 2001 (Kephart and Chess, 2003). The vision of autonomic computing is to create computer systems capable of self-management to overcome the growing complexity in system management (IBM Group, 2006). The term autonomic computing is derived from the autonomic nervous system in human biology. The nervous system can self-manage attributes of the human body such as temperature, heartbeat, and blood sugar level without involving consciousness. In an autonomic computer system, IBM defines the following four broad categories of self-management (IBM Group, 2006):

• Self-configuration: automatic configuration of components;

• Self-healing: automatic recovery;

• Self-optimization: automatic monitoring and control of resources with respect to the defined requirements;

• Self-protection: proactive identification and protection from attacks.

The architecture of an autonomic manager is shown as a loop of four parts that share knowledge, plus sensor and effector (Kephart and Chess, 2003):

• Monitor: collecting and aggregating information from the managed resource;

• Analysis: analysing the situation and IT environment in order to predict the future situation;

• Plan: using policy information to guide its work;

• Execute: executing the plan;

2.4 Theories

In this section we will discuss some theories related to auditing. Auditing of business processes, controls and event logs has been widely discussed by (Bierstaker et al., 2009; Carnaghan, 2006; Kopp and O’Donnell, 2005). These papers discuss business-process-focused audit, software and internal control auditing, flowcharts and business models auditing. In parallel, Jans et al. and Aalst introduced the concept of process mining in the research on auditing and supported the ideas of (i) extracting knowledge from event logs, (ii) their analysis and (iii) audit evaluation report generation (Aalst, 2009; Jans et al., 2010).

Business data should be analysed based on the choice of activities and the process instance. PROM is a process mining tool for event log analysis and compliance checking. Services trigger events, and events are analysed using the event log. For auditing in an SOA environment, we have considered process mining and the PROM tool as fundamental building blocks (Aalst, 2011).

The audit process is performed according to the guidelines proposed by different accounting bodies, for example AICPA and CICA. The use of business ontology for supplementing audit is discussed in our thesis. There exist a number of business ontologies, and each ontology has its own focus, as discussed by Dietz (Dietz, 2006). The following list describes some well known ontologies and their focus:

• Business Modelling Ontology (BMO): based on e-business models (Osterwalder, 2004),

• e3 value ontology: founded on controls and value propositions in business (Gordijn et al., 2006),

• REA ontology: basis for accounting information systems, focused on representing increases and decreases of value in an organization (McCarthy, 1982)

The list of ontologies given above is not exhaustive. As discussed in Section 1.4, the focus of our thesis is the economic aspects of business, and the REA ontology emphasizes the economics of events and replaces double-entry bookkeeping with semantic models of economic exchanges and conversions.

2.4.1 Process Mining

2.4. THEORIES 23 problems and monitoring deviations (e.g, comparing the observed events with prede-fined models or business rules). It is closely related to business activity monitoring (BAM), business operation management (BOM), business process intelligence (BPI), and data/work-flow mining (Aalst, 2011; Aalst et al., 2003). Van der Aalst et al. has proposed the use of process mining technology to support auditing under the name of “Auditing 2.0” (Aalst et al., 2010). Process mining is a collection of methods used to distil structured process descriptions from an event log (Aalst, 2011). This event log is constructed from raw data extracted from information systems such as enterprise resource planning (ERP) or business process management system. In order to facilitate process mining analysis, four characteristics are needed to be extracted from the information systems (Jans et al., 2012):

• The activity that takes place during the event;

• The process instance of the event;

• The party responsible for the event;

• The timestamp of the event.

Jans and her colleagues conducted a case study on using process mining of event logs in the internal auditing of a procurement process (Jans et al., 2012). The case study took place in a major European bank. The event logs were constructed from the audit trail of an ERP system. The results of the case study were satisfactory, since they uncovered several material weaknesses in a process that had already been audited by the company’s internal auditors. Moreover, they were able to identify several transactions that required further investigation by the internal auditors, such as many violations of the segregation of duty principle and mismatches between real payments and invoices.

With the wave of event log and process mining techniques, a new form of auditing came into being, known as Auditing 2.0 (Aalst et al., 2011). The Online Auditing Tool (OLAT) is based on Auditing 2.0; it monitors the relevant activities of the information system and checks whether these events conform to the business rules. OLAT is log based and works in two modes: one mode reports violations of business rules to the management of the organization, and the other informs the information system. Therefore, we can call OLAT an external control mechanism. However, the OLAT tool can detect a (potential) violation, and we can use this information to prevent the violation or to enact a compensation. OLAT is dependent on the information system. Our research is built upon accounting information system (AIS) concepts such as business rules auditing, information auditing and service based auditing; therefore OLAT and its underlying concepts have the potential to be used in our research.
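The following added example (not code from the thesis, from Jans et al., or from OLAT) shows how an event log carrying the four characteristics listed above can be checked for the two kinds of findings the case study reports: segregation-of-duties violations and payment/invoice mismatches. The activity names, the `amount` field, the rule pairs in `SOD_PAIRS` and the sample log are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log: (process instance, activity, party, timestamp, amount).
# "amount" is an extra attribute assumed here to match payments to invoices.
EVENTS = [
    ("PO-1", "create_order",    "alice", "2014-03-01T09:00", None),
    ("PO-1", "approve_order",   "bob",   "2014-03-01T11:00", None),
    ("PO-1", "receive_invoice", "carol", "2014-03-05T10:00", 500.0),
    ("PO-1", "pay_invoice",     "dave",  "2014-03-09T15:00", 500.0),
    ("PO-2", "create_order",    "erin",  "2014-03-02T09:30", None),
    ("PO-2", "approve_order",   "erin",  "2014-03-02T09:35", None),
    ("PO-2", "receive_invoice", "carol", "2014-03-06T10:00", 1200.0),
    ("PO-2", "pay_invoice",     "dave",  "2014-03-08T12:00", 1250.0),
    ("PO-3", "create_order",    "alice", "2014-03-03T08:00", None),
    ("PO-3", "pay_invoice",     "dave",  "2014-03-04T08:00", 300.0),
]

# Hypothetical business rule: these activity pairs need different parties.
SOD_PAIRS = [("create_order", "approve_order"), ("approve_order", "pay_invoice")]

def audit(events):
    """Return sorted (case, rule, detail) findings for an event log."""
    cases = defaultdict(list)
    for case, activity, party, ts, amount in events:
        cases[case].append((datetime.fromisoformat(ts), activity, party, amount))
    findings = []
    for case, trace in cases.items():
        parties, totals, first_seen = defaultdict(set), defaultdict(float), {}
        for ts, activity, party, amount in sorted(trace, key=lambda e: e[0]):
            parties[activity].add(party)
            totals[activity] += amount or 0.0
            first_seen.setdefault(activity, ts)
        # Segregation of duties: one party performing both activities of a pair.
        for a, b in SOD_PAIRS:
            for p in sorted(parties[a] & parties[b]):
                findings.append((case, "segregation_of_duties", f"{p}: {a}+{b}"))
        paid, approved = first_seen.get("pay_invoice"), first_seen.get("approve_order")
        if paid is not None:
            # Payment must follow an approval and equal the invoiced total.
            if approved is None or paid < approved:
                findings.append((case, "payment_before_approval", ""))
            diff = round(totals["pay_invoice"] - totals["receive_invoice"], 2)
            if diff != 0:
                findings.append((case, "payment_invoice_mismatch", f"{diff:+.2f}"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(EVENTS), sep="\n")
```

Findings are grouped per process instance, so each one points the auditor to the case to pull from the ERP audit trail.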

2.4.2

Computational Auditing


Computational auditing is based on Petri-net theory and deontic logic. Its fundamental concepts are value cycle behaviour structure, value jump, segregation of duties (in relation to the value cycle), spanning reconciliation checks, axiomatic proviso and the auditee’s behaviour in the modalities ’Soll’ (i.e., normative) and ’Ist’ (i.e., actual). Computational auditing knowledge provides the foundation for the development of a system known as Smart Audit Support, which was primarily used for the international audit practices of Deloitte Touche Tohmatsu International (Elsas, 1996). The first release of Smart Audit Support was delivered in August 1994 (Elsas, 2011).

2.4.3

Resource Event Agent

Resource Event Agent (REA) is a generalized accounting framework designed to be used in a shared data environment by professionals (accountants and non-accountants). The REA ontology was first formulated in 1982 (McCarthy, 1982). The basic philosophy of REA is:

“If an enterprise wants to increase the total value of resources under its control, it usually has to decrease the value of some of its resources”.

A resource is any object that is under the control of an agent and regarded as valuable by some agent, while an agent is an individual or organization capable of having control over economic resources and transferring or receiving that control to or from other agents. The constituents of processes are called economic events. The basis of REA is the semantic data model for accounting proposed by McCarthy (McCarthy, 1982). REA mainly focuses on enterprise concepts such as accountability and control principles. REA discusses interconnected transaction cycles that all contribute to the generation of value for the enterprise. Usually each transaction cycle consists of business processes. REA uses the principle of economic reciprocity (i.e., give and take), the resources whose value is affected by these events and the agents involved in these events. Economic resource, economic agent, economic event, commitment and contract are fundamental REA concepts (Hrubý et al., 2006), as shown in Figure 2.3.

• Economic Resource: A thing that is scarce, has utility for economic agents, and is something users of business applications want to plan, monitor, and control.

• Economic Agent: An individual or organization capable of having control over economic resources, and of transferring or receiving that control to or from other individuals or organizations.


Figure 2.3: Basic REA concepts (Hrubý et al., 2006)

• Commitment: It is a promise or obligation of economic agents to perform an economic event in the future.

• Contract: A collection of increment and decrement commitments and terms is known as contract. Under the conditions specified by the terms, a contract can create additional commitments. Thus, the contract can specify what should happen if the commitments are not fulfilled.

REA recognizes two kinds of duality between events: conversion duality and exchange duality. Exchange is a process in which an enterprise receives economic resources from other economic agents and gives resources to other economic agents in return. Conversion is a process in which an enterprise uses or consumes resources in order to produce new resources or modify existing ones. REA structures provide a solid basis for dealing with economic events in an SOA environment (Overhage and Schlauderer, 2010). There is a direct mapping from REA models to database structures (Chang and Ingraham, 2006). The dualities express integrity constraints that can be used both for the design of control mechanisms (preventive) and for the detection of deviating behaviour (detective). These dualities can be of added value during the audit process.
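As an added illustration of the detective use of dualities (not code from the thesis or from the REA literature), the sketch below treats each duality as an integrity constraint over recorded economic events: every duality must contain at least one increment and one decrement, and in an exchange both sides must involve the same outside agent. The record layout, the same-counterparty rule and the sample events are assumptions constructed for this example.

```python
from collections import defaultdict, namedtuple

# Hypothetical record layout for an economic event, seen from the enterprise.
Event = namedtuple("Event", "id duality kind direction resource counterparty")

# Constructed sample data; conversions have no outside counterparty.
EVENTS = [
    Event("e1", "D1", "exchange",   "decrement", "goods",     "customer-A"),
    Event("e2", "D1", "exchange",   "increment", "cash",      "customer-A"),
    Event("e3", "D2", "exchange",   "decrement", "goods",     "customer-B"),
    Event("e4", "D3", "exchange",   "decrement", "cash",      "supplier-X"),
    Event("e5", "D3", "exchange",   "increment", "materials", "supplier-Y"),
    Event("e6", "D4", "conversion", "decrement", "materials", None),
    Event("e7", "D4", "conversion", "increment", "goods",     None),
    Event("e8", "D6", "exchange",   "increment", "cash",      "customer-D"),
]

def check_dualities(events):
    """Return (duality id, finding) pairs for dualities that break a constraint."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev.duality].append(ev)
    findings = []
    for duality, evs in sorted(groups.items()):
        inc = [e for e in evs if e.direction == "increment"]
        dec = [e for e in evs if e.direction == "decrement"]
        # Reciprocity: a give without a take (or the reverse) is a deviation.
        if not inc:
            findings.append((duality, "missing_increment"))
        elif not dec:
            findings.append((duality, "missing_decrement"))
        # Exchange only: resources go to and come from the same agent
        # (assumed rule; a mismatch is flagged for review, not proof of fraud).
        elif evs[0].kind == "exchange" and (
            {e.counterparty for e in inc} != {e.counterparty for e in dec}
        ):
            findings.append((duality, "counterparty_mismatch"))
    return findings

if __name__ == "__main__":
    print(*check_dualities(EVENTS), sep="\n")
```

The same constraints could be enforced when an event is recorded, which is the preventive use the paragraph mentions.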

2.5

Research Gaps
