Foreign Language Translation

Original text

A Formal Approach for Internal Controls Compliance in Business Processes

Material source: http:/
Authors: Kioumars Namiri, Nenad Stojanovic

Abstract. Regulatory compliance requirements in the area of Internal Controls such as the Sarbanes-Oxley Act force enterprises to identify, shape and document their business processes. In this context enterprises require mechanisms to ensure that their business processes implement and fulfill compliance requirements independently from business level requirements. In this paper we present a novel approach for the modeling and implementation of Internal Controls in business processes. The approach is based on the formal modeling of Internal Controls, thus it can serve as the basis for the usage of logic mechanisms in the compliance verification process. The main idea is the introduction of a semantic layer in which the process instances are interpreted according to given control statements, without changing the original business processes.

Keywords: BPM, Regulatory Compliance, Formal Verification, Semantic

The advent of regulatory compliance requirements in the area of Internal Controls such as the Sarbanes-Oxley Act 2002 (SOX) requires the implementation of an effective Internal Controls system in enterprises as a management responsibility. In this context COSO (Committee of Sponsoring Organizations of the Treadway Commission) has proposed an integrated framework, which is recognized by regulation bodies and auditors as a de facto standard for realizing the Internal Controls System. COSO defines Internal Controls as a "process" designed to provide reasonable assurance regarding the achievement of objectives in effectiveness and efficiency of operations, reliability of financial reporting and compliance with applicable laws and regulations. Following is a summary of the Internal Controls process:

1. Identify all the significant accounts in the company.
2. Identify for those accounts all relevant business processes affecting them.
3. Define for each relevant business process a set of control objectives specific to the enterprise that must hold for that process.
4. Continuously assess the risks for the enterprise by identifying them for each control objective.
5. Design and implement, based on the risk assessment, a set of effective controls in order to prevent or detect the occurrence of the identified risks. The controls must be tested and used in daily operations.

Since the realization and effectiveness of the above process involves different roles such as internal and external auditors together with consultants, the introduction and operation of Internal Controls compliance (i.e. SOX 404) is considered to be expensive and time consuming. An approach is required to bring a higher level of adaptability, reusability and usability to the Internal Controls compliance process. Adaptability is defined as an easy and fast way to introduce new or changed controls on business processes. Reusability is related to the possibility of describing the controls on the conceptual level in order to abstract from the concrete implementation details of the controls. Usability addresses the need to bridge the gap between the non-technical auditing consultants and the technical people realizing the controls implementation.

This paper introduces an abstraction layer above a business process, in which the controls are formally modeled and evaluated against existing process models and instances. It describes a novel, semantically-driven approach for the automation of Internal Controls in an enterprise, based on their conceptual separation from Business Process Management (BPM). In this semantic layer the controls are formally modeled and evaluated against existing process instances. We see several advantages of such an approach:

1. It enables the usage of formal methods, like inference, for the verification of a business process's compliance with Internal Controls and SOX.
2. Consequently, the compliance check will be performed automatically, based on the current state of the parameters (instances) of a business process.
3. Moreover, the conceptual description of control conditions ensures the flexibility of the approach, i.e. changes to the controls will not require changes to the design and execution of the original business processes.
4. Finally, through another abstraction layer introduced on top of the compliance definitions, we ensure that non-experts can build on top of the domain model provided.

We are mostly concerned with the automation of the so-called Application Controls (AC), which control business processes to support financial control objectives and to prevent or detect unauthorized transactions. However, the approach provides a general framework that can be applied with respect to any other compliance domain using BPM technology.

The paper is organized as follows: We start with a motivating scenario for a new, flexible approach for compliance management. In the third section we introduce the domain model of Internal Controls/SOX compliance. In the fourth section we present our approach using the entities introduced in the domain model, whereas the fifth section explains its implementation architecture. Related literature is discussed in section six. Concluding remarks and some future research questions are given in the last section.

Related Work

On a conceptual level our work is related to Integrating Risks in Business Process Models, where a taxonomy of risks in business processes is provided. It does not explicitly state how a risk is positioned inside the Internal Controls compliance domain and leaves the semantic link between risks, business process design and execution open. In Designing Compliant Business the logic behind the obligations and permissions on a business process is made explicit in the form of temporal deontic assignments that can be used in business process design, respectively in their contracts. In these approaches the constraints on a business process would be designed into the business process, while we show how a designed constraint can be applied at execution time on business processes. The work done on Business Rules using Aspect Oriented Programming (AOP) techniques to extend the functionality of BPEL is close to the separation of Internal Controls compliance concerns from BPM. Software providers also offer related solutions for compliance management. Taming Compliance with Sarbanes Oxley Internal Controls Using Database Technology gives an overview of and discusses the current software products in this area and their limitations. However, to the best of our knowledge, there is no approach which shows how Internal Controls could be declaratively formulated by introducing a specific domain model for Internal Controls and showing an approach to formally declare and apply the controls separately from processes.

In this paper we introduced a semantics-based approach for the conceptual modeling of Internal Controls required by regulations such as SOX. They are captured as declarative rules and deployed at execution time on business processes. We built the model based on the de facto Internal Controls standard called COSO. Using this approach, new application controls can be defined on business processes without changing the original business logic of the processes. The approach will enable the definition of the controls outside of the workflow. One concern in this context is the fact that, although in our approach the recovery actions do not change the original business logic of the process, we have to verify the approach against results in the area of adaptive workflows. Further we plan to detail the formalization and apply it to BPMN as the target process modeling environment. Regarding the proposed architecture and the SemanticMirror synchronization component, we have to analyze and validate the performance affecting its real feasibility. Another issue that must be addressed is inter-control dependency: in order to become effective, a "well-designed" control may depend on the existence, effective design and operation of other controls. This issue is actually also mentioned directly by law. Further, COSO (and also the law) calls in this context to "manage the change" in the enterprise, which means among other things that a new or redesigned business process should always be followed by a new risk assessment (and possibly a new or updated set of controls). Today this is carried out mostly manually. We consider bringing a higher level of automation into this approach to be an open research question.

In this paper we introduced a semantics-based approach for the conceptual modeling of internal controls required by regulations such as SOX. These controls are captured declaratively and checked during the execution time of business processes. On a conceptual level our work is related to , where a taxonomy of risks for business processes is provided. The logic behind the obligations and permissions on a business process and contracts is made using temporal deontic logic. An overview and discussion of the current industrial software products in this area and their limitations is also given.

Translation

A Formal Approach for Internal Controls Compliance in Business Processes

Source: http:/
Authors: Kioumars Namiri, Nenad Stojanovic

Abstract: Mandatory regulations in the area of internal controls, such as the Sarbanes-Oxley Act, require enterprises to identify the relevant business processes and document them. In this context, enterprises need mechanisms to ensure that their business processes implement and fulfill the requirements independently of business-level requirements. This paper proposes a new approach for modeling and implementing internal controls in business processes. The approach is built on the formal modeling of internal controls, so it can serve as the logic mechanism of the verification process for whether internal controls are being followed. The main idea is to introduce a semantic layer in which process instances are interpreted according to the given control statements, without changing the original business processes.

Keywords: business process management, regulatory requirements, formal verification, semantic technology
Mandatory regulations in the area of internal controls, such as the Sarbanes-Oxley Act, require enterprises to identify the relevant business processes and document them. In this context COSO (the Committee of Sponsoring Organizations of the Treadway Commission) has proposed a unified framework, which regulators and auditors regard as the de facto standard for implementing an internal controls system. COSO defines internal control as a "process" designed to provide reasonable assurance regarding the achievement of objectives in the effectiveness and efficiency of operations, the reliability of financial reporting, and compliance with applicable laws and regulations. The following is a summary of the internal controls process: identify all significant accounts of the company; identify, for those accounts, the relevant business processes affecting them; define for each relevant business process a set of enterprise-specific control objectives that must hold for that process; continuously assess the risks to the enterprise by identifying them for each control objective; design and implement, on the basis of the risk assessment, a set of effective controls to prevent or detect the occurrence of the identified risks; the controls must be tested and applied in daily operations. Since the implementation and effectiveness of the above process involve different roles, such as internal and external auditors together with consultants, the introduction and operation of internal controls compliance (e.g. SOX) is considered expensive and time-consuming.

An approach is needed that brings a higher level of adaptability, reusability and usability to the internal controls compliance process. Adaptability is defined as an easy and fast way to introduce new or changed controls on business processes. Reusability concerns the possibility of describing controls at the conceptual level, so as to abstract from the concrete implementation details of the controls. Usability addresses the need to bridge the gap between non-technical auditing consultants and the technical staff who implement the controls. This paper introduces an abstraction layer above the business process, in which controls are formally modeled and evaluated against existing process models and instances. It describes a novel, semantically driven approach to automating internal controls in an enterprise, based on their conceptual separation from business process management. In this semantic layer the controls are formally modeled and evaluated against existing process instances. We see the following advantages of such an approach: 1. It enables the use of formal methods, such as inference, to verify a business process's compliance with internal controls and SOX requirements. 2. Consequently, compliance checking will be carried out automatically, based on the current state of the parameters (instances) of a business process. 3. Moreover, the conceptual description of control conditions ensures the flexibility of the approach, that is, changes to the controls do not affect the design and execution of the original business processes. 4. Finally, through another abstraction layer introduced on top of the compliance definitions, we ensure that non-experts can build on top of the provided domain model. We are mainly concerned with the automation of so-called Application Controls (AC), which control business processes to support financial control objectives and to prevent or detect unauthorized transactions. However, the approach provides a general framework that can be applied to any other compliance domain using BPM technology. The paper is organized as follows: we begin with a motivating scenario for a flexible approach to compliance management. In the third section we introduce the domain model of internal controls compliance. In the fourth section we present our approach using the entities introduced in the domain model, while the fifth section explains the implementation architecture and discusses related literature. Concluding remarks and some future research questions form the last section.

On a conceptual level our work is related to Integrating Risks in Business Process Models, where a taxonomy of risks in business processes is provided. It does not explicitly state how a risk is positioned within the internal controls compliance domain, and leaves the semantic link between risks, business process design and execution open. In Designing Compliant Business, the logic behind the obligations and permissions on a business process is made explicit in the form of temporal deontic assignments that can be used in business process design and, respectively, in their contracts. In these approaches the constraints on a business process would be designed into the business process, whereas we show how a designed constraint can be applied to business processes at execution time. The work on Business Rules that uses Aspect Oriented Programming (AOP) techniques to extend the functionality of BPEL is close to the separation of internal controls compliance concerns from BPM. Software vendors also offer related solutions for compliance management. Taming Compliance with Sarbanes Oxley Internal Controls Using Database Technology gives an overview of the current software products in this area and discusses their limitations. However, to the best of our knowledge, no approach has shown how internal controls can be formulated declaratively by introducing a specific domain model for internal controls and presenting a method for formally declaring and applying the controls separately from the processes.

In this paper we have introduced a semantics-based approach for the conceptual modeling of internal controls required by regulations such as SOX. They are captured as declarative rules and deployed on business processes at execution time. We built the model on the de facto internal controls standard called COSO. Using this approach, new application controls can be defined on business processes without changing the original business logic of the processes. The approach will make it possible to define controls outside of the workflow. One concern in this context is the fact that, although in our approach the recovery actions do not change the original business logic of the process, we still have to validate the approach against results in the area of adaptive workflows. Going forward, we plan to detail the formalization and apply it with BPMN as the target process modeling environment. Regarding the proposed architecture and the SemanticMirror synchronization component, we must analyze and validate the performance that affects its real feasibility. Another issue to be addressed is inter-control dependency: in order to become effective, a well-designed control may depend on the existence, effective design and operation of other controls. In fact, this issue is also mentioned directly by law. Furthermore, COSO (and the law) calls in this context for "managing change" in the enterprise, which means, among other things, that a new or redesigned business process should always be followed by a new round of risk assessment. Today this is carried out mostly manually; we consider bringing a higher level of automation into this approach to be an open research question. In this paper we have introduced a semantics-based approach for the conceptual modeling of internal controls required by regulations such as SOX. These controls are captured declaratively and checked during the execution time of business processes. On a conceptual level our work is related to work in which a taxonomy of risks for business processes is provided. The logic behind the obligations and permissions on business processes and contracts is expressed in temporal deontic logic. An overview of the current industrial software products in this area and their limitations is also given.
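The paper describes controls as declarative rules evaluated in a semantic layer against process instances, each control tied to a control objective and a risk from the COSO-style process above, with a recovery action that leaves the process logic untouched. The following Python illustration is an added example, not the authors' code or the SemanticMirror implementation: the purchase-order process, the three application controls (segregation of duties between creating and approving, a second approver above an assumed 10,000 threshold, and no payment before approval), and the event logs are all constructed here to show the separation the paper argues for.

```python
"""Added illustration: declarative Application Controls evaluated against
business process instances in a layer outside the process itself.
Process activities, control rules, the 10,000 threshold and the sample
event logs are assumed for this example, not taken from the paper."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass
class ProcessInstance:
    """A running process as seen by the semantic layer: its ordered event log.
    Each event: {"activity": str, "actor": str, "data": dict}."""
    instance_id: str
    events: List[Dict]


@dataclass
class Control:
    """Declarative control: objective, the risk it mitigates, a predicate over
    an instance (True = control holds) and the recovery action to trigger."""
    control_id: str
    objective: str
    risk: str
    holds: Callable[[ProcessInstance], bool]
    recovery: str


def actors_of(inst: ProcessInstance, activity: str) -> Set[str]:
    """All actors who performed the given activity in this instance."""
    return {e["actor"] for e in inst.events if e["activity"] == activity}


def po_amount(inst: ProcessInstance) -> float:
    """Largest purchase-order amount recorded in the instance (0 if none)."""
    return max((e["data"].get("amount", 0) for e in inst.events
                if e["activity"] == "create_po"), default=0)


def sod_create_approve(inst: ProcessInstance) -> bool:
    """Segregation of duties: nobody both creates and approves the same PO."""
    return not (actors_of(inst, "create_po") & actors_of(inst, "approve_po"))


def four_eyes_over_limit(inst: ProcessInstance, limit: float = 10_000) -> bool:
    """Assumed threshold control: POs above the limit need two distinct approvers."""
    return po_amount(inst) <= limit or len(actors_of(inst, "approve_po")) >= 2


def payment_after_approval(inst: ProcessInstance) -> bool:
    """Detective control on ordering: no payment released before an approval."""
    approved = False
    for e in inst.events:
        if e["activity"] == "approve_po":
            approved = True
        if e["activity"] == "release_payment" and not approved:
            return False
    return True


# The control set lives here, outside the workflow definition, so it can be
# changed without redesigning the process (the paper's adaptability goal).
CONTROLS: List[Control] = [
    Control("AC-01", "Purchases are authorized", "self-approved or fictitious orders",
            sod_create_approve, "escalate to purchasing manager for re-approval"),
    Control("AC-02", "High-value purchases are authorized", "single-person approval of large spend",
            four_eyes_over_limit, "hold payment until a second approver signs"),
    Control("AC-03", "Payments match approved orders", "unauthorized disbursement",
            payment_after_approval, "reverse payment and open audit ticket"),
]


def evaluate(inst: ProcessInstance, controls: List[Control] = None) -> List[Dict]:
    """Interpret one instance against every control; return the violations."""
    controls = CONTROLS if controls is None else controls
    return [{"instance": inst.instance_id, "control": c.control_id,
             "risk": c.risk, "recovery": c.recovery}
            for c in controls if not c.holds(inst)]


def semantic_mirror(instances: List[ProcessInstance],
                    controls: List[Control] = None) -> Dict[str, List[Dict]]:
    """Mirror of all instances: instance id -> list of control violations."""
    return {inst.instance_id: evaluate(inst, controls) for inst in instances}


def ev(activity: str, actor: str, **data) -> Dict:
    return {"activity": activity, "actor": actor, "data": data}


# Constructed sample event logs (not real data).
SAMPLE_INSTANCES = [
    ProcessInstance("PO-1001", [ev("create_po", "alice", amount=4000),
                                ev("approve_po", "bob"), ev("release_payment", "carol")]),
    ProcessInstance("PO-1002", [ev("create_po", "alice", amount=2500),
                                ev("approve_po", "alice"), ev("release_payment", "carol")]),
    ProcessInstance("PO-1003", [ev("create_po", "dave", amount=25000),
                                ev("approve_po", "bob"), ev("release_payment", "carol")]),
    ProcessInstance("PO-1004", [ev("create_po", "erin", amount=800),
                                ev("release_payment", "carol"), ev("approve_po", "bob")]),
]

if __name__ == "__main__":
    for instance_id, violations in semantic_mirror(SAMPLE_INSTANCES).items():
        print(instance_id, "compliant" if not violations else violations)
```

Adding or tightening a control means editing the `CONTROLS` list only; the event producers (the process) never change, which is the property the paper wants from its semantic layer. In a real deployment the event log would be fed from the process engine and the recovery string would be replaced by a call into the compensation mechanism the paper leaves for future work.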