8/2/2006 Prelimary – do not quote 1

Transaction Objects, Control Objects, Control tags and

Tags Dynamics

Miklos A. Vasarhelyi

Rutgers University

2

Outline

Introduction Transaction Objects Control Objects Control tags Tags Dynamics Conclusions

8/2/2006 Prelimary – do not quote 3

Introduction

4

The evolving environment WEB services create a set of anonymous cooperating

processes Transactions are complex virtual entities that can assume

many forms and can be modified by sequential processes Transactions can be routed along processes and

modified by these processes Data structures are being progressively balkanized Transactions, databases, and processes can cooperate in

forms that are bizarre under traditional systems designs

5

Introduction The emergence of digital business

measurement and document processing has changed fundamentally business processes

Control measurement has been interpreted as control documentation

XBRL/FR deals with the reporting tail end of the process

XBRL/GL allow for a more granular data structure

There are major conceptual needs in this world

6

Conceptual needs Transactions must be defined with unique

characteristics relative to type (objects) Controls must be describable, measurable,

monitorable, and combinable Transaction x control clusters must be

definable and measurable Transactions must have some form of

accuracy (quality) parameter and this parameter must be related to its entailing processes

Transactions must have security mechanisms to ensure their integrity

7

Basic Elements

Business process Transaction Control Database Events Procedures and Flows

8/2/2006 Prelimary – do not quote 8

Transaction Objects

9

What is a transaction?

Is a unique record transmitted among processes?

Is a record that is modified in a sequence of processes?

Is a single record of a database? Is a basic atom of certain XML derivative

languages? Is a matching unit of an XBRL/GL taxonomy?

10

Customerdatabase

Productdatabase

Salesperson

database

Client

Items

Sold

Client Management

Process

Clientdatabase

Sales

person

• A process generates a transaction that has 97% reliability

•The best estimator is that the transaction is 97% reliable

•What does that mean?

Automatic confirmation

Data entry edit - lookup

Management Control

Management Control

•Bad database item

•Bad data entry

•Correct form, entry but fallacious transaction due to other process fault

•Not delivered

•Client cannot pay

•Product defective

•Broken in transit

•Client changed mind

•Product bad

11

Transaction objects

Must be defined when a process is conceived Have object characteristics, attributes, defined

behaviors, and inheritance algorithms Have to have defined their interaction with

other processes Are affected by controls and processes and

events

8/2/2006 Prelimary – do not quote 12

Control Objects

13

Control Objects There are many types They have unique attributes such as

transactions They modify business processes and

transactions The control object can be part of a transaction,

part of a BP, encompass several business processes

May be linear, layered, amorphous, sequential, parallel, etc…

14

Types of Controls – Summary

I. AUTHORIZATIONS II. VALIDITY III. POPULATION AND TRANSFER CONTROLS IV . PROCESS CONTROLS V. COVERAGE

• Va. SEGREGATION• V.b SUPERVISION• V.c RULES AND PROCEDURES• V.d INSURANCE

VI. ACCESS VII. AUDIT (ex-post analysis) VIII. COMPLIANCE WITH GAAP

15

Types of Errors

I. PROCEDURAL ERRORS II. COMPUTATION ERRORS III. ACCOUNTING ERROR IV. INTEGRITY ERROR V. TIMING ERROR VI. GAAP ERROR VII. IRREGULARITIES VIII. LEGAL ERRORS IX. MISCELLANEOUS

MANAGEMENT ERRORS

16

Info

rmatio

n an

d C

om

mu

nicatio

n

Control ActivitiesICPsICC

Control Environment

MONI TORING

Risk Assessment

Operations Financial Compliance Reporting

Unit A

Unit B

Entity 1

Entity 2

Entity 3

Manual &AutomatedSystems

MetricsAnalyticsAlarmsStandards

Basic set of ControlsControl reportsControl MetricsControl Evaluation rules

COSO and continuous monitoring

17

•"An internal control procedure (ICP) is a single control measure such as the checking of a control total." (Cushing[1], p.25)

•Controls are seldom used in isolation and may entail anything from one procedure with many functions (such as supervision) to a precise numerical check. It is necessary, therefore to define and relate internal controls, and groups of controls.

•"An Internal Control Cluster (ICC) consists of one or more internal control procedures related to one or more types of error or activity, while an internal control system (ICS) is a set of ICCs that constitute a particular cycle of the business organization." (Vasarhelyi, op. cit., p. 43)

8/2/2006 Prelimary – do not quote 20

Control tags

21

Definition

XML derivative tagging with a new type of tag, the control tags that incorporate specific control information on items of information.

22

Types of Control Tags 1) reliability related tags

• that specify the reliability of the item being measured

• at its most basic it entails the reliability of the control process that has generated the transaction

2) control aid tags• tags that serve to leave behind tracer information on the

datum processing (cookie crumbs),

• tags that record processes that the transaction was submitted,

• tags that contain other control information, and

• a mixture of the above.

23

Reliability control tags

An ongoing assessment of the reliability of the control processes that generate a transaction is made.

This measurement is carried with the transaction

If it is subject to other processes, this reliability assessment is changed

24

Control tags, cookie crumbs and digital IDs

ConsolidationFinancial statements

Subsidiary 2Financial statements

Subsidiary 3Financial statements

Subsidiary 1Financial statements

Assurance station

DID1

DID6

DID5DID4

DID2

DID3 Financial IntermediaryFinancial statements

analysis

DID7DID8

DID9

Dynamic control spots with cookie crumb

collection

25

Tracer related control tags (cookie crumbs)

Tags carry a unique identifier of the transaction that is encrypted

This identifier is deposited in tracer receptacles across the transaction path

Public x private encrypting schema are used to verify transaction paths

26

Path recording control tags

Transactions record its path by collecting process DIDs and carrying them encrypted

Alternatively these may be deposited in a third party safe Web site and a pointer carried

Information about the crypt decoding key / method is carried by the transaction as a tag

27

Information Control Tags

Contain other control related information that could entail• Organizational placement and hierarchies

• Reliability change related information

• Name of the DLA assuror, e.g. KPMG

• Outsource related agreements

8/2/2006 Prelimary – do not quote 28

Tags Dynamics

29

Followups Clientdatabase orders

database Price-product

database transactiondatabase

Process 1Pre-salesProcesses

lComplementaryproducts

Salespeople-entities

leads

SalesProcesses

Provisioningprocesses

CashCollections

Receivables

client

8/2/2006 Prelimary – do not quote 30

Conclusions

31

Conclusions The balkanization financial information distribution

creates serious integrity concerns One must create a new conceptualization to

understand and represent the elements of business processes

Control tags associated to XML derivative transactions can deal with many of these problems

Substantial investments on the standards, their implementation into software, and their conceptualization must be made

32

Conclusions 2

Transactions and controls are object types with unique characteristics related to their types

They have to be unique in type and measurable

They are denominated in clusters and procedures

They are modified across the life-cycle of the busines process elements