Alert Driven Process Integration and Exception Handing: A Case Study on Audit Confirmation with Web Services

learningsnortSecurity

Nov 3, 2013 (3 years and 7 months ago)

51 views


1

Alert Driven Process Integration
and Exception Handing
:

A Case Study on
Audit
Confirmation

with Web Services


Mandy Y.S. Tong
1

and
Dickson K.W. Chiu
1,2
,
Senior Member, IEEE

1
Department of Computer

Science, Hong Kong
Baptist
University

2
Dickson Computer S
ystems,
7 Victory Avenue, Kowloon,
Hong Kong

email:
mandy_ystong@yahoo.com.hk
,
dicksonchiu@ieee.org


Abstract


I
nformation technology has recently been employed
widely
in different industr
ies
.
H
owever, in the audit
profession,
there is
limited adoption of

co
n
temporary
information technolog
ies
.
Besides automating regular
audit processes, which mainly i
n
volve
s

streamlining the
communications across different organ
i
zations (such as
the client and
its business partners)
, the mon
i
toring of
the overall process a
s well as exception ha
n
dling is
crucial to the process quality and responsiv
e
ness.

I
n
this paper,
we apply our earlier framework of e
-
service
enactment and enforcement for requirements elic
i
tation
and use the concept of alert management for process
modelin
g, together with a Web service based
impl
e-
me
n
tation

for data and process integration. We illu
s-
trate
our approach

to an Alert
-
driven Audit Manag
e-
ment System (ADAMS)
with a case study on the
audit
confirmation process, which requires the most autom
a-
tion of w
ork.

1.

Introduction

I
nformation system
s

have been
play
ing

a more and
more important role in
various
industr
ies
.
H
owever, in
the audit profession,
there is
limited adoption of
co
n-
temporary
information technolog
ies

[5]
.

C
urrently,
there
are
some audit
softwar
e

pac
k
ages
that can help
auditor
s

to
perform

audit assignment
s
.

H
owever,
b
e-
cause
each audit

assignment have its own
characteri
s-
tics,
it is necessary for auditor
s

to
device
an

audit pla
n-
ning for each assignment

[7]
.

T
herefore, such audit
software
pac
k
ages
m
ay not be suitable for each audit
assignment
; and

s
om
e
times, the packaged software may
be useful for part of the audit assig
n
ment but not for the
whole a
s
signment.

So, c
urrently, not many
audit

firm
s

adopt
such
audit
software [
1]
, especially
because
such
s
oftware
packages
are
very
costly. In particular, those
software packages cannot handle the cross
-
organizational co
l
laboration among the clients and their
business par
t
ners required in typical audit processes

[6]
.

To
perform

an audit assignment, it is nece
ssary for
auditors to send out
requests
to
selected
client

s
bus
i-
ness partners (
deb
t
ors and
creditors
)

to confirm
the
ir

outstanding account ba
l
ances
.

However, it is
often
quite
difficult to collect back
adequate
co
n
firmation
s

on time
for a reliable audit p
rocess
, especially if a client

s bus
i-
ness partners are from overseas
.


If an auditor cannot receive
adequate

confirmation
s
,
they have to use alternative
and less precise
method
s

to
verify
whether the
account
balances provided are

acc
u-
rate.

T
hese alternativ
e procedures
i
n
clude
checking
documents of
various

purchase

order,
invoices,
deli
v
ery

note
,

shi
pping documents,
and receipt/payment for re
l-
evant outstanding balance
s, which are usually manual
and much more time
-
consuming
.

This
need
s

a few
hours to a few da
ys depend
ing

on the size of the co
m-
pany.

A
s
the
audit fee of an a
s
signment is based on
time,
further automation
can help
save the
audit fee.

F
or
the
audit
firm, it can have more time to deal with other
a
s
signment
s
.

To approach this problem, we identify the

need for
not just automating the regular process, which mainly
involves streamlining the communications across di
f-
ferent organizations. In addition, the monitoring of the
overall audit process as well as exception handling is
crucial to the process qua
l
it
y and responsiveness.
Therefore, we
adapt
our earlier framework of e
-
service
enactment and enforcement [3] for the requirements
elicitation and use the co
n
cept of alert management [4]
for process modeling, together with a Web service
s

based
implementation

for the data and process integr
a-
tion

of
our
Alert
-
driven Audit Management System
(ADAMS)
.

2.

Background

and Related Work

Although every audit project is unique, the audit
process is similar for most engagements

[1]
and no
r-
ma
l
ly consists of four stages: Prelim
inary Review,
Fieldwork, Audit Report, and Fo
l
low
-
up Review
. The
bulk of the tedious work in the stage Fieldwork and is
the main target for further automation. In pa
r
ticular
,
there are usually strict professional guidelines for pr
o-
c
esses in this stage. The

Hong Kong Institution of Ce
r-
t
i
fied Pu
b
lic Accountant
(HKICPA) has a clear stan
d-
ard for auditor to obtain audit confi
r
mation.

T
he
guid
e-
lines of
HKSA 500

and HKSA 505
[
8
]
instruct auditor
s


2

to get suff
i
cient appropriate and external confirmation
in the audit

process.

HKSA 505 paragraph 13 stated
that “external confirmation of an account receivable
pr
o
vides reliable and relevant audit evidence regarding
the existence of the account as at a certain date.

Co
n-
firm
a
tion also provides audit

evidence regarding the
o
per
a
tion of cutoff procedures.


I
f audit
ors

cannot get
suff
i
cient audit confirmation
s
, it
is required to

perform
a
l
ternative audit procedure
s

(HKSA 505 par
a
graph 31).
Further,
Warren [2] point
s

out that sufficient audit
co
n-
firmation
s

are

important in the a
udit procedure.
T
her
e-
fore, it is critical for auditor
s

to obtain sufficient audit
confi
r
mation
s

in order to improve the efficiency of the
audit assignment.


To better illustrate the target part of the audit pr
o-
c
ess studied, we use a
case
of
auditing
a comp
any i
n-
co
r
porated in Hong Kong trading watches.

O
nce the
co
m
pany receives

the order from its

creditor
, the pu
r-
cha
s
ing department contact
s

its debtors for
the required
parts.

A
fter getting the confirmation from the debtors,
the co
m
pany confirm
s

the order.

T
h
e company
then
wait
s

for the supplier to ship the parts to them asse
m-
bling partners for assemble processes.

W
hen the a
s
se
m-
bling processes is done, the company arrange
s

for the
shi
p
ment of the finished good from the subcontra
c
tor to
the clients.

T
herefore,
in the business, the co
m
pany
does
not
hold

any inventory.

M
ost of its creditors and
deb
t
ors are from foreign countries
, e.g.,

d
ebtors

and
subco
n
tractors

of th
e

company are mostly from China
and
Hong Kong
, while
creditors are mostly from Mi
d-
dle East region,

America
,

and

European

countries.

Fi
g-
ure 1 shows an overview of the audit confi
r
mation pr
o-
cess, which is currently often carried out man
u
ally or
semi
-
automatically.

System
Updated the
AR/AP
report
Balance
input
Seek
help
Report for
balance not
yet confirmed
Updated
information
Confirm re
-
sent
of confirmation
Report of
client seeking
help
Request for
balance
confirmation
Enquiry for the
confirmation
balance
Auditor
Admin. Staff
CPA Firm

s Clients
Client

s Debtors/
Creditors

Figure
1
.
Audit Confirmation Proce
ss Overview

Our earlier work
[3]
employs W
eb services to inte
r-
face process enactment, exception detectors
,

and exce
p-
tion handlers within and
a
cross organizations by su
p-
porting the appropriate cross
-
organizational commun
i-
cation and collaboration.

We further

propose the use of
an Alert Management System
(AMS)
[4]
to manage
pro
c
esses with urgencies and deadlines. We
ad
a
pt
these
framework
s
to audit
process collaboration,
especially

for the purpose of cross
-
organization co
m
munication in
order to enhance the
effi
ciency

of the audit confirm
a-
tion process.

A
c
cording to best of our knowledge, there
have not been reports on such integration in the liter
a-
ture, employing the concept of alerts and events using
Web services as an implementation framework
, esp
e-
cially on how

exceptions are handled in this domain
.

3.

System Architecture
for

Exception Ha
n-
dling

Clients

Business
Partners
Auditors on mobile
Clients
Bank
Client Accounts
Information
System
Status
Monitor
Alert
Management
System
Balance
Confirmation
System
Collaboration
Process
Enactor
Access Administration
System
Event
Adapter
Timer
Job and Assignment
Monitoring
System
Requirement
Enforcer
Web Services Interface
ECA Rules,
Scheduling Rules,
Event Repository,
Event
Subsciption
List
Internet

Figure
2
.
Alert
-
driven Audit Management System

Architecture

Based on the requirements,
Figure
2

depicts the
overal
l system archite
c
ture for
our

Alert
-
driven Audit
Management System (
ADAMS
). The architecture su
p-
porting the
process enactment
and exception handling is
characterized with
event
-
condition
-
action (
ECA
)

r
ules
driven by events. The ECA rules, business entities
,
event r
e
pository
,

and event subscriber events are stored
in a database. The collaboration process enactor carries
out enactment requirements
, while
the requirement e
n-
forcer detects and handles exceptions. The event ha
n-
dler co
l
lects internal events from t
he collaboration pr
o-
cess enactor and external events from the Web Se
r
vice
inte
r
face.
Some e
vents trigger alerts
, which

are handled
by the
Alert Management System (
AMS
)
. The status
monitor allows
relevant
users to view the pr
o
gress of
audit

a
s
signments

D
uri
ng
the samples select
ion

procedure, there may
be some exceptional case happened. The system will
automatically select the
business partners whose

ou
t-
standing balance larger than 5% when selecting sa
m-
ples.
T
he 5% of outstanding balance being
chosen

is
due t
o the industry normal practice.
T
herefore, the sy
s-
tem
should
not pr
e
-
set the criteria of adjusting the pe
r-

3

cen
t
age of being chosen as sample for the client.
E
ach
a
d
justment of the criteria for samples selection should
be done by partner or se
n
ior manager of

the audit firm.
In this section
,

we
highlight
how the AMS further helps
the exception handling by alerting the relevant profe
s-
sional upon some special circumstances
.

Samples Selection
No. of Sample
Selected
No sample selected
At least one
sample selected
One sample or more than
one sample selected
Condition
Rearrangement by
auditor
Normal Process
Error made in the balance
input process
More than one
sample
Only one sample
selected
Yes
No
Send message to auditor and
select samples manually
Ask client to re
-
input
the balance

Figure
3
.
Exception Handling Proc
ess

No sample selected by the system

-

I
n some case,
there may be no sample selected by the system

because

all
business partners
have a very low balance which
cannot reach the cond
i
tional level

of
5% of the total
balance.

I
n th
is

situation
, the
AMS
will se
nd an alert
message to the senior manager.

The

senior manager will
review the
circumstances

and see if it is necessary to
rearrange the preset condition

(particularly the value
5% according to the guidelines)
.

A
s each audit assig
n-
ment have its own special
nature, it is not sui
t
able to
preset the system to automatically change the condition
without the
approval of the
senior
manager of the
aud
i-
tor.

O
nly one sample selected

-

In some case, there
may
be
only one sample s
e
lected by the system.

T
his
may caused b
y a significant balance fr
o
m one
business
partners
or
when the
cl
i
ent

makes a wrong data entry
.

For example, i
f one debtor/creditor
occupies

95% of the
total balance, it will be
come

the only sample s
e
lected.

I
n this situation, the
AMS
will send an alert to

the se
n-
ior manager

to
review the
situation

and see if it is ne
c-
essary to select more
sample
s (manually)
.



Only a few samples
selected

-

In

this case, i
t may
not necessary for

the

system to send out more confirm
a-
tion
s
.

H
owever,
the senior manager
must mak
e
the final
professional dec
i
sion
.

T
herefore, the
AMS
will send out
an alert to

the

senior manager and ask.

I
f the senior
ma
n
ager thinks

that it is necessary to reset the cond
i-
tion, he can change the preset system requirement
s
.

O
the
r
wise, the senior manage
r can keep the sample
selected by the system and let the system to send out the
confi
r
mation r
e
quests
.

E
xtreme
ly

low
confirmation
response rate



This
may be caused by the low access
i
bility
or utilization of
the I
nternet in some
less developed r
e
gions of t
he
world
.

F
or example, if most of the client

s
business
partners
are from
Africa

or South America, they may
have diff
i
culties
in

access
ing

I
nternet
to
reply the
co
n-
firmation
.

T
herefore, in such case, the response rate for
the audit confirm
a
tion may be very

low.

T
o
avoid

the
delay of the assignment, the system will
a
u
tom
ati
cally

send the response report to
the
auditor day by day
a
u-
t
o
matically

in order to let auditor have a better control.

A
lso, the
AMS

can be adjusted to
send the reminder
alert
(inclu
d
ing au
tomated fax)
to
business partners
2
weeks before the deadline

(instead of 1 week) so that
the
bus
i
ness partners may
have more time to reply to
the confirm
a
tion.

F
or th
is

exceptional situ
a
tion, the
AMS
will send an alert to auditor and let them have a
bette
r control
and monitoring of
the progress of audit
confirmation r
e
ceived.

A high
quality

of integration to streamline the pr
o-
c
ess int
e
gration is required the timely participation of
both human (especially professional decision) and sy
s-
tems. Here, the AMS pl
ays an active role for the
task
notification and
overall process
monitoring. In partic
u-
lar,
the auditor
s are better informed upon
exception
s

ha
p
pene
d, so that they can

have a faster response to the
exceptional situation.

Figure
3

summarizes
the exce
p-
tion h
andling pr
o
cedure
facilitated

by
AMS
[4].

4.

Web Services Based
Integration

The audit firm can provide
W
eb services to inte
r-
face diffe
r
ent process enactment systems, enforcement
system
,

and exception handling by supporting the
r
e-
quired
communication

and inte
rfacing
.

Web service
s

offer a unified platform for both manual and progra
m-
matic interfaces. I
f a client and its business partners are
higher technologically enabled, Web services fu
r
ther
automate the data and process integration

of the A
D-
AMS
with the
ir

e
x
i
sting accounting systems
.

At the
same time, other users can also access the
ADAMS
with
the
client Web pages pr
o
vided by the audit firm on
top of these Web services.

Once the auditor receives the engagement from the
client
,
the
account
s

for the client and i
ts
business par
t-
ners are
activated

by the system manager.

T
he system
can offer
the key
services to client and its
business
partners
to
aut
o
matically send
or adjust the balance
entered
or to
change
the
co
n
tact information.

I
n order to
provide
security
and t
o increase the trust between the
involved parties, the sy
s
tem will generate
a
password

4

for each client and its
business partners to call back

the
relevant Web services

(electronic certificates are used
later when they are adopted widely)
.

A
lso, for each
am
endment made by the client or its
business partners
,
a reference will be gene
r
ated
and logged
.

The W
eb service
s

for
the client
include
three
key
i
n-
terfaces

designed for the function of entering ba
l
ance,
adjusting balance
,

and adjusting contact inform
a
tion
.

T
he system will assign a
secret
reference number for
each

amendment of inform
a
tion of the system.

T
he
user
must
input the reference number in order to amend the
information input last time.

T
her
e
fore, the reference
number can be used as a
security

code in

order to
fu
r-
t
her

control the amendment of information.

T
he
key
W
eb service
s

for
the client

s deb
t
ors/creditors

include
two
interfaces

for the function of balance confirmation
and balance adjustment.


5.

Discussions

and Conclusion

In this paper, motivated by
the inadequate process
and data integration for the audit profession, we have
pr
o
posed a solution based on alerts

and Web services.
We have illustrated
our approach
with the audit confi
r-
mation

process
, which requires the most of manual
work and professiona
l decisions.

We have also
adv
o-
cated
the
adaptation
of a methodology
for eliciting
know
l
edge of the
requirements
into business rules in
ECA format
, to facil
i
tate the
implementation

with an
AMS and Web services

in an e
-
service e
n
vironment.

By
using
this sol
ution
, auditor
s

can have a better
control
and monitoring of
the
overall
process.

In pa
r
ti
c-
ular,
the
AMS
sends
alert me
s
sage
s

to
the
auditor
upon
exceptions
.

B
y getting known the exceptional situation
in a real time, it can help to improve the
r
e
sponsivenes
s
of professional work of the auditor. In addition, the
AMS helps remind the confirmation r
e
sponse of the
client

s business partners. This saves the tedious work
of the auditor and help increase the r
e
sponse rate.

We have
also employed
contemporary Web se
rvice
s

tec
h
nology
to provide further chance of automation via
progra
m
matic process and data integration, in particular
with the a
c
counting systems of the clients and their
business partners. A key advantage is such automation
and integration reduces h
u
man
error

in data entry and
paper work
.
In addition, f
aster r
e
sponse

of the
audit
confirmation

process, which is the main bottleneck,

improve
s

the
overall
efficiency

of the auditing assig
n-
ment. This further enables
the auditor
to
have a better
planning to the
audit assignment
s

on hand

and job all
o-
cation
,

thereby
redu
cing human

cost
s
.

Further, ele
c
tro
n-
ic me
s
sages, instead of postal
exchanges
, save not only
time but also
the postage cost
s
.

On the other hand, the
unified platform of Web services supporting both h
u-
man and programmatic processes
does
not e
x
clude the
support
of
business partners who have poor Internet
access or autom
a
tion and revert to manual or semi
-
automatic processes.
We expect all these adva
n
tages
can offset t
he
development
and
maintenance

costs
o
f
for the automation, which
may be high for the small and
m
e
dium size
(SME)
audit
firm
s

[6]
.



To further develop the research and prototype
, sec
u-
rity
and reliability
problem
s

are
critical.

For example,
t
he system
has
to ensure the outstanding balance is i
n-
put by the client

s accountant
.

I
t
is
difficult for the sy
s-
tem to confirm whether the work is done by an autho
r-
ized person

or the data is supplied by a reliable system
in a
n
other organization
.

We are exploring the use of
R
ole
B
ased
A
ccess
C
ontrol (RBAC) a
nd
ontology
to
a
p
proach this problem.

Besides
sending audit
confirmation

to client

s
bus
i-
ness partners
, it is
also
necessary for
the
auditor to
a
u-
tomate the
r
e
quest
for
bank confirmation
about
the bank
account
balance
s

through Web services
.

H
owever,
proper

authorization from the client is required and
trust issues arise
.

P
rivacy issues then also arise

too
. We
are looking into the adoption issues and plan to evaluate
our approach from feedback
questionnaires

of the var
i-
ous stakeholders. We are also intereste
d in the applic
a-
tion of our
methodology

in other professional d
o
mains,
such as insurance and legal a
p
plications.


References

[1]

Ferdinand A. Gul.

Hong Kong Auditing: Economic Th
e-
ory and Practice, 2005.

[2]

Carl S Warren
.

Confirmation
Informativeness
.

Journal of
A
c
counting Research, 1974

[3]

Dickson K. W. Chiu, S.C. Cheung, Sven Till.

An Arch
i-
tecture for E
-
Contract Enforcement in an E
-
service E
n-
vironment
.

In
Proc. HICSS36
, CDROM, 10 pages, IEEE
Computer Press, 2003

[4]

Dickson K. W. Chiu, Benny W. C. Kwok, Ray L. S.
Wong,
S.C. Cheung, Eleanna Kafeza.

Alert
-
driven E
-
service Management
.
In
Proc
.

HICSS37
, CDROM, 10
pages, IEEE Computer Press, 2004 (Best Paper Award)
.

[5]

T McCollum
.

Continuous Auditing on the Rise
.

The
I
n
ternal

Auditor.

63
(4):
15
-
17,
Aug

2006.


[6]

Ruth M Kaye,

Jim Mo
lzahn,

Elizabeth J Folsom
.

The
Value of Automation
.

The

Internal Auditor

63
(
3
):

85
-
88,
Jun 2006.


[7]

Stuart Manson,

Sean McCartney,

Michael Sherer
.

Audit
automation as control within audit firms
.

Accounting,
Auditing & Accountability Journal

14
(
1
):
109
,
2001.


[8]

Hong Kong Instit
u
tion of Certified Public Accountant
.
Hong Kong Standard on Auditing. November 2004.
Available:
http://www.hkicpa.org.hk/ebook/main.php