AN INVESTIGATION OF MULTINATIONAL ENTERPRISE INTERNAL CONTROL AND RISK MANAGEMENT INFORMATION INTEGRATION

Similar documents
Presenter: Ian Musweu FCCA, FZICA, CRA. Head of Risk and Assurance Professional Insurance

Table of Contents. Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING

FINANCIAL REGULATORY REPORTING ACROSS AN EVOLVING SCHEMA

The Semantic Web: A Vision or a Dream?

3/13/2015. COSO Revised: Implications for Compliance and Ethics Programs. Session Agenda. The COSO Framework

OF ACCOUNTANTS IAASB CAG MEETING MARCH 7, 2011

COSO ERM. To improve organizational performance & Governance COSO ERM. COSO Internal Control. COSO ERM_prepared by Nattapan T. 2

A Generic Approach for Compliance Assessment of Interoperability Artifacts

Archives in a Networked Information Society: The Problem of Sustainability in the Digital Information Environment

Knowledge Representation, Ontologies, and the Semantic Web

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

A GML SCHEMA MAPPING APPROACH TO OVERCOME SEMANTIC HETEROGENEITY IN GIS

Generating and Managing Metadata for Web-Based Information Systems

Information & Translation Technologies

XBRL and W3C. Dave Raggett, W3C. 20 January 2009 Contact: Team briefing

Exploring the Maturity of Risk Management Process in Government: An Integrated ERM Model at the U.S. Department of Education

Context-based Roles and Competencies of Data Curators in Supporting Data Lifecycle: Multi-Case Study in China

Managing the Emerging Semantic Risks

LAMOND W. KEARSE Metropolitan Transportation Authority Chief Compliance Officer

ITSS Model Curriculum. - To get level 3 -

ISACA Survey Results. 27 April Ms. Nancy M. Morris, Secretary Securities and Exchange Commission 100 F Street NE Washington, DC

PRC Cyber Security Law --- How does it affect a UK business? Xun Yang Of Counsel, Commercial IP and Technology

DESIGN AND IMPLEMENTATION OF TOOL FOR CONVERTING A RELATIONAL DATABASE INTO AN XML DOCUMENT: A REVIEW

a paradigm for the Introduction to Semantic Web Semantic Web Angelica Lo Duca IIT-CNR Linked Open Data:

Cybersecurity & Privacy Enhancements

Automation of Semantic Web based Digital Library using Unified Modeling Language Minal Bhise 1 1

Cyber Security Law --- How does it affect the business operations in China? Xun Yang Of Counsel, Commercial IP and Technology

Information Technology General Control Review

Compliance Program Design Lessons learned from a COSO framework

Sponsored by Oracle. SANS Institute Product Review: Oracle Audit Vault. March A SANS Whitepaper. Written by: Tanya Baccam

Reviewed by ADM(RS) in accordance with the Access to Information Act. Information UNCLASSIFIED.

XBRL : The Way Ahead UTTAM AGARWAL CORPORATE GROUP. July, Presented by: CA. Tanuj Agarwal CA. Urmish Mehta

FRAUD-RELATED INTERNAL CONTROLS

Presented by Naveen Garg NextGen Knowledge Solutions Private Ltd. Date : October 24, 2012

Information Retrieval System Based on Context-aware in Internet of Things. Ma Junhong 1, a *

OVERVIEW BROCHURE GRC. When you have to be right

Instances of Instances Modeled via Higher-Order Classes

Oracle Buys Automated Applications Controls Leader LogicalApps

Oracle Buys Palerra Extends Oracle Identity Cloud Service with Innovative Cloud Access Security Broker

ISO/IEC INTERNATIONAL STANDARD. Information technology Software asset management Part 1: Processes and tiered assessment of conformance

The Semantic Web & Ontologies

Information Technology Branch Organization of Cyber Security Technical Standard

Predstavenie štandardu ISO/IEC 27005

Development of an Ontology-Based Portal for Digital Archive Services

Harmonizing Multi-Model at the World Bank Group

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Organizing and Managing Grassroots Enterprise Mashup Environments. Doctorial Thesis, 24 th June, Volker Hoyer

Ontology Creation and Development Model

AUTHENTICATION AND LOOKUP FOR NETWORK SERVICES

A Breakthrough In the Science of Proposal Development: P-XML. APMP TM Southern California Fall Seminar. October 22, 2004.

Achieving effective risk management and continuous compliance with Deloitte and SAP

Semantic Web Search Model for Information Retrieval of the Semantic Data *

P2P Knowledge Management: an Investigation of the Technical Architecture and Main Processes

Invest in. ISACA-certified professionals, see the. rewards.

ACCELERATE YOUR SHAREPOINT ADOPTION AND ROI WITH CONTENT INTELLIGENCE

Integrated Assurance Embracing The Three Lines of Defense

SAP Security Remediation: Three Steps for Success Using SAP GRC

An Architecture for Semantic Enterprise Application Integration Standards

Reasoning on Business Processes and Ontologies in a Logic Programming Environment

OPUC Workshop March 13, 2015 Cyber Security Electric Utilities. Portland General Electric Co. Travis Anderson Scott Smith

ADDING BUSINESS VALUE THROUGH EFFECTIVE IT SECURITY MANAGEMENT

Enabling Security Controls, Supporting Business Results

How Turner Broadcasting can avoid the Seven Deadly Sins That. Can Cause a Data Warehouse Project to Fail. Robert Milton Underwood, Jr.

Management Science Letters

Database Heterogeneity

FIBO Operational Ontologies Briefing for the Object Management Group

26 February Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, NW Washington, DC

Internal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit

Enabling Seamless Sharing of Data among Organizations Using the DaaS Model in a Cloud

A Global Look at IT Audit Best Practices

Frameworks and Standards

Business Continuity Planning

Exploring Emerging Cyber Attest Requirements

Action Plan Developed by The Iranian Institute of Certified Accountants (IICA) BACKGROUND NOTE ON ACTION PLANS

Unstructured Data Migration and Dump Technology of Large-scale Enterprises

Certified Manager Certification

Agenda. TÜV Secure it GmbH short introduction. Risk Analysis Case Study. Certification Procedure. w w w. t u v. c o m 2/ 18. TÜV Secure it GmbH 2003

Weathering the Perfect Storm:

How Secure is Blockchain? June 6 th, 2017

Val-EdTM. Valiant Technologies Education & Training Services. Workshop for CISM aspirants. All Trademarks and Copyrights recognized.

LESSONS LEARNED FROM THE INDIANA UNIVERSITY ELECTRONIC RECORDS PROJECT. How to Implement an Electronic Records Strategy

Development of an autonomous driving ECU platform for streamlining the development of autonomous driving vehicle applications

APPLYING KNOWLEDGE BASED AI TO MODERN DATA MANAGEMENT. Mani Keeran, CFA Gi Kim, CFA Preeti Sharma

Network Instruments white paper

PARAMETRIC BIM OBJECTS EXCHANGE AND SHARING BETWEEN HETEROGENEOUS BIM SYSTEMS. Yu-Min Cheng 1 and *I-Chen Wu 1

Overview. Business value

Taxonomy Tools: Collaboration, Creation & Integration. Dow Jones & Company

Opus: University of Bath Online Publication Store

Dynamic Network Segmentation

Realizing the Army Net-Centric Data Strategy (ANCDS) in a Service Oriented Architecture (SOA)

Managing Change and Complexity

The MUSING Approach for Combining XBRL and Semantic Web Data. ~ Position Paper ~

Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise

Copyright 2011 EMC Corporation. All rights reserved.

ADVANCED AUDIT AND ASSURANCE

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

SAP Security Remediation: Three Steps for Success Using SAP GRC

CYBER SECURITY RISK ASSESSMENT: WHAT EVERY PENSION GOVERNMENTAL ENTITY NEEDS TO KNOW

Interoperability in GIS Enabling Technologies

Information Technology Document Schema Definition Languages (DSDL) Part 1: Overview

Transcription:

AN INVESTIGATION OF MULTINATIONAL ENTERPRISE INTERNAL CONTROL AND RISK MANAGEMENT INFORMATION INTEGRATION Shi-Ming Huang, National Chung Cheng University, 168 University Road, Minhsiung Township, Chiayi County 62102, Taiwan, ROC, +88652720411*16811, smhuang@mis.ccu.edu.tw Tung-Hsien Wu, National Chung Cheng University, 168 University Road, Minhsiung Township, Chiayi County 62102, Taiwan, ROC, +88652720411*16814, thwu33@gmail.com Wei-He Huang, National Chung Cheng University, 168 University Road, Minhsiung Township, Chiayi County 62102, Taiwan, ROC, +88652720411*16814, phoenixeous@gmail.com ABSTRACT Different countries have different internal control information regulations and policies, and it is difficult to integrate a company s overall internal control information without a standard. This study develops an internal control information translation and integration mechanism. The company s headquarters regulation is used as the standard, in order to translate each subsidiary information report. Firstly, XML structure is used to define headquarters RiskML standard taxonomies. Next, the subsidiary s internal control information report is translated into headquarters standard regulation. Finally, the translated information report is integrated, using ontology languages. This integrated information helps the company to identify and analyze each subsidiary s internal control risks and threats and to strengthen the company s overall internal control. INTRODUCTION Globalization is important, in today s business world. Over the past two decades, many companies from different countries have been continuously expanding their branches, worldwide, by investing in a variety of products and services [1]. The most important issue for a multinational enterprise s internal control process is corporate subsidiary governance. Subsidiary governance can be determined as the process of headquarters management of its subsidiary, especially in a different country, and includes every single process that is managed by the subsidiaries. It is very important, in establishing subsidiary governance arrangements, to ensure overall smooth operation of the company. However, different countries have different internal control regulation and policies and it is difficult to integrate company internal control information, within the different regulations. For this reason, a standard regulation is required, to allow the integration of these internal control regulations. As an example, in the early 2010, The Toyota Motor Company, one of the world s largest automotive manufactures, faced a risk management problem. Difficulties were encountered, in the control of product quality, in a different country. The main problem was the lack of risk information reports, from different subsidiaries in many countries. Because of this issue the company lost billions of U.S. dollars [2]. Toyota is just one of many cases of problems in Multinational Enterprises (MNE s) that are caused by a lack of integrated internal control and risk management (IC/RM) information. Although an IC/RM report is an important management tool, only those which contain structural and critical management reports will be helpful to the decision making process. When managing international companies, reliable information must be collected from each subsidiary and integrated, to be of greatest use [3]. Much has been written about various information integration technologies, but 8

only a few reports discuss the integration of internal control and risk management IC/RM information. Some argue for a standard that must be used to integrate IC/RM reports. In October 2003, The Open Applications Group (OAGi) announced the formation of a new RiskML Work Group, to define an XML vocabulary, for the definition of risk and control libraries [4]. Risk Markup Language (RiskML) is an extensible Markup Language (XML) base technology, which is used as a standard, to communicate and exchange IC/RM information between enterprise systems. This study initially determines a suitable translation mechanism, using RiskML standard, and then uses an ontology language concept to integrate business information and analyze the results, to provide more useful information, that can assist executive managers in the decision making process. LITERATURE REVIEW Internal Control Regulations Internal Control is a process that is affected by an entity's board of directors, management and other personnel and is designed to provide reasonable assurance of the achievement of stated objectives, in the following categories: (1) Effectiveness and efficiency of operations, (2) Reliability of financial reporting and (3) Compliance with applicable laws and regulations [5]. One of the most effective tools for improving business s internal control is Control Self-Assessment (CSA) [6]. CSA can be implemented in several ways, but its distinguishing feature is that risk assessments and internal control evaluations are made by operational employees, or lower level managers, who work in the area being evaluated. The output of the CSA process is a self-assessment information report, which contains COSO internal control elements. COSO has defined their internal control elements as COSO Internal Control Elements. These elements include Control Environment, Risk Assessment, Control Activity, and Monitoring [5]. This study covers four major countries, to demonstrate the mechanism for internal control [see Table 1]. Each country has different regulations. Even when it has similar regulations, the information contained in the report is different. A company requires integrated internal control information. If the information is not effectively integrated, there can be significant deficiencies in internal control, resulting in potential losses. Table 1 Comparison of four major countries regulations COSO U.S. Japan Taiwan China Control Environment Internal Environment Control Environment Control Environment Control Environment Risk Assessment Objective Setting Risk Assessment Risk Assessment Risk Assessment Event Identification Risk Assessment Risk Response Control Activities Control Activities Control Activities Control Activities Control Activities Response to IT Monitoring Monitoring Monitoring Monitoring Internal Monitoring Studies related to Information Translation and Integration In 1971, Norman H. Anderson proposed Information Integration Theory, as a way to describe and model the integration of information from a number of sources, to form a basis for an overall judgment. Many related works on information integration use ontology representation language. Ontology is suitable for the integration of heterogeneous information from different data sources. One of the most powerful ontology representation languages is XML. Extensible Markup Language (XML) is a set of rules for encoding documents in machine-readable form [7]. This translation mechanism uses RiskML, based on 9

XML language, as a standard, to create taxonomies and also to translate internal control information reports. Finally, ontology language concepts are also used to integrate the translated information [8]. SYSTEM MECHANISM Overview This mechanism has three phases, which contain six steps. Firstly, the subsidiary information report is defined as the input. Thereupon, headquarters taxonomies are used as the standard schema for the translation process. Finally, the translated information is integrated in a report, using ontology languages. Figure.1 illustrates the entire mechanism Configuration Phase Once the company has finished the self-assessment internal control process, the system generates a subsidiary self-assessment information report, in the RiskML format. This information is defined as the input data for this mechanism. This data contains four major RiskML entities (Element, Component, Question and Sub Question). Thereafter, everything needed from the subsidiary schema, such as data type, languages and attributes, is prepared for the translation process. The internal control Component is also defined as the main transforming level in the mechanism. The translation phase follows. Figure.1 Overview of system mechanism Translation Phase The first step is the creation of taxonomies. Taxonomy is needed to translate a subsidiary s information report into headquarters standard information. The new taxonomies are created, using headquarters RiskML standard schema. The translation process can then begin. Most enterprises internal operation is usually divided into two levels (Company and Process Level). In this section an illustrated example is given, to allow easier understanding of the translation process. As an example, company A is a multinational enterprise, which has a headquarters in Taiwan and subsidiaries in the United States (U.S.). It is common knowledge that both countries have different internal control regulations. Within different internal regulations there are also different formats for an internal control information report. Taiwan uses COSO regulation and the U.S. uses COSO ERM regulation. As the headquarters of this example company is in Taiwan, Taiwanese COSO regulation is the standard for this company s IC/RM regulations. Other countries regulations must be translated into Taiwanese regulations, before they can be integrated. When the headquarters uploads its IC/RM report, the system does not need to translate this 10

report. The U.S. COSO ERM regulation has eight elements, whereas the Taiwanese COSO element has five elements. In this case the COSO ERM regulation component is translated into component level, under the Risk Assessment element (Figure. 2). After the translation process, every possible conflict that occurs during translation steps is resolved. In this step, four conflicts are defined, including same information with the same name (SS), same information with a different name (SD), close information with the same name (CS), and close information with a different name (CD). As an example, when the U.S. Risk Assessment element is translated into a Taiwanese Risk Assessment element, both of these elements contain close information, but are translated into the same name (CS). Figure.2 Example of component level translation Integration Phase This is the important phase of the mechanism. In this phase, ontology language concepts are used to integrate the translated information. Ontology and Mapping Constructions Briefly, an object with property is identified is supposed to be complex type, in XML Schema. For this condition, the mapping rules are described as: (1) Properties in the XML Schema maps as properties in the Resources Description Framework (RDF) Schema. (2) Simple type maps as properties, in the RDF Schema. (3) Complex properties with properties maps as class, in the RDF Schema. Query Processing To deal with user requests, Query builder is used, to receive and analyze users query requests and validate mistakes in the grammar. Otherwise, it returns an error hint. Secondly, the inference engine is loaded with overall mapping information, to identify similar concepts and return the result to the query conversion. Thirdly, the query conversion transmits the RDF Data Query language (RDQL) into the query transducer, according to the mapping information that is identified by the inference engine. Fourthly, Query conversion changes RDQL into structural XQuery, according to part mapping searches. For XML data, XQuery can query directly. Finally, the query is integrated by the processor and displayed on the user interface. Figure.3, below, shows the query process of this information integration mechanism. 11

Figure.3 Query process of integration mechanism Figure.4 Integration mechanism overall ontology In this information integration mechanism, a query is processed in the intermediary layer. A global ontology request is described by RDQL, while the data source request is described by XQuery. In this framework, a transformation, from RDQL to XQuery, is needed. The intermediary analyzes and decomposes the RDQL request into a query for local ontology, which is further transformed into a query, for each data source. Figure.4 shows the local ontology and global ontology. The process of web-based ontology information integration is then used, to translate the user query into a query that can fit a Subquery of the Local Mapping Table, using query parsing, with the Global Mapping Table. This process also translates Subquery into database Rawquery, using the Local Mapping Table. Results The integration mechanism produces integrated information, which contains company-wide internal control self-assessment information reports and those for each subsidiary, showing a risk value and also a suggestion for the departmental manager, in reference to future operations. (See Figure.5 and 6). This valuable integrated information can be use by executive managers to analyze the detail of both company-wide subsidiaries operations and help with the decision-making process. Figure.5 System Application Result 1 12

Figure.6 System Application Result MECHANISM VERIFICATION Information Capacity Equivalence and Dominance is used as a basis for the verification of translated RiskML schemas, to ensure that there is no loss of information, during RiskML schema integration and translation [9]. This study uses five classifications of information capacity. First of all let A and B sets. A is defined as RiskML information before translation and integration and B is defined as RiskML information after translation and integration. We use five classifications of information capacity includes Functional (F), if f: A B, a A, b B f(a) = b, Injective (I), if f ¹: B A, b B, a A f ¹(a) = b, Total (T), if f: I(S 1 ) I(S 2 ), I(S 1 ) S 1 I(S 2 ) S 2, Surjective (S), if f ¹: I (S 2 ) I(S 1 ), I(S 2 ) S 2 I(S 1 ) S 1, and Bijection (B), if the mapping function meet all the above four properties. For this mechanism, the correctness of each translation rule is certified, if and only if the rule is at least a total relation, since there may be a semantic loss, when translating between different data models. CONCLUSION During this study, it was found that problems associated with the integration of internal control information are an important issue in corporate subsidiary governance. However, only a few related studies mention it. The contributions of this study are related to the collection of domestic and international related studies of the integration of internal control information and to the development of a system application, within the RiskML schema translation and internal control information integration mechanisms, which can be used for xbrl and other further study. Integration of this information helps upper level managers to better manage corporate subsidiary governance. A general three-phase mechanism was developed, which fully automatically translates and integrates information resources with different regulations. Focus is not given to the system application, itself, but rather to the ways in which the integrated information can assist top management, in decision-making process. REFERENCES [1] Wiseman, R.L. & Shuter, R. (eds). in Multinational Organizations: Conceptual, Theoretical, and Practical Issues, 1994, 3-11. [2] Li, H. Toyota Event - Risk and Crisis Management. Deloitte, 2010, 2-3. [3] Wu, C.Y. Decision Making Information Risk: Use of Information Quality Management Reporting to Enhance Decision Making. Deloitte, 2010, 4. [4] Connelly, D.M. OAGIS RiskML Work Group Defines XML Vocabulary for Risk and Control Libraries. 2003. [5] COSO. COSO Internal Control Definition. 2006. [6] Joseph, G.W. & Engle, T.J. The Use of Control Self-Assessment by Independent Auditors. The 13

CPA Journal, 2005. [7] Decker, S., Melnik, S., Harmelen, F.V., Fensel, D., Klein, M., Broekstra, J., Erdmann, M., & Horrocks, I. The Semantic Web: The Roles of XML and RDF. IEEE Internet Computing, 2000, 15 (3), 67-74. [8] Li, Y.H., Jin, Z., & Peng, Y. A Study on XML and Ontology-based Web Data Integration. 2010 10th IEEE International Conference on Computer and Information Technology (CIT 2010), 2010. [9] Fong, S. & Kwan, I. Schema Integration Methodology and its Verification by use of Information Capacity. Journal of Information Systems, 1999. 14

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback