KASS: A Knowledge-based Auditor Support System

This paper describes the design of a knowledge-based system to assist auditors in the evaluation of internal accounting controls and focusses on the logic-based language AL that has been developed as a knowledge representation formalism. Interesting features of AL include a declarative approach to modeling accounting systems and the means to explicitly describe authority structures typically used to enforce internal controls.

KASS: A Knowledge-Based Language for Auditor Support

1.0 Introduction

Internal controls evaluation of an accounting system is a complex task that has received growing interest in recent years. Past approaches that met with some success include those drawn from the Artificial Intelligence (AI) literature. Examples include TICOM, developed by Bailey et al. (1985), and EDP-XPERT, developed by Hansen and Messier (1986).

Seminal work in the application of AI to the domain of financial diagnosis is reported in Bouwman (1986). Bouwman analyzed protocols of an expert and constructed models of a firm with heuristic rules that simulated expert behavior. This research laid the foundation for related research on Expert Systems. Braun and Chandler (1982) developed an expert system to assist auditors in the investigation of Analytical Review Fluctuations, while Dungan and Chandler (1980) developed knowledge-based expert systems to model auditors' decision processes. Bailey et al. (1985) developed TICOM, a system for modeling accounting systems with their embedded external controls, utilizing AI-based representation and search strategies. In modeling accounting systems, TICOM limited itself to modeling the equivalent of a flow chart representation of the system. No explicit means of modeling authority structures or rules to evaluate controls were provided.
This paper describes an approach which combines the modeling power of flow charts, albeit within a declarative framework, with the means to model authority structures, which are organizational tools to enforce controls. In addition, our approach allows the specification of axioms to draw a variety of interesting inferences.

The rest of the paper is organized as follows. We begin with a brief description of internal accounting controls and their role in accounting systems. The design of the KASS system is then discussed and the knowledge representation language AL detailed. Illustrative examples are used to describe the representational power of AL. The paper concludes with a detailed description of the inferences that may be generated from an AL model.

2.0 Accounting systems

Accounting systems, like most organizational systems, are extremely complex. This complexity derives from the variety of interacting procedures, objects and roles in the system. Roles are organizational entities (e.g. manager and clerk) which are filled by individuals charged with performing a series of procedures. These procedures typically act on objects such as documents, goods etc. and account for the functionality of accounting systems. A brief description of the procedures, roles and objects that make up the accounting structure motivates the discussion of internal accounting controls to follow.

Accounting systems span organizational units such as purchasing, receiving, stores etc. Roles in each of these units perform specific procedures. For instance, a clerk in purchasing may be required to receive invoices and receiving reports (types of documents), match their "items" field and, in the event of a match, transfer the invoice to the cash disbursements unit. In examining this fragment of a procedure closely it is apparent that:

a) the procedure consists of actions such as receive, match, transfer etc.
b) actions operate on documents such as invoice, receiving report etc.
The operations on documents by actions involve other objects in the system such as repositories. Examples of repositories include files, inventory etc. For instance, an action such as get or put relates documents and the repositories they are placed in. Finally, just as roles and the procedures they perform are attached to organizational units such as departments, so are certain kinds of repositories and documents.

While the discussion thus far has been limited to physical actions such as transfer and get, there are certain other actions which we refer to as deontic actions. These are actions such as permit and prohibit which reference physical actions and access to assets to ensure that they are executed only in accordance with management's general and specific authorization. This variety of interaction between types of actions, roles, objects etc. defines an accounting system whose complexity derives from both the number and structure of these interactions.

3.0 Internal Accounting Controls

Internal accounting controls refer to all policies and procedures embedded within the structure of an accounting system that reduce unintentional exposure to business, financial, and accounting risks [Mair, Woods and Davis, 1980]. Controls are categorized in many different ways, such as preventive, detective or corrective. Preventive controls include policies and procedures that are designed to deter employees from making unintentional errors or committing irregularities. Detective controls, on the other hand, are primarily used to discover the occurrence of errors or irregularities [Loebbecke and Zuber]. These may then go through corrective procedures. Most controls are preventive because the cost of installing preventive controls is less than the cost of correcting irregularities discovered by detective controls at a later stage. Segregation of duties, accuracy controls and authorizations are classified as preventive controls.
Such controls are implicit in the description of an accounting system. Auditors must identify these controls and evaluate them, determining the appropriate reliance to place on them. The study and evaluation of internal accounting controls involves the expertise of well-trained auditors and is a requirement of each and every audit performed by CPAs. In order to understand the complex accounting structure in its entirety and to evaluate the internal controls model existing in an organization, there is an urgent need for a tool that can model the system as well as evaluate it. (Note a call for such systems by Loebbecke at the Price Waterhouse Audit Symposium, August 1988.) The focus of this paper is the development of such a knowledge-based system that will aid auditors in understanding complex accounting systems and will support the evaluation of internal accounting controls.

4.0 KASS: The Proposed System

As previously mentioned, the proposed system extends TICOM's modeling capabilities with deontic reasoning, utilizing a declarative framework. Additionally, the system incorporates rules and axioms used to evaluate internal controls such as described in Meservy et al. (1986). By declarative, we mean a framework that focusses on the key relationships between the important objects in the problem, versus a specification which procedurally specifies how a problem is to be solved. We propose to do this in a well understood and sound formalism based on first-order logic.

The interesting features of the KASS system include the ability to model authorization structures on top of conceptual flow chart representations of accounting systems. This represents an important step from the knowledge representation viewpoint since it allows the explicit representation of authority, which is the instrument used by organizations to effect control.
Thus important control concepts such as the segregation of duties can be understood and represented in terms of permissions and prohibitions placed on actions that might collectively compromise the controls of an accounting system. The knowledge representation language AL forms the focus of the rest of the paper.

4.0 Conceptualization of Accounting Systems

Modeling entails the construction of an artifact (the model) of some real-world problem. To control complexity, models abstract relevant aspects of the real-world problem of interest. This is what we refer to as a conceptualization of the problem being modeled. The explicit understanding of this conceptualization is particularly important in the use of logic-based modeling languages for knowledge representation, since the semantics (loosely, the meaning) of a logic model is explicated in terms of relationships between the symbols of the model and the individuals that make up the "world being modeled".

Accounting systems in our modeling effort are conceptualized as systems that consist of a variety of objects (individuals). Examples of these objects include documents, repositories, roles, departments, and assets. Particularly interesting in our conceptualization is the representation of actions as objects. Actions are of two types: physical and deontic. Physical actions such as transfer, get, put etc. typically cause the flow of documents, while deontic actions such as permit and prohibit determine who can perform any given action. The description of the accounting system consists of a series of relationships defined on these various types of objects.

Traditionally, accounting systems are described from an action processing perspective. Actions operate on specific kinds of objects and cause them to flow from one role to another, or from one organization unit to another. Actions are performed by agents who fill roles. The performance of physical actions is in turn controlled by deontic actions.
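
The conceptualization above, with physical actions controlled by permit and prohibit facts and segregation of duties checked per agent, can be sketched as follows. This is an added Python illustration, not AL syntax and not code from the paper; the role names, the agents, the "pay" action and the incompatible set are constructed assumptions built around the purchasing fragment in Section 2.0.

```python
# Added illustration; not AL. All roles, agents and facts are constructed.

# Deontic facts: (role, verb, document) triples.
PERMIT = {
    ("purchasing_clerk", "receive", "invoice"),
    ("purchasing_clerk", "receive", "receiving_report"),
    ("purchasing_clerk", "match", "invoice"),
    ("purchasing_clerk", "transfer", "invoice"),
    ("cashier", "get", "invoice"),
    ("cashier", "pay", "invoice"),
}
PROHIBIT = {("purchasing_clerk", "pay", "invoice")}

# Agents fill roles; carol is constructed to fill two roles at once.
FILLS = {"alice": {"purchasing_clerk"}, "bob": {"cashier"},
         "carol": {"purchasing_clerk", "cashier"}}

# Sets of (verb, document) actions that must not all be open to one agent.
INCOMPATIBLE = [frozenset({("match", "invoice"), ("pay", "invoice")})]


def allowed(role, verb, doc):
    """A physical action is allowed only if permitted and not prohibited."""
    fact = (role, verb, doc)
    return fact in PERMIT and fact not in PROHIBIT


def unauthorized(procedure):
    """Return the steps of a procedure that the deontic facts do not allow."""
    return [step for step in procedure if not allowed(*step)]


def sod_violations():
    """Return (agent, actions) pairs where one agent can do a whole conflicting set."""
    found = []
    for agent, roles in sorted(FILLS.items()):
        can_do = {(v, d) for (r, v, d) in PERMIT if r in roles and allowed(r, v, d)}
        found += [(agent, sorted(s)) for s in INCOMPATIBLE if s <= can_do]
    return found


# The purchasing fragment from the text, plus one constructed unauthorized step.
PROCEDURE = [("purchasing_clerk", v, d) for v, d in [
    ("receive", "invoice"), ("receive", "receiving_report"),
    ("match", "invoice"), ("transfer", "invoice"), ("pay", "invoice")]]

if __name__ == "__main__":
    print("unauthorized steps:", unauthorized(PROCEDURE))
    print("segregation-of-duties violations:", sod_violations())
```

The role-level prohibition stops the purchasing clerk from paying, but the per-agent check still reports carol, because the conflict arises from the roles she fills together rather than from any single role.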
Relationships between objects in our conceptualization are thus used to describe authority structures, actions, and the static functionality and capabilities of individual roles and organization units.

5.0 AL: The Language

The vocabulary of AL, like any other first-order language, consists of individual constants, predicate constants, function symbols, variables and logical constants. These symbols