Taming Compliance with Sarbanes-Oxley Internal Controls Using Database Technology

The Sarbanes-Oxley Act instituted a series of corporate reforms to improve the accuracy and reliability of financial reporting. Sections 302 and 404 of the Act require SEC-reporting companies to implement internal controls over financial reporting, periodically assess the effectiveness of these internal controls, and certify the accuracy of their financial statements. We suggest that database technology can play an important role in assisting compliance with the internal control provisions of the Act. The core components of our solution include: (i) modeling of required workflows, (ii) active enforcement of control activities, (iii) auditing of actual workflows to verify compliance with internal controls, and (iv) discovery-driven OLAP to identify irregularities in financial data. We illustrate how the features of our solution fulfill Sarbanes-Oxley requirements using several real-life scenarios. In the process, we identify opportunities for new database research.
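The abstract names four components but shows no code. The following is an added example, not code from the paper or its authors, sketching two of them with SQLite's active features: component (ii), active enforcement, as a trigger that rejects an approval by the same user who entered the payment (separation of duties, assumed here as the example control activity), and component (iii), auditing of actual workflows, as a query over a step-by-step workflow log that finds disbursements lacking a prior independent approval. All table names, users and amounts are constructed for the example.

```python
"""Added example (not from the paper): enforcement and audit of one
internal control (separation of duties) using an active DBMS (SQLite).
Tables, users and amounts are constructed for illustration."""
import sqlite3

SCHEMA = """
CREATE TABLE payments (
    id         INTEGER PRIMARY KEY,
    entered_by TEXT NOT NULL,
    amount     REAL NOT NULL
);
-- One row per workflow step actually performed, in execution order.
CREATE TABLE workflow_log (
    seq        INTEGER PRIMARY KEY AUTOINCREMENT,
    payment_id INTEGER NOT NULL REFERENCES payments(id),
    step       TEXT NOT NULL CHECK (step IN ('entered','approved','disbursed')),
    actor      TEXT NOT NULL
);
-- Active enforcement (component ii): an 'approved' step by the user who
-- entered the payment violates separation of duties and is rejected at
-- write time, before the row ever reaches the log.
CREATE TRIGGER sod_on_approval
BEFORE INSERT ON workflow_log
WHEN NEW.step = 'approved'
 AND NEW.actor = (SELECT entered_by FROM payments WHERE id = NEW.payment_id)
BEGIN
    SELECT RAISE(ABORT, 'separation of duties: approver entered this payment');
END;
"""

AUDIT_QUERY = """
-- Audit of actual workflows (component iii): disbursed payments with no
-- approval recorded before the disbursement by someone other than the
-- user who entered them.
SELECT p.id, p.amount
FROM payments p
JOIN workflow_log d ON d.payment_id = p.id AND d.step = 'disbursed'
WHERE NOT EXISTS (
    SELECT 1 FROM workflow_log a
    WHERE a.payment_id = p.id
      AND a.step = 'approved'
      AND a.actor <> p.entered_by
      AND a.seq < d.seq
)
ORDER BY p.id;
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def enter_payment(conn, pid, user, amount):
    conn.execute("INSERT INTO payments VALUES (?,?,?)", (pid, user, amount))
    conn.execute("INSERT INTO workflow_log(payment_id, step, actor) VALUES (?,?,?)",
                 (pid, 'entered', user))


def log_step(conn, pid, step, actor) -> bool:
    """Record a workflow step; False if the control trigger rejected it."""
    try:
        conn.execute("INSERT INTO workflow_log(payment_id, step, actor) VALUES (?,?,?)",
                     (pid, step, actor))
        return True
    except sqlite3.IntegrityError:   # RAISE(ABORT, ...) surfaces here
        return False


def audit(conn):
    """Return (payment_id, amount) for every disbursement the audit flags."""
    return conn.execute(AUDIT_QUERY).fetchall()


def demo():
    conn = open_db()
    # Payment 1: compliant workflow (enter -> independent approval -> disburse).
    enter_payment(conn, 1, 'alice', 1200.0)
    ok1 = log_step(conn, 1, 'approved', 'bob')
    log_step(conn, 1, 'disbursed', 'carol')
    # Payment 2: alice tries to approve her own entry. The trigger blocks the
    # approval, but the disbursement still goes out, so the audit flags it.
    enter_payment(conn, 2, 'alice', 9800.0)
    ok2 = log_step(conn, 2, 'approved', 'alice')
    log_step(conn, 2, 'disbursed', 'carol')
    # Payment 3: approval logged only after disbursement (wrong order).
    enter_payment(conn, 3, 'dave', 300.0)
    log_step(conn, 3, 'disbursed', 'carol')
    log_step(conn, 3, 'approved', 'bob')
    return ok1, ok2, audit(conn)


if __name__ == "__main__":
    print(demo())
```

The trigger and the audit query check the same control from two sides: the trigger stops a violating step as it is written, while the audit catches workflows that reached disbursement without the required step at all or with the steps out of order, which no per-row trigger on the approval can see. In practice the log table would also need append-only protection, since an auditor's evidence is only as good as the log's integrity.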
