Article Preview
Top1 Introduction
Business reality consists of contractual arrangements between actors, like seller and buyer. A contract is a statement of intent to regulate behaviour. In this sense, “… most organizations are simply legal fictions which serve as a nexus for a set of contracting relationships among individuals” (Jensen & Meckling, 1979) (p.310). Businesses put more and more effort into demonstrating compliance, not only with laws and regulations, but also with business contracts. This effort has a huge cost. The notion ‘costs of control’ is important, but difficult to define. It does not only involve the visible costs of implementing controls, but also the hidden costs of counterproductive behaviour, gaming the system, delays and missed opportunities because of reduced flexibility and usability (Merchant, 1998). Much of the corporate governance debate therefore concentrates on the question: what constitutes a cost efficient control system? (Tirole, 2001, Speklé, 2001, Williamson, 1979).
One particular way to deal with the increasing costs of control is to use information technology in a clever fashion. Generally, information systems may help (i) to collect and analyse evidence in order to monitor, detect and correct undesired behaviour, and (ii) to facilitate the organization to be ‘in control’ by preventing undesired behaviour. This may be called ‘compliance by design’ (Sadiq & Governatori, 2009, Sadiq et al., 2007). The term was initially used in the context of business process management (Dumas et al., 2005). The approach assumes there is a reference model (‘de jure’ model) with process constraints against which the evidence of process behaviour (‘de facto’ model) can be verified. However, in the literature on business process management it is generally not specified how to derive a reference model, e.g. from legal sources, technical standards or best practices. Also, given a ‘de facto’ model, it is left unspecified how the raw evidence needs to be interpreted and mapped onto the ‘de jure’ model. Compliance verification is assumed to take place at design time, but similar checks can be repeated at runtime, to make sure the verified model is still operational. In that case, the approach starts to resemble continuous control monitoring (Alles et al., 2006, Vasarhelyi et al., 2004). What matters is that controls have been built into the design of the business processes and can be verified at or near real time.
Generally, these matters are approached from a technical perspective and issues regarding transaction costs, auditing roles and responsibilities and the meaning of evidence are not sufficiently addressed. We therefore prefer to use the term ‘compliance by design’ in a broader sense, referring to an integrated design of organizational, procedural and technical measures, to make sure the organization is evidently compliant.
In this paper we therefore analyse the problem of demonstrating compliance within an automated environment, focusing on the strength of evidence and the roles of management, internal and external auditors and other stakeholders in setting up a control system. Our research question is the following:
1. How can organizations ensure and prove to others that they are compliant with a contract, while at the same time making sure the costs of control will not increase?
Our approach will be to analyse a real world case study. The case study concerns the set-up of an automated control system for ensuring compliance of the monthly invoice with a contract regulating public transport services for the elderly and disabled. We develop a kind of artefact: the automated control system. In that sense we follow a design science paradigm (Hevner et al., 2004). The case study will help to induce lessons learned about the design and application of automated controls in a complex and highly regulated domain. Thus the case study is meant for theory building, rather than theory evaluation, compare (Eisenhardt, 1989).
In order to analyse the case study with sufficient rigour and to make the outcomes generalizable to different application domains, we will use formal specification and verification techniques, to capture the essence of the reasoning process. In particular, we want to show that the control system correctly implements the contract and that it has increased the quality of evidence.