Double Approvals of POs higher than $5000 (Double-CheckControl).

An Application Control Strategy defines the way a control monitors the behavior of one or more activities inside a business process (Figure 3). In order to become active an AC requires to be triggered according to the state of the process parameters in a scope. We define further two elements of an AC strategy: scope and pattern based conceptually on the work done by Dwyer et al [ 1 ]. Although their patterns are mainly used for defining formal requirements on program specifications, they can be applied to internal controls compliance and the monitoring requirements there. For a detailed description of the scopes and patterns and their semantics please refer to [ 1 ]. The abstraction layer above business process model we call the “Semantic Process Mirror” (SemanticMirror). According to assessed risks, a set of ACs is defined in this layer. During execution of a business process, this layer will be updated with information needed for the evaluation of defined controls in order to ensure that compliance checks will pass. The approach spans over there phases:

SemanticMirror represents a semantic layer placed on the top of the (usual) syntactical description of a business process (i.e. workflow). In this phase a model of the business process according to Figure 2b will be stored in the SemanticMirror. It will be used later during the phase 2 and 3 to infer whether the process is designed and executed according to a set of declaratively designed ACs in phase 2.

In the following we present a set of formalizations needed for the automatic evaluation of ACs. Control statement CS is a logical statement that describes how to carry out an AC ac in a business process bp:

O(ct) ∧ V(bp, ac(x, cp), GS(bp, scope)) CS(ct, bp, ac(x, cp),GS(bp, scope(M)), action R ) :=

Activity(bp, action R ), where the formula for CS expresses that if a violation V for the given ac occurs (is true) after occurrence O of a ControlTrigger ct on a Guarded Sequence GS, then the corresponding recovery action action R will be instantiated and executed on current instance of bp (the instance that generated the violation). We describe the parameters mentioned above: Guarded Sequence is a sequence of activities, which are along the scope of the AC strategy of an ac in a bp. The values for the violation of a control are calculated by evaluating the statement ac on the SemanticMirror, i.e. if the statement ac can be inferred from the set of facts contained in the SemanticMirror.

An AC ac expresses that a control pattern cp (See Figure 3) must hold if the logical condition on an entity x holds:

ac(x, cp) := condition(x) cp, x ∈ {BusinessDocument, Agent)

We show the formalization of the control pattern (cp) BoundedExistence of n (see Figure 3) for an activity C in the scope of activities defined by GS(bp,scope):

BoundedExistence(n, C, GS (bp,scope) := ( ∧ i=0,..,n n ∃Ci | InstanceOf(Ci , C)) ∧ (i, j=∀0,..,n Ci , C j | Ci!= C j ) ∧ (i=0∀,..,n Ci | Ci ∈ GS (bp,scope))

Example: Applied on the Double-check control in the PO-Process (see scenario) the statement ac looks as follows: ∀PO | BusinssDocument(PO) ∧ Amount(PO,amount) ∧ greater(amout,5000) → BoundedExistence(2, ApprovePO,GSDoubleCheck (P2P, Between(SelectSupplier,SendPO)))

This phase enables the bidirectional interaction between BPM and internal controls management (see Figure 1): The SemanticMirror will be updated by information about the current instance of the business process enacted and if an AC is violated, the recovery action defined in the control statement will be executed. KBAs represent conceptual abstraction of a log channel, which maybe used to update the SemanticMirror.