To reduce the burden on the front-office in government organizations the concept of e-government has been introduced. In E-government, most of the government functions and processes are carried out in the digital form over the Internet. Over time e-government is becoming a challenge at different levels of public administration. To cope with this challenge, E-government is usually managed in terms of stages of growth and E-government architectures [9]. These architectures are based on the Service-Oriented Architecture (SOA), while SOA has rapidly become the de-facto standard for modern information systems. SOA helps to streamline the business processes in a highly standardized manner [2,8,22]. SOA is based on distributed services that together perform a collaborative task. The Open Group [29] and OASIS [18] define SOA as "a paradigm for organizing and utilizing distributed capabilities that may be under the control of different ownership domains".
When E-government uses SOA, this allows for a flexible and adaptive composition of services that communicate with each other via a general platform.
In recent years, the focus of SOA research has shifted to management, control and monitoring [20]. In this line, we define Service Oriented Auditing (SOAu) as the combination of SOA and Auditing. SOAu aims to realize the vision of continuous and online monitoring of services [33,23]. This has also relevance for e-government.
In this paper, we will consider the Customs and its trade facilitation as an Egovernment organization example. Customs controls are rapidly innovating from a labour-intensive and paper-based door-keeping function to international trade facilitation that explore the current global digital infrastructure (e-customs). However, the use of the modern technology concepts (like SOA, SOAu, Monitoring, RFID) in the automation of custom control has by far not been explored to its limits. The focus of this explorative paper is to consider the possible use of SOA and SOAu in E-government organization, especially in custom controls, and how SOAu influences the relationship between government and business. The paper is organized as follows. Section 2 gives an overview of the background knowledge including recent developments in customs control and the Extended Single Window (ESW) project of which our research is a part. Section 3 describes the e-government evolution towards the service oriented architecture. Section 4 categorizes auditing configurations in terms of coordination, audit object and audit subject. Section 5 closes with the main conclusions and directions for future research.
In this section we introduce four concepts that are at the basis of this paper. These concepts include Custom Controls, Modernized Custom Code, Extended Single Window, Service-Oriented Architecture and Auditing.
The Modernized Customs Code (MCC) was adopted by the European Communion in April 2008 but the process of realization is still enduring. The aim of MCC is to simplify legislation and administration procedures for both customs authorities and traders. The purposes of MCC are:
Goods Tracking: Streamline the customs procedures in such a way that it reduces the effort to keep track of the goods. Custom Guarantee System: Streamline and harmonies further the customs guarantee systems Develop Paperless Environment: Lot of paper work is needed for a simple custom procedure. MCC will ensure the computerization of all customs formalities, with a view to a completely 'paperless environment for customs and trade', e-customs Decision No 70/2008/EC of the Parliament and of the Council, adopted on 15 January 2008, by (i) Electronic lodging of customs declarations and accompanying documents as the rule (ii) Exchange of electronic information between the national customs, and other authorities;
Centralized Clearance: Introduce and promote the concept of "centralized clearance", by which authorized traders can declare goods electronically and pay their customs duties at the place where they are established. These all procedures will be irrespective of the Member State through which the goods will be brought in or out of the EU customs territory or in which they will be consumed. Single Window: An extension of the concept of centralized clearance by providing the documents at a single point. It provide a base for the development of the 'Single Window' and 'One-Stop-Shop' concepts, under which economic operators give information on goods to only one contact point ('Single Window' concept), even if the data should reach different administrations/agencies, so that controls on them for various purposes (customs, sanitary,...) are performed at the same time and at the same place ('onestop-shop' concept).
The concept of centralized clearance implies that when an "authorized operator" declares at the customs office, this office carries out the documentary risk analysis. The office then forwards the results of its analysis to the border customs office in that Member State or in another Member State where the goods are actually to enter or leave the Community (the 'office of entry/exit'). Border office can apply physical controls if needed. Procedures are different for the compliant and trusted traders. As a benefit of centralized clearance, the goods need not to be moved to the office of import or export but could be delivered directly to the point of sale. This would allow multinational companies to conduct all of their EU business with one customs office. Centralized clearance leads to the single electronic entrance point which is called as "Single Window". In "Single Window" authorized operators provide the information required by customs once and then all other agencies have access to it.
The vision of the Extended Single Window project (ESW) 1 started in 2010 is to develop an integrated and coordinated border management solution for ports and airports integrating with previous and subsequent procedures for reliable, secure, and cost effective logistic chains throughout the Netherlands as a logistic gateway to Europe. The coordinated border management solution is referred to as 'Extended Single Window'. It requires efficient and reliable handling of data to generate information for effective joint supply chain planning for shippers, goods owners, transportation companies, forwarders, terminals and other logistic service providers. This data is also used to generate information for government agencies, like customs, agricultural and tax. Currently, shippers and goods owners are faced with a wide range of regulations and procedures when goods enter or exit the EU. Completion of declaration processes and risk analyses and planning and coordination of inspections by the various agencies before shipments are (un)loaded from an aircraft or vessel enables logistics actors (terminal operators, forwarders, transport operators) to plan and execute transportation of shipments with hinterland hubs efficiently (improving modal shift, throughput time i.e. for perishable goods and reducing congestion). Efficient and reliable government controls reduce administrative costs, increase reliability of the supply chain, and ultimately reduce transport costs for shippers and logistic operators. ESW project is a source for realization of all these discussed tasks. Thus, ESW covers all regulations and procedures for coordinated border management at ports, airports and extending to hinterland hubs according to the MCC for both incoming and outgoing logistic flows, including integration with previous (outgoing goods for instance preceded by export) and subsequent procedures (incoming goods for instance followed by transit). Basic research in advanced information technologies is in Event Driven Architecture with a Logistic Interoperability Ontology:
-Event Driven Information Service Bus (EISB). It is an extension of the concept of Enterprise Service Bus (ESB). Basically, each logistic operation triggers an event. Minimally, an EISB supports publish/subscribe functionality to events in virtual data space. Since the data space is virtual, relevant data can still reside with each actor depending on governance and logistic innovations at business level. Thus EISB can support traditional document-driven processes as well as new event-driven processes for tracking and tracing of movement of goods. -Logistic Interoperability Ontology Framework. It specifies the semantics of all physical objects as shared by business actors in supply chains, e.g. semantics of containers, goods items, and trucks thus allowing that each actor shares only relevant information with one or more other actors.
Using the EISB concept it is possible to extend the Single Window concept in at least two important ways. The Single Window is based on digital documents, whereas the ESW is based on events, which is much more flexible. It is not necessary anymore for the sender to collect the data needed in the form of document template. The receiver specifies which data he wants to see (by subscribing to events), and these data are collected then (that is, continuously) from the virtual data space fed by all the distributed events. Secondly, the Single Window only streamlines data flow in one direction, from logistic operators to government agencies, whereas the EISB also supports data flow among logistic operators, among government agencies (e.g. to realize a One-Stop-Shop), or from government agencies to operators. One of the very powerful new possibilities opened up this way is end-to-end supply chain integrity as advocated by Hesketh [7].
Enterprises need to respond quickly to the today's more competitive and global market. To fulfill this purpose business needs to streamline its business processes in highly standardized manner. A contemporary approach for addressing these critical issues is service oriented architecture (SOA) [2,8,22]. "SOA is a paradigm for organizing and utilizing distributed capabilities that may be under the control of different ownership domains. Therefore providing a homogeneous means to offer, discover, interact with and use capabilities to produce desired effects which are consistent with measurable pre-conditions and expectations" [18]. SOA as an emerging approach meets the requirements of loosely coupled, standards-based, and protocol independent computing [20]. The enterprise service bus provides the functionality of highly distributed communication and integration based on event-driven and asynchronous communication. SOA can be extended to deal with service orchestration, intelligent routing, provisioning, integrity and security of massages as well as service management [21]. Extended SOA functionality is separated into three plans (i) Service foundation (ii) Service composition (iii) Service management and monitoring [19]. SOA and cloud computing are complementary activities. A platform for cloud computing provides a value-added underpinning for SOA [24], while SOA allows for optimal usage of Software-as-a-Service (SaaS) in cloud platforms.
Auditing is evaluation/monitoring/control of an organization/person/product on the basis of some norms. Traditionally, auditing can be defined in two scenarios (a) an internal audit (b) external audit. According to ISA standard 2010, internal auditing is 'to monitor and evaluate the effectiveness of an organizational risk management and control system' [37] while in external auditing the focus is on the assurance about the accuracy of the financial statement and coordination related tasks. The methods of internal and external audit are very similar, but external audit uses fixed norms, while the audit norm can be the subject of optimization in the case of internal audit. Audit addresses the quality of the business. Because of compliance issues organizations have to pay significant attention on the management, reporting and monitoring of the business processes [6]. Auditing is a periodic activity, where the time period and scope differs from one situation to another. In some organizations auditing is performed continuously termed as continuous audit [3]. Continuous and online auditing are very similar but slightly different concepts. Online auditing means that the auditing makes use of Internet technology for the distribution and/or acquisition of the audit data [32]. This also gives opportunities for interactive access to the data (drilling down). Ideally, online audit is continuous audit but continuous audit can be realized off-line as well [14].
3 e-Government Evolution towards SOA E-government growth has been studied in two ways: (i) content analysis of the government web sites for specific features of E-government [10,28,36], (ii) survey among local government officials. Moon [17] conducted the most known survey of government officials . Sometimes both content method and survey methodology have been used together.
Different models of e-government growth have been developed. For public administrators of e-government Layne and Lee [15] describe different stages of e-government development and propose a 'stages of growth' model for fully functional e-government. Keeping in view the technical, organizational and managerial feasibility and corresponding examples, four stages of growth model are: (1) cataloging, (2) transaction, (3) vertical integration, and (4) horizontal integration. These stages consider the citizen as a user of governmental services. These stages describes that citizen-focused change must be considered throughout egovernment development.
The two-stage model of Reddick [26] builds forth on the four stage model. This model of e-government growth is applied to municipalities. Stage I is the cataloging of information online and Stage II is transactions being completed online. These stages apply to various e-government relationships being government to citizen (G2C), government to business (G2B), or government to government (G2G). In this study, it appears that G2C e-government is primarily in Stage I cataloging information, in essence, providing an online presence for cities. Egovernment is considered more developed in the case of G2G use of internet for government employees.
Governmental agencies are trying to migrate their traditional systems architectures to more horizontally and vertically integrated architectures. Janssen and Veenstra [9] describe the stages of growth model for the development of information architectures for local governmental agencies. These stages consider the front and back office in parallel. The five-stage model consists of (1) no integration, (2) one-to-one messaging, (3) warehouse, (4) broker and (5) orchestrated broker architecture. The first three stages are about integration using data warehouses. The fourth stage not only handles information, but also starts invoking other types of technical services. In the last growth stage, the orchestrated broker architecture enters. This stage is specialized into SOA. Public decision-makers can use these stages as a guidance and direction in SOA architecture development. The stage model provides the milestones to evaluate and control the costs of architecture development.
For improving service delivery, departments and agencies have to work together and manage the mutual information flows. Stage models can help further e-government development. The stage model proposed by Klievink and Janssen [11] describes the stages of development in joint-up government at national level. It consists of following five stages: (1) Stovepipes (2) Integrated organizations (3) nation-wide portal (4) inter organizational integration and (5) customer-driven, joined-up government. These stages also consider SOA.
From the above, we can see that integration has always been an important e-government concern, evolving from an intra-to an inter-organizational scope. SOA can very well support this development, but it also requires a more holistic view to the coordination of e-government services [12].
The relationship between computer science and auditing is bi-directional. In a computer science perspective, applications of computer science are subject to audit, e.g. the information system infrastructure and accounting system, while in audit perspective, IT applications are employed as a powerful means to support risk management and auditing, for instance ACL audit software (www.acl.com) and the AuditSystem-2 used at Deloitte (www.deloitte.com). Service oriented auditing (SOAu) aims at the use of service-oriented technology to further support audit processes and realize the vision of continuous and online monitoring. In this article an audit module can be defined with the help of the following model proposed by Weigand and Bukhsh [33]. tecture of an audit module based on service-oriented monitoring solution. Events [1] generated by business services (including service request and service response events) are published on the EISB. The continuous monitoring (CM) service collects the events using the publish/subscribe mechanism. Then it generates the IST (as-is) model from the event traces by means of specified process patterns. Such a pattern consists of two parts: a condition part specifying selection criteria on operational events, and a result part specifying one or more economic events, typically defined on a higher abstraction level, e.g. using the REA business ontology [16]. When the processing detects an operational event pattern, it generates the corresponding economic event as IST model. The IST model contains both compliant and non-compliant process instances from which a fault list is generated (evaluation). The result of the evaluation can be forwarded immediately to the stakeholder, be it Company / Government/ Concerned Authorities (push) or made available online (pull).
Monitoring management is a second and important component of the model that is responsible for adapting and optimizing the first component in the face of internal and external changes. This activity is responsible for deriving process patterns from a fixed SOLL (normative) model, and uses process mining or other machine-learning techniques.
From a coordination perspective, we can divide the government and company audit relationship into two categories. (i) uncoordinated: in which one company is audited by one government authority at a time. (ii) coordinated: when many collaborating companies are audited by many government authorities in a coordinated action.
Uncoordinated means that one government authority audits one company at a time, based on direct communication between the company (e.g. trading company) and government authority (e.g. custom). In this category, there are again two subcategories, depending on the audit subject: (i) government audits the company (ii) company audits itself, reporting to the government.
Audit by the Government: Audit by Government is of detective and corrective nature. Government want to check the status of the organization /company's declarations and trustworthiness. Government authorities or shareholders or investors usually perform this type of audit. They audit the assets, controls, declarations and all the matters related to the company's stability. Audit by the Company: In this case, the company has a rigorous internal auditing system. According to Starreveld et al [27] organizations need internal control measures, including organizational rules and control activities. These internal controls are in general of a preventive nature, i.e. preventing the occurrence of errors and opportunistic behavior of the organizational agents. The purpose of auditing the internal controls by the company is first of all to implement accountability to owners and to attract investors. Nowadays, they may also be required by partners, e.g. powerful customers who are dependent on the quality of the company's processes. However, the very same measures can be used to implement accountability to the government, thus avoiding duplicated efforts.
A company/organization provide services to its customers/users with the help of different parallel or stand alone processes. We make an important distinction between operational and control services.
Operational Service: Each operational service executes a particular activity in the company's primary processes. Operational services consume and produce value objects, so to safeguard value, operational processes need to be controlled. Control Service: Control services implement business control on the operational services. Control services takes place at two levels: control within the organization and external control. Control services involve the creation of management systems, managing the consistency and quality of products coming to/from the company. It also involves the development of programs and processes that operate automatically [34].
Whereas the audit type says who is performing the audit (subject), the service type says what is the primary focus of the audit (object). The following table shows the four possible combinations:
Type I Type II By Government Type III Type IV Table 1. Audit subject/object categorization Type I: Administration in the companies always needs to keep an eye on the status of the company. A focus on operational processes corresponds to traditional transaction-based auditing. Traditionally, this type is not feasible as the government is not willing to accept the risks of abuse and fraud. It is only willing to leave the auditing responsibility to the company when the company is firmly in control (type II). However, with the use of (automated) audit modules (cf. Fig. 1), the type may become acceptable. The audit module supports a continuous monitoring service of the company's operational services. In this way, it can detect and immune any potential operational issue. The results can be published and made accessible to the government agency. Type II: Companies arrange the audit activity especially auditing the control services for itself to have self-assessment. This so-called system-based control is usually more efficient and effective than the transaction-based type. There are other reasons for choosing this type as well. Companies with international supply chain like to show themselves to be compliant and standardized. The self-assessment can also replace costly governmental controls, as in the case of custom procedures. For this purpose e-customs provides a standard known as Authorized Economic Operator (AEO) certificate [5]. To get an AEO standard company have to show customs compliance, appropriate recordkeeping standards, financial solvency, and appropriate security and safety standards in place. An audit module audits the company's control services in order to ensure compliance to the AEO standard. This module can use the same architecture as the model in Fig. 1, where the events being monitored are now control service events (for instance, changing authorizations) rather than operational service events. Type III: When the government audits the operational services then there are two scenarios (i) government physically audits the operations and operational services. This is the traditional way of working, where custom inspectors process clearance request documents per transport and check all or a selection of the containers passing the border. Evidently, this is a labor-intensive process. (ii) Government audits the operational processes by using advanced IT such as the automated scanning, audit tools [33] and/or process mining techniques such as proposed by Van der Aalst et al [31]. Type IV: This can be seen as a variant of type II where the company has a rigorous internal control system, but rather than doing a self-assessment, the government remotely monitors and evaluates the control system. This variant may benefit both the company and the customs. Probably, it requires an even higher level of "being in control" then in the case of type II. In this case it is not sufficient that the internal control system is compliant, according to human interpretation, but that this compliance need to be assessed and monitored online. In other words, the internal control system must be highly formalized and automated. The costs that this brings for the company can be compensated by the fact that (manual) self-assessments are no longer needed: the company only needs to provide access to the control services, via some interface. For the customs, it also saves costs of manual processing of AEO reports, and may provide a higher level of security. On the other hand, it requires sophisticated audit tools. It is also important that the interfaces are well-defined and based on standards.
Growing trade and increased security require new controls. In parallel government would like to reduce the administrative burden. E-customs supports simplified paperless trade procedures, prevents potential security threats and counterfeit tax related frauds and also ensures the interoperability with other e-customs systems within and outside the Europe. The use of SOA in e-customs [25] helps us to access to the location of goods through its supply chain, the provision of evidence for import/export, the notification through alerts in case of exceptions, for example deviation from the planned trajectory, abnormal conditions for containers and others. With the still growing world-wide trade, no single company can fulfill all needs so it has to collaborate and cooperate with other companies. In this context, coordination emerges as a separate service.
Coordination Service: Co-ordination services can be defined as services supporting an exchange process (a set of events) for a good or a service [34].
Processes like identification, negotiation, order execution and after-sales take place in a good exchange as well as a service exchange. Within this process, a distinction can be made between core services -the transfer of goods, services or money -and coordination services that support the process and manage the dependencies between activities [4].
Weigand et al [35], describe a user-centric service coordination cycle that assumes a consumer who interacts with multiple service providers who in turn offer some real-world service as part of a service bundle. Dependencies between activities arise, among others, from the occurrence of shared resources. For instance, when a consumer wants to use a hotel service and a flight service, a shared resource is the physical person himself, who can be at only one place in a given time. In the case of international trade and custom procedures, a shared resource is the container in question. This creates a need for coordination.
Next to the co-ordination among the companies in the chain there are multiple government authorities who audit them. Suppose there are n government authorities to audit m companies. In total there will be n.m combination of audits. This will cost lot of effort and time from government authorities. To overcome this issue, the concept of trusted third part may be adopted. Audit by Third Party: In this scenario there is a third party who is trustworthy for both company as well as Government/ Investor/ Concerned Authorities. Government selects the trusted third party based on some standards and certifications. The third party audits the company, combining the different requirements from different government agencies, and takes a chain perspective rather than focusing on one company only. The type of audit is of detective, corrective and preventive nature. The audit information can be used by the company itself (it has outsourced its auditing so to say). If Government requires audit information then it can extract this online from the third party's interactive interface. Since the third party is external to both the Government and the company, it can manage the coordination of audit activities.
The concept of third-party can be implemented in several ways. In market economies, it is not realistic to assume that there will be a single third-party.
Several competing and complementary companies will try to play part of this role. So it is better to talk about a third party network rather than a third party actor. Within such a network there may even be opportunities for a fourth-party actor concept as this also exists in logistics [30].
Assuming a coordinated auditing approach, three coordination types can be distinguished, from minimal to maximal (Table 2 Type A: When coordination is not an assigned function. It means N government authorities will audit M number of companies independently. The lack of coordination results in inefficiencies and problems that the company must try to solve. Type B: When there is data and information sharing/coordination between the government authorities, as in the one-stop government concept There may also be chain coordination between the companies, but the two are not integrated.. In the e-customs domain, this type should involve not only data sharing but also coordination of inspection activities. For companies that are currently in type A, this type B is a big improvement. Type C: In this type there is overall coordination between the companies and as well as between the government authorities. This implies that not only companies have a single access point to various government services, but also that the government has a single access point to a logistic chain or business network. In this case, coordination is maximal. This type can only be realized by the support of intermediary third parties. It also requires that the government is willing to retreat from its role of "sole care taker" to the one of Service Provider/Network Manager [13].
SOA is a basic architecture for integrating global services. Audit in combination with SOA provides a massive potential of innovation. In this paper we have introduced SOAu as a new area of research within the domain of Information Systems. In order to explore the applicability of SOAu we have developed a categorization of auditing approaches based on three dimensions: the audit object, the audit subject and the coordination level.
This research is partially supported by the DINALOG (www.dinalog.nl) project "Extended Single Window".