With the development of technologies such as Business Process Execution Language (BPEL), a business-process centric approach to design of information systems has emerged. This approach calls for the modeling and analysis of the business process— both to document it as well as to analyze its risk characteristics – specifically, the risk of errors in the data produced by the process. This focus o...

Sarbanes-Oxley (SOX) Act stipulates specific roles for the CEO, CFO, and the Auditor. However, the role of the Chief Information Officer (CIO), usually in charge of IT governance (ITG), is implicit. This is despite the fact that in many firms, accounting and financial information and reporting systems either incorporate or are embedded in sophisticated information systems. Through a discussion ...

Today’s companies face increased pressure regarding compliance to legal obligations. Regulations for the financial sector such as Basel II and III, Solvency II, or the Sarbanes-Oxley-Act explicitly demand various requirements. Many of those requirements address the governance and management of information assets, such as data. Companies need to report and track their information architecture, a...

Prior research has paid very little attention, if at all, to the risks and costs entailed in IT disintegration processes. In this study, we begin addressing this gap by studying how IT disintegration challenges posed by corporate divestitures affect the regulatory compliance risks and costs of divesting firms in the context of the Sarbanes-Oxley Act of 2002 (SOX). We hypothesize that firms with...

The paper shows how excessive reporting, called “crying wolf”, can dilute the information value of reports. Excessive reporting is investigated by undertaking the first formal analysis of money laundering enforcement. Banks monitor transactions and report suspicious activity to government agencies, which use these reports to identify investigation targets. Banks face fines should they fail to r...

In this paper we describe a new approach for the integrity of audit records. We show how to simultaneously establish the integrity of an entire audit data set and of any derived subsets, adapting techniques that have been used before for redactable signatures. In addition, our algorithms allow for the pseudonymization of data fields, cryptographically enforcing the consistency of chosen pseudon...

Regulatory compliance requirements in the area of Internal Controls such as Sarbanes Oxley Act force enterprises to identify, shape and document their business processes. In this context enterprises require mechanisms to ensure that their business processes implement and fulfill compliance requirements independently from business level requirements. In this paper we present a novel approach for...

Today’s enterprises demand a high degree of compliance of business processes to meet laws and regulations, such as Sarbanes-Oxley and Basel II. Compliance should be enforced during all phases of business process lifecycle, from the phases of analysis and design to deployment, monitoring and evaluation. In this paper, a taxonomy of compliance constraints for business processes is introduced base...

This thesis examines anomalies related to the discretionary accruals usage during the tenures of CEOs in listed U.S. companies since the implementation of Sarbanes-Oxley Act. The approach used in this thesis is quantitative in nature. Four well-known discretionary accruals models: Healy model, DeAngelo model, Jones model and modified Jones are used in to separate discretionary accruals from the...

We study the problem of authenticating the content and creation time of documents generated by an organization and retained in archival storage. Recent regulations (e.g., the Sarbanes-Oxley act and the Securities and Exchange Commission rule) mandate secure retention of important business records for several years. We provide a mechanism to authenticate bulk repositories of archived documents. ...