Given the myriad risks facing organizations these days, information systems and more importantly the data underlying the systems are susceptible to material errors, irregularities, or even fraud. It is therefore critically important to ensure that proper controls are built into organizational information systems. This paper describes a methodology for identifying risks and internal controls on a business process model. Using McCarthy's (1982) Resources, Events, Agents (REA) model as the basis for business process modeling, the methodology is aimed at the identification and documentation of internal controls at the business process level. With a focus on accounting information systems, we first show how the basic REA framework is used to model revenue cycle business processes. We then identify illustrative risks, the corresponding audit objectives, and related internal control procedures for the sales order processing subsystem. A UML diagram of the sales order processing subsystem entities is shown, with specific table and field level controls indicated. Future directions in this line of research aimed at developing an internal control ontology are also discussed.

Arens, A.A. and Loebbecke J.K. (1997), Auditing: An Integrated Approach. 7th ed. Upper Saddle River: Prentice Hall.

Bailey, A.D. Jr., Duke, G.L., Gerlack, J., Ko, C., Meservy, R.D., and Whinston, A.B. (1985), “TICOM and the Analysis of Internal Controls,” The Accounting Review, 60 (2): 186-201.

Church, K.S. and Smith, R.E. (2007), “An Extension of the REA Framework to Support Balanced Scorecard Information Requirements,” Journal of Information Systems, 21 (1): 1-25.

COSO Report (Committee of Sponsoring Organizations of the Treadway Commission). (1992), Internal Control - Integrated Framework. New York: AICPA.

Fox, M.S., Barbuceanu, M., and Gruninger, M. (1996), “An organisation ontology for enterprise modeling: Preliminary concepts for linking structure and behavior,” Computers in Industry, 29: 123-134.

Gal, G., and McCarthy, W.E. (1985), “Specification of internal controls in a database environment,” Computers and Security, March: 23-32.

Geerts, G. and McCarthy, W.E . (2001), “Using Object Templates from the REA Accounting Model to Engineer Business Processes and Tasks,” Working paper, Michigan State University, http://www.msu.edu/user/mccarth4/G&M-maintext.htm.

Geerts, G. and McCarthy, W.E . (2002), “An Ontological Analysis of the Primitives of the Extended-REA Enterprise Information Architecture,” The International Journal of Accounting Information Systems, 3(1): 1-16.

Geerts, G. and McCarthy, W.E. (2000), “The ontological foundations of REA Enterprise Information Systems,” Presented at the American Accounting Association Annual Meeting, Philadelphia, PA, 2000.

Geerts, G. and McCarthy, W.E. (2001), “Using Object Templates from the REA Accounting Model to Engineer Business Processes and Tasks,” Review of Business Information Systems, 5 (4): 89-108.

Hinde, S. (2004), “IT controls, financial reporting, and fraud,” Computer Fraud & Security, 7: 13-14.

ISO/IEC, (2005a), International Standardisation Organisation, Standard 27001: Information Technology - Security techniques - Information Security Management Systems–Requirements (2005-10-15).

ISO/IEC, (2005b), International Standardisation Organisation, Standard 17799: 2005: Information Technology - Security techniques. Code of practice for information security management, Second Edition (2005-06-15).

Kaplan, D., Krishnan, R., Padmna, R., and Peters, J. (1998), “Assessing data quality in accounting information systems,” Communications of the ACM, 41(2): 72-78.

McCarthy, W.E. (1979), “An Entity-Relationship View of Accounting Models,” The Accounting Review, 54 (4): 667-686.

McCarthy, W.E. (1982), “The REA Accounting Model: A Generalized Framework for Accounting Systems in a Shared Data Environment,” The Accounting Review, 57 (3): 554-578.

O’Leary, D.E. (1999), “Modeling Time In REA/REAL Databases,” Working Paper, University of Southern California.

Ramos, M. (2004), “Evaluate the Control Environment: Documentation Is Only a Start; Now It’s All about Asking Questions,” Journal of Accountancy, 197 (3): 75-78.

Sarbanes-Oxley Act. (2002), Public Law No: 107-204. Washington, D.C.: Government Printing Office.

Verdaasdonk, P. (2003), “An Object-Oriented Model for Ex Ante Accounting Information,” Journal of Information Systems, 17 (1): 43 - 61.

Wand, Y., and Weber, R. (1989), “A Model of Control and Audit Procedure Changein Evolving Data Processing Systems,” The Accounting Review, 64 (1): 87-107.

Weber, R. (2002), “Ontological Issues in Accounting Information Systems,” In Researching Accounting as an Information Systems Discipline, edited by Arnold, V. and Sutton, S.G., Sarasota: American Accounting Association.