ABSTRACT
The development of information systems for financial report issuance must be adherent to the demands of the law and regulations that regulate the financial market. In order to perform this task, organizations need to implement control in the Information Technology (IT) area to maintain their systems' conformity to laws and regulations. In the development of this work, it was found, through a state-of-art study, that there are no proposals contemplating the solution of this problem in its totality. In order to achieve this goal, in this paper it is presented a model for Information Technology management constituted by COBIT, ITIL and BPM management good practices, together with SOA and XBRL Technologies. This model is composed by 03 layers that aim at structuring the organization IT and business processes, besides defining a process for implementing SOA and integrating its Web services with XBRL language. One can expect this work to contribute to companies to decrease the negative impact coming from the lack of conformity with laws and regulations, through the creation of a corporative and IT environment that is flexible and more adaptable to changes, which may occur in legal demands, as well as improving the quality and reliability of financial report issuance.
Keywords: BPM, COBIT, IT, ITIL, SOA, XBRL Governance.
1. INTRODUCTION
This work development was performed based on research regarding management and governance good practices in the area of information technology, as well as on the identification and analysis of XBRL language and service oriented architecture technical features for applying only concepts that are necessary to the context of the problem in question. It was also performed bibliographic research consisting in the reading of academic texts and papers and study of COBIT, ITIL and BPM technical specifications. In this phase of the work, non-existences and limitations of elements defined in proposals similar to this work were found.
The solution presented in this article aimed at contemplating theses deficiencies through the proposition of a model of management and governance for creating and releasing financial reports in the organizations that must be in conformity with specific laws and regulations for this purpose. The proposed model development was performed in parts, being divided in layers, so its implementation in the organizations may be performed iteratively and independently, allowing that the layers that attend the organization needs are implemented independently. However, a case study was not performed due to the proposal complexity, which would make its practical application unviable in a well-timed occasion.
The evolution in the area of Information Technology (IT) has taken place through diverse factors; one of them occurs due to the legislations that the organizations must follow. Sarbanes-Oxley law - SOX (ITGI, 2006) was one of the laws that significantly impacted the IT area, increasing its relevance in the organizations that must be in conformity with this law (Guerra, 2007). In this context, the organizations performed more investments in IT and valued the bond that the IT area maintains with the organization strategic goals, making the development in the IT area a critical factor for organizational success, as well as a competitive differention in the market. To help with the conformity with legal demands, according to Guerra (2007), companies' IT areas have started to adopt Control Objectives for Information and Related Technology (COBIT) (ITGI, 2007a), because COBIT defines what the goals that IT controls must conform with are, in order to satisfy SOX (ITGI, 2006).
COBIT is a good management practice, independently of the technological platform, which helps IT governance to structure a monitoring process to check and measure processes. Through COBIT, the companies are able to assure that IT will be aligned to businesses goals, which involve laws, and, therefore, obtain competitive advantages for the organizations businesses (ITGI, 2007a).
Another good IT management practice, which combined with COBIT helps organizations to be conformed to laws and regulations, is ITIL. ITIL is a set of good practices regarding life cycle management of IT infrastructure services focused on business. With COBIT, the organization determines control criteria and goals to be reached by IT processes and, through the use of ITIL, these IT processes are structured and defined.
Organizations ' business processes, not only IT processes, also need to be well controlled and defined so the company may establish the control points required by laws and regulations. A good practice for managing processes that conform to this need is Business Process Management (BPM) (BPMN, 2006). With BPM it is possible not only to select and align business critical processes to the organization strategy, but also to create a mechanism for structuring, evaluating, measuring and controlling the business processes.
Although COBIT ITIL and BPM enable the creation of an IT and corporative environment that contributes to the conformity required by laws and regulations, companies must deal with issues related to the diversity of data format that contributes to the creation of financial reports. It increases significantly: (i) the time of financial report issuance, due to the efforts towards data transformation; (ii) the costs coming from these efforts performance and; (iii) the risks of errors occurrence, decreasing, furthermore, report reliability and generating, consequently, negative impacts on the business.
The usage of two technologies together, SOA (Erl, 2009) and XBRL (Silva, 2003, 2002), may contribute to the improvement of problems related to the format diversity of financial data and provide a better adaptation capacity of the information systems for changes in business processes. The Extensible Business Reporting Language (XBRL) is an international standard adopted by companies of public and private areas, which contributes to solving the problem related to the diversification of financial information data format (Silva, 2003). XBRL provides a structure that enables data and financial information interchange and consequently data integration, which are found in different formats and in different information systems. The Service Oriented Technology (Erl, 2009) or SOA (acronym for Service Oriented Architecture) that has as its main goal, in the context of this paper, to facilitate services creation (SOA applications) that will automatize the business processes related to the organization's financial and accounting areas. SOA allows the construction of more flexible and adaptable applications to the changes in business processes.
Through the analysis of the good practices and technologies discussed in this section and the lack of a model of IT management that attend the needs that the organization have, in order to conform its IT and corporative environment to the laws and regulations, it is seen the necessity of proposing a structured model for IT management that integrate these good practices and technologies (COBIT, ITIL, BPM, SOA and XBRL) in order to contribute to issue financial reports and improve the organizations' adherence to laws and regulations.
The rest of this article is organized as follows. Section 02 presents correlate works that were analyzed and subsidies the construction of the model. Section 03 details the structure of the model of IT management. Finally, in Section 04 the conclusions and final considerations of this article are made.
Correlative Works
In this section, it is performed an analysis of the works related to the IT management structured model proposed in this paper.
(Biancolino & Critofoli, 2008) performed an analysis of SOA and XBRL technologies, which constitute an important resource that may be used by controllers, in order to provide an IT solution that would provide a link between the business demands and regulatory departments. Through the analysis performed, the authors concluded that SOA is a facilitator for corporative information systems as modulator of business services that can be easily integrated and reused, creating a flexible and adaptable IT infrastructure. The analysis performed for XBRL technology, however, has highlighted the importance this language holds in the financial area, due to the facility offered in sharing and searching financial information in the context of organizational information systems. Nevertheless, although other authors highlight the importance of these technologies, for the accountant area and for the issuance of financial reports, in order to successfully develop information systems through SOA and XBRL, they do not discuss business processes structuring. (Gluchowski & Pastwa, 2006) have proposed to investigate reliable and fast ways of performing financial and business data interchange through SOA, with Web Services and XBRL technologies, in order to eliminate problems related to the issuance of financial reports and making the business processes more flexible. The authors presented a proposal of how to develop financial information systems, through SOA with Web Services and XBRL, and discussed the benefits that the services would bring to financial report issuance. However, the business processes organization was not discussed.
The work of (Waldman, 2009) aimed at describing a script for performing the SOA implementation in medium and large size corporations. In order to do that, the author suggests that the implementation be done in phases, starting, firstly, with a single system that is small and simple. From the success of the first implementation, according to (Waldman, 2009), the same process should be repeated in other systems, until it is performed in the whole organization. If the evaluation of the first implementation is not satisfactory, new attempts must be made until the organization is familiarized and confident with the new concept (SOA) and, thus, it may advance to other systems. However, this work does not fill the gap regarding the alignment of SOA applications with business processes, and it does not discuss deeply the phases of SOA implementation and the relation of SOA with IT governance.
The work of (Baldam, Valle, Pereira, Hilst, Abreu and Sobral, 2010) aimed at describing BPM good practices, contributes to its implementation in a corporative environment. The authors then created a life cycle model for implementing and maintaining processes management, using BPM in the companies. According to the authors, the benefits generated by the model proposed are: (i) creating improvement goals; (ii) eliminating reworks; (iii) aligning the activities to the company strategies; (iv) standardizing tasks and; (v) improving information for the information systems present in the companies. Nevertheless, this work has not discussed the relation of the good practices of management processes, using BPM, with the SOA application, nor has treated the aspects related to IT processes that will support the SOA services.
(Moreira, 2009) proposed a methodology that integrates COBIT with ITIL, in order to implement IT governance in the organizations that need to be in conformity with Sarbanes-Oxley Law. Through the phases and files proposed in the methodology, the organizations might be able to have their IT processes well defined and controlled, which contribute to better attending the needs of the information systems, besides providing an improvement in the company business processes. With the integration of these good practices, according to (Moreira, 2009), the company that implements IT management will get the possibility, through the usage of COBIT, of: (i) strategically aligning IT with the business; (ii) selecting the organization critical processes and that have a bad performance, so they may be improved; (iii) identifying the company risk profile and evaluating the risks related to the services that are being delivered; (iv) evaluating the maturity of the more critical processes for the business and aligning them to a level of ideal maturity in an efficient way, through the improvement projects. Through the ITIL good practices, however, the work of (Moraes, 2009) aims at structuring IT processes in an efficient way so that these processes may reach their control goals defined by COBIT, making them better projected, controlled and enabling them to generate more benefits for the business, as well as attending the demands of Sarbanes-Okley Law. Although providing well defined and controlled IT processes, through the proposed methodology, the author does not discuss business processes management.
2. IT MANAGEMENT STRUCTURED MODEL
The IT management structured model proposed, in this work, is based on good management practices such as BPM, COBIT and ITIL and on SOA and XBRL technologies. Its architecture was developed from the problems discussed in Section 01 and the analysis of good practices and technologies discussed in Section 02. This section is organized in the following way: Section 3.1 presents the IT management model together with the elements that compose its structure, after that, in Section 3.2, the aspects related to the business process layer of the IT management model are discussed, Section 3.3 describes the layer related to the model IT processes and Section 3.4 presents the layer related to SOA and XBRL technologies.
2.1 Model Structure
The proposed model goal is to provide subsides of management and governance so that companies may be more adherent to the laws and regulations by which they abide, and so that they can improve the quality and reliability of the financial report issuance.
In order to provide a better understanding, visualization and grouping of the involved practices and technologies, the proposed model is divided into three layers, as it can be seen in Figure 3.1. Each layer has management associated good practices or technologies to allow them to reach their goals. The model is organized in phases, which have activities that may be subdivides into tasks.
It is important to emphasize that the sequence of the model layers execution, as it can be seen in Figure 3.1, was defined with the assumption that the company needs to have, before developing SOA services, business processes which are defined and aligned to the organization strategy and IT processes which are structured and aligned to the business goals, towards IT.
The layers execution order is justified, because the business processes will originate the functionalities and information, which will be automatized and stored through the SOA services. If the processes do not work, due to their loss of structure, lack of maturity or inefficiency, there is no point for a company, with these processes, in adopting SOA architecture for developing and maintaining information systems. SOA architecture will not improve the performance of non-structured business processes, once they originate the flows and information for SOA services. Another aspect that justifies the sequence of execution established for the management model proposed regards services construction. In order to do that, it is necessary that the company has an IT process structure that maintains the development and the evolution of the services, in a way that they generate the expected results for the company.
Although the proposed model establishes an execution order for the layers, these may be executed independently from one another. This is important because not all the companies have the need of implementing all the layers, due to, for example, the fact that they already have their IT or business processes management structure. Thus, the companies that are in this context may use the model layers as a reference to maturate their practices and develop new initiatives.
The main goals of the three layers that compose the proposed model are:
(i) Business Processes Layer: In this layer, the aspects related to such organization business processes as controlling, optimizing, evaluation, selection, identification and planning are discussed, based on the company strategic priorities. The model is then based on BPM good practices. In this layer, it is discussed the whole life cycle adopted so that the organization business processes can evolve and become mature over time. This layer contributes to the creation of IT and corporative environment, through BPM good practices;
(ii) IT Processes Layer: In this layer, the aspects of IT processes management that enable the organizations to implement IT governance are discussed. In this layer, COBIT and ITIL good practices are used to identify business and IT goals, selecting the IT processes, perform analysis and diagnoses and implement the processes and improvements projected for them. This layer, like the Business Processes layer, also contributes to the creation of a more adherent IT and corporative environment to laws and regulations;
(iii) SOA and XBRL Layer: In this layer, the aspects related to SOA implementation and risk control and identification, coming from this implementation, are treated. Another aspect is SOA integration, through the Web Services, with XBRL, enabling, this way, information systems that are more flexible, connectable and aligned to the business processes, besides improving the quality and reliability if integrated with financial reports issuance.
The following subsections discuss each one of the model architecture layers.
2.2 Business Processes Layer
This layer treats the aspects related to business processes management, using BPM good practices. This layer application is performed through some tools, techniques, and reference business process management maturity models. This layer, through the business process management structure provided by BPM good practices, contributes to the creation of a technological and corporative environment which is more adherent to laws and regulations and more suitable to the efficient generation of financial reports.
The BPM life cycle model proposed in this paper, as it can be seen in Figure 3.2, is based on that proposed by (Baldam, Valle, Pereira, Hilst, Abreu and Sobral, 2010), being composed by 04 phases that will be discussed in the following subsections.
2.2.1 Planning Phase
This phase defines BPM activities that will be able to contribute to reaching the organization strategic, management and operational goals (Baldam, Valle, Pereira, Hilst, Abreu and Sobral, 2010). It is relevant to emphasize that administrative initiatives involve organization internal processes, implicating, most of the times, interest conflicts and lack of comprehension of the goals. Because of that, it is very important the support from the top management of companies that wish to use BPM, because it may compromise directly the success and continuity of BPM.
This phase has two goals. The first is to select the critical business processes for the company. The second is to provide a holistic view and the business processes alignment to the organization strategy, through the development of a global vision of the processes. In this phase, the entrances are obtained through the strategic planning, external environment, laws and regulations and opportunities and threats. This phase generates as an exit, the guidelines and specifications necessary to the performance of the modeling and optimization of the processes, which is performed in the project phase. The main activities in this phase are:
(i) Develop a global vision of the processes, allowing the company to have a general vision of relationships among processes and starting an alignment of the processes with the company strategy. This activity is relevant for the company to have a better understanding of the functioning and the relationship between the processes, from the strategic level to the operational level. A better understanding of how the processes relate to each other is expected, improving, thus, the model projects and isolated process studies. The development of a global vision of processes must be performed before initiating a project of BPM practices inclusion;
(ii) Select the company key processes, defining in which of processes (strategic, management or operational) the organization is stronger, weaker, which the weak spots are, which threats and opportunities are presented, which indicators were defined. It is important to observe that some processes, not necessarily processes with quality, cost and deadline problems, may be optimized so the company obtains a better cost and deadline reduction, even if the process is perfectly working. It must be performed a classification by order of priority of the organization business processes, giving attention to the processes that need immediate solutions.
2.2.2 Project Phase
This life cycle phase aims at performing the study of the current situation of the organization processes and proposes a better fixture situation for each one of the selected processes. This phase goals are: (i) documenting the processes; (ii) employing methodologies to optimize the processes; (iii) redrawing and innovate the processes; (iv) performing BPM benchmarking (technique that allows defining, understanding and develop processes through the study of how other organizations perform the same activities) (Baldam, Valle, Pereira, Hilst, Abreu and Sobral, 2010) and; (v) performing simulations. This phase is formed by two large activities: (i) modeling the process current state and; (ii) modeling the process desired state.
Before starting the modeling project, it is necessary to analyze specifications and guidelines that were generated in the planning phase. It also important to analyze the global vision of the processes so that the company can define the number of subprocesses related to the process that will be modeled and, thus, estimate the effort and the resources necessary to perform the modeling.
a) Current State Modeling
This activity, in the Project phase, aims at understanding the existing process and identifying its failures so that the errors previously made are not repeated. The current state modeling involves the following tasks: (i) planning the modeling; (ii) collecting information about the process, identifying possible improvement points; (iii) modeling the process; (iv) validating the process and adjusting, if necessary, the discrepancies between the model of the process modeled in this activity and the process that is in execution. This is necessary for confirming if the process that was modeled, in this activity and based on the process that is in execution, does not have any inconsistent data and if the data is precisely represented.
b) Desired State Modeling
The desired state modeling provides improvements in the process under analyses. To do so, this activity involves tasks: (i) selecting improvement techniques; (ii) model process and; (iii) simulating and validating processes. Among the techniques that may be used, are (Baldam, Valle, Pereira, Hilst, Abreu and Sobral, 2010):
(i) Continuous Improvement: that seeks to continuously establish goals and identifies improvement opportunities through critical analysis performed regarding process data, audit reports and other sources.
(ii) FAST (Fast Analyses Solution Technique): allows the rapid improvement of a process, giving immediate returns to the organization (Harrington, Esseling and Nimwegen, 1997);
(iii) Benchmarking: allows defining, understanding and creatively developing the processes through the study of how other organizations perform the same activity.
(iv) Redrawing: aims at refining the current process. This technique is applicable to processes that are not good and;
(v) Innovation: consists in a more severe approach of process improvement, providing a totally new vision of the current process.
Each one of the presented techniques results in improvements and cost reduction, time and margin of error for the process. The definition of which technique or techniques combination must be used will depend a lot on the organization needs and importance of the process for the business. This way, each organization must choose and perform the necessary techniques association to achieve the desired result., from the analyses performed in the process, based on its importance for the business and factors such as execution time and process cost, as well as competitiveness that the business demands.
2.2.3 Implantation Phase
This phase is responsible for the optimized process implantation. Among the activities that compose this phase, are: (i) training and empowering users and; (ii) implementing the process. This phase puts in practice what was defined in the project phase. It is a critical phase, because it is at this moment that the process will start to be executed by the users and the negative and positive impacts of the changes performed in the process will be actually put in practice.
Baldam, Valle, Pereira, Hilst, Abreu and Sobral (2010) assert that the process implantation be treated as a specific project, being able to be managed through the good practices of Project Management Institute (PMI) (PMI, 2008). The processes implantation may demand the creation of subprojects for configuration, customization or even creation of specific information systems for the process being discussed, although the process execution does not necessarily demand these systems.
2.2.4 Control and Monitoring Phase
This phase performs the monitoring and control of the processes in execution, aiming at maintaining them inside the planned goals. The monitoring and control provide the decision makers with information regarding the process behavior, allowing one to analyze if the processes are in conformity with what is expected and if they attend the needs of organization's strategies (Baldam, Valle, Pereira, Hilst, Abreu e Sobral, 2010). This phase provides the necessary feedback to the planning and BPM life cycle project phases. Among the activities that compose this phase are: (i) monitor and control the process and; (ii) evaluate the results.
2.3 IT Processes Layer
This layer treats the aspects related to the IT process management and the implementation of an IT governance program, enabling the creation of a more efficient and manageable corporative and technological environment, which is adherent to laws and regulations. In order to that, the IT management model proposed uses COBIT and ITIL good practices.
This layer is divided into four sequential phases that have activities directed to achieve each phase goals. The phases that compose this layer are:
(i) Initiation: this phase mainly aims at identifyingIT needs and selecting the processes that must be reorganized inside the organization based on the business priorities and IT risks in the company.
(ii) Evaluation and Diagnoses: this phase mainly aims at providing the solution for the IT area needs, based on the critical processes selected through the IT goals and the business goals;
(iii) Planning Improvement Projects: this phase mainly aims at organizing and defining the projects that must be aligned with the organization business for implementing IT governance based on improvements proposed by the evaluation and diagnoses phase;
(iv) Execution: this phase mainly aims at executing the improvement projects that were created in the previous phase.
Initially, in order to achieve the goals of the two first phases, the IT management model uses COBIT. ITIL will be, initially, used in the GAP analyses activity (that will be explained in section 3.3.2) that belongs to the evaluation and diagnoses phase. Thereafter, in the planning and execution phases, ITIL will be used to perform the definitions of the improvement projects and to implement these processes. However, in the planning and execution phases, COBIT also may be used as a reference to clarify issues related to the goals and practices of control associated to the IT processes that are part of the improvement projects. A detailed view of the structure of this layer may be seen in Figure 3.3.
2.3.1 Starting Phase
This phase is responsible for identifying IT area goals and business goals towards IT, obtained through the analysis of the company's strategic planning together with other documents such as, for example, Balance Scored Card (BSC) (Kaplan and Norton, 1997). It is relevant to emphasize that activities related to obtaining strategic planning and the company BSC are out of the scope of the model proposed in this work. In this phase IT process selection takes place, based on IT goals, taking into account the company operating area and identification and evaluation of IT risks that are related to the organization. This phase is composed of 03 activities:
(i) Identifying Goals: this activity comprehend the identification of business goals towards IT area and IT goals. IT goals are selected from the business goals that satisfy the company's corporative strategy. Thus, the IT goals selected are part of an IT area strategy that is aligned to the corporative strategy to satisfy the company business goals. COBIT is used in this activity to perform the mapping between the organization corporative goals and the business goals towards IT (ITGI, 2007a).
(ii) Selecting Processes: this activity aims at selecting IT processes that are critical for the organization business. After identifying the IT goals, it is possible to identify associated processes, which will assure that the IT goal is satisfied.
(iii) Identifying and Evaluating Risks: this activity mainly aims at identifying IT risks related to the company that may affect the IT governance implementation program. In order to do so, according to ITGI (2007b), it is necessary to understand how the company administration treats the issues regarding risks, so it is possible to identify the company risk treatment profile. Once the profile is identified, risks related to business goals and IT goals and processes need to be identified. One must analyze and document all the relevant threats and vulnerabilities, as well as their respective impacts over the services that are currently delivered by the company IT area and that are related to the business goals and to the IT goals and processes that were selected (ITGI, 2007b). After identifying the risks related to the services delivered by the company IT area, one must identify and relate the risks concerning IT governance implementation, in what regards new developments and activities executed by the IT governance program. Once the risks are identified, one must define how they will be treated.
2.3.2 Evaluation and Diagnoses Phase
This phase mainly aims at evaluating and diagnosing IT area needs based on critical processes that were selected through IT goals and business goals. This possible solution is suggested based on the analysis and diagnoses performed in critical processes, in a way that the current situation and which future goals the organization wishes for these processes are understood, considering the distance between the current state and the wished state and the business priorities. This phase is divided in 03 activities:
(1) Evaluating current situation: this activity mainly aims at evaluating the current maturity of the processes that were selected in the initiation phase. This activity is responsible for the understanding of how the processes, which were selected, are being executed and managed inside the company. COBIT is used in this activity through its maturity model, which is based on the CMM maturity model (ITGI, 2007a). Through this model it is possible to measure the selected processes current stage and to establish an improvement goal for these processes.
(il) Defining Ideal Situation: this activity mainly aims at establishing the ideal maturity level for the critical processes that were selected in this first phase layer. This definition, the ideal maturity level definition, must be done by taking into account the IT process importance for the company business and IT area and the entries and exits obtained and generated by the analyzed process. One can also perform a benchmarking to analyze similar processes at the current maturity levels in the companies, which operate in the same market segment, so the company has an external comparison for analysis and decision making purposes.
(iii) Analyzing GAP: this activity mainly aims at analyzing the selected processes at thecurrent maturity level together with the ideal maturity level, translating into improvement opportunities for the process. In order to do so, one must determine, for each one of the analyzed processes, the cause of problems, the existing risks, the common related issues and the good practices and standards that may help to eliminate the gap between the current maturity level and the ideal one for a determined IT process.
2.3.3 Improvement Project Planning Phase
This phase mainly aims at planning the improvement projects based on improvements proposed by the GAP analysis activity, performed in the evaluation and diagnoses phase, in Section 3.3.2. These improvements are projected and executed through ITIL good practices, taking into account COBIT control practices. This phase is composed of 02 activities:
(i) Defining Improvement Projects: this activity mainly aims at transforming the improvements proposed in the evaluation and diagnoses phase into projects that will be later added to the IT governance implantation program. These improvements are the ITIL set of control goals, control practices and best practices that were related in the evaluation and diagnoses to achieve the established maturity level. For each project, the organization must establish a priority that might be based on the analysis performed in the aspects related to the project cost, deadline, importance for the business and benefits that will be generated. After this analysis, the approved projects will move to the next activity.
(ii) Developing Action Plan: this activity basically sums up in defining the sequence in which the approved projects will be executed. This sequence may be defined taking into account the priority that each project had in the previous activity. It is relevant that the company have an efficient change control, in order to guarantee that all activities that are necessary and included in the projectes are controlled, and so that any change is documented, analyzed and approved, assuring that only the approved changes are implemented, avoiding, thus, losses. This change control may be performed by the usage of Project Management Institute (PMI) project management good practices (PMI, 2008).
2.3.4 Execution Phase
This phase mainly aims at performing the improvement project implementation, using the ITIL good practices and COBIT control practices considerations. In this phase, it is also important to use PMI project management good practices to assure that the results desired for the business are obtained, through the improvement projects execution. This phase has 02 activities:
(i) Executing Improvement Projects: this activity consists in executing all of the improvement projects, which were approved in this layer planning phase, according to the sequence defined by project prioritization. The whole improvement project implementation must use ITIL good practices, so that the processes that are being improved or implanted are reorganized or structured in an efficient way. This activity is also responsible for acquiring, developing, testing and executing the solutions that better satisfy the projects' goals, so, in the end, the IT governance implementation program goals are achieved (ITGI, 2007b).
(ii) Evaluating Results: this activity aims at evaluating experiences and results obtained from the IT governance implementation program, registering and sharing the lessons learned. This activity allows the organization to evaluate what IT governance implementation program is delivered, comparing the expectations of the involved ones. This may be obtained through the comparison of original information criteria in relation to the ones obtained and combining it to a program implantation staff evaluation, together with the evaluation of the ones involved in the program. This evaluation may be performed through workshops, satisfaction surveys and interviews. It is also relevant to register and share the lessons learned, because they contain relevant information that may be used not only by the program staff, but also in future projects of process improvement. This way, the steps for concluding this activity are: (i) combining the satisfaction survey evaluation, interviews and workshops; (ii) comparing and reporting the obtained results in relation to what was initially proposed by the performed project and; (iii) promoting brainstorming with all the ones involved in the program to register the lessons learned.
2.4 SOA and XBRL Layer
This layer treats the aspects related to SOA implementation, including risks management and SOA integration, through web services, with XBRL, enabling, thus, financial reports emission. In order to do that, an SOA implementation model is proposed. The model, through SOA services, aims at providing information systems which are more flexible, interoperable and aligned to business processes, providing more flexibility to the changes that happen in the organization business, due to the need of adequacy of the information systems to the changes that take place in legal requirements.
This model contributes, through XBRL usage, for: (i) decreasing the need for financial data format transformation, due to XBRL being a technology used as a standard for data integration; (ii) decreasing the cost of data extraction, due to the usage of XBRL and; (iii) decreasing the error risk and, consequently, increasing the reliability of financial information, since it is not necessary to perform huge efforts to transform and extract data from different formats anymore (Silva, 2003).
SOA implementation model considers the following aspects: (i) start SOA implementation through a single system, preferably a system that provides a good migration process. It is also important that the system is small and simple; (ii) repeat the same process for other systems, until it is performed for the whole organization and; (iii) perform services compositions for developing new information systems.
Figure 3.4 presents SOA and XBRL layers, together with the model phases and the activities that compose them. As it is possible to observe, through Figure 3.4, SOA and XBRL layer implementation model lead the companies to the process of SOA adoption and integration of web services with XBRL language. The phases, together with the activities that are part of this layer and that compose the SOA implementation model, will be described in the following subsections.
2.4.1 Organizational Needs Identification Phase
This phase aims at evaluating the organization current context, besides identifying the elements that will be transformed into SOA services, providing risk management. To do that, this phase contains the following activities:
(i) Evaluate Entrepreneurial Context
This activity aims at evaluating de company current scenario analyzing the following elements: (a) the business processes that should be already structured, defined and efficient; (b) the information systems, which automatize the business processes and from which the legacy components will be extracted to be transformed into services and; (c) governance structure or program necessary to structure and control IT processes, which will allow the adequate use of resources for developing and maintaining service oriented solutions.
(ii) Select Functionalities/Components
This activity concentrates in the selection of components or functionalities of the legacy systems that will be transformed into services.
(iii) Manage Risks
This activity aims at performing the risk management in SOA implementation. This activity is divided into two tasks: (a) identify and evaluate risks in SOA implementation and; (b) control risks in SOA implementation. These tasks are detailed below:
a) Identify and Evaluate Risks in SOA Implementation
This task identifies and evaluates the risks that are associated to SOA implementation. The SOA adoption process is susceptible to some occurrences that may be decisive to its conception and must be identified, because they might make SOA implementation in the organization not viable or suspend it. In this activity, some risks common to SOA implementations are also approached.
Once the company risk treatment profile has already been defined in the phase of IT processes layer starting, Section 3.3.1, the risks related to SOA implementation must be identified. The risk identification in SOA implementation process must evaluate: (i) if the company technical staff understands what service oriented architecture is and if it has the capacity for its adoption; (ii) the legacy components that will be transformed into services and chosen in the SOA implementation planning activity; (iii) the company capacity in perform the changes that are necessary to realize the benefits of SOA implementation; (iv) the existence of IT governance and support from the top management; (v) the methodology of business processes management used and if there are well structured and efficient business processes; (vi) the budget designated to SOA adoption; (vii) the adequacy of risk management practices and methodologies. Once identified the risks, one must define how they will be treated.
One must document how the risk management will be performed and register all the risks identified during this activity and along SOA implementation. The steps to successfully perform this task are: (i) identify the risks related to the services offered by the company; (ii) identify the risks that are related to new developments and activities that will be performed in SOA implantation and; (iii) define the treatment that will be given to find risks.
b) Control Risks in SOA Implementation
This task aims at providing the necessary support for the company to perform risk control in SOA implementation, through the IT management good practices that have been used to create the IT and corporative environment. The implementation of IT governance, through the usage of COBIT and ITIL good practices, and through a good business processes management, through the usage of BPM good practices, helps understanding, structuring, maintaining and evolving the process (IT and business ones) and guaranteeing a commitment from the top management. The usage of these good management practices contributes to controlling risks and threats that may appear in SOA implementation.
The companies that want to avoid and control diverse factors (organizational or technical) that generate risks to the SOA implementation process must have a unique understanding about their IT and business processes and must guarantee full support from the top management, assuring, thus, the support from all the departments that are involved in the initiative.
2.4.2 Implementation Phase
This phase's main goal is to develop the SOA solution that will attend the organization needs. In order to do so, this phase contains the following activity:
(i) Develop SOA Solution
This activity regards the survey of requirements, analysis and project, implementation and services test. It is relevant to emphasize that, in the analysis and project, one must consider the aspects related to the reuse and integration of the services that will compose the business solution. Normally, in order to perform the decomposition of business processes into IT services, a top-down (Marzullo, 2009) approach is adopted, as it is shown in Figure 3.5. According to this approach, a business process may be decomposed in several subprocesses, which may be unfolded into activities that, in the end, are divided into tasks. These tasks are automatized and consequently transformed into web services, which are grouped into modules that, once integrated, form the information system that automatizes the whole business process. In this activity, the integration of web services with XBRL language still happens.
The following subsection describes the task responsible for performing the integration between web services and XBRL.
a) Integrate Web Services with XBRL
The Web Services represent a way of implementing services in a service oriented architecture and provide an infrastructure independent from the platform, also making different technology integration and development easier. This task aims at integrating the Web Services with the XBRL language. In order to do so, illustrating architectural model and scenario were created, respectively, in addition to the integration architecture and process.
The integration architectural model may be seen in Figure 3.6, which shows, through a layer division, how the integration between XBRL and the Web Services may happen. It is possible to observe in the model that Web Services usage is useful both to format XBRL data and to consolidate them in financial reports. However, initially, it is necessary to transform the legacy systems components into web services, responsible for the financial information, or to create web services for the legacy systems functionalities that relate them directly to the financial information that will be present in the financial reports to be issued. This is necessary so that the Web Services are able to extract the data from the legacy systems, put them in the XBRL format and later, through these data consolidation, create a financial report, performing, thus, the integration between the two technologies. An issue to be considered, in this architectural model, is that the business processes are the architectural model elements that direct, through regulations and laws by which they are linked, the needs of the XBRL documents that will be constructed by the organization through their Web Services.
An example of integration between SOA and XBRL may be visualized in Figure 3.7, which presents a situation where a multinational and open capital company that has 03 branches with distinct data systems and base send their financial information in XBRL format, through Web Services, to their main office, which consolidates this information in an integrated financial report to, later, send them to regulatory departments. In this context, the integration between XBRL and Web Services may happen in two distinct moments. The first moment happens in the XBRL file creation, when the Web Services will access the heterogenic data base to extract the data, converting them into XBRL format. The second moment happens in two situations: (i) when the company branches provide the Web Services that send the XBRL files to their main offices that represent the financial report for a certain month or year, so that they can be integrated in a single report and; (ii) when the organizations make Web Services available to send the XBRL file, which represent the integrated financial report for a certain month or year to the regulatory departments.
The integration between XBRL and Web Services happens when the XBRL instance file is packed inside the SOAP message that will be transmitted. This way, right after the XBRL taxonomy definition or selection and the posterior XBRL file creation, it is possible to start the XBRL file packing inside the SOAP message so that it can be transmitted. It is important to emphasize that the defined taxonomy must be useful as a standard, because the XBRL file must be validated during its creation and after the SOAP message unpacking and, consequently, reception of the XBRL file for processing and for the financial report issuance.
2.4.3 Implantation Phase
This phase aims at implanting an SOA solution. This phase contains the activity that implant an SOA solution, which is responsible for putting in operation the services developed in the previous phase.
If the first initiative of an SOA implementation does not turn out to be effective, the company must perform a detailed analysis of the reasons that make the initiative unsuccessful, so that the committed errors or risks, which occurred during the implantation attempt, may be duly corrected or eliminated. Later, when the organization becomes more familiarized with and confident about the new concept (SOA), new attempts may be performed. After the implantation success, the organization may advance towards the implantation in other systems. However, until the end of an SOA implantation, the legacy systems and SOA applications will exist in a concomitant way. During an SOA adoption process, the governance polices must be totally implanted, if they do not exist.
With the organization advance and maturation, in what concerns the use of SOA, one expects that the new projects will become faster, cheaper and with fewer implantation problems, because, the higher the level of reuse, the lower the effort for development will be and problems are likely to occur. When all the systems are service oriented, the organization must have a stabilized scenario and all the services must be in the company's services repository and the presence of duplicated services inexistent. In this context, it is important that any new service follows the development process and the organizational policies directed to SOA. The usage of services, made available by the company, must also be made through the services repository and with a formal contract of services rendering (Waldman, 2009).
2.4.4 Final Considerations Regarding the Model
The model proposed in this work uses information technology governance good practices accepted by the market and the academia, besides new technologies for develping financial reports and information systems. Figure 3.8 shows the relation between IT processes (structured and defined through good COBIT and ITIL practices), SOA applications (developed through Web Services and XBRL) and the Business Processes (structured and maintained through BPM good practices) for the accomplishment of entrepreneurial strategies.
BPM helps defining, structuring and managing the business processes present in the organization. COBIT and ITIL, together, structure and improve IT processes that support the information systems (SOA applications), which automatize the company business processes, in order to achieve its strategy. The change management IT process is an example of support given by IT processes to SOA applications. Once it is structured and defined, through COBIT and ITIL practices, the change management process must support SOA applications, in what regards the changes and modifications in legal requirements imposed by laws and regulations by which the organizations abide.
With the use of BPM good practices, the organization is able to manage with more efficiency the business processes, mitigating or eliminating risks related to the lack of these process mapping, which, in this case, may generate the decrease of advantages that will be obtained from an SOA implementation, due to the complexity of the business processes and the fact that they involve diverse departments in the organization.
The COBIT that acts as an IT governance model and, thus, embodies SOA governance helps to intensify the control over the processes that support the development and provision of service oriented applications, as it is the case of processes of service level management, changes, configuration, acquisition and maintenance of systems. In this way, COBIT contributes tothe mitigation or elimination of the risks related to the lack of governance and support from the company's top management(both described in the previous section).
ITIL contributes to managing the service level, the services that will be used or offered by the organization, minimizing the risk of not accomplishing what was previously agreed (OGC, 2007). ITIL also provides a contribution, through changes and configuration management, to the services that are already in production, because, through this management, it is possible to establish a higher control over the changes that may occur in the services, avoiding, thus, risks and problems coming from nonauthorized changes and/or performed in some service that is being rendered (OGC, 2007).
3. CONCLUSION
This paper presented an IT management model for financial reports issuance. The model is divided into 03 layers and provides the creation of a corporative and IT environment which is more adherent to laws and regulations and more favorable to financial reports generation.
The business processes layer aims at planning, evaluating, optimizing and controlling the organization business processes, through the usage of BPM good practices.
In the IT processes layer, the IT area governance is implemented, based on business priorities and IT risks, using COBIT and ITIL good practices. In this layer, techniques are used to select, analyze and implement an organization IT process. The business layer and the IT layer contribute to the creation of a corporative environment and to the IT area. COBIT, as an IT governance model, allows measuring, controlling, and evaluating all the IT processes that, in turn, supports the organization business processes, contributing to achieving the company strategy. ITIL, however, contributes, through its practices, to projecting and structuring projects in a suitable way, making them more efficient and controlled inside the organization. This way, one may observe the good effects that IT governance implementation brings to the organization.
SOA and XBRL implementation layer deals with aspects related to risk identifications and control in the service oriented architecture implementation. In this context, the execution of this layer of the proposed model enables risk reduction and a controllable SOA implementation, through the usage of good practices, such as the ones from COBIT, ITIL and BPM, since these practices improve the SOA implementation control, security and risk reduction. In the SOA/XBRL layer, it is presented a model for implementing this architecture integrated with XBRL, through Web Services, enabling the provision of information systems that are more flexible, connectable and aligned to the business processes, besides improving the reliability and quality in financial reports issuace.
The structured management model proposed presents the benefit of creating an IT and corporative environment which is more adherent to laws and regulations and more favorable to financial reports generation. This model also contributes to decreasing the needs for financial data format transformation and for decreasing the extraction costs due to XBRL usage. Error risksand, consequently, increase of financial information reliability are also reduced, since there is no need to perform big efforts to transform and extract data in a different format anymore. With the SOA usage, the model is able to provide information systems that are more flexible, interoperable and aligned to the business processes, providing more flexibility to the changes that occur in the organization business.
With the intention of performing a comparison between correlate works and the IT management structured model proposed in this paper, it was performed an analysis between the works described in Section 03 and the proposed model, discussing the deficiencies and benefits identified in the works. Table 4.1 presents a comparison between these works.
Through the comparison, it is possible to observe that only the IT management structure model proposal contemplates all the good practices of technology management described in this paper. This is important, because with the collaborative usage of these management practices and technologies treated in this paper, it becomes possible to solve the problems related to IT management and to financial reports issuance, in a context of continuous change in the laws and regulations that govern them.
It becomes evident, through the analysis of Table 4.1, that it was not found, in the literature researched for this work development, a similar proposal, emphasizing, thus, the need to create an IT management model that would make the corporative and IT environment more favorable for financial reports issuance and more adherent to laws and regulations.
REFERENCES
Baldam, Roquemar de Lima; VALLE, Rogerio de Aragäo Bastos do; PEREIRA, Humberto Rubens Maciel; HILST, Sérgio de Mattos; ABREU, Mauricio Pereira de; SOBRAL, Valmir Santos. (2010). Gerenciamento de Processos de Negocios BPM - Business Process Management. Erica.
BPMN. (2006). Business Process Modeling Notation Specification. Needram. Disponivel em: http://www.bpmi.org. Acessado em 20/05/2011.
Erl, T. (2009). Service-Oriented Architecture (SOA): Concepts, Technology, and Design, Edited by Prentice Hall, 9a Edition.
Guerra, Márcia R. (2007). Govemança de TI com COBIT. Säo Paulo: TIEXAMES. Disponivel em: http://www.tiexames.com.br/ensino/home.php. Acessado em: 20/08/2008.
Harrington, H. J.; Esseling, E.K.C.; Nimwegen, H. V. (1997). Business Process Improvement. New York: McGraw-Hill.
ITGI. (2007a). COBIT 4.1. USA: IT Governance Institute. Disponivel em: http://www.isaca.org/Template.cfm?Section=Downloads3&Template=/MembersOnly.c fin&ContentID=49581. Acessado em 20/08/2008.
ITGI. (2007b). IT Governance Implementation Guide. USA: ITGI. Disponivel em:http://www.isaca.org/Template.cfin?Section=Downloads3&Template=/MembersOn ly.cfin&ContentID=49582. Acessado em: 20/03/2009.
ITGI. (2006). IT Control Objectives for Sarbanes-Oxley. USA: ITGI. Disponivel em: http://www.cobitonline4.info/Pages/Public/Browse/PdfDownload.aspx. Acessado em: 20/03/2009.
Josuttis, N. M. (2007). SOA in Practice: The Art of Distributed System Design (Theory in Practice), Edited by OReally Media.
Kaplan, Robert S.. Norton, David P. (1997). A Estratégia em Açâo. Rio de Janeiro: Campus.
Leal, M.A.M. (2006). A Organizaçâo e Arquitetura de Processos na Telemar. In: segundo Seminário Brasileño de Gestäo de Processos, Rio de Janeiro. Volume único. CD-ROM.
Marzullo, Fabio Perez. (2009). SOA na Prática Inovando o seu negocio por meio de soluçoes orientadas a serviço, Editado por Novatec.
Moreira, José Rogério Poggio. (2009). Govemança de ti: metodologia para mtegraçâo do COBIT e ITIL em empresas que buscam conformidade com a lei Sarbanes-Oxley. UNIJORGE, Salvador.
OGC. (2007). The Official Introduction to the ITIL Service Lifecycle. UK: TSO.
Paim, R., Caulliraux, H., Cardoso, V. e Clemente, R. (2009). Gestäo de Processos: pensar, agir e aprender. Bookman.
PMI. (2008). Um Guia do Conhecimento em Gerenciamento de Projetos (Guia PMBOK). Pensilvania, EUA: PMI.
Silva, P. C. (2003). Explorando lmguagens de marcaçâo para representaçâo de relatórios financeiros. Dissertaçâo de Mestrado. UNIFACS, Salvador.
Silva, P. C., Teixeira, C. C. (2003) A Gestäo da Informaçâo Financeira do Banco Central do Brasil Apoiada por XBRL In: I Workshop de Tecnologia da Informaçâo e gerência do Conhecimento, 2003, Fortaleza.
Silva, P. C., Teixeira, C. C. (2002) Informaçoes Financeiras como Hiperdocumentos na Web In: VIII Brazilian Symposium on Multimedia and Hypermedia Systems - SBMIDIA 2002, 2002, Fortaleza. SBC, p.356 - 364.
Siqueira, L. G. P. (2006). Modelo de Govemo de Processos da Área Internacional da Petrobras. In: Segundo Seminário Brasileño de Gestäo de Processos, Rio de Janeiro, Anais. Volume único. CD-ROM.
Waldman, Daniel. (2009). Cenários e Etapas para Implantaçâo SOA. Disponivel em: <http://www.aqueleblogdesoa.com.br/2009/05/cenarios-e-etapas-para-implantacao-soa/>. Acessado em: 18/12/2010.
OASIS. UDDI. (2004). Disponivel em: http://uddi.Org/pubs/uddi-v3.0.2-20041019.pdf. Acessado em 20/12/2011.
Shuja, Ahmad K; Krebs, Jochen. (2008). Unified Process Reference and Certification Guide. IBM Press.
W3C. HTTP. (2009). Disponivel em: http://www.w3.Org/standards/techs/http#w3c_all. Acessado em 20/12/2011.
W3C. SOAP. (2007a). Disponivel em: http://www.w3.Org/standards/techs/soap#w3c_all. Acessado em 20/12/2011.
W3C. WSDL. (2007b). Disponivel em: http://www.w3.Org/standards/techs/wsdl#w3c_all. Acessado em 20/12/2011.
W3C. XML. (2008). Disponivel em: http://www.w3.Org/standards/techs/xml#w3c_all. Acessado em 20/12/2011.
José Rogério Poggio Moreira
Universidade Salvador (UNIFACS) - Salvador, Bahia, Brazil
Paulo Caetano da Silva
Universidade Salvador (UNIFACS) - Salvador, Bahia, Brazil
Manuscript first received/Recebido em 07/03/2012 Manuscript accepted/Aprovado em: 19/06/2013
Address for correspondence / Endereço para correspondência
José Rogério Poggio Moreira é graduado em Sistemas de Informaçào pelo Centro Universitário Jorge Amado (2009). Pós graduado em Qualidade e Govemança de TI pela Faculdade Ruy Barbosa. Atualmente é mestrando em Sistemas e Computaçào, pela Universidade Salvador (UNIFACS) e trabalha como analista de sistemas no Ministério Público. Possui experiência na área de Engenharia de Software, Qualidade e Govemança de TI e Gerência de Projetos, atuando corn os temas: COBIT, ITIL, BPM, SOX, SOA E XBRL. E-mail: [email protected]
Paulo Caetano da Silva is graduated in Chemical Engineering by Bahia Federal University (1985). Master in Computer Networks by Salvador University - UNIFACS (2003). Doctor in Computer Sciences (2010) by Pernambuco Federal University. Currently is a professor at Salvador University (UNIFACS) at Master's program in Systems and Computing, as well as an analyst at Central Bank of Brazil. He holds experience in the area of computer sciences, focused in Software Engineering, Database, SOA and XML, acting mainly in XBRL, OLAP for XML, information systems, Web and financial information. Email: [email protected]
You have requested "on-the-fly" machine translation of selected content from our databases. This functionality is provided solely for your convenience and is in no way intended to replace human translation. Show full disclaimer
Neither ProQuest nor its licensors make any representations or warranties with respect to the translations. The translations are automatically generated "AS IS" and "AS AVAILABLE" and are not retained in our systems. PROQUEST AND ITS LICENSORS SPECIFICALLY DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING WITHOUT LIMITATION, ANY WARRANTIES FOR AVAILABILITY, ACCURACY, TIMELINESS, COMPLETENESS, NON-INFRINGMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Your use of the translations is subject to all use restrictions contained in your Electronic Products License Agreement and by using the translation functionality you agree to forgo any and all claims against ProQuest or its licensors for your use of the translation functionality and any output derived there from. Hide full disclaimer
Copyright TECSI Information Systems and Technology Management, University of Sao Paulo Sep-Dec 2013
Abstract
The development of information systems for financial report issuance must be adherent to the demands of the law and regulations that regulate the financial market. In order to perform this task, organizations need to implement control in the Information Technology (IT) area to maintain their systems' conformity to laws and regulations. In the development of this work, it was found, through a state-of-art study, that there are no proposals contemplating the solution of this problem in its totality. In order to achieve this goal, in this paper it is presented a model for Information Technology management constituted by COBIT, ITIL and BPM management good practices, together with SOA and XBRL Technologies. This model is composed by 03 layers that aim at structuring the organization IT and business processes, besides defining a process for implementing SOA and integrating its Web services with XBRL language. One can expect this work to contribute to companies to decrease the negative impact coming from the lack of conformity with laws and regulations, through the creation of a corporative and IT environment that is flexible and more adaptable to changes, which may occur in legal demands, as well as improving the quality and reliability of financial report issuance. [PUBLICATION ABSTRACT]
You have requested "on-the-fly" machine translation of selected content from our databases. This functionality is provided solely for your convenience and is in no way intended to replace human translation. Show full disclaimer
Neither ProQuest nor its licensors make any representations or warranties with respect to the translations. The translations are automatically generated "AS IS" and "AS AVAILABLE" and are not retained in our systems. PROQUEST AND ITS LICENSORS SPECIFICALLY DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING WITHOUT LIMITATION, ANY WARRANTIES FOR AVAILABILITY, ACCURACY, TIMELINESS, COMPLETENESS, NON-INFRINGMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Your use of the translations is subject to all use restrictions contained in your Electronic Products License Agreement and by using the translation functionality you agree to forgo any and all claims against ProQuest or its licensors for your use of the translation functionality and any output derived there from. Hide full disclaimer