2,272 research outputs found

    Metaphysics of Internal Controls

    A quality internal control system has been seen as a remedy for various corporate governance issues. Two pieces of legislation, the Foreign Corrupt Practices Act (FCPA) and the Sarbanes-Oxley Act (SOX) deal with very different corporate governance issues, but each argue for a similar remedy. Both the FCPA and the SOX legislation argue that improved (or proper) internal controls are necessary to root out bribery of foreign officials, in the case of the FCPA, and (in the case of SOX) to support the accurate preparation of financial statements. An issue that has yet to be resolved is that the quality of internal control systems is subject to subjective assessments of the internal control deficiencies and their impact. This paper presents a mathematical model of internal controls based on Gödel number of axioms. This results in the representation of quality internal controls in terms of an integer. This approach also allows for inferences about financial statements and various auditing judgements

    The Informational Value of Corporate Responsibility Reporting: The Global Reporting Initiative in Finland

    The directive 2014/95/EU as regards to non-financial and diversity information by certain large undertakings and groups will bring the previously voluntary practice of corporate responsibility reporting under regulation in the European Union in 2017. The Global reporting initiative’s framework for corporate responsibility disclosures is the most recognized guideline for corporate responsibility reporting. With the endorsement from the new 2014/95/EU directive the GRI framework will most likely continue to grow as the most applied responsible reporting guideline. In light of the new directive it is seen appropriate to investigate the informational value the GRI reporting guideline currently has for investors making investment decisions in the stock market. This thesis examines the effect releasing a first GRI report has on firm long-term information asymmetry measured by a liquidity variable, the turnover rate. The study is conducted on Finnish data and consists of 117 publicly listed companies from the Nasdaq OMX Helsinki Stock Exchange between 2001 and 2014. Furthermore, it is studied to what extent the GRI framework is recognized by companies listed in the exchange during the same timeframe. The empirical methodology applies a fixed effects panel regression model where a binary GRI variable in addition to the control variables for firm size, stock price, leverage and profitability are regressed on share turnover rate. The empirical regression could not find any statistically significant evidence that initiating a GRI report in Finland between 2001 and 2014 affected firm turnover rate. In light of the results it cannot be supported that the GRI guideline inevitably lowers firm information asymmetry and that reports based on the guideline would inherently offer investors valuable information in the Nasdaq OMX Helsinki Stock Exchange. 
The possible reasons for this can stem from the fact that the disclosed GRI reports are not third-party verified for the accuracy of their contents leaving the framework vulnerable to corporate misuse.

    Ensuring compliance with data privacy and usage policies in online services

    Online services collect and process a variety of sensitive personal data that is subject to complex privacy and usage policies. Complying with the policies is critical, often legally binding for service providers, but it is challenging as applications are prone to many disclosure threats. We present two compliance systems, Qapla and Pacer, that ensure efficient policy compliance in the face of direct and side-channel disclosures, respectively. Qapla prevents direct disclosures in database-backed applications (e.g., personnel management systems), which are subject to complex access control, data linking, and aggregation policies. Conventional methods inline policy checks with application code. Qapla instead specifies policies directly on the database and enforces them in a database adapter, thus separating compliance from the application code. Pacer prevents network side-channel leaks in cloud applications. A tenant’s secrets may leak via its network traffic shape, which can be observed at shared network links (e.g., network cards, switches). Pacer implements a cloaked tunnel abstraction, which hides secret-dependent variation in tenant’s traffic shape, but allows variations based on non-secret information, enabling secure and efficient use of network resources in the cloud. Both systems require modest development efforts, and incur moderate performance overheads, thus demonstrating their usability.
Online services collect and process a large amount of sensitive personal data that is subject to complex data privacy policies. Complying with these policies is often legally binding for service providers and at the same time a challenge, since bugs in application programs can lead to unintended disclosure. We present two compliance systems, Qapla and Pacer, that comply with policies efficiently and protect against direct disclosures and indirect disclosures through side channels. Qapla prevents direct disclosures in database-backed applications. Conventional methods embed policy checks in application code. Instead, Qapla specifies policies directly in the database and enforces them in a database adapter. Compliance is thus separated from the application code. Pacer prevents network side-channel disclosures in cloud applications. A user's secrets can be disclosed via the shape of the network traffic, which can be observed at shared network elements (e.g., network cards, switches). Pacer implements a tunnel abstraction that hides secrets in the user's network traffic but allows variations based on non-secret information, enabling secure and efficient use of network resources in the cloud. Both systems require little development effort and incur a moderate performance overhead, which demonstrates their usefulness

    The microdata analysis system at the U.S. Census Bureau

    The U.S. Census Bureau has the responsibility to release high quality data products while maintaining the confidentiality promised to all respondents under Title 13 of the U.S. Code. This paper describes a Microdata Analysis System (MAS) that is currently under development, which will allow users to receive certain statistical analyses of Census Bureau data, such as crosstabulations and regressions, without ever having access to the data themselves. Such analyses must satisfy several statistical confidentiality rules; those that fail these rules will not be output to the user. In addition, the Drop q Rule, which requires removing a relatively small number of units before performing an analysis, is applied to all datasets. We describe the confidentiality rules and briefly outline an evaluation of the effectiveness of the Drop q Rule. We conclude with a description of other approaches to creating a system of this sort, and some directions for future research

    IAS/IFRS and financial reporting quality: Lessons from the European experience

    This paper discusses the effects of the adoption of IAS/IFRS in Europe on the quality of financial reporting. In doing so, it adopts the perspective of stock market investors and focuses on value-relevance research. The adoption of IAS/IFRS in Europe is an example of accounting standardization among countries with different institutional frameworks and enforcement rules. This allows investigating whether, and to what extent, accounting regulation per se can affect the quality of financial reporting and leads to convergence in financial reporting. This is a key issue for standard setting purposes as IAS/IFRS have been adopted in very diverse countries all over the world, and many others are likely to adopt them in the near future

    Health IT Legislation in the United States: Guidelines for IS Researchers

    In this tutorial, I review the most pressing legal issues that health information systems (IS) professionals face and how health information technology (IT) legislation drive them. The issues I discuss include the confidentiality and security of electronic protected health information, meaningful use of health IT, health information exchanges, and information governance. I also provide directions for future research

    A Decathlon in Multidimensional Modeling: Open Issues and Some Solutions

    The concept of multidimensional modeling has proven extremely successful in the area of Online Analytical Processing (OLAP) as one of many applications running on top of a data warehouse installation. Although many different modeling techniques expressed in extended multidimensional data models were proposed in the recent past, we feel that many hot issues are not properly reflected. In this paper we address ten common problems reaching from defects within dimensional structures over multidimensional structures to new analytical requirements and more

    Continuous Process Auditing (CPA): an Audit Rule Ontology Approach to Compliance and Operational Audits

    Continuous Auditing (CA) has been investigated over time and it is, somewhat, in practice within financial and transactional auditing as a part of continuous assurance and monitoring. Enterprise Information Systems (EIS) that run their activities in the form of processes require continuous auditing of a process that invokes the action(s) specified in the policies and rules in a continuous manner and/or sometimes in real-time. This leads to the question: How much could continuous auditing mimic the actual auditing procedures performed by auditing professionals? We investigate some of these questions through Continuous Process Auditing (CPA) relying on heterogeneous activities of processes in the EIS, as well as detecting exceptions and evidence in current and historic databases to provide audit assurance