Scope
We explore a high-level model for accountability which can serve as a base to evaluate the relationships among actors and stakeholders, a theoretical base for accountability models, the common business-level ontology and constraints, tools to support accountability modeling, auditing and monitoring models, and the associated methodologies. We create an IT infrastructure with the proposed model and the analysis functions to support a higher governance maturity level and lower overhead for organizations, thus leading to justifications for the business processes and decisions.
Accountability
Governance, risk management, and compliance (GRC) have become major concerns of corporate executives and government regulators. The accountability property is considered as one of the key metrics of GRC. Accountability is not only the concern of large enterprises or governments but a concern for each employee. Employees should be accountable for their behavior to show that they are following the guidelines and internal policies.
In the Oxford English Dictionary, "accountable" is defined as "required or expected to justify actions or decisions." We use an extended meaning of accountability, in contrast to the narrowly defined accountability that deals only with the definition of accounting. The term accountability is often used in different business contexts.
Accountability Meta Model
We define six basic components for accountability: Person Responsible, Stakeholder, Subject Matter, Evidence, Accountability Rule, and Accountability Analysis Point.
- Person Responsible (A) - A subject who is responsible for an activity, statement, or decision. Examples of A are CEO, manager, president, etc.
- Stakeholder (B) - A subject who delegates privileges and/or resources to A. B verifies whether A is behaving as B expects. Examples of B are various stakeholders such as stockholder, citizen, reviewer, supervisor, etc.
- Subject Matter (M) - An object on which A is acting. Examples of M are behavior (e.g. business process), statement (e.g. financial results), or decision.
- Evidence (E) - An object generated as a result of the activity of A. Examples of E are bill, invoice, voucher, money transfer document, system log, etc.
- Accountability Rule (R) - A set of rules and/or policies that A should follow to be accountable for M to B. Examples of R are audit policy, test strategy, monitoring policy, etc.
- Accountability Analysis Point (AAP) - An entity that analyzes the accountability relationship using a given set of information. AAP verifies whether A is accountable for M to B using E according to R.
The following figure depicts the relationship among the basic model components.

Fig. 1 - Accountability Meta Model
Use Scenarios
- SOX specifically requires finance-related companies to prepare internal control reports showing that sufficient controls are in place. Each business owner defines their business processes using a business workflow editor, associating them with potential risks and countermeasures (controls); this association is called the risk-control matrix (RCM). In an audit, the auditor verifies the internal control report, but we identified two problematic areas. The first problem is that it is not easy to check, in a holistic manner, whether all of the potential risks have been identified and safeguarded against across all of a company's business processes. The second problem is that testing the internal controls by investigating actual evidence is very labor intensive. Accountability computing will address these problems by introducing business process verification mechanisms.
- The Federal Rules of Civil Procedure (FRCP) define the legal procedures for civil suits in the United States. The procedures include the Disclosure step, which involves Discovery, a process that can compel the disclosure of all of the relevant information with regard to a civil suit, such as email messages, business documents, and transaction logs. A company that is being sued must retain the relevant evidence and disclose it to the court. However, it is not easy to describe the required electronic evidence after a hold order is issued because very few governance mechanisms are in place in enterprises to support eDiscovery requirements. Accountability computing will address this problem by introducing the required business logic for stakeholders. This will help people in designing appropriate business processes as well as in generating proper evidence without even knowing what sorts of lawsuits might be filed in the future.
