Value-Based Argumentation for Justifying Compliance

Brigitte Burgemeestre (1), Joris Hulstijn (1), and Yao-Hua Tan (1,2)

(1) IT Audit, Faculty of Economics and Business Administration, Vrije Universiteit Amsterdam, {cburgemeestre,jhulstijn}@feweb.vu.nl
(2) Department of Technology, Policy and Management, Delft University of Technology, [email protected]
Abstract. Compliance is often achieved ‘by design’ through a coherent system of controls consisting of information systems and procedures. This system-based control requires a new approach to auditing in which companies must demonstrate to the regulator that they are ‘in control’. They must determine the relevance of a regulation for their business, justify which set of control measures they have taken to comply with it, and demonstrate that the control measures are operationally effective. In this paper we show how value-based argumentation theory can be applied to the compliance domain. Corporate values motivate the selection of control measures (actions) which aim to fulfill control objectives, i.e. adopted norms (goals). In particular, we show how to formalize the dialogue in which companies justify their compliance decisions to regulators using value-based argumentation. The approach is illustrated by a case study of the safety and security measures adopted in the context of EU customs regulation.

Keywords: Regulatory compliance, internal control, risk management.
G. Governatori and G. Sartor (Eds.): DEON 2010, LNAI 6181, pp. 214–228, 2010. © Springer-Verlag Berlin Heidelberg 2010

1 Introduction

Most organizations are subject to a wide variety of government laws and regulations. These regulations usually have a significant impact on an organization’s operations [14]. Nowadays many rules and regulations are implemented through IT: accounting standards are coded in ERP systems, and workflows and business processes are re-designed for compliance [21]. Compliance is verified through an audit process to identify whether rules and procedures are present in the IT system, are known by employees, and are actually adhered to. In such audits the burden of proof traditionally lies with the regulator. Governments and other regulatory agencies are moving away from this labor-intensive command-and-control approach and experiment with various forms of self-regulation [3,12]. In so-called mandatory self-regulation, some of the control tasks, like rule-making or rule-enforcement, are delegated from the regulator to the companies themselves [19]. The regulator now only has to audit companies’ self-control [17], implemented in their internal control system. Due to major accounting scandals (Enron, WorldCom) the audit of a company’s assessment of its internal control system has become a common practice [14], and can be found in different compliance programs, like Sarbanes-Oxley (SoX) [22], SAS-70 audits, ISO certification etc. For the regulator the audit object is changing from a set of standardized rules into a company-specific control system. This is called system-based audit. Simply checking whether a control
system is present, does not suffice. It is the quality of the system that matters. The burden of proof now lies with the company: they must decide upon and explain how they ensure compliance to the relevant regulations in their specific business. However, the transition is not easy. Empirical research has shown that communication about norms in cases of self-regulation is difficult, for both parties [4,5,3,12]. When developing control systems, high-level control models such as COSO [7], Simons’s levers of control [24], and IT governance models such as COBIT [13], serve as inspiration for designing internal control systems. Risk management is suggested as a technique to point out weaknesses specific to the line of business and define appropriate control measures (e.g. COSO ERM [8], NIST-800-30 [16]). Risk management and governance models thus support companies in deciding upon the implementation of control measures. However, they are not designed as a means to explain compliance decisions to external auditors. Although the quantification of risks into categories of high, middle, or low makes them measurable for the company, risk assessments may also obscure the reasoning that underlies control implementation decisions, for example about dependencies in the system architecture, trade-offs, or strategic priorities [18]. Decision support about compliance should not only help companies to make decisions but also enable external auditors to assess the quality of the decisions. For assessing compliance, the total system of controls in a specific application domain needs to be considered. Domain knowledge is needed to understand the risks and to determine whether appropriate measures have been taken. For example, in the petrochemical domain processes are largely automated. Loading and unloading explosive liquids and gases requires specific expertise and infrastructure, like pressure valves. We cannot expect such expertise to be available among auditors. 
A company’s explanation of its compliance decisions should therefore include relevant domain knowledge and make explicit how business processes, control measures and compliance objectives are linked. In this paper we argue that argumentation theory [26] provides a framework that can help companies to underpin their compliance decisions and justify them to stakeholders. Argumentation theory studies the structure of disputes by providing formal models of possible claims, attacks and counterattacks. We use a particular version of argumentation, value-based argumentation, which has been applied to practical reasoning: an agent must justify its choice of actions, motivated by goals, which are in turn motivated by the social values of the agent [2,1]. In our view, demonstrating compliance is analogous: a company must justify how a selection of control measures (actions), motivated by the corporate values of the company, contributes to the achievement of control objectives, i.e. adopted norms (goals). The structured nature of the argumentation framework with its claims and (counter)attacks closely resembles the audit process as we encounter it in practice. In particular, the so-called critical questions which are provided by the argumentation approach can help to make the audit process more systematic. The paper is structured as follows. Section 2 introduces value-based argumentation theory. In Section 3 we apply value-based argumentation to the compliance domain. Section 4 contains a case study about compliance of a petrochemical company to EU customs regulations, showing how value-based argumentation can provide a justification for control measures.
2 Value-Based Argumentation Theory

Argumentation is an interactive process in which agents make assertions (claims) about a certain topic, which support or attack a certain conclusion. Besides that, the agents may attack each other’s assertions. There is no single truth; what matters is the justification of the conclusion. Argumentation theory can be fruitfully applied to practical reasoning [26]. Practical reasoning is the deliberation process in which goals are set and actions are chosen to achieve these goals. Walton [26] organizes practical reasoning in terms of argument schemes and critical questions. An argument scheme presents an initial assertion in favor of its conclusion. Now it is up to the opponent to try and disprove the assertion. The opponent can, by asking any of the appropriate critical questions, try to shift the burden of proof back to the initial proponent. To get the weight of presumption on its side again, the initial proponent must give a satisfactory answer. Atkinson et al. [2,1] have taken Walton’s notion of a goal and replaced it with three distinct elements: states, with certain features; goals, desired features in a state or undesired consequences; and values, reasons why certain features are desirable and consequences undesirable. They present the following argument scheme:

AS1 In current state qx, we should perform action α, which will result in a new state qy, which will realize a positive goal g, or avoid negative consequences c, which will promote some positive value v.

A state is defined as a set of propositions about the world to which a truth value can be assigned; a goal is a subset of this set of states, and values are evaluation functions on goals. Goals are the desired effects of an action, whereas a state represents the actual result, some of which may be undesired. For example, when my goal is to get my teeth cleaned I go to the dentist, accepting the additional pain.
Values provide the reasons for which an agent wishes to achieve a goal: they set a priority. Values account for the fact that agents may disagree. Even when agents agree upon a goal to be achieved, they may disagree about the reasons for achieving it, due to their contrasting value sets. An argument scheme asserts an initial position. Opponents may then ask critical questions (CQ), trying to undermine the assumptions underlying the argumentation. Atkinson et al. have extended the four critical questions associated with Walton’s argumentation scheme [26]. The list of critical questions provided by Atkinson et al. [2,1] is given below.

CQ1 Are the believed circumstances true?
CQ2 Assuming the circumstances, does the action have the stated consequences?
CQ3 Assuming the circumstances and that the action has the stated consequences, will the action bring about the desired goal?
CQ4 Does the goal realize the value stated?
CQ5 Are there alternative ways of realizing the same consequences?
CQ6 Are there alternative ways of realizing the same goal?
CQ7 Are there alternative ways of promoting the same value?
CQ8 Does doing the action have a side effect which demotes the value?
CQ9 Does doing the action have a side effect which demotes some other value?
CQ10 Does doing the action promote some other value?
CQ11 Does doing the action preclude some other action which would promote some other value?
CQ12 Are the circumstances as described possible?
CQ13 Is the action possible?
CQ14 Are the consequences as described possible?
CQ15 Can the desired goal be realized?
CQ16 Is the value indeed a legitimate value?

The critical questions of Atkinson can be associated with one of the three stages generally involved in practical reasoning (compare decision theory [23]):

1. Problem formulation: decide upon the relevant propositions and values to express the decision structure, i.e. decision alternatives and their consequences (CQ2, CQ3, CQ4, CQ12, CQ13, CQ14, CQ15, CQ16),
2. Epistemic reasoning: determine the initial state of the decision structure (CQ1),
3. Choice of action: develop argumentation schemes and critical questions, to determine the ranking of the various decision alternatives, and select a specific decision alternative (CQ5, CQ6, CQ7, CQ8, CQ9, CQ10, CQ11).
3 Justifying Compliance Decisions

In this section we apply value-based argumentation to the justification of compliance decisions. We study a company’s decision making process on the design of a set of control measures that aim to assure compliance with laws and regulations. These decisions must then be audited, to be accepted or rejected by the regulator. In other words, this is a form of self-regulation.

3.1 Control System Design

The regulations used in self-regulation are often formulated as open norms, of which the exact implementation is left to be decided, instead of specific rules, that prescribe in detail what to do [4]. A company therefore has to make conscious decisions on how to operationalize the norms and choose appropriate controls to ensure them. Laws and regulations can be considered as objectives that originate from external stakeholders, like the government, and are adopted by the company. To implement these objectives, they need to be reformulated to take the company’s specific business context into account. Furthermore, the company may have to alter other existing objectives that (negatively) interfere with the adopted objectives. For each control objective a company must determine a set of possible alternative control measures, and select a coherent subset. Controls must form a coherent system, containing the right mix of preventive measures, and detective and repressive measures [20]. A rational decision would select the decision alternative of which the outcomes are most preferred. However, in compliance, it makes no sense to look for ‘the best’ solution;
one should be satisfied with a solution which is ‘good enough’. This is called satisficing [23]. In general, however, control measures should be proportional: the strongest measures should only be implemented if deviating from the objectives has severe consequences (e.g. controls in nuclear plants vs. paper production). Otherwise, the negative effect that controls may have on other organizational goals like ‘just in time delivery’, increased profit or an enjoyable working environment, may outweigh the goal of becoming compliant. Furthermore we assume that corporate values play a role in deciding upon control objectives and measures. When a company favors the value safety over profitability, it is more likely to opt for the most advanced control measures – which are often also the most expensive ones – than when this is not the case. Choosing between control actions thus requires a careful consideration between increased assurance regarding the achievement of certain control objectives and the possible impact on other organizational goals, influenced by corporate values.

3.2 Auditing

Stakeholders want assurance about a company’s compliance with regulations. That is, they want to be confident that a company’s compliance statement is reliable [14]. The design, existence and operating effectiveness of an internal control system is therefore audited by an (external) auditor. Auditing is the systematic, objective and documented process to obtain and evaluate evidence to ascertain the degree of correspondence with established criteria [20]. The evidence may be directly obtained from the contents of the company’s information systems, but often an auditor needs to obtain information, clarification, insight and explanations from employees of the organization. In system-based auditing, the burden of proof is on the company’s side. A company must therefore provide evidence to the auditor on the appropriateness of the setup and functioning of the control system.
To enable an auditor to evaluate the proposed system of controls, the decisions underlying the design of the system have to be made explicit. A clear mapping has to be established between the (abstract) legislation and the control objectives as they are operationalized and implemented by the company. This requires extensive domain knowledge that also needs to be included in the motivation. The auditor must determine whether the proposed system of controls is sufficient. An auditor may criticize a company’s control objectives or the proposed measures when they do not comply with the objectives defined in the legislation. Whereas rules define the exact boundaries of the law beforehand (ex ante), compliance with open norms is often settled after they have been operationalized and implemented (ex post), namely when the norms are being audited [4]. When judging that a company is non-compliant with rules, the auditors only have to point out which required facts are absent – the legal consequences of those missing facts have already been determined. But when a dispute arises about open norms, auditors must not only point out the relevant facts, but also determine the legal consequences of the facts because this has not been done ex ante [15]. An auditor therefore always has to specify in detail the motivation of a negative judgement to the company. An auditor not only has to verify the correct operationalization and implementation of a set of norms, but also whether a company has considered all the relevant norms in its implementation. Completeness thereby has to be approached in a practical sense, as
the number of possible combinations of controls is almost endless. A company has to put in a ‘reasonable’ effort to motivate its compliance with the legislation. For example, compliance requirements for small companies may be lower than for multinationals, because one cannot expect small companies to make large investments or to have in-house knowledge available. Through communication between the company and regulator, control implementations are evaluated and norms are slowly established about what is considered to be an acceptable implementation. In other words, company and regulator co-create an operationalization of the open norms in the legislation [6].

3.3 Motivation

Why is value-based argumentation useful for the justification of compliance decisions? Observe that designing a set of control measures is analogous to deciding which actions to take. Companies have to translate the relatively abstract open norms into possible control objectives (goals) that fit within their general mission and vision (values), decide which of these control objectives to adopt, and how to implement specific control measures (actions) which are appropriate for their specific situation. Furthermore, the initial argumentation scheme (AS1) in combination with the critical questions resembles quite clearly the audit process as we encounter it in practice. A major part of auditing is dedicated to questioning auditees to get access to relevant data and verifying acquired information. The structured nature of the argumentation framework enables both auditee and auditor to collaborate in an effective compliance audit. In particular, it supports auditees in providing auditors with relevant data in the relevant context, and the critical questions may be useful as audit questions for the auditor. Especially critical questions CQ1, CQ2, CQ3, CQ5, CQ6, CQ12, CQ13, and CQ14 fit well into current audit practice as they focus directly on the effectiveness of the internal control system.
The critical questions about values (CQ4, CQ7, CQ8, CQ9, CQ10, CQ11, and CQ16) are more relevant for companies that use corporate values in prioritizing their decisions. However, these critical questions can also be of interest when they reveal that commonly accepted values, such as liberty, anti-discrimination or personal privacy, are demoted through certain control objectives or actions.

3.4 Formal Argumentation Framework

We follow the notation of [1], which makes use of [25]. This argumentation framework was originally intended to model cooperative decisions in multi-agent systems. Because we study the decision making of an individual company, we do not include the definitions that are needed to model groups, like coalitions, joint action, etc. The control system we wish to model may be in any of a finite set Q of possible states, with some q0 ∈ Q designated as the initial state. At q0 a control system may be completely absent and developed from scratch, or there can be an existing control system which needs to be adapted. For compliance justification, q0 needs to be a truthful depiction of reality. When controls are mentioned in q0 that are not present, this inevitably leads to non-compliance. When existing controls are not reported in q0, this may cause non-compliance when these controls interfere with the newly proposed controls or objectives. Each system is associated with a set Ac of possible control actions α. The
effect of actions is represented by a transition function τ on states. The transition function is partial, which means that not all actions are possible in all states. For example, the use of access control cards does not make sense when there is no gate that restricts access. In other words: actions have preconditions, indicated by ρ. Which properties p are satisfied or true in a given state is indicated by π.

Definition 1. An Action-based Alternating Transition System (AATS) is a 7-tuple S = ⟨Q, q0, Ac, ρ, τ, Φ, π⟩ where:

• Q is a finite, non-empty set of states;
• q0 ∈ Q is the initial state;
• Ac is a finite, non-empty set of actions α;
• ρ : Ac → 2^Q is an action pre-condition function, which for each action α ∈ Ac defines the set of states ρ(α) from which α may be executed;
• τ : Q × Ac → Q is a partial system transition function which defines the state τ(q, α) that would result from the performance of α in state q;
• Φ is a finite, non-empty set of atomic propositions; and
• π : Q → 2^Φ is an interpretation function, which gives the set of primitive propositions satisfied in each state.

Atkinson and Bench-Capon [1] provide an extension of the AATS given in [25] to enable the representation of values. First there is a set of values V. For compliance, we assume that corporate values influence the decision making to pursue certain goals or choose between actions. Every transition between two states affects properties of the states, which in turn may influence the value. A value is either promoted (+), demoted (-) or unchanged (=) by a transition, based on the propositions that hold in the state. Which values are promoted or demoted by a transition depends on whether the properties of those states correspond to the goals of the agent we are modeling, and ultimately, on whether those goals themselves promote or demote the values of the agent.

Definition 2. An AATS extended to accommodate the notion of values is a 9-tuple S = ⟨Q, q0, Ac, ρ, τ, Φ, π, V, δ⟩, where

• V is a finite, non-empty set of values;
• δ : Q × Q × V → {+, -, =} is a valuation function which defines the status (promoted (+), demoted (-) or neutral (=)) of a value v ∈ V ascribed by the agent to a transition between two states.

We can now re-state argument scheme AS1 in terms of the extended AATS:

AS2 Given that initial state q0 equals qx, we should perform action αi, such that τ(qx, αi) = qy, such that g ∈ π(qy) and g ∉ π(qx), or c ∈ π(qx) and c ∉ π(qy), such that for some vu ∈ V, δ(qx, qy, vu) is ‘+’.
4 Case Study: Control Measures for Handling Cargo-Units

In this case study we look at compliance with European customs legislation, namely the AEO initiative to enhance safety and security of international trade. A company can apply to become Authorized Economic Operator (AEO) if it can demonstrate that it is reliable throughout the EU in the context of its customs related operations [10,11]. AEOs receive several benefits in customs handling, which can lead to considerable cost reduction. Customs can direct their efforts towards non-certified companies, while reducing the administrative burden for AEOs. To qualify for the AEO status a company must perform a self-assessment to determine whether it meets the criteria described in the Community Customs Code and the AEO guidelines [11]. Important parts of the self-assessment are a characterization of the business environment and a risk assessment to identify risks and decide on (additional) measures [9]. In a kind of meta-audit, customs check whether the self-assessment is performed correctly, whether the company identified all relevant risks, whether appropriate measures were taken, and whether these measures are operational. Since the appropriateness of security measures is very context dependent, it is important for customs to know how the companies have weighed the risks and decided on the measures. In response to auditing scandals (e.g. Enron, WorldCom), such an audit of a management’s assessment of their internal control system has become a common practice besides the traditional audit of financial statements [14]. Clearly, the AEO initiative has been developed with this idea in mind and classifies as a representative form of system-based audit. In the remainder of this section we discuss the case of a petrochemical company ‘PCC’ that applied in the Netherlands for the AEO certificate.
We construct the argument for PCC’s decisions on implementing certain control measures to support compliance with a specific article in the AEO legislation.

4.1 Data Collection

Data for this case study was collected by document analysis, semi-structured interviews and observation (cf. [27]). We studied internal and public documents from both the Dutch Tax and Customs Administration (Dutch TCA) and PCC, including PCC’s risk-based self-assessment. We conducted 5 interviews with Dutch TCA experts, and joined the auditors on two visits to PCC. To elicit detailed expert knowledge, we showed experts of Dutch Tax the AEO application of PCC and asked them how they would have assessed this company and if they could point out points of interest. We also asked them some general questions about AEO certification and self-assessment. PCC’s risk-based reasoning was already made explicit in the AEO application. The duration of the interviews varied from 2 to 4 hours and the visits took about 6 hours. Except for the visits, we tape-recorded all interviews with the participants’ prior agreement. Minutes were made of meetings.

4.2 Case Description

PCC produces explosive liquids and gases in almost fully automated production processes that require limited human intervention. Incoming and outgoing goods are administered carefully to quickly notice missing goods. Personnel is trained to handle the
goods with care and prevent accidents. The damage can be huge when a tank filled with chemicals falls into the wrong hands. The goods are produced at secured premises surrounded by fences, and access is controlled through security personnel, personalized access cards and cameras. From time to time personnel is searched to check if they bring materials inside or take them away from the premises. PCC has implemented these security measures to prevent unauthorized access and tampering with goods and containers that are on PCC’s premises. A relevant clause in the AEO law [10] is article 14.k(c): “Measures for the handling of goods include protection against the introduction, exchange or loss of any material and tampering with cargo units”. When the goods leave the premises to be transported to clients or other subsidiaries they can also be subject to theft or tampering. Therefore, article 14.k(c) applies not only to security on a company’s premises but also to security measures for transport. PCC’s goods are transported in containers and high pressure tanks on ships, trains and trucks. New contemporary measures like the TREC (Tamper Resistant Embedded Controller) device, which is an electronic seal with sensors and GPS transmitters, or RFID tags (Radio Frequency Identification) may replace or enhance existing controls, like seals or straps, that are installed on containers to prevent and spot unauthorized opening. Because of the nature of the goods, security is very important but, because of the low value of the goods per unit, the costs of security must be kept low.

4.3 Argumentation for Cargo Security During Transport

We will now discuss PCC’s decisions on implementing measures to prevent tampering with cargo units that are on transport, in order to support compliance with article 14.k(c). We model the justification for PCC’s decisions in a state transition diagram using an argumentation-based approach.
In addition we describe the dialogue between PCC and the Dutch customs in terms of argumentation schemes and critical questions. To comply with the AEO legislation PCC needs to ensure that appropriate control measures are in place to achieve the goals or control objectives of end-state qy required by legislation. Article 14.k(c) describes the goals in qy as: it is not possible for an unauthorized person to add or remove products from a cargo-unit that is on transport. Physical security measures (locks, straps and seals) and access control measures (identification, authentication and authorization) aim to prevent unauthorized access. Furthermore, the goods and who will get access to them need to be registered to gain insight into the functioning of the controls and construct audit trails. That gives us five propositions: physical security (Ps), identification of all people accessing (Id), authentication (At), authorization (Az), and registration (Re). So end state qy will have to satisfy at least the following propositions:

π(qy) = {Ps, Id, At, Az, Re}

Note that in each state, other propositions can be satisfied that also promote or demote values and thereby affect the decision making. In particular, during the dialogue between customs officers and PCC, two more issues come up. PCC suggests using trusted transport companies who recruit drivers who are competent (Co). This measure is needed anyway, because PCC personnel must know how to handle highly explosive
gases and liquids. Another issue in the discussion is the large investments (In) possibly required to implement technological security solutions. So the set of potential propositions is defined as follows:

Φ = {Ps, Id, At, Az, Re, Co, In}

To achieve end-state qy, actions need to be performed. But first we describe the initial state q0 outside the premises of PCC. Truck drivers have to identify and authenticate themselves (by a photo-ID) when they pick up the goods at the premises. The goods are transported in containers and tanks that are loaded onto trucks that can be locked with conventional locks and keys. When the goods are delivered, the receivers have to sign for acceptance of the goods. Under those conditions none of the propositions in Φ are satisfied, so π(q0) = { }. PCC can choose from a number of actions to enhance the safety and security outside the premises. Control actions need to be proportional and contribute to the satisfaction of propositions defined for the end-state qy. Some best practices in cargo transportation that are intended to prevent tampering with cargo units are:

α1 Trusted transporters: subject all truck drivers to screening, extensive training and access control measures, in order to achieve a state in which only authorized and competent personnel is allowed to transport dangerous goods.
α2 Container seals or straps: seals or straps are put onto the door of a cargo-unit as a means to partly prevent (unauthorized) opening of that cargo unit, and to detect any opening afterwards, by a broken or removed seal.
α3 RFID tags: RFID tags are electronic devices which are put onto a cargo unit to register its passing through RFID readers that can be installed in places like gates, harbors and airports. This registration can be used to gain insight into (deviations in) the route that the cargo is traveling.
α4 TREC device: a TREC device is an electronic seal, which is installed on the door of a cargo-unit to register its whereabouts using GPS, to control authorized opening of the cargo unit by means of a login/password combination, and to detect any unauthorized opening.

Note that not all actions are possible in all states. In particular, the container seals, RFID tags and TREC have overlapping functionalities (physical security, registration, tracking and tracing) and a combination of these measures is therefore redundant. We will therefore not discuss combinations of α2, α3, and α4. Note that they do differ with respect to implementation costs and possibilities of data collection and integration with IT systems. The integrity of the goods can be verified and monitored at different points in the supply chain. We also identified the values that influence the decision making process on this topic. According to its own Code of Conduct, some of PCC’s core values are:

v1 ‘safety and security’ (S)
v2 ‘cost leadership’ (C)
v3 ‘control and accountability’ (A)
Values v1 and v3 correspond to values underlying the AEO legislation. Using actions α1, α2, α3, α4 and values v1, v2, v3 we can model the states which can be reached (up to the end state qy). The states, the transitions resulting from actions, and the values which are promoted, demoted or unchanged by transitions are shown in Figure 1.

[Figure 1: state transition diagram (not reproduced). The states are labelled with the propositions of Φ that hold in them: q0 = { }, q1 = {Id, At, Az, Co}, q2 = {Ps, Re}, q3 = {Ps, Re, In}, q4 = {Ps, Id, At, Az, Re, In}, q5 = {Ps, Id, At, Az, Re, Co}, q6 = q7 = {Ps, Id, At, Az, Re, Co, In}. Transitions are labelled with the action taken (α1 trusted transporters, α2 security seals, α3 RFID tags, α4 TREC device) and its effect on the values C, S and A as +, − or =; α1 is annotated C=, S+, A=, and α3 and α4 are annotated C−, S+, A+.]

Fig. 1. State transitions, values, and control actions outside the PCC premises
We will now model a dialogue between PCC and Dutch customs, as it occurred during the audit visit of Dutch customs to PCC, in terms of argumentation schemes and critical questions. The dialogue consists of argumentation moves (A1, A2, ...), similar to scheme AS1, followed by objections (O1, O2, ...), which correspond to one of the critical questions (CQ). Objections to objections do not necessarily correspond to critical questions. That means that all the customs' objections are in fact CQs, except for the responses to the company's responses (A2, A3, A4). We model such responses as (partial) instantiations of argument scheme AS1, because they suggest alternative actions (control measures).

Argument 1 (A1), PCC: Action α1 'trusted transporters' is performed to reach q1, in which only authorized (Id, At, Az) and competent (Co) truck drivers have access to the goods during transport, which promotes v1 'safety', and the control objectives of the end state qy are achieved (AS1).

Objection 1 (O1), Customs: Unauthorized access is still possible as truck drivers are not the only people who have access to the cargo during transport, so the action does not have the stated consequences (Id, At, Az, Co) and additional measures are needed (CQ2).

O2, PCC: When a truck driver is near his truck he will prevent thieves or terrorists from gaining unauthorized access to the goods, so action α1 does have the stated consequences.

O3, Customs: Truck drivers will have to leave their truck at some time, so unauthorized access to the cargo is still possible (CQ1).

A2, Customs: PCC should perform α4, implementing TREC devices, which will lead to state q4 in which unauthorized access is physically prevented (Ps, Id, At, Az), but if something does happen, it is detected immediately (Re), which will promote v1 'safety' and v2 'auditability' (AS1).

O4, PCC: Performing action α4 will lead to state q4 in which considerable investments (In) will have to be made, while the profit margin on the goods is low, which will demote value v3 'cost leadership' (CQ9).

A3, Customs: PCC can also perform α3, installing RFID tags in combination with seals, which will lead to state q3 in which physical security (Ps) is increased and the movements of the goods can be traced (Re), which promotes v1 'safety' and v2 'auditability', and v3 'cost leadership' is less demoted than in state q4 (AS1).

O5, PCC: α3 does not always promote v1 'safety' and v2 'auditability', because some trucks will take routes where no RFID gates are passed and the movements of the truck are therefore not registered (CQ4). Furthermore, RFID requires large investments (In), so value v3 'cost leadership' is still demoted (CQ9).

A4, Customs: PCC should perform α2 and put conventional security seals on each cargo unit, which will lead to state q3, in which unauthorized access is prevented (Ps), but if something does happen it is detected afterwards (Re), which will promote v1 'safety' and v2 'auditability' (AS1).

In the end, PCC agrees with customs that α1 and α2 result in state q5 in which Ps, Id, At, Az, Re and Co are all satisfied, but In is not, so the goal of complying with article 14.k(c) of the AEO legislation is brought about without large investments: qy = q5.

4.4 Discussion

In the previous section we formalized PCC's decision making on choosing control measures to comply with customs legislation AEO using an argumentation-based approach. We operationalized a specific article (14.k(c)) of the legislation into control objectives (goals) and identified control measures (actions) that would help to achieve desired states and fulfill the control objectives. Values are used as a means to choose between (combinations of) actions.
First, we found that argumentation theory in combination with AATS can be used to model a decision problem in the compliance domain. It helps to explain how a system of controls works. Control measures are not considered in isolation but in a wider organizational context. Possible control actions are listed, and for each proposed action the prerequisites, consequences, and side effects on other relevant actions, states, goals and values are considered. Furthermore, the critical questions used in the problem formulation and epistemic reasoning phase address whether the decision problem and the proposed solutions are a fair depiction of reality. A limitation of the approach is that the initial state q0 has to be chosen wisely, as it can influence the further framing of the decision problem. One should realize that in practice there is never an initial state. One always has to deal with a situation in which some decisions have already been taken. In our case, the fact that PCC is a petrochemical company means that they have already taken many measures concerning safety and security. For instance, the decision to use 'trusted transporters' makes sense, because the same recruiting companies also select, recruit and train specialized technical and chemical personnel. Another point of critique is that external risks, i.e. threats and vulnerabilities, are not an integral part of the argumentation approach, which is especially important in decision making on security issues. However, risks can be included by implementing risk aversion as a value, or by having risk mitigation as a goal. Also, the analysis from current to desired circumstances, and the avoidance of undesired consequences, exhibits some similarities with risk analysis.

Second, we found that the effect of actions on states, goals, and values is used as a means to choose between alternative control measures. For most deliberations this works well: states where goals are achieved are favored over neutral and negative states, and the promotion of values is favored over the demotion of values. However, in the case study we found that there can be cases where these decision criteria are not sufficient to choose between alternatives. For example, both the TREC device and RFID tags have a negative effect on the value cost. But the negative impact of the TREC device on the 'cost' value is much bigger than that of the RFID tag. In some cases we need a more precise valuation than the simple '+/–/=' range. Furthermore, the TREC example shows that there can be an ordering of the relative importance of values. Apparently cost is more important than auditability: 'cost' > 'auditability'. Our implementation using AATS inherited from [1] does not support an ordering on values.

Third, using argumentation theory, a justification for each decision on implementing control measures is produced. The use of generic concepts like values, goals, actions, and circumstances makes it easy to understand the reasoning process and to ask directed questions in an audit. Both positive and negative effects of control measures are made explicit and taken into account when decisions are made. Relevant contextual information becomes explicit for stakeholders. Furthermore, the position taking and (counter) attacks in argumentation resemble quite naturally the audit process as we encounter it in practice. The critical questions can help companies to better prepare themselves for audits, and can be used by auditors as audit questions.
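The state transition model of Figure 1 and the decision criteria just discussed, as an added Python example that is not part of the paper: it encodes the case study's states, actions and value annotations as a small AATS, runs candidate plans from q0, and ranks them goal-first and then by value effects. It assumes a cost effect of '=' for security seals (the dialogue says no large investment is needed) and adds a value ordering as tie-breaker, the refinement the discussion asks for and which the AATS of [1] lacks.

```python
# Added example, not the paper's own code. A minimal AATS for PCC's choice
# of control measures outside its premises (Section 4.3, Figure 1).
GOAL = frozenset({"Ps", "Id", "At", "Az", "Re", "Co"})  # control objectives of q_y; In is a cost
VALUES = ("S", "C", "A")  # v1 safety and security, v2 cost leadership, v3 control and accountability

# Each action: name, propositions it establishes, effect on each value
# (+1 promote, -1 demote, 0 unchanged) as annotated on the figure's transitions.
# Assumption: the cost effect of a2 (seals) is 0, following the dialogue.
ACTIONS = {
    "a1": ("trusted transporters", {"Id", "At", "Az", "Co"}, {"S": 1, "C": 0, "A": 0}),
    "a2": ("security seals", {"Ps", "Re"}, {"S": 1, "C": 0, "A": 0}),
    "a3": ("RFID tags", {"Ps", "Re", "In"}, {"S": 1, "C": -1, "A": 1}),
    "a4": ("TREC device", {"Ps", "Id", "At", "Az", "Re", "In"}, {"S": 1, "C": -1, "A": 1}),
}
REDUNDANT = ("a2", "a3", "a4")  # overlapping measures; the paper does not combine them


def step(state, action):
    """One transition: the propositions the action establishes are added to the state."""
    return frozenset(state) | ACTIONS[action][1]


def run(actions, start=frozenset()):
    """Apply a sequence of actions from q0 (no proposition holds) and total the value effects."""
    state, effects = frozenset(start), dict.fromkeys(VALUES, 0)
    for a in actions:
        state = step(state, a)
        for v, d in ACTIONS[a][2].items():
            effects[v] += d
    return state, effects


def achieves_goal(state):
    """q_y is reached when every control objective of article 14.k(c) holds."""
    return GOAL <= frozenset(state)


def candidate_plans():
    """Single measures, plus a1 combined with exactly one of the redundant measures."""
    return [(a,) for a in ACTIONS] + [("a1", r) for r in REDUNDANT]


def rank_plans(priority=("S", "C", "A")):
    """Goal-achieving plans first, then value effects compared in the given
    priority order (the value ordering is an assumption added to the paper's criteria).
    Returns (plan, sorted propositions of the reached state, value effects)."""
    scored = []
    for plan in candidate_plans():
        state, effects = run(plan)
        key = (achieves_goal(state),) + tuple(effects[v] for v in priority)
        scored.append((plan, sorted(state), effects, key))
    scored.sort(key=lambda t: t[3], reverse=True)  # stable, so equal keys keep their order
    return [(p, s, e) for p, s, e, _ in scored]


if __name__ == "__main__":
    for plan, state, effects in rank_plans():
        print(plan, "goal" if achieves_goal(state) else "----", state, effects)
```

With the default ordering (cost before accountability) the top plan is α1 with α2, reaching q5 exactly as the dialogue concludes; with accountability ahead of cost, the RFID and TREC plans come first and tie, because the '+/–/=' scale cannot express that the TREC device costs far more than RFID tags, which is the limitation noted above.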
A disadvantage compared to risk analysis is that argumentation theory may overlook certain aspects that are not included in the internal values or goals of the organization, such as external threats, or aspects like safety and security which are essential for the public interest. Especially for such aspects, we need regulation. Finally, the use of (corporate) values as evaluation criteria links compliance more directly to (corporate) strategy, which allows for an integrated approach, embedding control into the business process. In addition, the state transition diagram makes the implementation order and the relation to other control measures explicit. One can now easily show why certain (combinations of) control measures are favored over others. This facilitates future adaptations to the control system, as it is now clear what the (in)direct consequences of replacing control measures are. As with all forms of modeling, there is always the risk that the value model turns out to be only a 'paper exercise' and is not really followed in practice. For such reasons, audits need to be repeated frequently, so that the outcomes of the value-based control approach can be verified later.

Summarizing, we can say that the case study shows that value-based argumentation provides a structured approach for justifying compliance measures, because it makes the reasoning underlying such decisions explicit and understandable for stakeholders. It relates control actions to the achievement of objectives under the consideration of corporate values. Unlike other approaches in the compliance domain, such as risk analysis, control measures are not considered in isolation but as a control system that should fit into the organizational context. This approach fits well with the current audit practice that focuses on a company's assessment of their internal control system.
5 Conclusions

In this paper we used value-based argumentation for justifying compliance with laws and regulations. We described how it can be used to set up a control system, and to justify the decisions made on the implementation of controls to a regulator. Using a case study of the AEO legislation, we demonstrate that value-based argumentation theory can in fact be used to model the dialogue in which agents have to justify compliance to a regulator. Argumentation theory makes the business context of the implemented controls explicit in the argumentation scheme and provides criteria to weigh the alternative options. This is very helpful for auditors, as they can trace how the controls relate to the organizational goals and values in general. Value-based argumentation thus supports decision making and auditing in the compliance domain. A good management process would also take the organizational context into account, but since practitioners tend to focus on risk outcomes only, this is often not made explicit. We therefore believe that for the compliance domain, techniques taken from argumentation theory provide a useful addition to existing governance models and risk management approaches that are often used by companies to set up or evaluate control systems. Especially for the (external) audit of a company's assessment of their internal control system, argumentation theory can provide useful benefits.
References

1. Atkinson, K., Bench-Capon, T.: Practical reasoning as presumptive argumentation using action based alternating transition systems. Artificial Intelligence 171, 855–874 (2007)
2. Atkinson, K., Bench-Capon, T., McBurney, P.: Computational representation of practical argument. Synthese 152(2), 157–206 (2006)
3. Ayres, I., Braithwaite, J.: Responsive Regulation: Transcending the Deregulation Debate. Oxford University Press, Oxford (1992)
4. Burgemeestre, B., Hulstijn, J., Tan, Y.-H.: Rule-based versus principle-based regulatory compliance. In: Governatori, G. (ed.) Proceedings of JURIX 2009, pp. 37–46. IOS Press, Amsterdam (2009)
5. Burgemeestre, B., Hulstijn, J., Tan, Y.-H.: Towards an architecture for self-regulating agents: a case study in international trade. In: Polleres, A., Padget, J. (eds.) Proceedings of COIN@MALLOW (2009)
6. Burgemeestre, B., Hulstijn, J., Tan, Y.-H.: Norm emergence in regulatory compliance. In: Padget, J. (ed.) Proceedings of Normas 2010 (2010)
7. COSO: Internal control – integrated framework (1992)
8. COSO: Enterprise risk management – integrated framework (2004)
9. European Commission: The AEO Compact model. Technical Report TAXUD/2006/1452, Directorate-General Taxation and Customs Union (2006)
10. European Commission: Commission Regulation no 1875/2006 of 18 December 2006. Official Journal of the European Union 360, 64–125 (2006)
11. European Commission: AEO guidelines. Technical Report TAXUD/2006/1450, Directorate-General Taxation and Customs Union (2007)
12. Gribnau, H.: Soft law and taxation: The case of the Netherlands. Legisprudence 1(3), 291–326 (2007)
13. ISACF: Control objectives for information and related technology, COBIT 4.1 (2007)
14. Knechel, W.R., Salterio, S.E., Ballou, B.: Auditing: Assurance and Risk, 3rd edn. Thomson South-Western (2007)
15. Korobkin, R.B.: Behavioral analysis and legal form: Rules vs. principles revisited. Oregon Law Review 79(1), 23–60 (2000)
16. NIST 800-30: Risk management guide for information technology systems. Technical report, National Institute of Standards and Technology (2002)
17. Power, M.: The Audit Society: Rituals of Verification. Oxford University Press, Oxford (1997)
18. Power, M.: Organized Uncertainty: Designing a World of Risk Management. Oxford University Press, Oxford (2007)
19. Rees, J.: Self regulation: an effective alternative to direct regulation by OSHA? Policy Studies Journal 16(3), 602–614 (1988)
20. Romney, M., Steinbart, P.: Accounting Information Systems, 10th edn. Prentice Hall, NJ (2006)
21. Sadiq, S.W., Governatori, G., Namiri, K.: Modeling control objectives for business process compliance. In: Alonso, G., Dadam, P., Rosemann, M. (eds.) BPM 2007. LNCS, vol. 4714, pp. 149–164. Springer, Heidelberg (2007)
22. Sarbanes, Oxley: Public Law 107-204, Sarbanes-Oxley Act of 2002. Technical Report Public Law 107-204, Senate and House of Representatives of the United States of America (2002)
23. Simon, H.: Administrative Behavior, 1st edn., 3rd edn. Free Press, New York (1947/1976)
24. Simons, R.: Levers of Control: How Managers Use Innovative Control Systems to Drive Strategic Renewal. Harvard Business School Press, Cambridge (1995)
25. van der Hoek, W., Roberts, M., Wooldridge, M.: Social laws in alternating time: Effectiveness, feasibility and synthesis. Synthese 156(1), 119 (2007)
26. Walton, D.: Argument Schemes for Presumptive Reasoning. Lawrence Erlbaum Associates, Mahwah (1996)
27. Yin, R.: Case Study Research: Design and Methods, 2nd edn. Sage Publications, Thousand Oaks (2003)