Inter-organizational Workflow for Intelligent Audit of Information Technologies in terms of Entreprise Business Processes

IT governance is critical to the success of Enterprise governance by providing effective, efficient and measurable improvements in business processes by ensuring that information technologies are in line with business objectives. Consequently, this paper provides an intelligent solution to audit Information System Business processes using the IT Governance Framework COBIT. The particularity of this solution is the use of Inter-organization Workflows (IOW), Multi-agent System and semantic web. In fact Inter-Organizational Workflow is used to cooperate autonomous, heterogeneous and distributed organizations processes to reach a common goal. In this paper case the goal is the dynamic alignment of every Business Process with the convenient Information System component and this through a permanent interaction with different stockholders. Multi-agent Systems (MAS) are known as the natural solution for IOW modeling since they provide dynamic modification and execution of adaptive processes. In addition, MAS have the ability to describe distribution and coordination of IOW organizations in micro and macro level, with high level communication protocols. As for the semantic web, the proposed IT Governance IOW based on COBIT, has the principal role to match Enterprise real Business Goals with COBIT Business goals , so the use of the semantic web is a way to share business terminology and avoid semantic conflict for a correct and efficient Audit operation. Keywords—Inter-organizational Workflow; COBIT; Audit; Information System; IT Governance; Business Processes; MultiAgent System; Semantic Web; Ontology


I. INTRODUCTION
Highlight the competitiveness and cost-effectiveness ratio implies increased confidence in information technologies which are becoming an essential component of business strategy.The automation of business functions dictates the incorporation of most powerful control mechanisms not only in computers and networks but in Business Processes, Human Resources and Services as well.
Indeed, many successful enterprises recognize the potential benefits of the Information technologies and understand in the same time how to manage the risks associated with their implementation by the use of IT Governance Frameworks.
The idea of this work is to propose a solution to control and govern IT and Business Processes (BP) in a parallel intelligent and interactive way, taking the benefit of COBIT, the referential framework of Information Systems Governance.The solution also avoids the high cost of Audit missions and this by interfacing it to any kind of Information System (any technology, any dimension, any architecture…).potential users evaluate permanently their Information technologies in terms of Business Processes [1].
To implement such solution, the proposition was the use of Inter-Organizational Workflow able to cooperate many organizations (Information System components) to achieve a comment goal: Audit Operation in COBIT way, which consists on :  IT alignment with business  Responsible use of OT Resources  Appropriate IT risk management In fact, IOW is a technical model helping heterogeneous and autonomous Enterprises/organizations to put in common their respective BP and skills in order to produce a global cooperative service [2].IOW have three additional aspects from the classical Workflow:  The distribution process organizations.
 The autonomy of organizations: each individual organization takes decisions regarding the conditions of cooperation,  The heterogeneity of organizations to cooperate: this relates to the differences in terms of models and systems.
It's the reason why an IOW context was chosen to deal with simultaneous audit of different components of an Information system.
Ontologies are the key of the semantic web, and they are used in many fields of Computer Sciences for automatic processing, interaction and interoperability of machines.There are many definition of ontology, the most common is that ontology includes or implies a certain view of the world with respect to a given domain; this view is often designed as a set of concepts [3].IOW can also get the benefit of ontologies, in this solution, its use is necessary for the understanding of the www.ijacsa.thesai.orgcommon terminology to avoid semantic conflicts and to ensure the right matching of Business objectives.
At least, the use of Multi-agent System to implement the IOW is justified by the theoretical background this technology propose to deal with heterogeneity, autonomy and distribution constraints of IOW.MAS also support ontologies through communication protocol.
This article is organized as follows.Section 2 presents IOW and its specificities and justify it use in the Audit context.Section 3 gives an overview of Multi-agent System and Web Semantic.Section 4 talks about COBIT as IT Governance Framework and define the relations between its different components.Section 5 presents the organizational model and the global architecture.Section 6 is devoted to the mediation layer architecture.Section 7 shows the used ontology and extracts as example the case of COBIT processes DS5done in Protégé 4.3 platform.Section 8 presents a MadKit simulator of the IT Governance IOW.Section 9 concludes the paper.

A. Workflow and Inter-organizational Workflow
A workflow in general is the total or partial automation of business process execution, execution during which documents, information tasks from one participant to another to perform specific activities according to predefined rules.
There are many kinds of workflows namely:  Administration Workflow: [4] devoted to manage administrative procedures whose rules of conducts are established and known by everyone in the company.
 Production Workflow: [5] devoted to manage the production process in the company.

 Collaboration Workflow:
[6] devoted to manage awareness and group collaboration in a project of creative work  Ad-hoc Workflow: [7] is a class of workflows for specific situations where the flow logic to be followed is set during execution.It forms a hybrid solution collecting characteristics administration, production, and collaboration The interested on these kinds of Workflow will find in the references more details about them the advantages and drawbacks of every one.
Inter-organizational Workflow: is an extension of the classical Workflow aiming at cooperating between heterogeneous and autonomous organizations.The reason why it was chosen as a workflow model for this Audit solution

B. Interoperability in Inter-Organizational Workflows
There are many forms of interoperability in an IOW: -Capacity sharing (static context): structural cooperation among organizations with a well-established infrastructure among pre-defined partners in conception phase.Involved organizations, in this case are engaged in a long-term cooperation and their workflows (business processes) are interdependent [8].
-Chained execution: modeling a global workflow into several disjoint workflows executed sequentially.Each partner is responsible for a part of the workflow.Once this part is executed, the partner transfers the stream to the next partner.Not in a parallel way.
-Subcontracting: allowing to a main partner to delegate the implementation and coordination of part of its workflow to other partners.Workflow control is hierarchical; the partner sees the subcontracted workflows as atomic while they may have complex structures at the running level.
-Loose IOW (dynamic context): occasional and opportunist cooperation, without structural constraints, where the partners involved and their number are not pre-defined.Workflows must be increased by a structure of interactions to allow communication between the different partners and the correct execution instances.Interaction is achieved through asynchronous communication and is based on the flow of messages between local partner's workflows.

C. IT Governance Inter-Organizational Workflow
This article is about Information system Audit context which consists on evaluating the adequacy of every Business Process in the Company in terms of existing parts of the IS.In fact, nowadays IS are more and more complex and open to World Wide Web and new network technologies constraints.So , for this problematic the most adaptive interoperability form for the IOW is the Loose scenario, since sub-IS should not obligatory be known in advance and be interconnected and every part has his own objectives and participate in the same time to the global goal achievement.

A. IOW modeling with MAS and Semantic Web
The combination of Multi-agent system and semantic Web are widely used for modeling system coordination [9].It seems to be appropriate to describe the coordination of IOW as a dynamic system aiming at finding "supply service for a demand service" and adopting the negotiation between partners.In fact, agent technology is a custom frame for IOW abstraction: it resolves its constraint of distribution, heterogeneity, autonomy and flexibility: -Autonomy: every organization of the IOW can be encapsulated in an Agent as autonomous entity having its intentions goals and resources and able to be executed alone or in an environment, depending on the context.
-Distribution: IOW is a distributed context and MAS includes specific architecture, communication protocols and languages to support this constraint.
-Heterogeneity: Agent technology allows communication and interaction between heterogonous agents through Agent-Communication-Languages (ACL).It also provides synchronous and asynchronous ways of communication depending on the agent localization and constraints.www.ijacsa.thesai.orgMAS offer many Meta-Models to cover the organizational aspect of Workflow.It also covers the scalability and security worries in loose IOW context.As for the semantic Web which is the collaborative movement of W3C providing a model that allows data to be shared and reused across applications, enterprises and groups of users [10].It helps to represent shared business terminology of the IOW in a formal way to solve semantic conflicts in the one hand and to define properly services ( supply and demand) in the other hand.
The best representation of semantic web on MAS context is the use of ontology recognized in communication protocol of agents.

B. Ontlogies conceptualisation
As defined before, ontology includes or implies a certain view of the world with respect to a given domain; this view is often designed as a set of concepts such as entities, attributes, processes…etc.
It can take different forms but it necessarily includes a vocabulary of terms and specification of their meaning.
To define ontology four points are essential [11]:  Relation "is a": it's called "subsomption" which define a generalization relationship.
 Author relations: it concerned conceptions relations other than "is a" such as "part of", "primitive of"..etc.

C. Ontologies Editors
There are many ontologies editors namely: Protégé [12]: graphical environment for ontologies development based on hierarchical knowledge model ( classes attributes  properties ).It's one of the most used editors regrouping a wide community of users , it has compatibility with OWL reference , Knowledge base management , ontologies visualizations, alimentation and fusion.
OILED [13]: it's also based on classes' hierarchy, it provides roles specialization, properties test but it's limited to the construction of OIL ontologies example.

OntoEDit[14] :
it's an owner solution based on hierarchical concepts , able to express axioms but it's not reliable since it's limited to a lexical comparison of terms .
The most adaptable ontology to the proposed IT Governance IOW is domain ontology to match BP Demand and BP supply in IT Governance Domain.In this article, Protégé 4.3 is used for modeling this ontology in OWL-S supported by FIPA-ACL as this solution Agent communication languages IV.COBIT: IT GOVERNANCE FRAMEWORK IT Governance is a structure of relationships and processes to control the enterprise to achieve its objectives by generating value while finding the right balance between risk and benefits of IT and processes.It could not be efficient without a referential framework giving best practice.this article is based on COBIT 4.1 (Control Objectives for Information and related Technology Business).

A. What is COBIT? how to grasp it?
COBIT [8] is an IT Governance framework developed in 1994 (published in 1996) by ISACA (The Information System Audit and Control Association).It is designed for the control objectives of information technology.
COBIT proposes best practices through a framework by domain and by process.It presents activities in a manageable and logical structure.Its practices focused more on control, less on execution.To optimize IT-enabled investments, ensure service delivery and provide a good measure to face potential risks For COBIT, as shown in the figure below, every information system can be decomposed into 34 processes, which are divided into four functional areas:  Planning and Organization) (10 processes). Acquire and Implement) (7 processes). Deliver and Support) (13 processes). Monitor (4 processes).These four areas can cover 318 goals with different criterias

B. Mapping Business Goals, IT Goals and COBIT Processes
COBIT offers variety of components interconnected to guide Audit mission and/or IT Governance procedure.
In fact, COBIT proposes three essential kinds of components namely: Business Goals, IT Goals, and IT Processes.These components cover mainly the totality of possible Goals and processes for an Information System.www.ijacsa.thesai.org-Business Goals [15]: COBIT V4.1 (the used version) proposes 20 Business Goals distributed according to the four pillars of balanced square i.e. customer perspective; financial perspective; Information System Direction (ISD) internal perspective and future or anticipation perspective.
-IT Goals: the 20 Business goals refer to 28 IT goals, themselves related to COBIT process.The same IT Goal can be associated with one or more COBIT process (one of the 34 processes presented before.) Consequently, COBIT offers to every Business Goals, IT goals, IT processes, Key activities, Controls, Metrics, RACI Chart, etc.These outputs represents recommendations and measures ISD and Top management should consider for better IT governance.the proposed loose IOW architecture is based on the process oriented aspect of COBIT and the "agentification" of its components detailed before.In fact, COBIT provide hierarchy able to be divided between Actors who can take the responsibility of giving a full image of IS business Objective (BO).The added value of this work is the intelligent matching between real Enterprise Business Goals (expressed by users and managers about IT worries and standard (Business Goals of the BSC) proposed in the framework.This matching is the first mission of IOW Agents, and then an Audit operation will be launched as shown in Figure 2.

C. Case Study : DS5 process Goals and Metrics
In this paper, to illustrate the flow of the proposed IT Governance loose IOW, the case study is as following : an IS user evokes an IS business objective about information reliability for top decisions.
This IS BO will be matched with the 9 th COBIT Business Objective: "Obtain reliable and useful information for strategic decision making".This 9 th BO calls many IT Objectives (see fig3).
To simplify and well clarify the case study for next sections only the example of 9 th Business Objective calling the 20 th IT Objective will be illustrated:" Ensure that automated business transactions and information exchanges can be trusted."This 20 th IT Objectivecall three IT processes (see fig4) .For the same reason, let's take the exemple of DS5 COBIT process witch concerns "system security insurance".It belongs to "Deliver and Support" Domain includes establishing and maintaining IT security roles and responsibilities, policies, standards, and procedures.

V. PROPOSED ARCHITECTURE OF IT GOVERNANCE INTER-ORGANIZATIONAL WORKFLOW
A. Organizational Model Agent-Group-Role (AGR) is a Multi-Agent System Meta model where an agent as an intelligent and communicating entity can play one or more roles through membership in a group or groups without any constraints on its architecture [1].
Based on AGR, the proposed organizational model is organized around the following components: -Five types of groups represented by an eclipse (Audit, Finding Audit, Finding Auditor, Audited and Auditor) -Ten roles represented by a circle as every agent has double role in every group ( Mediator, SI Connection Server, COBIT Connection Server, IS Workflow Agent, COBIT Agent) -Communication between agents is represented by arrows.
Fig.  Every part of Information system (application, ERP module, etc..) is encapsulated on an Agent having IS Workflow Agent role.In the same way every COBIT Business Goal or Business Objective is encapsulated in an Agent having COBIT Agent.
Connection server submits an audit request about a business objective; it allows the mediator agent to return the identity of the appropriate COBIT agent in Audited Group.
IS Workflow Agent and COBIT Agent, after getting each other identities from connection servers negotiate the more priority COBIT process to implement; the RACI matrix, the key metrics and the maturity model to follow in Audit Group.

IS Workflow Agent or COBIT Agent interact
with a connection server (COBIT or IS) from which they get requested partner identity in Finding Audited Group and Finding Auditor Group.
Connection server via a mediator Agent (recording COBIT Agents capabilities), release the appropriate COBIT process (offered by COBIT Agent) in Auditor Group.

It contains the following Agents:
IS Workflow Agent: Agent encapsulating a part of the IS and launched by stakeholders requests about the audit of one or many business processes of the system.

Manager Agent monitors and controls the running of IS Workflow Agents.
COBIT Agent is the auditor agent who broadcasts services throw the COBIT Connection Server.Once into contact with an IS Workflow Agent, COBIT Agent other agents: IT Objective Agents and COBIT IT Process Agents to audit the IS BO in COBIT framework way.

Connection Server Agent is responsible for publishing Workflow IS Agents requests and getting convenient COBIT Agents from Mediator Agent.
Mediator Agent: it's a yellow pages Agent which publishes COBIT Agents offered services and requests made by the IS Workflow agents.the next section will be devoted to it.

A. Medaition Agent proposed architecture
There are principally three kind of mediator Agent: Matchmaker, Broker [21] and Facilitator [22].The difference between a Matchmaker and a facilitator is that the second one intermediate transaction and the first one links provider with Manager Agent

IS Connection Server
Mediator Agent COBIT Connection Server

IS components Flow
Sending Messages Sharing Informations www.ijacsa.thesai.orgrequester by identities exchanging, then they communicate directly.As for a Broker, he gets delegated services with preferences from the requester, asks the provider for results and sends directly this result to the requester.
In this paper case a Matchmaker agent is necessary so as to link between IS Workflow Agent and COBIT agent and let them exchange audit information directly in Audit Group without interfering.This to simulate a real Audit operation consisting on interviewing IS user to propose convenient recommendations.
The role of the Matchmaker in the WIO is to find convenient partner (COBIT BO) for every IS BO instance.-Persistence: it's a dynamic layer responsible for COBIT Agents offered services saving and optionally IS Workflow Agents demands saving.This layer communicates with COBIT Services Data base and IS Objectives Database (optional).
-Processing: it's a dynamic layer where Audit ontology en OWL-s format is created and saved.In fact it's the hierarchical description of demand services and supply ones.This layer communicates with an ontology Data-base, in this paper, Protégé save ontologies by default in a web localization; so data-base could be replaced with an XML file containing ontologies URL.
Matching: it's the comparison and link between a demand and convenient offers; it's a return of convenient COBIT Agent Addresses to IS Workflow Agent.The comparison is based on the Audit Ontology defined in Processing layer and need an algorithm to filter offers (not yet done).This is the intelligent layer of the Matchmaker agent and it's linked to Knowledge Base of Audit operation.

B. AUML Sequence Diagram for BP Matchmaking
To illustrate the intelligent matching of IS Business Objectives and COBIT Business Objectives by mediation entities, the following AUML Sequence Diagram is proposed ( see Fig. Matchmaker Agent saves the service coming from IS Workflow Agent and all supplied services (Persistence layer of Matchmaker Agent see Fig5), processing every service via existing ontologies and compares them (matching layer).In the next section these two layers roles will be detailed.
Once the Matchmaker Agent find convenient supplied service: COBIT BO for the demanded service IS BI; it sends COBIT Agent Address to IS Workflow Agent.
To conclude, the Mediation entity in this paper is a Matchmaker Agent able to save "Supply and Demand" Business Objectives, define them throw Audit ontology and match IS Business Demand with the corresponding COBIT Business Objective.This matching simulates the Audit activity first step: indentifying the problematic IS Business Objectives and its measure in COBIT Framework.From this step, IT Objectives and IT Processes of this IS demand can be defined to get as a result recommendations about: -Activities : list of activities to achieve IT Objective  As a result of ontologies state of art, the "Audit Ontology" of this solution is implemented with Protégé 4.3 in OWL (with Resource Description Framework (RDF) format).
OWL is a widely used web semantic language; it provides many advantages through its hierarchical structure [17], namely:  Service definition through a process model.
 Attributes detailed description (Inputs, outputs, constraints)  Support of different structures of service (atomic, simple or complex)  Set operators default use.
-Maturity model : degree of IT Process implementation (0: nonexistent -5 optimized) -IS stakeholders with the following values( Responsible, Accountable, Consulted, Informed) This technical choice is in line with the fact that the IT Governance IOW simulator is developed in MadKit 5 platform with FIPA-ACL as Agent Communication language, more details will be given about this point in the next section.
At this stage, this same language is kept as Agent Capability description Language since it supports performatives, and ontologies and offers development flexibility.
Coming back to "Audit Ontology" : the Matchmaker Agent is connected to an ontology Data base.Once it gets the COBIT BO service and /or IS BO service, it calls the ontology, extracts entities and properties and defines the class of each concept of the proposed service, eventually equality, inclusion and difference.
In future works the states of arts of ontologies concepts comparison will be presented and the algorithm to compare concepts in terms of "Audit Ontology" will be implemented.
Other reason to implement OWL ontology is the interoperability of defined services: they could be eventually manipulated as web service for a better reusability and without any environmental or architectural integration constraint.

B. Case study and Ontlogy exemple
In this article Protégé 4.3 is used as ontology editor and "Audit ontology" is based on COBIT 4.1 Business Goals definition.
In facts COBIT Business Objectives are divided into 4 categories of perspectives (Financial Perspective; Customer Perspective; Internal Perspective and Learning and Growth Perspective).
Every perspective contains many Business Objectives; Audit ontology concepts and properties are defined around these BO related to the four Perspectives as shown in the figure bellow.www.ijacsa.thesai.orgTo illustrate that, let's show the part of Audit ontology about the case study (see Section IV) IS BO = "IS information's reliability for top management decisions".
The key concepts are: reliability, information, and decision.
On Audit ontology, "Reliability" and "Decision" are subclasses of "Consumer" which is a sub-class of "Perspective"."Reliable information" is a sub-class of "Reliability".
As for object properties: "Reliable information" is useful for "Decision" (see Figure 8).The generated OWL file arround this part of "Audit Ontology" is as bellow:

A. MAS Plateforme choice
As the choice of Multi-Agent platform has a great influence on the design and implementation of MAS, FIPA has produced standards that describe how an agent platform should be.These standards exist to ensure uniform design agents regardless of the platform.
The platform choice is based on the above comparative table [18],

B. Implementation
The solution is developed with JAVA to ensure system portability and to benefit from APIs for Agent and ontology implementation.
Eclipse IDE is used for java development with MADKIT 5 API.
The following roles of the IOW was developed namely: -IS Workflow Agent Role -IS Connection Server Role -Mediator Role -COBIT Server Role -COBIT Agent.The screenshot below present different agents' execution: In this level, a graphic interface was implemented for each Agent and a main class java to simulate the audit operation.a user interface will be proposed later to launch IS Workflow Agent and IS BO input.
The request now is imitated to find the convenient COBIT connection server publishing one of COBIT processes (the choice is based on the mediator matching) We are working at Mediation entity implementation to integrate Audit ontology, and preparing mediation algorithm for its use.

The screenshot presents:
1: IS connection Server Agent presenting a static business objective, it asks the mediator to find its supply service and wait for a request.

3:
COBIT Connection Server publishing its service through the mediator, and waits to be chosen as an auditor.
Ontology type : there five types of ontologies namely : -Domain ontology -Generic ontology -Problem resolution ontology -Application ontology -Representation ontology  Properties definition : it's the definition and classification of concepts and their properties ( simple or complex)

Fig. 4 .
Fig. 4. Global Architecture of the IT GRC Loose IOW

Fig. 5 .
Fig. 5. Mediator Agent ArchitectureThere are three parts In the Matchmaker Agent: 6.): IS Workflow Agent sends the IS BO (demanded service) to IS Connection Server.IS Connection Server confirms the demand reception by an acknowledgement to IS Workflow Agent and Send.Then, it sends demand service to Matchmaker Agent.At the same time, COBIT Agent send throw its own Connection Server COBIT BO (supplied services).

-
Metrics: measures able to quantify IT Processes performance.Responsibilities chart: repartition of activities among -Maturity model : degree of IT Process implementation (0: nonexistent -5 optimized)

Fig. 6 .
Fig. 6.AUML Sequence Diagram for the Mediation Layer VII.AUDIT DOMAIN ONTOLOGY : CASE STUDY DS5A.Audit ontology in OWLAs said before, domain ontology is used in the proposed IT Governance Inter-Organizational Workflow to define IS Business Objectives as demanded services and COBIT Business Objectives as supplied services.The role of this ontology is to understand the common vocabulary of IOW organizations and to allow the Matchmaker to compare and match "demand with supplies".

Fig. 8 .
Fig. 8. OWL Viz Asserted model of a part of Audit Ontology (Constumor Perspective concepts)

Fig. 9 .
Fig. 9. Portion of Generated Audit ontology OWL file VIII.IMPLEMENTATION AND DISCUSSION As implementation of the proposed IT Governance IOW, a multi-agent simulator of Audit operation is developed.Bellow technical specificities of this simulator are presented:

2 :
Mediator Agent matches the audited agent with the convenient auditor agent.It sends service title + COBIT Agent address to IS Connection server.IX.PERSPECTIVE AND CONCLUSION The purpose of this paper is to deploy an agent based Interorganization Workflow to provide permanent and interactive Audit operation of Information systems.Many literature issues were invoked namely: -Inter-Organizational Workflows -Multi-agent System and artificial intelligence -Mediation entities -Semantic Web and ontologies The choice of every issue has an added value for this solution; in fact, Inter-organization Workflows provide the orchestration of heterogeneous components of an IS in an autonomic way.Multi-agent system insures the intelligent dimension of the solution with high level communication protocol and modeling architecture.Mediation in MAS gives a theoretical model of matching services among intelligent entities.Ontologies offer the semantic alignment of stakeholders with COBIT framework vocabulary like experts Audit operation context.This paper opens many perspectives of this research work namely: -Audit negotiation operation between IS Workflow Agent and COBIT Agent and detailed architecture of each of them, -BO Services better description with SOA, -IOW Intelligent user interface modeling and implementation.-Simulatoramelioration in parallel with proposed architectures.In fact, the IT Governance IOW role is not only to find the convenient COBIT Business Objectives for IS goals but to negotiate COBIT recommendation and measure the reality of IS alignment with Enterprise Business, so the next main step of this research is to implement the negotiation infrastructure of the Inter organizational Workflow.The Second important point to develop is the Web Service representation of Processes to benefit from semantic web power and to ensure more portability of our platform.Of course, this should be in parallel of modeling and developing ergonomic platform with

TABLE I .
[9]KING 9 TH BUSINESS OBJECRIVE TO IT OBJECTIVES[9]TABLE TYPE STYLES

TABLE III .
MULT-AGENT PLATFORMS COMPARAISON www.ijacsa.thesai.org is based.In addition to that, MADKIT can build complex systems, control Agent life cycle and provide a complete layer of Agent communication (asynchrony message / broadcast message, etc).