Research

Fuzzy cognitive map for the design of EDI controls

Sangjae Lee

a

, Ingoo Han

b,*

a_{Techno-Management Research Institute, Korea Advanced Institute of Science and Technology, Seoul 130-012, South Korea} b_{Graduate School of Management, Korea Advanced Institute of Science and Technology 207-43,}

Cheongryangri-Dong Dongdaemun-Gu, Seoul 130-012, South Korea

Received 4 October 1998; received in revised form 22 March 1999; accepted 10 July 1999

Abstract

EDI control design is ill-structured and demands consideration of the complex causal relationships among various components of the controls, which may be broadly classi®ed into formal, informal, and automated types. Each of these can, in turn, be categorized as internal or external. However, it is dif®cult even for EDI experts to predict the causal effects of one control on another. In order to aid the design of EDI controls, the application of a fuzzy cognitive map, EDIFCM (EDI-Control Design using a Fuzzy Cognitive Map), was developed. Structural equation modeling was used to identify relevant relationships among the components and indicate their direction and strength. A standardized causal coef®cient from structural equation modeling was then used to create a fuzzy cognitive map, through which the state or movement of one control component was shown to have an in¯uence on the state or movement of others. Thus, EDI auditors were able to enhance their understanding of the causal relationship of controls and effectively design them.#2000 Elsevier Science B.V. All rights reserved.

Keywords:Electronic data interchange; Fuzzy cognitive map; Controls; Performance; Security

1. Introduction

EDI (Electronic Data Interchange) is the electronic, computer-to-computer exchange of information in a standard format between business trading partners or various units within an organization. A document must be initially converted into an agreed-upon format (grammar), then transmitted in such a manner that it is error free. Despite the bene®ts claimed for EDI, the EDI literature indicates that EDI adopters seem to have mixed success. One of the major problems relates to the security of EDI. While a substantial reduction in

operating costs may be achieved, these savings can be wiped out by deliberate or accidental loss of data during communication. The system does not accom-plish its intended outcome if the security and integrity of the system control are insuf®cient. A general absence of hard copy or signature/authorization for transactions and audit trails demands changes and enhancement to the traditional control systems.

EDI controls can be broadly de®ned as the process through which an organization achieves its goals when implementing EDI. The controls can safeguard IS resources, thereby, accomplishing the system objec-tives of timeliness and accuracy. Designing EDI controls is seldom simple, as it demands considera-tion of the complex interrelaconsidera-tionships among various components.

*_{Corresponding author. Tel.:‡8229583613; fax:‡8229583604} E-mail address: ighan@kgsm.kaist.ac.kr (I. Han)

The tasks of evaluating and designing EDI controls, as performed by managers and internal auditors, are dif®cult and unstructured. IS auditors have relied upon their experience and know-how to make decisions on the degree to which a system maintains integrity and security. A traditional technique for evaluating control systems is a checklist. However, it is dif®cult to assess the interactions among components using only a checklist method. As the relevant environment is likely to be complex and EDI auditors do not fully understand how the rigorous analytical techniques can assist them in determining the interrelationships among various components.

It is dif®cult for EDI auditors or managers to quantify the strength and direction of the interrelation-ships among EDI controls and performance. This is likely to be particularly true for decision environments which are not well understood. Further, the expertise of a larger number of experts needs to be combined in order to produce a more reliable EDI control structure. A rigorous method is needed to integrate information from various experts and sources.

This article proposes the use of an FCM (Fuzzy Cognitive Map) approach in designing EDI controls.

2. Components of EDI controls

EDI controls ensure that an error or failure in the EDI process does not propagate into other applications of organizations. The EDI system may not reduce cycle time or administrative cost unless it is well designed. If its performance level is unsatisfactory, formal, infor-mal, and automated controls need to be checked and adjusted. These three types of controls can be com-bined to achieve the organizational goals [23].

While internal controls deal with such components as the application system and communication inter-face, external controls are concerned with systems such as proprietary networks connected with trading partners and VANs. Internal controls are established to monitor such systems as accounting or sales con-nected to the network. Agreements must be reached between trading partners on transmission and message standards, and communication protocols. The parties must continuously manage such needs as mutual training, contingency planning, and transmission security with the electronic trading partners.

Controls can be classi®ed into two important dimensions: formality and automation; thus, there are six potential control types. Internal formal controls are established by management and based on written procedures to:

protect applications from errors and unauthorized access, and

ensure that communication is accurate and secure.

The parallel external controls involve procedures to be used by:

VAN service providers to ensure security of EDI messages and communication processes, and

trading partners to ensure security and integrity of

communication.

The items for informal controls are adapted from Jaworski et al. [17]. Internal informal controls include those of IS members and users in recognizing the extent of risk, sense of responsibility, experience, and interaction among colleagues. In a similar way, the external informal controls include components for VANs and trading partners with cross-vulnerabilities. Internal automated controls indicate the degree to which such procedures and methods are used to detect and correct errors during input, process, and output of data and ensure security and authentication software to protect the systems from unauthorized access and computer abuse. External automated controls involve the VANs and trading partners in protecting system integrity.

3. The causal relations among EDI controls

knowl-edge turns out to be higher when formal policies do not exist and when standards are not implemented.

EDI auditors must enforce controls to achieve organizational goals. An access control system using a password is one example illustrating the interaction of the three controls. Procedures for maintaining user passwords and changing procedures are formal; users' recognition of responsibility and faith in the proce-dures comprise informal controls. Access control soft-ware and embedded audit routines are automated controls. As appropriately designed EDI controls can improve performance, successful design requires a detailed understanding of the control structure and its implication on performance.

A clearly de®ned set of policies regarding the education of system users can be the basis for enhan-cing user awareness of the effect of violation of rules on the integrity and security of the system. An educa-tion program on the ethical aspects of system usage can similarly increase the responsibility of employees. Communication and discussion among employees can be encouraged through formalized team training.

After the installation of automated controls, EDI adopters may recognize the importance of formal procedures for managing the system [7,16]; e.g., transaction logs must be protected from alteration in order to retain a valid audit trail.

It may be inef®cient for EDI managers to imple-ment full controls that require signi®cant resources. The appropriate levels of various controls should be determined according to their interdependency and impact on performance.

4. Need for FCM in the design of EDI controls

Audit support systems help auditors with evidence collection and evaluation. Tools, such as generalized audit software packages, have been developed to provide data retrieval, manipulation, and reporting capabilities that are speci®cally oriented to the needs of auditors. This software allows them to use a high-level problem-oriented language to invoke functions to be performed on data. Auditors can increase their understanding of the system and can be supported while making semistructured and unstructured deci-sions with such specialized audit software. Expert systems using arti®cial-intelligence techniques

encap-sulate the knowledge of good auditors about a speci®c problem domain and can reproduce their expertise when faced with a similar domain.

A cognitive map (CM), introduced by Axelrod [2], is a representation of the causal relationships among the elements of a given environment. It describes the perceptions of experts about the subjective world rather than objective reality. CMs were originally used to represent knowledge in the political and social sciences. Their concern is to see whether the state of one element seems to in¯uence the state of another.

CMs can be generalized into FCMs by fuzzifying edge values or causality values. FCMs give different strengths to each link and appear more reasonable to represent most cases. In many cases, knowledge about a speci®c domain is uncertain as well as fuzzy, because most knowledge is expressed as different causal relationships between concepts or variables. The FCM approach is an inference mechanism that allows the fuzzy causal relations among factors to be identi®ed and their impact to be constructed. An FCM is composed of nodes that represent the factors most relevant to the decision environment and arrows that indicate different causal relationships among factors. One factor has a direct positive or negative effect on another. Arrows may have different numerical strengths. Experts describe their understanding of the relationships among the de®ned key factors in order to build a cognitive map.

FCMs are commonly considered best for problems where experts have diverse opinions about a correct answer. An FCM sets up a series of nodes, each of which represents one of the key elements of the problem. It is often dif®cult to quantify the impact of one factor on another. The causal relationships can, however, be indicated by weighted directed connec-tions.

FCMs are especially useful for knowledge acquisi-tion/processing in soft but highly complicated domains where both system concepts and relation-ships are fundamentally fuzzy (e.g. [20,21,27]). Mon-tazemi and Conrath [26] used FCMs for information requirement analysis, suggesting a pattern of effective factors for evaluating the performance of subordinates by insurance claim managers. Looney and Al®ze [24] suggested binary matrices to describe rule-based knowledge. An M-labeled digraph has been used to represent causation in static and dynamic processes [4]. Binary matrices and matrix multiplications have also been introduced for reasoning in semantic net-works [5]. Kim and Pearl [19] used the causal network formalism suggested by Pearl [29] to develop an inference engine for causal and diagnostic reasoning. Further, FCMs have been used to analyze electrical circuits [30], to analyze and extend graph-theoretic behavior [35], and model plant control [12].

The usefulness of FCMs can be highlighted in dynamic feedback systems for which conventional rule-based expert systems are inadequate [31]. Audi-tors rely on past experience rather than explicit rules when evaluating and designing controls. They use past cases to make recommendations for controls and use few inferential rules. As an AI approach, the fuzzy cognitive map technique can compensate for the lack of rule-based mechanisms in traditional expert sys-tems by providing the higher level of abstraction needed for EDI control design.

Subjective, nondeterministic, and context-sensitive judgments have been used to evaluate and determine the interrelationships among controls. Past experience and professional knowledge of EDI auditors may be used in their design. However, the cognitive and situational limitations of auditors may hinder the effectiveness of their reasoning process. People tend to search for information that supports their own ideas and is consistent with their established beliefs. They have dif®culty in simultaneously integrating large quantities of information. Since EDI auditors only deal with a small number of cases, their ability to infer relationships among controls may be limited. The increasing complexity of computerized systems necessitates improved aid for evidence collection and evaluation. The interaction among related controls might even complicate the design and audit process.

5. FCM development

The purpose of FCM is to aid in the recommenda-tion of EDI controls that ensure high EDI perfor-mance. It is necessary to devise a systematic way to estimate the causal relationships among factors based on a historical case base, as there exist no normative model of EDI controls. Methods of determining causal relationships among factors include using the state-ments of decision makers [9], questionnaires prepared speci®cally for this purpose or neural network-based learning [6]. The ®rst and second approaches are based on the assumption that experts in the domain can accurately provide the weights in causal relationships. Traditional design procedures for IS controls, such as interview and observation, may be insuf®cient to deal with the control complexities inherent in EDI. How-ever, integration of the individual FCMs created by experts is needed when there exist multiple maps devised by experts from the same domain with varying degrees of credibility. It is dif®cult to determine the precise strength of the interrelationships among fac-tors at the outset. The edge weights de®ne the degree to which concepts interact. Experts can assign num-bers to the entries of adjacency matrices but it is dif®cult to gauge their strength. In addition, in cases where each map has less accuracy and reliability, the resulting combined map cannot precisely describe, through algorithms, the actual state of the domain environment.

Algorithmic ways of combining various FCMs are incomplete. Existing studies have focused on the combination of knowledge after they are built. A combined FCM is potentially stronger than an indi-vidual one, because information comes from multiple sources. However, maps can differ in content and relative strength, making accurate combination dif®-cult. It is even dif®cult to determine the credibility weight given to each expert accurately when a global FCM is computed from the weighted sum of indivi-dual FCMs:

suggested by individual experts; and Wi is the

credentials, making the determination of credibility weight subjective. There are methods of combining knowledge [22] or estimation of weights, but these demand a comparison of opinions from experts. As the number of experts increases, the comparison of their opinions becomes very complex. Hence it is necessary that the knowledge of experts be accurately repre-sented when the FCM is first constructed.

Using neural network-based learning is inappropri-ate unless the number of data points to be analyzed or the range of values for each data point is large (much larger than statistical techniques) in order to produce reliable weights of each link. In addition, as knowledge is distributed over the entire network, reading and understanding it is dif®cult. It has been suggested that neural network systems are limited in their inability to provide explanations of how input attributes are used to produce output predictions [8,34]. This has resulted in the idea that neural net-works are black boxes that cannot show what the network has learned [13]. There are some heuristic methods to identify the strength of the relationships between inputs and each output variables [11,32,33]. Further, the learning of weights is highly dependent on various parameters such as network architecture (e.g. backpropagation networks, recurrent networks),

degree of training, learning rate, and activation function.

In this study, modeling with Linear Structural Relationships (LISREL) was used to determine the complex causal relationships among factors based on a large number of cases. This approach can validate the signi®cance of causal links. Simultaneous causa-tion among observed variables can also be investi-gated using LISREL [3,18].

An FCM was ®rst built to aid the design of EDI controls by representing how the state of one mode of controls affects that of others. The interrelationships among seven components are modeled using struc-tural equations. The latent variables in the paths represent factors; the relationships among them can be determined after LISREL estimates the standar-dized causal relation. These estimates are then mapped into values ranging fromÿ1 to 1. The overall ®t of the model can be assessed by generating ®tness indices among them the chi-square statistics.

A path diagram for a structural model is shown in Fig. 1. It communicates the basic ideas of the research model, and represents corresponding algebraic equa-tions of the model. The causal relaequa-tionships of the three controls are related to performance through theories of organizational controls and innovation. It

is suggested that formal controls be established ®rst to affect other controls. Informal and automated controls affect each other. Further, there are collective effects of multiple controls that implies that their combination increases performance.

Latent variables are enclosed in circles or ellipses, following the notation suggested by JoÈreskog and Sorbom. A one-way arrow between two variables indicates a hypothesized direct effect.

Structured interviews were used as the primary method of data collection. One or two EDI managers participated simultaneously; they were assumed to know enough about EDI implementation. Any unan-swered questions were passed to colleagues having suf®cient knowledge. The data were gathered as part of a larger investigation concerning EDI controls. The survey instrument was ®rst veri®ed by interviewing EDI practitioners from each ®rm. The wording and interpretation of items, and the extent to which practi-tioners felt they possessed the necessary knowledge to provide appropriate responses were analyzed until a ®nal draft of the questionnaire required only minor revisions. Altogether 10 interviews with practitioners were conducted, and a ®nal review of the question-naire was made by four IS professors.

After validation, the questionnaire was distributed to EDI staff members and a manger. A total of 110 usable responses were returned. A multiple 7-point Likert-type scale was used for each variable of the EDI controls and EDI performance. EDI control measures were newly developed through a synthesis of various sources (e.g. [15,25]) etc. The informal control mea-sures were based on several previous studies including Jaworski et al. EDI performance represents the extent of service improvement and competitiveness achieved through EDI. The measures for these variables are shown in the Appendix A. The unit of analysis were individual EDI-adopting companies.

There are two ways in which an organization can alter the design process of EDI controls: adjustment of internal or external formal controls. Formal controls are policy variables, and performance is measured as value variables; other EDI controls nodes are cognitive variables.

Seven ®t indices suggest a good ®t for the proposed model.c2is 15.7 with 5 degrees of freedom for the unconstrained model.Pvalue is 0.0079. The model's goodness-of-®t index is 0.96; this measures the

rela-tive amount of variables and covariances jointly accounted for by the model. The adjusted-goodness-of-®t is 0.80. The root mean square residual is 0.08; this is a measure of the average of the residuals. These measures of overall ®t indicate the explanatory power of the model.

Some paths have only indirect effects and thus no direct link exists. Most of the 30 causal paths among the variables are signi®cant, except those easily iden-ti®ed in Table 1 of the appendix; e.g., from internal informal to external informal controls and to internal automated controls, etc.

Table 2 shows the adjacency matrix, E. The size of each causal effect is normalized there to show unit variances. The adjacency matrix can be derived from the standardized causal effect.

All standardized effects range from ÿ1 to 1. The highest and lowest causal effects are found in the path from external formal controls to external automated controls (0.71), and from external automated controls back to itself (ÿ0.73). Only six of the 20 nonzero effects among different modes of controls are nega-tive, moderately supporting the positive in¯uence of one mode of controls on another, and the effectiveness of the balanced use of three control modes. The negative numbers indicate negative effects between EDI controls.

Table 1

Causal effects among controls and performance

Causal path MLEa_{of causal}

coefficient

Standardized coefficient

t-value

Internal informal controls!internal informal controls Indirect effect ÿ0.71 ÿ0.71 ÿ8.47*** External informal controls!external informal controls Indirect effect ÿ0.63 ÿ0.63 ÿ9.39*** Internal automated controls!internal automated controls Indirect effect ÿ0.62 ÿ0.62 ÿ9.19*** External automated controls!external automated controls Indirect effect ÿ0.73 ÿ0.73 ÿ12.71*** Internal informal controls!external informal controls Indirect effect ÿ0.07 ÿ0.07 ÿ1.23 External informal controls!internal informal controls Indirect effect 0.14 0.14 2.18** Internal automated controls!external automated controls Indirect effect 0.07 0.07 1.44* External automated controls!internal automated controls Indirect effect ÿ0.16 ÿ0.16 ÿ2.14** Internal formal controls!internal informal controls Direct effect (g11) 1.61 1.63 3.92***

Indirect effect ÿ1.12 ÿ1.14 ÿ2.85***

Total effect 0.48 0.49 8.02***

Internal formal controls!external informal controls Direct effect (g21) 0.79 0.80 1.65**

Indirect effect ÿ0.31 ÿ0.32 ÿ0.67

Total effect 0.48 0.49 7.79***

Internal formal controls!internal automated controls Direct effect (g31) ÿ0.44 ÿ0.45 ÿ2.46***

Indirect effect 0.93 0.95 5.23***

Total effect 0.49 0.50 6.80***

Internal formal controls!external automated controls Direct effect (g41) 0.39 0.39 1.03

Indirect effect 0.13 0.13 0.34

Total effect 0.52 0.53 8.54***

External formal controls!internal informal controls Direct effect (g12) 2.06 2.09 4.38***

Indirect effect ÿ1.47 ÿ1.49 ÿ3.20***

Total effect 0.59 0.60 8.97***

External formal controls!external informal controls Direct effect (g22) 0.84 0.85 1.36*

Indirect effect ÿ0.26 ÿ0.26 ÿ0.42

Total effect 0.58 0.59 8.86***

External formal controls!internal automated controls Direct effect (g32) ÿ0.62 ÿ0.63 ÿ3.02***

Indirect effect 1.14 1.16 5.50***

Total effect 0.52 0.53 6.97***

External formal controls!external automated controls Direct effect (g42) 0.54 0.55 1.13

Indirect effect 0.16 0.16 0.33

Total effect 0.69 0.71 11.35***

Internal informal controls!internal automated controls Direct effect (b31) 0.95 0.96 2.07**

Indirect effect ÿ0.75 ÿ0.75 ÿ2.54***

Total effect 0.20 0.21 0.92

Internal informal controls!external automated controls Direct effect (b41) 1.02 1.02 2.80***

Indirect effect ÿ0.67 ÿ0.68 ÿ2.03**

Total effect 0.34 0.35 4.94***

External informal controls!internal automated controls Direct effect (b32) 0.98 0.98 2.94***

Indirect effect ÿ0.49 ÿ0.49 ÿ1.87**

Total effect 0.50 0.50 4.97***

External informal controls!external automated controls Direct effect (b42) ÿ0.76 ÿ0.76 ÿ1.64*

Indirect effect 0.62 0.63 1.93**

Total effect ÿ0.14 ÿ0.14 ÿ0.81

Internal automated controls!internal informal controls Direct effect (b13) ÿ0.25 ÿ0.25 ÿ0.40

Indirect effect 0.02 0.02 0.03

Total effect ÿ0.23 ÿ0.23 ÿ1.32*

Internal automated controls!external informal controls Direct effect (b23) ÿ1.14 ÿ1.14 ÿ6.05***

Indirect effect 0.74 0.74 4.67***

Total effect ÿ0.40 ÿ0.40 ÿ3.25***

External automated controls!internal informal controls Direct effect (b14) ÿ1.94 ÿ1.93 ÿ3.10***

Indirect effect 1.45 1.44 2.74***

6. Example of FCM application

The direction and strength of cause and effect linkages were identi®ed using a number of cases representing the state of controls. However, this result does not show that the FCM is of value. It is necessary to assess the impact of positive and negative causal-ities when stimuli are exerted on one or more ele-ments. The objective of the application is to illustrate the recommendation of EDI controls that result in the highest EDI performance. The adjacency matrix

shows that the enhancement of some control modes causes an effect on other controls and performance.

`What-if' questions are answered by entering an input vector that, multiplied by the adjacency matrix produces an ordered list of consequences and diag-noses. The value of each element of the input vector can be 1 or 0. A number of hypothetical situations can be provided regarding the state of formal, informal, and automated controls. There are seven combinations of input, depending on whether each state of three controls is activated Table 3.

Table 1 (Continued)

Causal path MLEa_{of causal}

coefficient

Standardized coefficient

t-value

External automated controls!external informal controls Direct effect (b24) 0.48 0.48 0.60

Indirect effect ÿ0.17 ÿ0.17 ÿ0.27

Total effect 0.31 0.31 1.63*

Internal formal controls!performance Direct effect (g51) 0.31 0.27 0.64

Indirect effect 0.08 0.07 0.20

Total effect 0.40 0.34 4.08***

External formal controls!performance Direct effect (g52) 0.29 0.25 0.50

Indirect effect 0.11 0.10 0.21

Total effect 0.41 0.35 4.17***

Internal informal controls!performance Direct effect (b51) 0.11 0.09 0.43

Indirect effect ÿ0.04 ÿ0.03 0.26

Total effect 0.07 0.06 0.33

External informal controls!performance Direct effect (b52) ÿ0.03 ÿ0.02 ÿ0.13

Indirect effect ÿ0.01 0.00 ÿ0.03

Total effect ÿ0.03 ÿ0.03 ÿ0.26

Internal automated controls!performance Direct effect (b53) ÿ0.04 ÿ0.04 ÿ0.23

Indirect effect 0.02 0.02 0.12

Total effect ÿ0.02 ÿ0.02 ÿ0.17

External automated controls!performance Direct effect(b54) 0.13 0.11 0.31

Indirect effect ÿ0.15 ÿ0.13 0.41

Total effect ÿ0.02 ÿ0.02 ÿ0.16

a_{(MLE: Maximum Likelihood Estimate) *p< 0.1, **p< 0.05, ***p< 0.01.}

Table 2

The adjacency matrix representing fuzzy cognitive map

Effect cause Internal

formal controls

External formal controls

Internal informal controls

External informal controls

Internal automated controls

External automated controls

Performance

Internal formal controls 0 0 0.49 0.49 0.50 0.53 0.34

External formal controls 0 0 0.60 0.59 0.53 0.71 0.35

Internal informal controls 0 0 ÿ0.71 ÿ0.07 0.21 0.35 0.06

External informal controls 0 0 0.14 ÿ0.63 0.50 ÿ0.14 ÿ0.03

Internal automated controls 0 0 ÿ0.23 ÿ0.40 ÿ0.62 0.07 ÿ0.02

External automated controls 0 0 ÿ0.48 0.31 ÿ0.16 ÿ0.73 ÿ0.02

Table 3

The state of input and output values for FCM the case that has the highest performance in the stage n1: internal formal controls, n2: external formal controls, n3: internal informal controls, n4: external informal controls, n5: internal automated controls, n6: external automated controls, n7: performance

Case Squared difference from previous stages

n1 n2 n3 n4 n5 n6 n7

Stage 0 Case 1 ± 1 1 0 0 0 0 0

(Input case) Case 2 ± 0 0 1 1 0 0 0

Case 3 ± 0 0 0 0 1 1 0

Case 4 ± 1 1 1 1 0 0 0

Case $5 ± 0 0 1 1 1 1 0

Case 6 ± 1 1 0 0 1 1 0

Case 7 ± 1 1 1 1 1 1 0

Stage1 Case 1 7.41 0 0 1.09 1.08 1.02 1.23 0.70

Case 2 5.91 0 0 ÿ0.57 ÿ0.70 0.70 0.21 0.03

Case 3 6.42 0 0 ÿ0.71 ÿ0.09 ÿ0.77 ÿ0.66 ÿ0.03

Case 4* 8.21 0 0 0.52 0.38 1.73 1.44 0.73

Case $5 11.71 0 0 ÿ1.29 ÿ0.80 ÿ0.07 ÿ0.45 0.00

Case 6 4.30 0 0 0.38 0.98 0.25 0.57 0.67

Case 7 4.48 0 0 ÿ0.20 0.28 0.95 0.78 0.69

Stage 2 Case 1* 15.01 0 0 ÿ1.46 ÿ0.79 ÿ0.07 ÿ0.60 0.00

Case 2 4.17 0 0 0.05 0.27 ÿ0.93 ÿ0.20 ÿ0.03

Case 3 5.08 0 0 0.99 0.22 0.39 0.19 ÿ0.02

Case 4 17.56 0 0 ÿ1.41 ÿ0.52 ÿ1.00 ÿ0.80 ÿ0.03

Case $5 7.47 0 0 1.04 0.48 ÿ0.54 ÿ0.01 ÿ0.04

Case 6 4.57 0 0 ÿ0.47 ÿ0.57 0.32 ÿ0.41 ÿ0.02

Case 7 5.33 0 0 ÿ0.42 ÿ0.31 ÿ0.61 ÿ0.61 ÿ0.05

Stage 3 Case 1 9.41 0 0 1.24 0.44 ÿ0.55 0.04 ÿ0.05

Case 2 2.99 0 0 0.32 0.14 0.75 0.06 0.01

Case 3 3.83 0 0 ÿ0.86 ÿ0.30 0.04 0.20 0.04

Case 4 12.23 0 0 1.55 0.58 0.20 0.10 ÿ0.04

Case $5* 4.80 0 0 ÿ0.55 ÿ0.16 0.79 0.26 0.06

Case 6 2.32 0 0 0.37 0.14 ÿ0.51 0.24 ÿ0.01

Case 7 3.12 0 0 0.69 0.28 0.24 0.30 0.00

Stage 4 Case 1 6.06 0 0 ÿ0.71 ÿ0.13 0.81 0.30 0.07

Case 2 2.00 0 0 ÿ0.41 ÿ0.39 ÿ0.34 0.10 0.00

Case 3 2.67 0 0 0.47 0.30 ÿ0.38 ÿ0.40 ÿ0.05

Case 4* 8.53 0 0 ÿ1.12 ÿ0.52 0.47 0.40 0.07

Case $5 2.99 0 0 0.06 ÿ0.10 ÿ0.72 ÿ0.30 ÿ0.04

Case 6 1.38 0 0 ÿ0.24 0.17 0.43 ÿ0.10 0.02

Case 7 2.17 0 0 ÿ0.65 ÿ0.23 0.09 0.00 0.02

Stage5 Case 1 3.70 0 0 0.16 ÿ0.10 ÿ0.76 ÿ0.39 ÿ0.06

Case 2 1.30 0 0 0.27 0.44 ÿ0.09 ÿ0.18 ÿ0.01

Case 3* 1.94 0 0 ÿ0.01 ÿ0.19 0.54 0.38 0.03

Case 4 5.82 0 0 0.43 0.34 ÿ0.84 ÿ0.57 ÿ0.06

Case $5 1.82 0 0 0.26 0.25 0.46 0.20 0.02

Case 6 0.78 0 0 0.15 ÿ0.29 ÿ0.21 0.00 ÿ0.02

Case 7 1.47 0 0 0.42 0.15 ÿ0.30 ÿ0.19 ÿ0.03

Stage 6 Case 1 2.21 0 0 0.23 0.24 0.51 0.30 0.03

Case 2 0.98 0 0 ÿ0.02 ÿ0.32 0.36 0.16 0.01

Case 3 1.58 0 0 ÿ0.33 0.02 ÿ0.49 ÿ0.22 ÿ0.01

Case 4* 4.22 0 0 0.21 ÿ0.08 0.87 0.46 0.04

Case $5 1.10 0 0 ÿ0.35 ÿ0.30 ÿ0.14 ÿ0.06 0.00

Case 6 0.42 0 0 ÿ0.09 0.26 0.02 0.08 0.02

As an example, the effect of enhancing the strength of formal controls on all the other controls can be tested by setting the ®rst and second concept node (node for internal and external formal controls) in an input vector to 1:

C1 (1 1 0 0 0 0 0)

This results in the output:

C1E (0 0 1.09 1.08 1.02 1.23 0.70) C2where the

level of performance is 0.7, showing that enhancing some EDI controls improves EDI performance. How-ever, it is necessary to ®nd the input vector that leads to highest performance by iteration.

The states of controls suggested are not stable. The set of output vectors may indicate a repeating pattern, whose cycle may vary. However, the size of the difference between one stage and the previous one becomes smaller as the number of multiplication increases. The square difference between the two stages is de®ned as:

Diˆ

X7

iˆ1

Ci;jÿCiÿ1;j

ÿ 2

whereCij is the state of jth controls in stagei. The

squared differences for each state of seven controls are shown in Table 3. They become smaller after stage 2 for all the controls, which shows the convergence of the absolute relative state of controls.

The evolution of the state of controls can be seen as a natural sequence of time, and indicates the possibi-lity of future performance change. EDI auditors can search for the most desirable state of controls leading to the highest performance. For example, cases result-ing in the highest performance are: 4, 1, 5, 4, 3, 4, and 2. Cases 1, 5, 3 and 3 must be focused in stages 2, 3, 5, and 7. Input Case 4 is superior to the other cases, as it leads to the highest performance in three of seven

stages while the other cases result in the highest performance only once. This suggests that Korean EDI auditors should strengthen formal and informal controls in order to make the system more successful.

7. Conclusions

FCMs are fuzzy-graph structures for representing causal reasoning. Their fuzziness can allow the repre-sentation of hazy degrees of causality between various control components. Their graph structure enables systematic causal propagation, in particular forward and backward chaining. FCM was developed to sup-port EDI auditors in discovering the most effective controls. The causal reasoning process of EDI practi-tioners is inevitably subject to human cognitive lim-itations and bias. Furthermore, their memories are variable and ®nite. They cannot be completely con-sistent in searching for relevant experiences, interpret-ing them, and applyinterpret-ing them to problem solvinterpret-ing. high priority controls can be determined through fuzzy cognitive mapping. EDI auditors can obtain an idea of the desirable state of controls by reviewing controls that lead to high performance.

The causal relations among variables and the rela-tive explanatory power of such relationships are derived from a statistical approach rather than by integrating different FCMs. The structural equation modeling approach is used to derive causal relation-ships among controls. It is dif®cult for EDI staff members to predict causal relations among a number of control components. However, it is much easier for them to estimate the state of each part of a control. This approach will enhance the quality of decision making in the investment of IS resources and estab-lishing controls.

Table 3 (Continued)

Case Squared difference from previous stages

n1 n2 n3 n4 n5 n6 n7

Stage7 Case 1 1.35 0 0 ÿ0.40 ÿ0.28 ÿ0.20 ÿ0.13 ÿ0.01

Case 2* 0.84 0 0 ÿ0.19 0.11 ÿ0.41 ÿ0.06 0.00

Case 3 1.28 0 0 0.46 0.14 0.28 0.01 ÿ0.01

Case 4 3.23 0 0 ÿ0.58 ÿ0.17 ÿ0.61 ÿ0.19 ÿ0.01

Case $5 0.69 0 0 0.27 0.25 ÿ0.13 ÿ0.05 ÿ0.01

Case 6 0.23 0 0 0.06 ÿ0.14 0.08 ÿ0.12 ÿ0.01

In this paper, we have provided an example that illustrates the causal reasoning process of control design. The set of controls having high values across the entire network may be suggested as the most desirable control set. The performance resulting from implementation of controls can also be suggested. EDI auditors can thus recognize the value of one control component as it relates to the values of others, allowing control designers to identify each pertinent control component, as well as to develop a more accurate model of EDI controls. EDI auditors can support their decision as to the initial state of controls for the highest future state of performance.

Appendix A. Questionnaire

A.1. EDI Controls

Respondents answer the extent to which they agree or disagree with each statement about controls. The seven-point Likert type scales are used. Select the representative Value Added Network (VAN) Service your company uses the most. If your company does not use VAN, skip the questions about VAN.

A.1.1. Internal formal controls

1. Systems are changed only through authorization from the responsible managers.

2. Integrity check of messages is strictly performed before the messages are processed in the applica-tion.

3. Audit trails of transactions are always maintained for correction of errors and contingency planning. 4. System login is appropriately controlled by access

control procedures such as passwords.

5. EDI messages are checked for duplication, omis-sion or inaccuracy after they are generated and before transmitting the messages.

6. The sender, receiver, and contents of EDI messages are appropriately authenticated after the messages are generated or received.

A.1.2. External formal controls

1. VAN service providers have an appropriate contingency plan for network failures.

2. The representative trading partner has an appro-priate contingency plan for network failures. 3. VAN service providers retransmit messages

if the messages are omitted, duplicated, or inac-curate.

4. The representative trading partner retransmits messages if they are omitted, duplicated, or inac-curate.

5. VAN service provider maintains audit trails for recovery of inaccurate messages.

6. The representative trading partner maintains audit trails for the recovery of inaccurate messages. 7. VAN service provider controls unauthorized

access and dial login to network.

8. The representative trading partner controls un-authorized access and dial login to network. 9. VAN service provider controls unauthorized

access to mailbox by internal staff.

A.1.3. Internal informal controls

1. EDI staff clearly recognizes the risks of the possible propagation of errors from one system to another.

2. Users who process EDI messages clearly recog-nize the risks of possible propagation of errors from one system to another.

3. EDI staff clearly recognizes the importance of their responsibility for the performance of EDI system.

4. Users who process EDI messages clearly recog-nize the importance of their responsibility for the performance of EDI system.

5. EDI staff can evaluate tasks of colleagues to see whether they are incorrect.

6. Users who process EDI messages can evaluate tasks of colleagues to see whether they are incorrect.

7. EDI staff can cope with errors in EDI messages using their own experience.

8. Users who process EDI messages can cope with errors in EDI messages using their own experi-ence.

9. EDI staff frequently cooperates with colleagues to assist in correcting errors.

A.1.4. External informal controls

1. EDI staff clearly recognizes that errors of the VAN can seriously affect our system.

2. EDI staff clearly recognizes that errors of the system of the representative trading partner can seriously affect our system.

3. EDI staff clearly recognizes that the active participation of the VAN service provider is necessary for successful EDI implementation. 4. EDI staff clearly recognizes that the active

participation of the representative trading part-ner is necessary for successful EDI implemen-tation.

5. EDI staff has extensive experience in successfully processing errors with the cooperation of the VAN service provider.

6. EDI staff has extensive experience in processing errors successfully with the cooperation of the representative trading partner.

7. EDI staff knows which items among contracts with the VAN service provider should be applied in communicating messages strictly.

8. EDI staff knows through experience which items among contracts with the representative trading partner should be strictly applied in communicat-ing messages.

9. EDI staff processes their tasks by actively communicating information to their counterparts in the VAN service provider.

10. EDI staff processes their tasks by actively communicating information to their counterparts in the representative trading partner.

A.1.5. Internal automated controls

1. Automated integrity check of data ®elds is performed using embedded software before re-ceived messages are processed in internal applica-tions.

2. Access to sensitive files and programs is effectively controlled using access controls soft-ware.

3. Embedded software is effectively used to auto-matically check accuracy of messages received. 4. Automated authentication procedures effectively

ascertain the identity of sources or destination before sending and after receiving messages.

A.1.6. External automated controls

1. The VAN service provider automatically records messages for the correction of errors and retrans-mission of corrected messages.

2. The representative trading partner automatically records messages for the correction of errors and retransmission of corrected messages.

3. The VAN service provider automatically tracks and reports the status of message communication. 4. The representative trading partner automatically tracks and reports the status of message commu-nication.

5. The VAN service provider attaches message identification codes or digital signatures to effectively authenticate the messages.

6. The representative trading partner attaches mes-sage identification codes or digital signatures to effectively authenticate the messages.

7. The VAN service provider supports connections with diverse environment through various protocol conversion services.

8. The VAN service provider supports connections with diverse environments through providing various message standards.

A.2. EDI performance

Respondents answer the extent to which they agree or disagree with each statement about controls. The seven-point Likert type scales are used. Select the representative trading partner with which your com-pany has the largest volume of transactions.

1. Relations with the representative trading partner are greatly improved through reduced response time after adopting EDI.

2. Our company maintains improved relations with the representative trading partner by reducing delay from errors.

3. Our company improved trust in relations with the representative trading partner by enhancing con-fidentiality of documents

4. Relations with the representative trading partner are greatly improved by reducing omission and inaccurate transmission.

6. The efficiency of interdepartmental transaction processing is greatly increased.

7. Accuracy is greatly improved by reduced paper-work.

8. Transaction processing costs are greatly reduce after adopting EDI.

References

[1] R. Anthony, The Management Control Function, Harvard Business School Press, Boston, MA, 1988.

[2] R. Axelrod, Structure of Decision: the Cognitive Maps of Political Elites, Princeton University, Press, Princeton, NJ, 1976.

[3] H.M. Blalock, Theory Construction: from Verbal to Mathe-matical Formulations. Prentice-Hall, Englewood Cliffs, NJ, 1969.

[4] J.R. Burns, W.H. Winstead, M-labeled digraphs: an aid to the use of structural and simulation models, Management Science 21(3) (1985), pp. 343±358.

[5] J.R. Burns, W.H. Winstead, D.A. Haworth, Semantic nets as paradigms for both causal and judgmental knowledge representation, IEEE Transactions on Systems, Man, and Cybernetics 19(1) (1989), pp. 58±67.

[6] M. Caudill, Using neural nets: fuzzy cognitive maps, AI Expert, 1990, 49-53.

[7] S. Chan, M. Govindan, J.Y. Picard, E. Leschiutta, EDI for Managers and Auditors, Electronic Data Interchange Council of Canada, Toronto, Ontario, 1991.

[8] P. Deng, Automatic knowledge acquisition and refinement for decision support: A connectionist inductive inference model, Decision Sciences 24(2) (1993), pp. 371±393.

[9] C. Eden, S. Jones, D. Sims, Thinking in Organizations, Macmillian Press, London, England, 1979.

[10] J. Frank, B. Shamir, W. Briggs, Security-related behavior of PC users in organizations, Information Management 21 (1991), pp. 127±135.

[11] L.W. Glorfeld, A methodology for simplification and interpretation of backpropagation-based neural network models, Expert Systems with Applications 10(1) (1996), pp. 37±54.

[12] K. Gotoh, J. Murakami, T. Yamaguchi, Y. Yamanaka, Application of fuzzy cognitive maps to supporting for plant control, SICE Joint Symposium of 15th Systems Symposium and 10th knowledge Engineering Symposium, 1989, pp. 99± 104.

[13] J.V. Hansen, J.B. McDonald, J.D. Stice, Artificial intelligence and generalized qualitative-response models: An empirical test on two audit decision-making domains, Decision Sciences 23(3) (1992), pp. 704±723.

[14] A. Hopwood, An empirical study of the role accounting data in performance evaluation. Empirical Research in Account-ing: Selected Studies, supplement to Journal of Accounting Research 10 (1972) 156-182.

[15] ISACA. EDI Control Guide, EDI Council of Australia, Information Systems Audit and Control Association, Sydney Chapter, 1990.

[16] R. Jamieson, EDI: An Audit Approach, The EDP Auditors Foundation, Rolling Meadows, IL, 1994.

[17] J.B. Jaworski, V. Stathakopoulos, H.S. Krishnan, Control combinations in marketing: Conceptual framework and empirical evidence, Journal of Marketing 57 (1993), pp. 57±69.

[18] K.G. Joreskog, D. Sorbom, LISREL 7: A Guide to the Program and Applications, 2nd ed., SPSS, 1989.

[19] J.H. Kim, J. Pearl, CONVINCE: A conversational inference consolidation engine, IEEE Transactions on Systems Man and Cybernetics SMC-17(2) (1987) 120-133.

[20] J.H. Klein, D.F. Cooper, Cognitive maps of decision-makers in a complex game, Journal of the Operational Research Society 33 (1982), pp. 63±71.

[21] B. Kosko, Fuzzy cognitive maps, International Journal of Man-Machine Studies 24 (1986), pp. 65±75.

[22] K. Lee, H. Kim, A fuzzy cognitive map-based bi-directional inference mechanism: an application to stock investment analysis, International Journal of Intelligent Systems in Accounting, Finance and Management 6 (1997), pp. 41±57. [23] S. Lee, I. Han, H. Kym, The impact of EDI controls on EDI

implementation, International Journal of Electronic Com-merce 2(4) (1998), pp. 71±98.

[24] C.G. Looney, A.A. Alfize, Logical controls via boolean rule matrix transformations, IEEE Transactions on Systems, Man, and Cybernetics SMC 17(6) (1987), pp. 1077±1082. [25] J.A. Marcella, S. Chan, EDI Security, Control, and Audit,

Artech House, Norwood, MA, 1993.

[26] A.R. Montazemi, D.W. Conrath, The use of cognitive mapping for information requirement analysis, MIS Quarterly 10(1) (1986), pp. 45±56.

[27] K.S. Park, S.H. Kim, Fuzzy cognitive maps considering time relationships, International Journal of Human-Computer Studies 42 (1995), pp. 157±168.

[28] D.B. Parker, A guide to selecting and implementing security controls, Information Systems Management, 1994, pp. 75± 86.

[29] J. Pearl, propagation and structuring in belief networks, Artificial Intelligence 29 (1986), pp. 241±288.

[30] M.A. Styblinski, B.D. Meyer, Fuzzy cognitive maps, signal flow graphs, and qualitative circuit analysis, Proceedings of the 2nd IEEE International Conference on Neural Networks (ICNN-87), 2, 1988, pp. 549±556.

[31] W.R. Taber, Knowledge processing with fuzzy cognitive maps, Expert Systems with Applications 2(1) (1991), pp. 83± 87.

[32] Y. Yoon, R. Brobst, P. Bergstresser, L. Peterson, A desktop neural network for dermatology diagnosis, Journal of Neural Network Computing 1(1) (1989), pp. 43±54.

[33] Y. Yoon, T. Guimaraes, G. Swales, Integrating artificial neural networks with rule-based expert systems, Decision Support Systems 11 (1994), pp. 497±507.

[35] W. Zhang, S. Chen, A logical architecture for cognitive maps, Proceedings of the 2nd IEEE Conference on Neural Networks (ICNN-88), 1, 1988, pp. 231±238.

Sangjae Leeis a researcher at Techno-Management Research Institute in Korea Advanced Institute of Science and Tech-nology. He received Ph.D. in Manage-ment Information Systems from the Graduate School of Management, Korea Advanced Institute of Science and Tech-nology. He is a certified information systems auditor (CISA). His research papers are forthcoming or published in Telecommunication Systems, Information Resources Management Journal, International Journal of Electronic Commerce, International Journal of Intelligent Systems in Account-ing, Finance and Management, etc. His research interests include electronic data interchange, information systems control and audit.