In view of recent business scandals that prompted the Sarbanes-Oxley legislation, there is a greater need for businesses to develop systematic approaches to designing business processes that comply with organizational policies. Moreover, it should be possible to express the policy and relate it to a given process in a descriptive or declarative manner. In this paper we propose role patterns, and show how they can be associated with generic task categories and processes in order to meet standard requirements of internal control principles in businesses. We also show how the patterns can be implemented using built-in constraints in a logic-based language like Prolog. While the role patterns are general, this approach is flexible and extensible because user-defined constraints can also be asserted in order to introduce additional requirements as dictated by business policy. The paper also discusses control requirements of business processes, and explores the interactions between role based access control (RBAC) mechanisms and workflows.