Abstract
Dynamic markets and new technology developments lead to an increasing number of compliance requirements. Thus, affected business processes must be flexible and adaptable. Ensuring business processes compliance (BPC) is traditionally operationalized by means of controls, which can be described as simple target-performance comparisons. Since such controls are not always suitable for achieving BPC, the view is extended by so-called compliance processes. However, the definition and design of appropriate compliance processes for effective BPC depend on a multitude of process characteristics. To address this issue on a general level, we developed a taxonomy for compliance processes consisting of 9 dimensions and 37 characteristics. As a result, the taxonomy allows researchers and practitioners to classify compliance processes according to the state of the art in a formal way. Furthermore, it provides a systematic fundament for greater flexibility, i.e. an ad hoc integration of compliance processes into ongoing business processes to ensure BPC during runtime.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Due to space limitations, we refer to [22] for a detailed explanation of the model.
References
Fdhila, W., Rinderle-Ma, S., Knuplesch, D., Reichert, M.: Change and compliance in collaborative processes. In: 12th IEEE International Conference on Services Computing (SCC 2015), pp. 162–169 (2015)
Sadiq, S., Governatori, G., Namiri, K.: Modeling control objectives for business process compliance. In: Alonso, G., Dadam, P., Rosemann, M. (eds.) BPM 2007. LNCS, vol. 4714, pp. 149–164. Springer, Heidelberg (2007). doi:10.1007/978-3-540-75183-0_12
Teubner, A., Feller, T.: Informationstechnologie, governance und compliance. Wirtsch. Inform. 50, 400–407 (2008)
Schumm, D., Turetken, O., Kokash, N., Elgammal, A., Leymann, F., Heuvel, W.-J.: Business process compliance through reusable units of compliant processes. In: Daniel, F., Facca, F.M. (eds.) ICWE 2010. LNCS, vol. 6385, pp. 325–337. Springer, Heidelberg (2010). doi:10.1007/978-3-642-16985-4_29
Turetken, O., Elgammal, A., van den Heuvel, W.-J., Papazoglou, M.: Enforcing compliance on business processes through the use of patterns. In: 19th ECIS 2011 (2011)
Bagban, K., Nebot, R.: Governance und compliance im cloud computing. HMD 51, 267–283 (2014)
Wallace, L., Lin, H., Cefaratti, M.A.: Information security and sarbanes-oxley compliance: an exploratory study. J. Inf. Syst. 25, 185–211 (2011)
Committee of Sponsoring Organizations of the Treadway Commission (COSO): Internal Control - Integrated Framework. Framework and Appendices (2012)
IT Governance Institute (ITGI): IT Control Objectives for Sarbanes-Oxley, 2nd Edn. (2006)
Beeck, V., Wischermann, B.: Kontrolle. http://wirtschaftslexikon.gabler.de/Definition/kontrolle.html
Pretschner, A., Massacci, F., Hilty, M.: Usage control in service-oriented architectures. In: Lambrinoudakis, C., Pernul, G., Tjoa, A.M. (eds.) TrustBus 2007. LNCS, vol. 4657, pp. 83–93. Springer, Heidelberg (2007). doi:10.1007/978-3-540-74409-2_11
Turetken, O., Elgammal, A., van den Heuvel, W.-J., Papazoglou, M.P.: Capturing compliance requirements: a pattern-based approach. IEEE Softw. 29, 28–36 (2012)
Schultz, M., Radloff, M.: Modeling concepts for internal controls in business processes – an empirically grounded extension of BPMN. In: Sadiq, S., Soffer, P., Völzer, H. (eds.) BPM 2014. LNCS, vol. 8659, pp. 184–199. Springer, Cham (2014). doi:10.1007/978-3-319-10172-9_12
Kittel, K., Sackmann, S., Göser, K.: Flexibility and compliance in workflow systems: the KitCom prototype. In: CAiSE Forum - 25th International Conference on Advanced Information Systems Engineering, pp. 154–160 (2013)
Sackmann, S., Kittel, K.: Flexible workflows and compliance: a solvable contradiction?! In: vom Brocke, J., Schmiedel, T. (eds.) BPM - Driving Innovation in a Digital World. MP, pp. 247–258. Springer, Cham (2015). doi:10.1007/978-3-319-14430-6_16
Kharbili, M., Medeiros, A., Stein, S., van der Aalst, W.M.P.: Business process compliance checking: current state and future challenges. In: MobIS (2008)
van der Aalst, W., van Hee, K., van der Werf, J.M., Kumar, A., Verdonk, M.: Conceptual model for online auditing. Decis. Supp. Syst. 50, 636–647 (2011)
Schonenberg, M.H., Mans, R.S., Russell, N., Mulyar, N., van der Aalst, W.M.P.: Towards a taxonomy of process flexibility (extended version). BPM reports (2007)
Gehrke, N.: The ERP auditlab: a prototypical framework for evaluating enterprise resource planning system assurance. In: 43rd Hawaii International Conference on System Sciences (HICSS) (2010)
IT Governance Institute (ITGI): COBIT 4.1. Frameworks, Control Objectives, Management Guidlines, Maturity Models. Rolling Meadows (2007)
Riesner, M., Pernul, G.: Supporting compliance through enhancing internal control systems by conceptual business process security modeling. In: ACIS 2010 Proceedings (2010)
Seyffarth, T., Kühnel, S., Sackmann, S.: ConFlex: an ontology-based approach for the flexible integration of controls into business processes. In: Multikonferenz Wirtschaftsinformatik (MKWI) 2016, pp. 1341–1352 (2016)
Kühnel, S.: Toward a conceptual model for cost-effective business process compliance. In: Proceedings of the Informatik 2017. Lecture Notes in Informatics (LNI) (2017)
Panko, R.R.: Spreadsheets and Sarbanes-Oxley. Regulations, Risks, and Control Frameworks. Communications of the Association for Information Systems (2006)
Nickerson, R.C., Varshney, U., Muntermann, J.: A method for taxonomy development and its product service in information systems. Eur. J. Inf. Syst. 22, 336–359 (2013)
Vom Brocke, J., Simons, A., Niehaves, B., Riemer, K., Plattfaut, R., Cleven, A.: Reconstructing the giant: on the importance of rigour in documenting the literature search process. In: 17th European Conference on Information Systems, pp. 2206–2217 (2009)
Webster, J., Watson, R.T.: Analyzing the past to prepare for the future: writing a literature review. MIS Quarterly 26, 12–24 (2002)
Gregor, S.: The nature of theory in information systems. MIS Q. 30, 611–642 (2006)
The Institut der Wirtschaftsprüfer in Deutschland e.V. [Institute of Public Auditors in Germany, Incorporated Association] (IDW) (ed.): Principles of Proper Accounting When Using Information Technology. IDW AcP FAIT 1 (2002)
The Institut der Wirtschaftsprüfer in Deutschland e.V. [Institute of Public Auditors in Germany, Incorporated Association] (IDW) (ed.): The Audit of Financial Statements in an Information Technology Environment. IDW AuS 330 (2002)
Tilburg University (ed.): COMPAS. Compliance-driven Models, Languages, and Architectures for Services. http://cordis.europa.eu/docs/projects/cnect/5/215175/080/deliverables/D2-1-State-of-the-art-for-compliance-languages.pdf
German Federal Ministry of Justice and Consumer Protection: Federal Data Protection Act (2009)
Silic, M., Back, A., Silic, D.: Taxonomy of technological risks of open source software in the enterprise adoption context. Inf. Comput. Secur. 23, 570–583 (2015)
Hevner, A.R., March, S.T., Park, J., Ram, S.: Design science in information systems research. MIS Q. 28, 75–105 (2004)
Mwilu, O.S., Prat, N., Comyn-Wattiau, I.: Taxonomy development for complex emerging technologies. The case of business intelligence and analytics on the cloud. In: 19th Pacific Asia Conference on Information Systems (PACIS 2015), pp. 1–16 (2015)
Glaser, F., Bezzenberger, L.: Beyond cryptocurrencies: a taxonomy of decentralized consensus systems. In: Proceedings of the ECIS (2015)
Namiri, K., Stojanovic, N.: Pattern-based design and validation of business process compliance. In: Meersman, R., Tari, Z. (eds.) OTM 2007. LNCS, vol. 4803, pp. 59–76. Springer, Heidelberg (2007). doi:10.1007/978-3-540-76848-7_6
ISACA (ed.): COBIT 5: A Business Framework for the Governance and Management of Enterprise IT. ISACA, Rolling Meadows (2012)
The Institute of Internal Auditors (IIA): SARBANES-OXLEY SECTION 404. A Guide for Management by Internal Controls Practitioners (2008)
The Institute of Internal Auditors (IIA): Global Technology Audit Guide (GTAG) 1. Information Technology Risk and Controls (2012)
The International Federation of Accountants (IFAC): ISA 315. Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment (2009)
Public Company Accounting Oversight Board (PCAOB): Auditing Standard No. 5. An Audit of Internal Control Over Financial Reporting That is Integrated with an Audit of Financial Statements (2007)
Weigand, H., van den Heuvel, W.-J., Hiel, M.: Business policy compliance in service-oriented systems. Inf. Syst. 36, 791–807 (2011)
Ramezani, E., Fahland, D., Aalst, W.M.P.: Where did i misbehave? Diagnostic information in compliance checking. In: Barros, A., Gal, A., Kindler, E. (eds.) BPM 2012. LNCS, vol. 7481, pp. 262–278. Springer, Heidelberg (2012). doi:10.1007/978-3-642-32885-5_21
Schäfer, T., Fettke, P., Loos, P.: Control patterns: bridging the gap between is controls and BPM. In: Proceedings of the 21st European Conference on Information Systems (ECIS), pp. 88–100 (2013)
Bellino, C., Wells, J., Hunt, S.: Auditing Application Controls. IIA, Altamonte Springs (2007)
German Federal Financial Supervisory Authority: Banking Act of the Federal Republic of Germany (Kreditwesengesetz, KWG). KWG (2016)
Pries-Heje, J., Baskerville, R., Venable, J.R.: Strategies for design science research evaluation. In: ECIS 2008 Proceedings (2008)
Sonnenberg, C., Brocke, J.: Evaluations in the science of the artificial – reconsidering the build-evaluate pattern in design science research. In: Peffers, K., Rothenberger, M., Kuechler, B. (eds.) DESRIST 2012. LNCS, vol. 7286, pp. 381–397. Springer, Heidelberg (2012). doi:10.1007/978-3-642-29863-9_28
Tremblay, M.C., Hevner, A.R., Berndt, D.J.: Focus Groups for Artifact Refinement and Evaluation in Design Research. Communications of the Association for Information Systems 26 (2010)
Namiri, K.: Model-Driven Management of Internal Controls for Business Process Compliance. Karlsruhe (2008)
OMG (ed.): Business Process Model and Notation (BPMN). http://www.omg.org/spec/BPMN/2.0/PDF/
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Seyffarth, T., Kühnel, S., Sackmann, S. (2017). A Taxonomy of Compliance Processes for Business Process Compliance. In: Carmona, J., Engels, G., Kumar, A. (eds) Business Process Management Forum. BPM 2017. Lecture Notes in Business Information Processing, vol 297. Springer, Cham. https://doi.org/10.1007/978-3-319-65015-9_5
Download citation
DOI: https://doi.org/10.1007/978-3-319-65015-9_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-65014-2
Online ISBN: 978-3-319-65015-9
eBook Packages: Business and ManagementBusiness and Management (R0)