After a period of little regulation, many companies are now facing a growing number and an increasing complexity of new laws, regulations, and standards. This has a huge impact on how organizations conduct their daily business and involves various changes in organizational and governance structures, software systems and data flows as well as corporate culture, organizational power and communication. We argue that the implementation of a holistic compliance cannot be divided into isolated projects, but instead requires a thorough analysis of relevant components as well as an integrated design of the very same. This paper examines the state-of-the-art of compliance research in the field of information systems (IS) by means of a comprehensive literature analysis. For the systemization of our results we apply a holistic framework for enterprise analysis and design. The framework allows us to both point out “focus areas” as well as “less travelled roads” and derive a future research agenda for compliance research.


compliance regulations information systems research literature analysis 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Aier, S., Kurpjuweit, S., Saat, J., Winter, R.: Business Engineering Navigator – A Business to IT Approach to Enterprise Architecture Management. In: Bernard, S., Doucet, G., Gøtze, J., Saha, P. (eds.) Coherency Management – Architecting the Enterprise for Alignment, Agility, and Assurance Ed. (2009)Google Scholar
  2. 2.
    Braganza, A., Desouza, K.C.: Implementing Section 404 of the Sarbanes Oxley Act: Recommendations for Information Systems Organizations. Communications of the Association for Information Systems 18, 464–487 (2006)Google Scholar
  3. 3.
    Braganza, A., Franken, A.: SOX, Compliance, and Power Relationships. Communications of the ACM 50(9), 97–102 (2007)CrossRefGoogle Scholar
  4. 4.
    Braganza, A., Hackney, R.: Diffusing Management Information for Legal Compliance: the Role of the IS Organization within the Sarbanes-Oxley Act. Journal of Organizational and End User Computing 20, 1–24 (2008)CrossRefGoogle Scholar
  5. 5.
    Breaux, T.D., Antón, A.I.: Analyzing Regulatory Rules for Privacy and Security Requirements. IEEE Transactions on Software Engineering 34(1), 5–20 (2008)CrossRefGoogle Scholar
  6. 6.
    Brown, A.E., Grant, G.G.: Framing the Frameworks: A Review of IT Governance Research. Communications of the Association for Information Systems 15, 696–712 (2005)Google Scholar
  7. 7.
    Butler, T., McGovern, D.: Adoption IT to Manage Compliance and Risks: An Institutional Perspective. In: Proceedings of the 16th European Conference on Information Systems (ECIS), Galway, Ireland, pp. 1034–1045 (2008)Google Scholar
  8. 8.
    Coglianese, C.: Information Technology and Regulatory Policy: New Directions for Digital Government Research. Social Science Computer Review 22(1), 85–91 (2004)CrossRefGoogle Scholar
  9. 9.
    Cooper, H.M.: Organizing knowledge syntheses: A taxonomy of literature reviews. Knowledge in Society 1, 104–126 (1988)Google Scholar
  10. 10.
    Currie, W.: Institutionalization of IT Compliance: A Longitudinal Study. In: Proceedings of the 29th International Conference on Information Systems (ICIS), Paris, France (2008)Google Scholar
  11. 11.
    Fisher, J., Harindranath, G.: Regulation as a barrier to electronic commerce in Europe: the case of the European fund management industry. European Journal of Information Systems 13, 260–272 (2004)CrossRefGoogle Scholar
  12. 12.
    Goldschmidt, P.: Managing the false alarms: A framework for assurance and verification of surveillance monitoring. Information Systems Frontiers 9(5), 541–556 (2007)CrossRefGoogle Scholar
  13. 13.
    Hall, J.A., Liedtka, S.L., Gupta, P., Liedtka, J., Tompkins, S.: The Sarbanes-Oxley Act: Implications for Large-Scale IT-Outsourcing. Communications of the ACM 50(3), 95–100 (2007)CrossRefGoogle Scholar
  14. 14.
    Hu, Q., Hart, P., Cooke, D.: The Role of External and Internal Influences on Information Systems Security – A Neo-Institutional Perspective. Journal of Strategic Information Systems 16, 153–172 (2007)CrossRefGoogle Scholar
  15. 15.
    IEEE: IEEE Recommended Practice for Architectural Description of Software Intensive Systems (IEEE Std 1471-2000). IEEE Computer Society, New York (2000)Google Scholar
  16. 16.
    Kim, H.M., Fox, M.S., Sengupta, A.: How To Build Enterprise Data Models To Achieve Compliance To Standards Or Regulatory Requirements (and share data). Journal of the Association of Information Systems 8(2), 105–128 (2007)Google Scholar
  17. 17.
    Ma, Q., Pearson, J.M.: ISO 17799: Best Practices in Information Security Management? Communications of the Association for Information Systems 15, 577–591 (2005)Google Scholar
  18. 18.
    Matsuura, J.H.: An Overview of Leading Current Legal Issues Affecting Information Technology Professionals. Information Systems Frontiers 6(2), 153–160 (2004)CrossRefGoogle Scholar
  19. 19.
    Merhout, J.W., Havelka, D.: Information Technology Auditing: A Value-Added IT Governance Partnership between IT Management and Audit. Communications of the Association for Information Systems 23, 463–482 (2008)Google Scholar
  20. 20.
    Mishra, S., Weistroffer, H.R.: A Framework for Integrating Sarbanes-Oxley Compliance into the Systems Development Process. Communications of the Association for Information Systems 20, 712–727 (2007)Google Scholar
  21. 21.
    Opengroup: TOGAF Enterprise Edition Version 8.1. The Open Group (2003)Google Scholar
  22. 22.
    Österle, H., Winter, R.: Business Engineering - Auf dem Weg zum Unternehmen des Informationszeitalters. In: Österle, H., Winter, R. (eds.) Business Engineering, 2nd edn., pp. 3–19. Springer, Berlin (2003)CrossRefGoogle Scholar
  23. 23.
    Panko, R.R.: Spreadsheets and Sarbanes-Oxley: Regulations, Risks, and Control Frameworks. Communications of the Association for Information Systems 17, 647–676 (2006)Google Scholar
  24. 24.
    Raghupathi, W.R.: Corporate Governance of IT: A Framework for Development. Communications of the ACM 50(8), 94–99 (2007)CrossRefGoogle Scholar
  25. 25.
    Schekkerman, J.: How to Survive in the Jungle of Enterprise Architecture Frameworks: Creating or Choosing an Enterprise Architecture Framework. Trafford Publishing, Victoria (2004)Google Scholar
  26. 26.
    Schwaig, K.S., Kane, G.C., Storey, V.C.: Compliance to the Fair Information Practices: How are the Fortune 500 handling Online Privacy Disclosures? Information & Management 43(7), 805–820 (2006)CrossRefGoogle Scholar
  27. 27.
    Schwerha IV, J.J.: Cybercrime: Legal Standards Governing the Collection of Digital Evidence. Information Systems Frontiers 6(2), 133–151 (2004)CrossRefGoogle Scholar
  28. 28.
    Securities Industry Association, C., Legal, D.: The Role of Compliance. Journal of Investment Compliance 6(3), 4–22 (2005)Google Scholar
  29. 29.
    Setiono, R., Mues, C., Baesens, B.: Risk Management and Regulatory Compliance: A Data Mining Framework Based on Neural Network Rule Extraction. In: Proceedings of the 27th International Conference on Information Systems (ICIS), Paris, France (2006)Google Scholar
  30. 30.
    Smith, H.A., McKeen, J.D.: Developments In Practice XXI: IT in the New World of Corporate Governance Reforms. Communications of the Association for Information Systems 17, 714–727 (2006)Google Scholar
  31. 31.
    Taylor, C.: The Evolution of Compliance. Journal of Investment Compliance 6(4), 54–58 (2005)CrossRefGoogle Scholar
  32. 32.
    Tyler, T., Dienhart, J., Thomas, T.: The Ethical Commitment to Compliance: Buildung Value-Based Cultures. California Management Review 50(2), 31–51 (2008)CrossRefGoogle Scholar
  33. 33.
    Volonino, L., Gessner, G.H., Kermis, G.F.: Holistic Compliance with Sarbanes-Oxley. Communications of the Association for Information Systems 14, 219–233 (2004)Google Scholar
  34. 34.
    Wagner, S., Dittmar, L.: The Unexpected Benefits of Sarbanes-Oxley. Harvard Business Review 84(4), 133–140 (2006)Google Scholar
  35. 35.
    Willcocks, L., Whitley, E.A., Avgerou, C.: The ranking of top IS journals: a perspective from the London School of Economics. European Journal of Information Systems 17, 163–168 (2008)CrossRefGoogle Scholar
  36. 36.
    Winter, R.: Design Science Research in Europe. European Journal of Information Systems 17, 470–475 (2008)CrossRefGoogle Scholar
  37. 37.
    Winter, R., Fischer, R.: Essential Layers, Artifacts, and Dependencies of Enterprise Architecture. In: Society, I.C. (ed.) Proceedings of the EDOC Workshop on Trends in Enterprise Architecture Research (TEAR 2006). IEEE Computer Society, Los Alamitos (2006)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Anne Cleven
    • 1
  • Robert Winter
    • 1
  1. 1.Institute of Information ManagementUniversity of St. GallenSt. GallenSwitzerland

Personalised recommendations