Business Control Management – A Discipline to Ensure Regulatory Compliance of SOA Applications
The success of today’s business operations depends largely on the ability to react to changing factors of influence. With the increasing distribution and heterogeneity of enterprise applications, the challenge is to gain and sustain oversight and to manage the different aspects of business operations systematically. Many disciplines and best practices have been established: On the infrastructure level, Service oriented architectures provide a common base to compose distributed applications. On the operational level, business process management provides high level visibility of end-to-end transactions. On the information level, master data management aggregates and consolidates data throughout the organization. There is, however, an aspect that is becoming more and more relevant but still lacks a proper discipline: Regulatory compliance of business operations. The pressure to prove compliance with legal obligations and industry wide requirements has risen tremendously in recent years – and in light of the ongoing economic crises it is likely to rise further. To address this gap, this paper presents a systematic development method to define, deploy and monitor business controls across a distributed enterprise application. First, we establish a repository of obligations that keeps track of the dependencies between processes, data, applications, and regulations. Second, we define and deploy operational controls as a set of services to gather, classify and correlate information. Finally, we provide end-to-end visibility of the business transactions for monitoring and reporting.
KeywordsRegulatory compliance CMS Continuous assurance Provenance
Unable to display preview. Download preview PDF.
- 1.Curbera, F., Doganata, Y., Martens, A., Mukhi, N., Slominski, A.: Business Provenance - A Technology to Increase Traceability of End-to-End Operations. In: Proceedings of Coopis 2008. LNCS, vol. 5331. Springer, Heidelberg (2008)Google Scholar
- 2.Committee of Sponsoring Organizations of the Treadway Commission:Enterprise Risk Management – Integrated Framework (2004), www.coso.org
- 3.Agrawal, R., Johnson, C., Kiernan, J., Leymann, F.: Taming Compliance with Sarbanes-Oxley Internal Controls Using Database Technology. In: Proceedings of the 22nd Conference on Data Engineering, ICDE. IEEE Computer Society, Washington, DC (2006)Google Scholar
- 4.Christopher, G., Müller, S., Pfitzmann, B.: From Regulatory Policies to Event Monitoring Rules: Towards Model-Driven Compliance Automation. IBM Research Report RZ 3662, IBM Zurich Research Laboratory (2006)Google Scholar
- 7.Governatori, G., Milosevic, Z., Sadiq, S.: Compliance checking between business processes and business contracts. In: Proceedings of the 10th IEEE Conference on Enterprise Distributed Object Computing, EDOC. IEEE Computer Society, Washington, DC (2006)Google Scholar
- 8.Namiri, K., Stojanovic, N.: A Formal Approach for Internal Controls Compliance in Business Processes. In: Proceedings of 8th Workshop on Business Process Modeling, Development, and Support (BPMDS 2007), Trondheim, Norway (2007)Google Scholar
- 9.Verver, J.: Building and Implementing a Continuous Controls Monitoring and Auditing Framework, ACL Services Ltd. (2005)Google Scholar
- 10.Brown, R.L.: The SOA road to sustainable risk and control management. IBM White Paper (January 2007), ftp://ftp.software.ibm.com/software/lotus/lotusweb/sox/TheSOARoadtoSustainableRiskandControlManagementJan2007.pdf