
Are we done with business process compliance: state of the art and challenges ahead

  • Regular Paper
  • Published in: Knowledge and Information Systems

Abstract

Literature on business process compliance (BPC) has predominantly focused on the alignment of regulatory rules with the design, verification and validation of business processes. Previous surveys on BPC have been conducted with a specific context in mind; the literature on BPC management research is sparse and does not build a detailed understanding of the existing work and the issues faced by the domain. This survey provides a holistic view of the literature on existing BPC management approaches and categorises them by compliance management strategy in the context of formulated research questions. A systematic literature approach is used, in which search terms and related keywords were used to identify literature relevant to the research questions in scholarly databases. From an initial 183 papers, we selected 79 papers related to the themes of this survey, published between 2000 and 2015. The survey results reveal that compliance management approaches mostly centre on three distinct categories, namely design-time (28%), run-time (32%) and auditing (10%). Organisational and internal control-based compliance management frameworks account for 21%, and hybrid approaches for 9%, of the surveyed approaches. Furthermore, open research challenges and gaps are identified and discussed with respect to the compliance problem.


Notes

  1. SpringerLink http://www.springerlink.com.

  2. ScienceDirect http://www.sciencedirect.com/.

  3. ACM Digital Library http://dl.acm.org.

  4. Web of Science http://www.webofscience.com/.

  5. EbscoHost https://www.ebscohost.com/.

  6. IEEEXplore http://ieeexplore.ieee.org/.

  7. Free Search Database DBLP http://dblp.uni-trier.de/.

  8. It might be possible that there are papers on compliance management written in other languages such as German and French, and we exclude such papers from this survey, see Sect. 9.3.

  9. There are other sources of citation measurements and academic search engines, e.g. Microsoft Academic Search, Scopus, Semantic Scholars, see Wouters and Costas [195] for detailed listing.

  10. This is not an exhaustive list of all represented frameworks in their respective category.

  11. OCEG: Open Compliance Ethics Group, available at: http://www.oceg.org/ (retrieved: 8 May 2017).

  12. Semantic Constraints in Process Management Systems, available at: https://www.uni-ulm.de/in/iui-dbis/forschung/abgeschlossene-projekte/seaflows/ (retrieved: 8 May, 2017).

  13. Web Ontology Language http://www.w3.org/TR/owl-features/.

  14. Semantic Web Rule Language https://www.w3.org/Submission/SWRL/.

  15. The Hazard Analysis Critical Control Point System, available at: http://www.standards.org/standards/listing/haccp (retrieved: 8 May 2017).

  16. Regorous Compliance Checker: https://www.regorous.com/ (retrieved: 10 Oct 2013).

  17. PROPOLS is an ontology-based property specification language based on PPS to specify service composition properties.

  18. Internal control, an integrated framework: the Committee of Sponsoring Organizations of the Treadway Commission [39].

  19. SPIN model checker, available at: http://spinroot.com/spin/whatispin.html.

  20. NuSMV: symbolic model verification, available at: http://nusmv.fbk.eu/.

  21. UPPAAL: Uppsala–Aalborg model checker, available at: http://www.uppaal.org/.

  22. The W3C standard: http://www.w3.org/standards/.

  23. Unified modelling language: http://www.omg.org/spec/UML/.

  24. Object constraint language: http://www.omg.org/spec/OCL/.

  25. Process mining: http://www.processmining.org.

  26. Eudralex, available at: http://ec.europa.eu/health/documents/eudralex/index_en.htm (retrieved: 25th October 2012).

  27. Colombo Tosatto and colleagues [36] formally proved that checking whether a business process is partially compliant is NP-complete, and that checking whether a business process is either fully compliant or not compliant is a coNP-complete problem.

References

  1. Abdullah NS, Sadiq S, Indulska M (2010) Emerging challenges in information systems research for regulatory compliance management. In: Proceedings of CAiSE’10. Springer, pp 251–265

  2. Achimugu P, Selamat A, Ibrahim R, Mahrin MN (2014) A systematic literature review of software requirements prioritization research. Inf Softw Technol 56(6):568–585

  3. Ågotnes T, van der Hoek W, Rodríguez-Aguilar JA, Sierra C, Wooldridge M (2007) On the logic of normative systems. In: Proceedings of the 20th international joint conference on artificial intelligence. AAAI Press, Menlo Park, pp 1175–1180

  4. Ågotnes T, Van der Hoek W, Wooldridge M (2010) Robust normative systems and a logic of norm compliance. J Log 18(1):4–30

  5. Agrawal R, Bayardo R, Faloutsos C, Kiernan J, Rantzau R, Srikant R (2004) Auditing compliance with a hippocratic database. In: Proceedings of the thirtieth international conference on very large data bases, vol 30, VLDB Endowment, VLDB ’04, pp 516–527

  6. Agrawal R, Johnson C, Kiernan J, Leymann F (2006) Taming compliance with Sarbanes–Oxley internal controls using database technology. In: Proceedings of the 22nd international IEEE conference on data engineering, p 92

  7. Ahmed A, Sakr S (2010) Querying graph-based repositories of business process models. In: DASFAA workshops, pp 33–44

  8. Alberti M, Chesani F, Gavanelli M, Lamma E, Mello P, Montali M, Torroni P (2007) Expressing and verifying business contracts with abductive. In: Boella G, van der Torre L, Verhagen H (eds) Normative multi-agent systems, Internationales Begegnungs- und Forschungszentrum für Informatik (IBFI), Schloss Dagstuhl, Germany, Dagstuhl, Germany, No. 07122 in Dagstuhl seminar proceedings

  9. Antón AI, Bertino E, Li N, Yu T (2007) A roadmap for comprehensive online privacy policy management. Commun ACM 50(7):109–116

  10. Arbab F, Kokash N, Meng S (2008) Towards using REO for compliance-aware business process modeling. In: Margaria T, Steffen B (eds) ISoLA’08, vol 17. Springer, Berlin, pp 108–123

  11. Arya A, van Dongen B, van der Aalst W (2010) Towards robust conformance checking. In: BPM workshops’10, pp 122–133

  12. Ashby S (2008) Operational risk: lessons from non-financial organisations. J Risk Manag Financ Inst 1:406–415

  13. Awad A (2010) A compliance management framework for business process models. Ph.D. thesis, Hasso Plattner Institut, Potsdam University, Germany

  14. Awad A, Weske M (2009) Visualisation of compliance violations in business process models. In: 5th Workshop on business process intelligence, vol 9, pp 182–193

  15. Awad A, Decker G, Weske M (2008) Efficient compliance checking using BPMN-Q and temporal logic. In: Proceedings of the 6th international conference on business process management (BPM 2008). Springer, Milano, pp 326–341

  16. Awad A, Smirnov S, Weske M (2009) Towards resolving compliance violations in business process models. In: Sadiq S, Indulska M, zur Muehlen M, Dubois E, Johannesson P (eds) Proceedings of the 2nd international workshop on governance risk and compliance GRCIS, pp 18–33

  17. Awad A, Weidlich M, Weske M (2009) Specification, verification and explanation of violation for data aware compliance rules. In: Baresi L, Chi CH, Suzuki J (eds) Proceedings of the 7th international joint conference on service-oriented computing (ICSOC-Service Wave 2009). Springer, Stockholm, pp 500–515

  18. Bai X, Liu Y, Wang L, Tsai WT, Zhong P (2009) Model-based monitoring and policy enforcement of services. In: Proceedings of the 2009 world conference on services, vol I, pp 789–796

  19. Barnawi A, Awad A, Elgammal A, Elshawi R, Almalaise A, Sakr S (2016) An anti-pattern-based runtime business process compliance monitoring framework. Int J Adv Comput Sci Appl (IJACSA) 7(2):551–572

  20. Bartolini R, Lenci A, Montemagni S, Pirrelli V, Soria C (2004) Semantic mark-up of Italian legal texts through NLP-based techniques. In: Proceedings of the fourth international conference on language resources and evaluation (LREC 2004), Lisbon, Portugal

  21. BCBS (2013) Basel III: The liquidity coverage ratio and liquidity risk monitoring tools. http://www.bis.org/publ/bcbs238.pdf

  22. Beach T, Rezgui Y, Li H, Kasim T (2015) A rule-based semantic approach for automated regulatory compliance in the construction sector. Expert Syst Appl 42(12):5219–5231

  23. Becker J, Delfmann P, Eggert M, Schwittay S (2012) Generalizability and applicability of model-based business process compliance-checking approaches–a state-of-the-art analysis and research roadmap. BuR Bus Res J 5(2):221–247

  24. Bench-Capon T, Gordon TF (2009) Isomorphism and argumentation. In: Proceedings of the 12th international conference on artificial intelligence and law, ACM, NY, USA. ICAIL’09, pp 11–20

  25. Bench-Capon TJM, Coenen FP (1992) Isomorphism and legal knowledge based systems. Artif Intell Law 1(1):65–86

  26. Bérard B, Bidoit M, Finkel A, Laroussinie F, Petit A, Petrucci L, Schnoebelen P (2001) System and software verification–model checking techniques and tools. Springer, Berlin

  27. Bernstein S, Falcione A (2015) Moving beyond the baseline: leveraging the compliance function to gain a competitive edge. State of compliance survey 2015. Survey report, PricewaterhouseCoopers

  28. Bhattacharya K, Gerede C, Hull R, Liu R, Su J (2007) Towards formal analysis of artifact-centric business process models. In: Alonso G, Dadam P, Rosemann M (eds) Proceedings of the 5th international conference on business process management (BPM 2007). Springer, Berlin, pp 288–304

  29. Biagioli C, Francesconi E, Passerini A, Montemagni S, Soria C (2005) Automatic semantics extraction in law documents. In: Proceedings of the 10th international conference on artificial intelligence and law, ACM, New York, NY, USA, ICAIL’05, pp 133–140

  30. Birukou A, D’Andrea V, Leymann F, Serafinski J, Silveira P, Strauch S, Tluczek M (2010) An integrated solution for runtime compliance governance in SOA. In: Proceedings of the international conference on service-oriented computing (ICSOC), pp 122–136

  31. Bonatti PA, Shahmehri N, Duma C, Olmedilla D, Nejdl W, Baldoni M, Baroglio C, Martelli A, Coraggio P, Antoniou G, Peer J, Fuchs NE (2004) Rule-based policy specification: state of the art and future work. REWERSE project report I2-D1, Università di Napoli Federico II

  32. Bonazzi R, Pigneur Y (2009) Compliance management in multi-actor contexts. In: Proceedings of international workshop on governance, risk and compliance (GRCIS), An ancillary meeting of CAISE

  33. Brighi R, Palmirani M (2009) Legal text analysis of the modification provisions: a pattern oriented approach. In: Proceedings of the 12th international conference on artificial intelligence and law (ICAIL’09), ACM, New York, NY, USA, pp 238–239

  34. Cabanillas C, Resinas M, Ruiz-Cortés A (2010) On the identification of data-related compliance problems in business processes. In: Jornadas Científico-Técnicas En Servicios Web Y SOA (JSWEB’10), Valencia, España, vol 1, pp 89–102

  35. COBIT (2007) Control objectives for information related technology—COBIT 4.1. http://www.isaca.org/Knowledge-Center/cobit/Pages/Downloads.aspx

  36. Colombo Tosatto S, Governatori G, Kelsen P (2015) Business process regulatory compliance is hard. IEEE Trans Serv Comput 8(6):958–970

  37. COMPAS-Project (2008) D2.1 state-of-the-art in the field of compliance languages—compliance-driven models, languages, and architectures for services. Deliverable D2.1v1.0, Tilburg University, The Netherlands

  38. Cooper HM (1988) Organizing knowledge syntheses: a taxonomy of literature reviews. Knowl Soc 1(1):104–126

  39. COSO (1994) Internal control–integrated framework. http://www.coso.org/

  40. Cunningham H, Maynard D, Tablan V, Ursu C, Bontcheva K (2001) Developing language processing components with GATE: a user guide. https://gate.ac.uk/sale/tao/tao.pdf

  41. d Araujo DA, Rigo SJ, Muller C, Chishman R (2013) Automatic information extraction from texts with inference and linguistic knowledge acquisition rules. In: 2013 IEEE/WIC/ACM international joint conferences on web intelligence (WI) and intelligent agent technologies (IAT), vol 3, pp 151–154

  42. D’Aprile D, Giordano L, Gliozzi V, Martelli A, Pozzato G, Theseider Dupré D (2010) Verifying business process compliance by reasoning about actions. In: Dix J, Leite Ja, Governatori G, Jamroga W (eds) Proceeding of the 11th international workshop on computational logic in multi-agent systems (CLIMA XI). Springer, Berlin, pp 99–116

  43. de Maat E, Winkels R (2010) Suggesting model fragments for sentences in Dutch laws. In: Proceedings of legal ontologies and artificial intelligence techniques, pp 19–28

  44. de Moura Araujo B, Schmitz EA, Correa AL, Alencar AJ (2010) A method for validating the compliance of business processes to business rules. In: Proceedings of SAC’10, ACM, pp 145–149

  45. Doganata Y, Curbera F (2009) Effect of using automated auditing tools on detecting compliance failures in unmanaged processes. In: Proceedings of the 7th international conference on business process management (BPM 2009), Ulm, Germany, pp 310–326

  46. El Kharbili M (2012) Business process regulatory compliance management solution frameworks: a comparative evaluation. In: Ghose A, Ferrarotti F (eds) Proceedings of the 8th Asia-Pacific Conference on Conceptual Modelling (APCCM 2012). ACS, Inc., Melbourne, Australia, pp 23–32

  47. El Kharbili M, Stein S (2008) Policy-based semantic compliance checking for business process management. MobIS workshops, CEUR workshops 420:178–192

  48. El Kharbili M, Stein S, Markovic I, Pulvermüller E (2008) Towards a framework for semantic business process compliance management. Banking 08(i):1–15

  49. Elgammal A (2012) Towards a comprehensive framework for business process compliance. Ph.D. thesis, Tilburg University

  50. Elgammal A, Türetken O, van den Heuvel WJ, Papazoglou MP (2010) Root-cause analysis of design-time compliance violations on the basis of property patterns. In: Proceedings of the 8th international conference on service-oriented computing (ICSOC 2010), San Francisco, CA, USA, pp 17–31

  51. Elgammal A, Turetken O, van den Heuvel WJ, Papazoglou M (2011) On the formal specification of regulatory compliance: a comparative analysis. In: Proceedings of ICSOC’10, pp 27–38

  52. Elgammal A, Turetken O, van den Heuvel WJ, Papazoglou M (2016) Formalizing and applying compliance patterns for business process compliance. Softw Syst Model 15(1):119–146

  53. Eshuis R (2006) Symbolic model checking of UML activity diagrams. ACM Trans Softw Eng Methodol 15(1):1–38

  54. Evans GP (2014) Managing risk with an end-to-end process view: adopting a process-based approach to risk management. BPTrends article. https://www.bptrends.com/managing-risks-with-an-end-to-end-processview/

  55. Fellmann M, Zasada A (2014) State-of-the-art of business process compliance approaches. In: Proceedings of the European conference on information systems (ECIS’14), Tel Aviv, Israel

  56. Fongon P, Grillo K (2004) Corporate implications of Sarbanes–Oxley Act: a public policy. http://www.global-trade.law.com/ITRN711

  57. Förster A, Engels G, Schattkowsky T (2005) Activity diagram patterns for modeling quality constraints in business processes. In: Proceedings of MoDELS’05, pp 2–16

  58. Förster A, Engels G, Schattkowsky T, Straeten RVD (2006) A pattern-driven development process for quality standard-conforming business process models. Proceedings of VL/HCC 2006:135–142

  59. Francesconi E (2010) Legal rules learning based on a semantic model for legislation. In: Proceedings of the SPLeT workshop

  60. Ghanavati S, Amyot D, Peyton L (2007) Towards a framework for tracking legal compliance in healthcare. In: Proceedings of CAiSE’07, pp 218–232

  61. Ghose A, Koliadis G (2007) Auditing business process compliance. In: Krämer B, Lin KJ, Narasimhan P (eds) Collection of ICSOC 2007. Springer, Berlin, pp 169–180

  62. Giblin C, Liu AY, Müller S, Pfitzmann B, Zhou X (2005) Regulations expressed as logical models (REALM). In: Proceeding of JURIX 2005, IOS Press, pp 37–48

  63. Gilliot M, Accorsi R (2009) Runtime predictions of policy violations in automated business processes. Extended abstract: presented at the PrimeLife/IFIP Summer School Program, Sept 7–11, Nice, France

  64. Goedertier S, Vanthienen J (2006) Business rules for compliant business process models. In: Proceeding of BIS 2006, Gesellschaft für Informatik, pp 558–579

  65. Goedertier S, Vanthienen J (2006) Designing compliant business processes with obligations and permissions. In: Eder J, Dustdar S (eds) Business process management workshops 2006. Springer, Berlin, pp 5–14

  66. Goedertier S, Vanthienen J, Caron F (2015) Declarative business process modelling: principles and modelling languages. Enterp Inf Syst 9(9):161–185

  67. Gogolla M, Büttner F, Richters M (2007) USE: a UML-based specification environment for validating UML and OCL. Sci Comput Program 69(1–3):27–34 (special issue on experimental software and toolkits)

  68. Gómez-López M, Gasca R, Rinderle-Ma S (2013) Explaining the incorrect temporal events during business process monitoring by means of compliance rules and model-based diagnosis. In: Proceeding of EDOCW’13, pp 163–172

  69. Gómez-López MT, Gasca RM, Pérez-Álvarez JM (2015) Compliance validation and diagnosis of business data constraints in business process at runtime. Inf Syst 48:26–43

  70. Governatori G (2005) Representing business contracts in RuleML. Int J Coop Inf Syst 14(2–3):181–216

  71. Governatori G, Hashmi M (2015) No time for compliance. In: Proceedings of EDOC15, Adelaide, Australia, pp 9–18

  72. Governatori G, Milosevic Z (2005) Dealing with contract violations: formalism and domain specific language. In: Proceedings of EDOC 2005. IEEE Computer Society, pp 46–57

  73. Governatori G, Rotolo A (2006) Logic of violations: a Gentzen system for reasoning with contrary-to-duty obligation. Aust J Log 4:193–215

  74. Governatori G, Rotolo A (2008) An algorithm for business process compliance. In: Proceedings Jurix 2008. IOS Press, pp 186–191

  75. Governatori G, Rotolo A (2010) A conceptually rich model of business process compliance. In: Proceedings of APCCM’10, vol 110, pp 3–12

  76. Governatori G, Rotolo A (2010) Norm compliance in business process modeling. In: Proceedings of RuleML 2010. Springer, pp 194–209

  77. Governatori G, Sadiq S (2009) The journey to business process compliance. In: Handbook of research on BPM, IGI Global, pp 426–454

  78. Governatori G, Shek S (2013) Regorous: a business process compliance checker. In: Proceedings of ICAIL’13, ACM, Rome, pp 245–246

  79. Governatori G, Milosevic Z, Sadiq S (2006) Compliance checking between business processes and business contracts. In: Proceeding of EDOC’06, pp 221–232

  80. Han J, Jin Y, Li Z, Phan T, Yu J (2007) Guiding the service composition process with temporal business rules. In: Web Services 2007

  81. Hashmi M (2015) A methodology for extracting legal norms from regulatory documents. In: Proceedings of EDOCW’15. IEEE Computer Society, pp 41–50

  82. Hashmi M, Governatori G (2017) Norms modeling constructs of business process compliance management frameworks: a conceptual evaluation. Artif Intell Law. https://doi.org/10.1007/s10506-017-9215-8

  83. Hashmi M, Governatori G, Wynn MT (2013) Normative requirements for business process compliance. In: Service research and innovation–third Australian symposium, ASSRI 2013, Sydney, NSW, Australia, Nov 27–29, 2013. Revised selected papers, pp 100–116. https://doi.org/10.1007/978-3-319-07950-9_8

  84. Hashmi M, Governatori G, Wynn MT (2014) Modeling obligations with event-calculus. In: Proceedings of RuleML’14, Czech Republic, pp 296–310

  85. Hashmi M, Governatori G, Wynn M (2015) Normative requirements for regulatory compliance: an abstract formal framework. Inf Syst Front 18(3):429–455

  86. Hassan W, Logrippo L (2008) Requirements and compliance in legal systems: a logic approach. In: Proceedings of RELAW’08, Barcelona, Spain, pp 40–44

  87. Herrestad H (1991) Norms and formalization. In: ICAIL’91, ACM, pp 175–184

  88. Herther NK (2009) Research evaluation and citation analysis: key issues and implications. Electron Libr 27(3):361–375

  89. Hinge K, Ghose A, Koliadis G (2009) Process SEER: a tool for semantic effect annotation of business process models. In: Proceedings of EDOC ’09, pp 54–63

  90. HIPAA TUG (1996) The US Health Insurance Portability and Accountability Act of 1996

  91. Hoffmann J, Weber I, Governatori G (2009) On compliance checking for clausal constraints in annotated process models. Inf Syst Front 14(2):155–177

  92. IFRS (2014) IFRS 7 international financial reporting standards: financial instruments disclosures. http://www.ifrs.org/IFRSs/Pages/IFRS.aspx

  93. Ingolfo S, Jureta I, Siena A, Perini A, Susi A (2014) Nómos 3: legal compliance of roles and requirements. In: Yu E, Dobbie G, Jarke M, Purao S (eds) Conceptual modeling, Lecture Notes in Computer Science, vol 8824. Springer, Berlin, pp 275–288

  94. Jackson D (2006) Software abstractions: logic, language, and analysis. The MIT Press, Cambridge

  95. James E, Jonathan S (2011) The benefits of static compliance testing for SCA next. In: Proceedings of the SDR’11, The Wireless Innovation Forum, Inc

  96. Jiang J, Virginia D, Huib A, Frank D, Yao-Hua T (2013) Norm compliance checking. In: Proceedings of AAMAS’13, Saint Paul, USA, pp 1121–1122

  97. Jiang J, Aldewereld H, Dignum V, Wang S, Baida Z (2014) Regulatory compliance of business processes. AI & Society, Heidelberg, pp 1–10

  98. Johnson C, Grandison T (2007) Compliance with data protection laws using Hippocratic Database active enforcement and auditing. IBM Syst J 46(2):255–264

  99. Johnson CM, Grandison TWA (2007) Compliance with data protection laws using Hippocratic Database active enforcement and auditing. IBM Syst J 46(2):255–264

  100. Kabilan V, Johannesson P, Rugaimukamu D (2003) Business contract obligation monitoring through use of multi-tier contract ontology. In: Meersman R, Tari Z (eds) On The Move (OTM) workshops to meaningful internet systems. Springer, Berlin, pp 690–702

  101. Kabilan V, Johannesson P, Rugaimukamu DM (2003) An ontological approach to unified contract management. In: Proceedings of the 13th European–Japanese conference on information modelling and knowledge bases, pp 106–110

  102. Kähmer M, Gilliot M, Müller G (2008) Automating privacy compliance with ExPDT. In: Proceedings of the 10th IEEE conference on e-commerce technology and 5th conference on enterprise computing, pp 87–94

  103. Karagiannis D, Mylopoulos J, Schwab M (2007) Business process-based regulation compliance: the case of the Sarbanes–Oxley Act. In: 15th IEEE international requirements engineering conference (RE 2007) pp 315–321

  104. Kazmierczak P, Pedersen T, Ågotnes T (2012) NORMC: a norm compliance temporal logic model checker. STAIRS, frontiers in artificial intelligence and applications 241:168–179

  105. Keller A, Ludwig K (2002) Defining and monitoring service-level agreements for dynamic e-business. In: Proceedings of the 16th USENIX conference on system administration, USENIX Association, Berkeley, USA, pp 189–204

  106. Kharbili ME, Medeiros AKAD, Stein S, van der Aalst W (2008) Business process compliance checking: current state and future challenges. In: Modellierung Betrieblicher Informationssysteme, MobIS, pp 107–113

  107. Kitchenham B (2004) Procedure for performing systematic reviews. Technical Report TR/SE-0401, Software Engineering Group, Department of Computer Science, Keele University, Keele, UK

  108. Kitchenham B, Charters S (2007) Guidelines for performing systematic literature reviews in software engineering. Technical Report EBSE 2007-001, Keele University and Durham University Joint Report

  109. Kiyavitskaya N, Zeni N, Breaux TD, Antón AI, Cordy JR, Mich L, Mylopoulos J (2008) Automating the extraction of rights and obligations for regulatory compliance. In: Li Q, Spaccapietra S, Yu E, Olivé A (eds) Proceedings of the 27th international conference on conceptual modeling (ER 2008). Springer, Berlin, pp 154–168

  110. Knuplesch D, Ly L, Rinderle-Ma S, Pfeifer H, Dadam P (2010) On enabling data-aware compliance checking of business process models. In: Parsons J, Saeki M, Shoval P, Woo C, Wand Y (eds) Proceedings of the 29th international conference on conceptual modeling (ER 2010). Springer, Berlin, pp 332–346

  111. Knuplesch D, Reichert M, Ly LT, Kumar A, Rinderle-Ma S (2013) Visual modeling of business process compliance rules with the support of multiple perspectives. In: Proceedings of the 32nd international conference on conceptual modeling (ER 2013), Hong Kong, pp 106–120

  112. Knuplesch D, Reichert M, Kumar A (2015) Visually monitoring multiple perspectives of business process compliance. In: Proceedings of the 13th international conference on business process management (BPM 2015), Innsbruck, Austria, pp 263–279

  113. Kowalski R, Sergot M (1989) A logic-based calculus of events. In: Schmidt J, Thanos C (eds) Foundations of knowledge base management, topics in information systems. Springer, Berlin, pp 23–55

  114. KPMG (2013) A survey of fraud, bribery, and corruption in Australia and New Zealand. Survey series: issues and insights, KPMG Forensic. https://www.kpmg.com/AU/IssuesAndInsights/ArticlesPublications/Fraud-Survey/FDocuments/fraud-bribery-corruption-survey-2012v2.pdf

  115. Küster JM, Ryndina K, Gall H (2007) Generation of business process models for object life cycle compliance. In: Proceedings of the 5th international conference on business process management (BPM 2007), Brisbane, Australia, pp 165–181

  116. Lam HP, Governatori G (2009) The making of SPINdle. In: Governatori G, Hall J, Paschke A (eds) Proceedings of the 2009 international symposium on rule interchange and applications (RuleML 2009). Springer, Las Vegas, pp 315–322

  117. Lam HP, Hashmi M, Scofield B (2016) Enabling reasoning with LegalRuleML. In: Alferes JJ, Bertossi L, Governatori G, Fodor P, Roman D (eds) Proceedings of the 10th international web rule symposium (RuleML 2016). Springer, Stony Brook, pp 241–257

  118. LeFevre K, Agrawal R, Ercegovac V, Ramakrishnan R, Xu Y, DeWitt D (2004) Limiting disclosure in hippocratic databases. In: Proceedings of the thirtieth international conference on very large data bases, vol 30, VLDB endowment, VLDB ’04, pp 108–119

  119. Leitner M, Rinderle-Ma S (2014) A systematic review on security in process-aware information systems: constitution, challenges, and future directions. Inf Softw Technol 56(3):273–293

  120. Leitner P, Wetzstein B, Rosenberg F, Michlmayr A, Dustdar S, Leymann F (2009) Runtime prediction of service level agreement violations for composite services. In: Proceedings of the 3rd workshop on non-functional properties and SLA management in service oriented computing. Springer, Heidelberg, pp 176–186

  121. Leitner P, Michlmayr A, Rosenberg F, Dustdar S (2010) Monitoring, prediction and prevention of SLA violations in composite services. In: Proceedings of ICWS’10, pp 369–376

  122. Letia IA, Groza A (2013) Compliance checking of integrated business processes. Data Knowl Eng 87:1–18

  123. Liu Y, Müller S, Xu K (2007) A static compliance-checking framework for business process models. IBM Syst J 46(2):335–361

  124. Lomuscio A, Qu H, Solanki M (2008) Towards verifying contract regulated service composition. In: Proceedings of ICWS’08, pp 254–261

  125. Ly LT (2012) SeaFlows: a compliance checking framework for supporting the process lifecycle. Ph.D. Thesis, University of Ulm, Osnabrück, Germany

  126. Ly LT, Rinderle-Ma S, Göser K, Dadam P (2012) On enabling integrated process compliance with semantic constraints in process management systems. Inf Syst Front 14(2):195–219

  127. Ly LT, Maggi FM, Montali M, Rinderle S, van der Aalst W (2013) A framework for the systematic comparison and evaluation of compliance monitoring approaches. In: Proceeding of EDOC’13. IEEE Computer Society

  128. Ly LT, Maggi FM, Montali M, Rinderle-Ma S, van der Aalst WM (2015) Compliance monitoring in business processes: functionalities, application, and tool-support. Inf Syst 54:209–234

  129. Maggi F, Montali M, Westergaard M, van der Aalst W (2011) Monitoring business constraints with linear temporal logic: an approach based on colored automata. In: Proceedings of the 9th international conference on business process management (BPM 2011). Springer, pp 132–147

  130. Maggi F, Montali M, van der Aalst W (2012) An operational decision support framework for monitoring business constraints. In: de Lara J, Zisman A (eds) Fundamental approaches to software engineering. Springer, Berlin, pp 146–162

  131. Mateescu R, Sighireanu M (2003) Efficient on-the-fly model-checking for regular alternation-free mu-calculus. Sci Comput Program 46(3):255–281 (special issue on formal methods for industrial critical systems)

  132. McIntyre SR (2008) Integrated governance, risk and compliance: improve performance and enhance productivity in federal agencies. Technical report, PricewaterhouseCoopers

  133. Meho LI, Tibbo HR (2003) Modeling the information-seeking behavior of social scientists: Ellis’s study revisited. J Am Soc Inf Sci Technol 54(6):570–587

  134. Milosevic Z, Jösang A, Dimitrakos T, Patton MA (2002) Discretionary enforcement of electronic contracts. In: Proceedings of EDOC’02. IEEE Computer Society, Washington, DC, USA, pp 39–50

  135. Milosevic Z, Sadiq S, Orlowska M (2006) Towards a methodology for deriving contract-compliant business processes. In: Dustdar S, Fiadeiro J, Sheth A (eds) Proceedings of the 4th international conference on business process management (BPM 2006). Springer, Vienna, pp 395–400

  136. Milosevic Z, Sadiq S, Orlowska M (2006) Translating business contract into compliant business processes. In: Proceedings of EDOC’06. IEEE Computer Society, pp 211–220

  137. Monakova G, Kopp O, Leymann F, Moser S, Schäfers K (2009) Verifying business rules using an SMT solver for BPEL processes. In: Business process, services computing and intelligent service management, Leipzig, Germany, pp 81–94. http://subs.emis.de/LNI/Proceedings/Proceedings147/article2475.html

  138. Montali M, Maggi FM, Chesani F, Mello P, van der Aalst WMP (2014) Monitoring business constraints with the event calculus. ACM Trans Intell Syst Technol 5(1):17:1–17:30

  139. Namiri K, Stojanovic N (2007) Pattern-based design and validation of business process compliance. In: Proceedings of CoopIS’07. Springer, Berlin, pp 59–76

  140. Namiri K, Stojanovic N (2007) Using control patterns in business processes compliance. In: Proceedings of WISE’07, Springer, pp 178–190

  141. Namiri K, Stojanovic N (2008) Towards a formal framework for business process compliance. In: Proceedings of MKWI’08, München

  142. Namiri K, Stojanovic N (2008) Towards a formal framework for business process compliance. In: Multikonferenz Wirtschaftsinformatik (MKWI 2008), Germany, pp 1185–1196

  143. Nishizaki S, Ohata T (2013) Real-time model checking for regulatory compliance. In: Das V, Chaba Y (eds) Mobile communication and power engineering, communications in computer and information science, vol 296. Springer, Berlin, pp 70–77

  144. Nute D (ed) (1997) Defeasible deontic logic. Synthese Library, vol 263. Academic Publishers, Dordrecht

  145. Nute D (2003) Defeasible logic. In: Bartenstein O, Geske U, Hannebauer M, Yoshie O (eds) Web knowledge management and decision support. Springer, Berlin, pp 151–169

  146. OASIS LegalRuleML Technical Committee (2015) LegalRuleML technical committee specifications. https://www.oasis-open.org/committees/legalruleml/charter.php, Retrieved 12 March 2016

  147. OCEG (2012) Governance, Risk and Compliance Capability Model. https://www.oceg.org/about/what-is-grc/

  148. Ochsenschläger P, Repp J, Rieke R, Nitsche U (1998) The SH-verification tool: abstraction-based verification of co-operating systems. J Form Asp Comput 10(4):381–404

  149. Olivieri F (2014) Compliance by design: synthesis of business processes by declarative specifications. PhD thesis, Dipartimento di Informatica, Università degli Studi di Verona, Italy and Institute for Integrated and Intelligent Systems, Griffith University, Australia

  150. OMG (2010) Business Process Model and Notation (BPMN) 2.0. Standard. http://www.omg.org/spec/BPMN/2.0/

  151. OMG (2011) Unified Modeling Language (UML 2.0). http://www.omg.org/spec/UML/2.0/

  152. O’Neill A (2014) An action framework for compliance and governance. Int J Clin Gov 19(4):342–359

  153. Otto PN, Antón AI (2007) Addressing legal requirements in requirements engineering. In: Proceedings of the 15th IEEE international requirements engineering conference (RE 2007). IEEE Computer Society, pp 5–14

  154. Pettersson P, Larsen KG (2000) UPPAAL 2K. Bull Eur Assoc Theor Comput Sci 70:40–44

  155. Pershkow BI (2002) Sarbanes-Oxley: investment company compliance. J Invest Compliance 3(4):16–30

  156. Pesic M, Schonenberg H, van der Aalst W (2007) DECLARE: full support for loosely-structured processes. In: Proceedings of the 11th IEEE international conference on enterprise distributed object computing (EDOC’07), p 287

  157. Prakken H, Sergot M (1997) Dyadic deontic logic and contrary-to-duty obligations. In: Nute D (ed) Defeasible deontic logic. Synthese Library, vol 263. Academic Publishers, Dordrecht, pp 223–262

  158. Ramezani E, Fahland D, van der Aalst W (2012) Where did I misbehave? Diagnostic information in compliance checking. In: Proceedings of the 10th international conference on business process management (BPM 2012), Tallinn, Estonia, pp 262–278

  159. Ramezani E, Fahland D, van Dongen BF, van der Aalst W (2013) Diagnostic information for compliance checking of temporal compliance requirements. In: Proceedings of the 25th international conference on advanced information systems engineering (CAiSE 2013), Valencia, Spain, pp 304–320

  160. Rangan RM, Rohde SM, Peak R, Chadha B, Bliznakov P (2005) Streamlining product lifecycle processes: a survey of product lifecycle management implementations, directions, and challenges. J Comput Inf Sci Eng 5(3):227–237

  161. Rieke R, Repp J, Zhdanova M, Eichler J (2014) Monitoring security compliance of critical processes. In: 22nd Euromicro international conference on parallel, distributed, and network-based processing (PDP 2014), Torino, Italy, pp 552–560

  162. Rifaut A, Dubois E (2008) Using goal-oriented requirements engineering for improving the quality of ISO/IEC 15504 based compliance assessment frameworks. In: Proceedings of the 16th IEEE international requirements engineering conference (RE 2008), pp 33–42

  163. Rikhardsson P, Best PJ, Green P, Rosemann M (2006) Business process risk management and internal control: a proposed research agenda in the context of compliance and ERP systems. In: Second Asia/Pacific research symposium on accounting information systems, Melbourne

  164. Rinderle-Ma S, Mangler J (2011) Integration of process constraints from heterogeneous sources in process-aware information systems. In: International workshop on enterprise modelling and information systems architectures (EMISA 2011), Hamburg, Germany, pp 51–64

  165. Roddick JF, Al-Jadir L, Bertossi L, Dumas M, Estrella F, Gregersen H, Hornsby K, Lufter J, Mandreoli F, Männistö T, Mayol E, Wedemeijer L (2000) Evolution and change in data management: issues and directions. SIGMOD Rec 29(1):21–25

  166. Rosemann M, zur Muehlen M (2005) Integrating risks in business process models. In: Proceedings of ACIS’05

  167. Sadiq S, Governatori G, Namiri K (2007) Modeling control objectives for business process compliance. In: Proceedings of BPM’07. Springer, pp 149–164

  168. Salnitri M, Dalpiaz F, Giorgini P (2014) Modeling and verifying security policies in business processes. In: Bider I, Gaaloul K, Krogstie J, Nurcan S, Proper HA, Schmidt R, Soffer P (eds) Proceedings of the 15th international conference on business process modeling, development and support (BPMDS 2014). Springer, Berlin, pp 232–249

  169. Sapkota K, Aldea A, Duce DA, Younas M, Bañares-Alcántara R (2011) Towards semantic methodologies for automatic regulatory compliance support. In: Proceedings of PIKM’11, pp 83–86

  170. Scannapieco S, Governatori G, Olivieri F, Cristani M (2011) Designing for compliance: norms and goals. In: The 5th international symposium on rules: research based and industry focused (RuleML 2011), Ft Lauderdale

  171. Schleicher D, Anstett T, Leymann F, Mietzner R (2009) Maintaining compliance in customizable process models. In: Meersman R, Dillon T, Herrero P (eds) On the move to meaningful internet systems: OTM 2009. Springer, Heidelberg, pp 60–75

  172. Schmidt R, Bartsch C, Oberhauser R (2007) Ontology-based representation of compliance requirements for service processes. In: Proceedings of the workshop on semantic business process and product lifecycle management, pp 28–39

  173. Schrefl M, Stumptner M (2002) Behavior-consistent specialization of object life cycles. ACM Trans Softw Eng Methodol 11(1):92–148

  174. Schumm D, Turetken O, Kokash N, Elgammal A, Leymann F, van den Heuvel WJ (2010) Business process compliance through reusable units of compliant processes. In: Proceedings of the 10th international conference on current trends in web engineering. Springer, Vienna, Austria, pp 325–337

  175. Semmelrodt F, Knuplesch D, Reichert M (2014) Modeling the resource perspective of business process compliance rules with the extended compliance rule graph. In: Proceedings of the 15th international conference on enterprise, business-process and information systems modeling, Thessaloniki, Greece, pp 48–63

  176. Spira LF, Page M (2003) Risk management: the reinvention of internal control and the changing role of internal audit. Account Audit Account J 16(4):640–661

  177. Strecker S, Heise D, Frank U (2011) RiskM: a multi-perspective modeling method for IT risk assessment. Inf Syst Front 13(4):595–611

  178. Stumptner M, Schrefl M (2000) Behavior consistent inheritance in UML. In: Laender AHF, Liddle SW, Storey VC (eds) Proceedings of the 19th international conference on conceptual modeling (ER 2000). Springer, Berlin, pp 527–542

  179. Suriadi S, Weiß B, Winkelmann A, ter Hofstede AHM, Adams M, Conforti R, Fidge C, La Rosa M, Ouyang C, Pika A, Rosemann M, Wynn M (2014) Current research in risk-aware business process management: overview, comparison, and gap analysis. Commun Assoc Inf Syst 34(1):933–984

  180. Gómez-López MT, Gasca RM, Pérez-Álvarez JM (2015) Compliance validation and diagnosis of business data constraints in business processes at runtime. Inf Syst 48:26–43

  181. The Basel Committee on Banking Supervision (2004) Basel II accord: the international convergence of capital measurement and capital standards: a revised framework. https://www.bis.org/publ/bcbsca.htm

  182. Trčka N, van der Aalst WMP, Sidorova N (2009) Data-flow anti-patterns: discovering data-flow errors in workflows. In: van Eck P, Gordijn J, Wieringa R (eds) Proceedings of the 21st international conference on advanced information systems engineering (CAiSE 2009). Springer, Berlin, pp 425–439

  183. Turki S, Bjeković-Obradović M (2010) Compliance in e-government service engineering: state-of-the-art. In: 1st international conference on exploring services science (IESS 2010). Springer, Geneva, Switzerland, pp 270–275

  184. US-Government (2002) Public Company Accounting Reform and Investor Protection Act (Sarbanes-Oxley Act), Public Law 107–204, 116 Stat. 745

  185. van der Aalst WM, Basten T (2001) Identifying commonalities and differences in object life cycles using behavioral inheritance. In: Colom JM, Koutny M (eds) Proceedings of the 22nd international conference on application and theory of Petri nets (ICATPN 2001). Springer, Berlin, pp 32–52

  186. van der Aalst WMP, de Medeiros AKA (2005) Process mining and security: detecting anomalous process executions and checking process conformance. Electron Notes Theor Comput Sci 121(Suppl C):3–21. https://doi.org/10.1016/j.entcs.2004.10.013

  187. van der Aalst W, de Beer HT, van Dongen BF (2005) Process mining and verification of properties: an approach based on temporal logic. In: Meersman R, Tari Z (eds) Proceedings of CoopIS’05. Springer, Berlin, pp 130–147

  188. van der Aalst W, van Hee KM, van der Werf JM, Verdonk M (2010) Auditing 2.0: using process mining to support tomorrow’s auditor. Computer 43(3):90–93

  189. van der Aalst W, van Hee K, van der Werf JM, Kumar A, Verdonk M (2011) Conceptual model for online auditing. Decis Support Syst 50(3):636–647

  190. van der Aalst W, Adriansyah A, van Dongen B (2012) Replaying history on process models for conformance checking and performance analysis. Wiley Interdiscip Rev Data Min Knowl Discov 2(2):182–192

  191. Vázquez-Salceda J, Aldewereld H, Grossi D, Dignum F (2008) From human regulations to regulated software agents’ behavior. Artif Intell Law 16(1):73–87

  192. Vicente P, Mira da Silva M (2011) A conceptual model for integrated governance, risk and compliance. In: Mouratidis H, Rolland C (eds) Advanced information systems engineering. Springer, Berlin, pp 199–213

  193. Wang Z, ter Hofstede AH, Ouyang C, Wynn M, Wang J, Zhu X (2014) How to guarantee compliance between workflows and product lifecycles? Inf Syst 42:195–215

  194. Ward M (1995) Principles and applications of electrochemical quartz crystal microbalance. Physical electrochemistry: principles, methods and applications. Marcel Dekker Inc, New York, pp 293–338

  195. Wouters P, Costas R (2012) Users, narcissism and control: tracking the impact of scholarly publications in the 21st century. Technical report, SURFfoundation, Utrecht, The Netherlands

  196. Yip F, Parameswaran N, Ray P (2007) Rules and ontology in compliance management. In: Proceedings of EDOC’07, Washington, DC, USA, p 435

  197. Yu J, Manh T, Han J, Jin Y, Han Y, Wang J (2006) Pattern based property specification and verification for service composition. In: Proceedings of WISE 2006. Springer, pp 156–168

  198. Yu J, Han YB, Han J, Jin Y, Falcarin P, Morisio M (2008) Synthesizing service composition models on the basis of temporal business rules. J Comput Sci Technol 23:885–894

  199. Zeni N, Kiyavitskaya N, Mich L, Cordy JR, Mylopoulos J (2013) GaiusT: supporting the extraction of rights and obligations for regulatory compliance. Requir Eng 20(1):1–22

Acknowledgements

We thank Régis Riveret for his valuable discussions and suggestions and anonymous reviewers for their many valuable comments and suggestions.

Author information

Correspondence to Mustafa Hashmi.

Cite this article

Hashmi, M., Governatori, G., Lam, HP. et al. Are we done with business process compliance: state of the art and challenges ahead. Knowl Inf Syst 57, 79–133 (2018). https://doi.org/10.1007/s10115-017-1142-1
