Abstract
In enterprise resource planning (ERP) environments, auditing business process compliance is a complex task, because audit-relevant context information about the ERP system, such as application controls (ACs), needs to be considered to derive comprehensive audit results. Current compliance checking approaches neglect such information because it is not readily available in process models. Even if ACs are automatically analysed with audit software, the results still need to be linked to related processes. So far, this linking is not methodically supported. To address this gap, this paper presents a method to automatically enrich process models with audit-relevant information about ACs. The method consists of three phases: process model construction, automated analysis of ACs, and model enrichment. It utilizes two existing artefacts and combines them to provide a comprehensive basis for compliance checking. Moreover, the enriched process models can support auditors in conducting process audits in ERP environments.
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Schultz, M. (2013). Enriching Process Models for Business Process Compliance Checking in ERP Environments. In: vom Brocke, J., Hekkala, R., Ram, S., Rossi, M. (eds) Design Science at the Intersection of Physical and Virtual Design. DESRIST 2013. Lecture Notes in Computer Science, vol 7939. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38827-9_9
DOI: https://doi.org/10.1007/978-3-642-38827-9_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-38826-2
Online ISBN: 978-3-642-38827-9
eBook Packages: Computer Science (R0)