
A Taxonomy of Compliance Processes for Business Process Compliance

  • Conference paper
Business Process Management Forum (BPM 2017)

Part of the book series: Lecture Notes in Business Information Processing (LNBIP, volume 297)


Abstract

Dynamic markets and new technology developments lead to an increasing number of compliance requirements. Thus, the affected business processes must be flexible and adaptable. Ensuring business process compliance (BPC) is traditionally operationalized by means of controls, which can be described as simple target-performance comparisons. Since such controls are not always suitable for achieving BPC, this view is extended by so-called compliance processes. However, the definition and design of appropriate compliance processes for effective BPC depend on a multitude of process characteristics. To address this issue on a general level, we developed a taxonomy for compliance processes consisting of 9 dimensions and 37 characteristics. As a result, the taxonomy allows researchers and practitioners to classify compliance processes according to the state of the art in a formal way. Furthermore, it provides a systematic foundation for greater flexibility, i.e. the ad hoc integration of compliance processes into ongoing business processes to ensure BPC at runtime.


Notes

  1. Due to space limitations, we refer to [22] for a detailed explanation of the model.

References

  1. Fdhila, W., Rinderle-Ma, S., Knuplesch, D., Reichert, M.: Change and compliance in collaborative processes. In: 12th IEEE International Conference on Services Computing (SCC 2015), pp. 162–169 (2015)
  2. Sadiq, S., Governatori, G., Namiri, K.: Modeling control objectives for business process compliance. In: Alonso, G., Dadam, P., Rosemann, M. (eds.) BPM 2007. LNCS, vol. 4714, pp. 149–164. Springer, Heidelberg (2007). doi:10.1007/978-3-540-75183-0_12
  3. Teubner, A., Feller, T.: Informationstechnologie, Governance und Compliance. Wirtsch. Inform. 50, 400–407 (2008)
  4. Schumm, D., Turetken, O., Kokash, N., Elgammal, A., Leymann, F., van den Heuvel, W.-J.: Business process compliance through reusable units of compliant processes. In: Daniel, F., Facca, F.M. (eds.) ICWE 2010. LNCS, vol. 6385, pp. 325–337. Springer, Heidelberg (2010). doi:10.1007/978-3-642-16985-4_29
  5. Turetken, O., Elgammal, A., van den Heuvel, W.-J., Papazoglou, M.: Enforcing compliance on business processes through the use of patterns. In: 19th ECIS 2011 (2011)
  6. Bagban, K., Nebot, R.: Governance und Compliance im Cloud Computing. HMD 51, 267–283 (2014)
  7. Wallace, L., Lin, H., Cefaratti, M.A.: Information security and Sarbanes-Oxley compliance: an exploratory study. J. Inf. Syst. 25, 185–211 (2011)
  8. Committee of Sponsoring Organizations of the Treadway Commission (COSO): Internal Control - Integrated Framework. Framework and Appendices (2012)
  9. IT Governance Institute (ITGI): IT Control Objectives for Sarbanes-Oxley, 2nd edn. (2006)
  10. Beeck, V., Wischermann, B.: Kontrolle. http://wirtschaftslexikon.gabler.de/Definition/kontrolle.html
  11. Pretschner, A., Massacci, F., Hilty, M.: Usage control in service-oriented architectures. In: Lambrinoudakis, C., Pernul, G., Tjoa, A.M. (eds.) TrustBus 2007. LNCS, vol. 4657, pp. 83–93. Springer, Heidelberg (2007). doi:10.1007/978-3-540-74409-2_11
  12. Turetken, O., Elgammal, A., van den Heuvel, W.-J., Papazoglou, M.P.: Capturing compliance requirements: a pattern-based approach. IEEE Softw. 29, 28–36 (2012)
  13. Schultz, M., Radloff, M.: Modeling concepts for internal controls in business processes – an empirically grounded extension of BPMN. In: Sadiq, S., Soffer, P., Völzer, H. (eds.) BPM 2014. LNCS, vol. 8659, pp. 184–199. Springer, Cham (2014). doi:10.1007/978-3-319-10172-9_12
  14. Kittel, K., Sackmann, S., Göser, K.: Flexibility and compliance in workflow systems: the KitCom prototype. In: CAiSE Forum - 25th International Conference on Advanced Information Systems Engineering, pp. 154–160 (2013)
  15. Sackmann, S., Kittel, K.: Flexible workflows and compliance: a solvable contradiction?! In: vom Brocke, J., Schmiedel, T. (eds.) BPM - Driving Innovation in a Digital World. MP, pp. 247–258. Springer, Cham (2015). doi:10.1007/978-3-319-14430-6_16
  16. Kharbili, M., Medeiros, A., Stein, S., van der Aalst, W.M.P.: Business process compliance checking: current state and future challenges. In: MobIS (2008)
  17. van der Aalst, W., van Hee, K., van der Werf, J.M., Kumar, A., Verdonk, M.: Conceptual model for online auditing. Decis. Supp. Syst. 50, 636–647 (2011)
  18. Schonenberg, M.H., Mans, R.S., Russell, N., Mulyar, N., van der Aalst, W.M.P.: Towards a taxonomy of process flexibility (extended version). BPM reports (2007)
  19. Gehrke, N.: The ERP auditlab: a prototypical framework for evaluating enterprise resource planning system assurance. In: 43rd Hawaii International Conference on System Sciences (HICSS) (2010)
  20. IT Governance Institute (ITGI): COBIT 4.1. Framework, Control Objectives, Management Guidelines, Maturity Models. Rolling Meadows (2007)
  21. Riesner, M., Pernul, G.: Supporting compliance through enhancing internal control systems by conceptual business process security modeling. In: ACIS 2010 Proceedings (2010)
  22. Seyffarth, T., Kühnel, S., Sackmann, S.: ConFlex: an ontology-based approach for the flexible integration of controls into business processes. In: Multikonferenz Wirtschaftsinformatik (MKWI) 2016, pp. 1341–1352 (2016)
  23. Kühnel, S.: Toward a conceptual model for cost-effective business process compliance. In: Proceedings of the Informatik 2017. Lecture Notes in Informatics (LNI) (2017)
  24. Panko, R.R.: Spreadsheets and Sarbanes-Oxley. Regulations, Risks, and Control Frameworks. Communications of the Association for Information Systems (2006)
  25. Nickerson, R.C., Varshney, U., Muntermann, J.: A method for taxonomy development and its product service in information systems. Eur. J. Inf. Syst. 22, 336–359 (2013)
  26. vom Brocke, J., Simons, A., Niehaves, B., Riemer, K., Plattfaut, R., Cleven, A.: Reconstructing the giant: on the importance of rigour in documenting the literature search process. In: 17th European Conference on Information Systems, pp. 2206–2217 (2009)
  27. Webster, J., Watson, R.T.: Analyzing the past to prepare for the future: writing a literature review. MIS Q. 26, 12–24 (2002)
  28. Gregor, S.: The nature of theory in information systems. MIS Q. 30, 611–642 (2006)
  29. Institut der Wirtschaftsprüfer in Deutschland e.V. [Institute of Public Auditors in Germany, Incorporated Association] (IDW) (ed.): Principles of Proper Accounting When Using Information Technology. IDW AcP FAIT 1 (2002)
  30. Institut der Wirtschaftsprüfer in Deutschland e.V. [Institute of Public Auditors in Germany, Incorporated Association] (IDW) (ed.): The Audit of Financial Statements in an Information Technology Environment. IDW AuS 330 (2002)
  31. Tilburg University (ed.): COMPAS. Compliance-driven Models, Languages, and Architectures for Services. http://cordis.europa.eu/docs/projects/cnect/5/215175/080/deliverables/D2-1-State-of-the-art-for-compliance-languages.pdf
  32. German Federal Ministry of Justice and Consumer Protection: Federal Data Protection Act (2009)
  33. Silic, M., Back, A., Silic, D.: Taxonomy of technological risks of open source software in the enterprise adoption context. Inf. Comput. Secur. 23, 570–583 (2015)
  34. Hevner, A.R., March, S.T., Park, J., Ram, S.: Design science in information systems research. MIS Q. 28, 75–105 (2004)
  35. Mwilu, O.S., Prat, N., Comyn-Wattiau, I.: Taxonomy development for complex emerging technologies. The case of business intelligence and analytics on the cloud. In: 19th Pacific Asia Conference on Information Systems (PACIS 2015), pp. 1–16 (2015)
  36. Glaser, F., Bezzenberger, L.: Beyond cryptocurrencies: a taxonomy of decentralized consensus systems. In: Proceedings of the ECIS (2015)
  37. Namiri, K., Stojanovic, N.: Pattern-based design and validation of business process compliance. In: Meersman, R., Tari, Z. (eds.) OTM 2007. LNCS, vol. 4803, pp. 59–76. Springer, Heidelberg (2007). doi:10.1007/978-3-540-76848-7_6
  38. ISACA (ed.): COBIT 5: A Business Framework for the Governance and Management of Enterprise IT. ISACA, Rolling Meadows (2012)
  39. The Institute of Internal Auditors (IIA): Sarbanes-Oxley Section 404. A Guide for Management by Internal Controls Practitioners (2008)
  40. The Institute of Internal Auditors (IIA): Global Technology Audit Guide (GTAG) 1. Information Technology Risk and Controls (2012)
  41. The International Federation of Accountants (IFAC): ISA 315. Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment (2009)
  42. Public Company Accounting Oversight Board (PCAOB): Auditing Standard No. 5. An Audit of Internal Control Over Financial Reporting That is Integrated with an Audit of Financial Statements (2007)
  43. Weigand, H., van den Heuvel, W.-J., Hiel, M.: Business policy compliance in service-oriented systems. Inf. Syst. 36, 791–807 (2011)
  44. Ramezani, E., Fahland, D., van der Aalst, W.M.P.: Where did I misbehave? Diagnostic information in compliance checking. In: Barros, A., Gal, A., Kindler, E. (eds.) BPM 2012. LNCS, vol. 7481, pp. 262–278. Springer, Heidelberg (2012). doi:10.1007/978-3-642-32885-5_21
  45. Schäfer, T., Fettke, P., Loos, P.: Control patterns: bridging the gap between IS controls and BPM. In: Proceedings of the 21st European Conference on Information Systems (ECIS), pp. 88–100 (2013)
  46. Bellino, C., Wells, J., Hunt, S.: Auditing Application Controls. IIA, Altamonte Springs (2007)
  47. German Federal Financial Supervisory Authority: Banking Act of the Federal Republic of Germany (Kreditwesengesetz, KWG). KWG (2016)
  48. Pries-Heje, J., Baskerville, R., Venable, J.R.: Strategies for design science research evaluation. In: ECIS 2008 Proceedings (2008)
  49. Sonnenberg, C., vom Brocke, J.: Evaluations in the science of the artificial – reconsidering the build-evaluate pattern in design science research. In: Peffers, K., Rothenberger, M., Kuechler, B. (eds.) DESRIST 2012. LNCS, vol. 7286, pp. 381–397. Springer, Heidelberg (2012). doi:10.1007/978-3-642-29863-9_28
  50. Tremblay, M.C., Hevner, A.R., Berndt, D.J.: Focus groups for artifact refinement and evaluation in design research. Communications of the Association for Information Systems 26 (2010)
  51. Namiri, K.: Model-Driven Management of Internal Controls for Business Process Compliance. Karlsruhe (2008)
  52. OMG (ed.): Business Process Model and Notation (BPMN). http://www.omg.org/spec/BPMN/2.0/PDF/

Author information

Corresponding author: Tobias Seyffarth.


Copyright information

© 2017 Springer International Publishing AG


Cite this paper

Seyffarth, T., Kühnel, S., Sackmann, S. (2017). A Taxonomy of Compliance Processes for Business Process Compliance. In: Carmona, J., Engels, G., Kumar, A. (eds) Business Process Management Forum. BPM 2017. Lecture Notes in Business Information Processing, vol 297. Springer, Cham. https://doi.org/10.1007/978-3-319-65015-9_5
