
Compliance Requirements for Business-process driven SOAs


1 Compliance Requirements for Business-process driven SOAs
Mike P. Papazoglou Tilburg Research Institute on Services Science Tilburg University, The Netherlands

2 OUTLINE
OVERVIEW – SERVICES & COMPLIANCE
COMPLIANCE FRAMEWORKS
COMPLIANCE & BPM-DRIVEN SOAs
RESEARCH TOPICS
Michael P. Papazoglou © “WCC” Milano Sept. 7, 2008

3 WHAT IS COMPLIANCE?
Compliance means conforming to explicitly stated rules or regulations that prescribe some aspect of an internal or cross-organizational business process. Different types of compliance requirements include:
Policies internal to an organization (business rules)
- Functional or non-functional, e.g., QoS and security policies.
- Mutually acceptable agreements, e.g., SLAs that drive a business transaction.
Policies external to an organization
- Public policy (e.g., privacy/data protection, consumer protection, ...)
- Laws & regulations (universally applicable)
- Sectoral regulations, e.g., transportation & delivery.

4 SOA & COMPLIANCE
IT managers & internal auditors need to work together to examine SOA compliance & security vulnerabilities & explore cost-effective approaches to risk mitigation before implementing an SOA.
Internal controls must be enforced by SOAs, but controls designed for a conventional setting do not carry over unchanged: e.g., segregating duties by assigning user roles to individuals may not work well within an SOA, where a composite service invokes several operations on one person's behalf and the role check at each operation sees only the calling service.
SOAs need to be designed with compliance requirements in mind.

5 CURRENT SITUATION WITH COMPLIANCE
Current compliance solutions for rules and regulations are ad hoc and typically hand-crafted for particular compliance problems. They are:
- hard to maintain
- hard to evolve (multiple systems with ill-defined dependencies)
- hard to reuse (custom-made, narrow solutions)
- hard to understand (they address several requirements in a tangled manner)
- hard to formally verify

6 REGULATORY COMPLIANCE
Compliance regulations, such as HIPAA, Basel II, Sarbanes-Oxley (SOX) and others, require the organizations they cover to review their business processes and ensure that they meet the compliance standards set forth in the legislation. This can include: data acquisition and archival, document management, data security, financial accounting practices, shareholder reporting functions, and the ability to know when unusual activities occur.

7 INTERNAL CONTROL: DEFINITION
Internal control is the cornerstone of auditing: it assures business process compliance, delivering guarantees regarding virtually all accounting aspects of services, including risk management, financial checks & governance processes. It is the most important & fundamental concept for an internal auditor.
It is designed to provide reasonable assurance regarding the achievement of objectives in:
- Financial reporting reliability
- Operating efficiency and effectiveness
- Compliance with applicable laws and standards

8 INTERNAL CONTROL: EXAMPLE (SOX)
Implementing a compliance regulation act, e.g., SOX section 404, which mandates that well-defined & documented processes & controls be in place for all aspects of company operations that affect financial information & reports, requires:
- controlling and auditing who accesses financial information,
- controlling and auditing what financial information is accessed, and
- ensuring financial information is not compromised during transmission.
A strategy for automating the integration of diverse business processes & their accompanying internal control systems throughout the enterprise is therefore needed.
SOX financial reporting puts into place requirements and penalties to ensure that companies' financial statements accurately represent their business position.

9 CONTROL ACTIVITIES
The policies and procedures that ensure that management directives are carried out. Control activities occur throughout the organization, at all levels and in all functions.
They ensure that the necessary actions are taken to address risks to the achievement of company objectives.
They include a range of diverse activities such as: approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.
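Slides 4, 8 and 9 together describe what an SOA has to enforce at the point where a service is invoked: authorization, segregation of duties, and an audit trail of who did what to which financial resource. The following is an added example, written for this page and not code from the presentation or from any product it mentions, of a policy enforcement point that a BPM engine or service bus could consult before dispatching each call. It checks segregation of duties against the history of the process instance rather than against static role assignment, which is the reason slide 4 gives for per-user role checks failing in an SOA. The role names, activity names, conflict pairs and the sample process instance are all assumptions invented for the illustration.

```python
"""Added example (not from the slides): a policy enforcement point that a BPM
engine or ESB could call before dispatching a service invocation.

It enforces three of the control activities listed on the slides in one place:
- authorization: the caller's role must be allowed to perform the activity;
- segregation of duties: within one process instance, conflicting activities
  must be performed by different principals, checked against the instance
  history (a composite service may call several operations for one person);
- audit trail: every decision, allowed or denied, is recorded with who did
  what to which resource, which is what a SOX 404 style review asks for.

All role names, activities, conflict pairs and the sample process instance
are assumptions made up for this illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical role-to-activity authorization matrix (assumed, not from the slides).
AUTHORIZED = {
    "clerk": {"create_invoice", "submit_payment"},
    "controller": {"approve_payment", "view_ledger"},
    "auditor": {"view_ledger"},
}

# Activity pairs that must not be performed by the same principal within one
# process instance (segregation of duties). Assumed for the example.
SOD_CONFLICTS = {
    frozenset({"create_invoice", "approve_payment"}),
    frozenset({"submit_payment", "approve_payment"}),
}


@dataclass
class ProcessInstance:
    instance_id: str
    history: dict = field(default_factory=dict)  # activity -> principal who performed it


@dataclass
class AuditRecord:
    timestamp: str
    instance_id: str
    principal: str
    role: str
    activity: str
    resource: str
    decision: str
    reason: str


class PolicyEnforcementPoint:
    def __init__(self):
        self.audit_log: list[AuditRecord] = []

    def _record(self, inst, principal, role, activity, resource, decision, reason):
        rec = AuditRecord(datetime.now(timezone.utc).isoformat(), inst.instance_id,
                          principal, role, activity, resource, decision, reason)
        self.audit_log.append(rec)
        return rec

    def invoke(self, inst: ProcessInstance, principal: str, role: str,
               activity: str, resource: str) -> AuditRecord:
        """Decide whether `principal` (acting in `role`) may perform `activity`
        on `resource` within this process instance; record the decision either way."""
        # 1. Static authorization: is the role allowed to perform this activity at all?
        if activity not in AUTHORIZED.get(role, set()):
            return self._record(inst, principal, role, activity, resource,
                                "DENY", f"role {role!r} not authorized for {activity!r}")
        # 2. Dynamic segregation of duties: compare with what this principal already
        #    did in the same instance, regardless of which role they hold now.
        for done_activity, done_by in inst.history.items():
            if done_by == principal and frozenset({done_activity, activity}) in SOD_CONFLICTS:
                return self._record(inst, principal, role, activity, resource, "DENY",
                                    f"SoD conflict: {principal!r} already performed {done_activity!r}")
        # 3. Allowed: commit to the instance history so later calls see it.
        inst.history[activity] = principal
        return self._record(inst, principal, role, activity, resource, "ALLOW", "ok")


def run_sample() -> list:
    """Constructed scenario: alice creates an invoice, then tries to approve the
    payment herself using a second role she holds (must be denied), then bob the
    controller approves it, then mallory (a clerk) tries to read the ledger."""
    pep = PolicyEnforcementPoint()
    inst = ProcessInstance("PI-1001")
    pep.invoke(inst, "alice", "clerk", "create_invoice", "INV-42")
    pep.invoke(inst, "alice", "controller", "approve_payment", "INV-42")
    pep.invoke(inst, "bob", "controller", "approve_payment", "INV-42")
    pep.invoke(inst, "mallory", "clerk", "view_ledger", "GL-2008")
    return pep.audit_log


if __name__ == "__main__":
    for rec in run_sample():
        print(f"{rec.instance_id} {rec.principal:8} {rec.activity:16} {rec.decision:5} {rec.reason}")
```

The point of step 2 is that alice is denied even though the "controller" role she presents is authorized for approve_payment: the conflict is with what she already did in this process instance, which a per-operation role check cannot see. The audit log captures the denied attempts as well as the allowed ones, so the "who accessed what" questions of slide 8 can be answered from it.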

10 OUTLINE (section divider; same outline as slide 2)

11 COMPLIANCE METHODOLOGIES
Good methodologies & guidelines already exist to help audit processes:
- COSO: framework for establishing internal controls over financial reporting.
- COBIT (Control Objectives for Information and Related Technology): provides security & control practices & a reference framework for management, users, and IS audit, control & security practitioners.
- Maturity Models: determine the current status of the organization's processes and how they should evolve. They provide both the goals to strive for and the means of measuring attainment of those goals.

12 THE COSO FRAMEWORK
COSO is a widely adopted internal control framework providing guidance on organizational governance, business ethics, internal control, enterprise risk management, fraud, & financial reporting. It is the leading framework for applying SOX. Its five components:
Control Environment
- Sets the tone of the organization, influencing the control consciousness of its people
- Factors include integrity, ethical values, competence, authority, responsibility, organization structure, HR policies and the IT control environment
- Foundation for all other components of control
Risk Assessment
- Identification and analysis of relevant risks to achieving the entity's objectives; forms the basis for determining control activities
Control Activities
- Policies/procedures that ensure management directives are carried out
- Range of activities including approvals, authorizations, verifications, reconciliations, performance reviews, asset security and segregation of duties
Information & Communication
- Pertinent information identified, captured and communicated in a timely manner
- Access to internally and externally generated information
- Flow of information that allows for successful control actions, from instructions on responsibilities to summaries of findings for management action
Monitoring
- Assessment of a control system's performance over time
- Combination of ongoing and separate evaluations
- Management and supervisory activities
- Internal audit activities

COSO is a standard produced by the Committee of Sponsoring Organizations of the Treadway Commission. The Public Company Accounting Oversight Board created under SOX recognizes it as a suitable framework for internal control over financial reporting; it is a general internal control framework, not an ICT-specific one (that is COBIT's domain). Concretely, the framework defines internal control as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives. To this end it identifies control environment, risk assessment, control activities, information and communication, and monitoring as its key components. Control activities are of relevance here as they constitute the policies and procedures that help ensure that all necessary actions are taken to address risks. Although COSO does not define how to model such activities, it does identify several of them, including authorizations, data verifications, reviews of operating performance, security of assets and segregation of duties.

13 OUTLINE (section divider; same outline as slide 2)

14 LOOKING AT MATURITY MODELS
Lean Six Sigma for services is a business process improvement methodology that improves process quality & consistency & enables the reduction of the cost of complexity. DMAIC is its process improvement approach:
1. DEFINE (identify core processes & sub-processes)
2. MEASURE (determine KPIs for processes)
3. ANALYZE (find KPI process gaps)
4. IMPROVE (improve processes)
5. CONTROL (integrate activities)
Annotations along the DMAIC arc in the slide diagram: Create Possibility for Change; Engage & Enable the entire Organization; Create ROI; Sustain the Change; Make it Stick: Implement & Sustain Process Transformation.

15 OUTLINE (section divider; same outline as slide 2)

16 COMPLIANCE & BPM-DRIVEN SOAS
Diagram labels (BPM lifecycle): Process Modeling, Simulation and Documentation; Process Analyst; Process Development and Systems Integration; Business Analysts; Process and Monitoring Repository; BPM-middleware; Business Use Cases; Business-domain overview; Business process interaction patterns; Requirements; Process Model; interactive, real-time dashboards; proactive alerts & monitoring screen; Process Workspace; Process Participants; Business Management; Process Management & Business Activity Monitoring; Historical & Trend Analysis Tools; Enterprise Information Systems (CRM, SCM, ERP).

As with every IT project, the systems analysts interview the business owners to understand the use cases, requirements, etc. A business process model is used to gain understanding and agreement not just between the business owners and systems analysts, but even between individuals in the business owners' group (we would all be surprised how often there is real disagreement about how our processes actually work). That process model (along with the documentation embedded directly within it) becomes the contract between the business and IT. Once the systems analysts complete the model and the future test cases, they share the model with the development team, who complete the detailed work of connecting the model to the systems and human interfaces required to complete the process application. As the diagram indicates, this is very often an iterative process that serves to further solidify that contract between the business and IT. Once the developers are finished, the completed process application is deployed in the BPM system for execution. The BPM system manages the interaction of humans and systems in the process and stores every event in its state repository. Since this repository contains process and business data, it provides management interfaces and dashboards to the business owners. These are real-time displays showing status at any level of the process.
For example, one executive may be viewing a balanced scorecard while a business operations expert may have a dashboard depicting adherence to service level agreements. This data provides the final link in the lifecycle chain that allows the business to further refine and improve the process. This is an iterative lifecycle that fosters and enables continuous process improvement.
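The slide's event repository, which records every human and system step of every process instance, is also what makes compliance monitoring and continuous auditing (two of the research topics on slide 18) possible: the stored trace can be replayed against explicit control rules and the violating instances surfaced on the same dashboards. The following is an added example, not code from the presentation or from any BPM product, of that detective side: two rule types that a practitioner routinely needs, a precedence rule (a control step such as a credit check must have happened before a sensitive step such as shipment) and a deadline rule (an approval must follow a submission within an SLA). The event format, activity names, rules and the sample log are all constructed for the illustration.

```python
"""Added example (not from the slides): detective compliance checks run over the
event log that a BPM system keeps for every process instance.

A preventive control refuses a non-compliant call at invocation time; this is
the monitoring side, which replays stored events and reports the instances that
violated a rule, the data a compliance dashboard or an auditor's review would
consume. Event fields, activity names, rules and the sample log are constructed
for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event log in the shape a BPM state repository might export:
# (process instance id, ISO timestamp, activity, actor).
SAMPLE_EVENTS = [
    ("PI-1", "2008-09-01T09:00:00", "receive_order",   "svc-order"),
    ("PI-1", "2008-09-01T09:05:00", "credit_check",    "svc-credit"),
    ("PI-1", "2008-09-01T10:00:00", "submit_payment",  "alice"),
    ("PI-1", "2008-09-01T11:30:00", "approve_payment", "bob"),
    ("PI-1", "2008-09-01T12:00:00", "ship_order",      "svc-shipping"),
    ("PI-2", "2008-09-02T09:00:00", "receive_order",   "svc-order"),
    ("PI-2", "2008-09-02T09:10:00", "ship_order",      "svc-shipping"),   # shipped with no credit check
    ("PI-3", "2008-09-03T09:00:00", "receive_order",   "svc-order"),
    ("PI-3", "2008-09-03T09:05:00", "credit_check",    "svc-credit"),
    ("PI-3", "2008-09-03T10:00:00", "submit_payment",  "carol"),
    ("PI-3", "2008-09-05T10:00:00", "approve_payment", "bob"),            # approved 48h later
    ("PI-3", "2008-09-05T11:00:00", "ship_order",      "svc-shipping"),
]


def group_by_instance(events):
    """Group events per process instance and order each trace by timestamp,
    so rules can be evaluated on a per-instance sequence."""
    traces = defaultdict(list)
    for inst, ts, activity, actor in events:
        traces[inst].append((datetime.fromisoformat(ts), activity, actor))
    for trace in traces.values():
        trace.sort(key=lambda e: e[0])
    return traces


def rule_precedence(trace, guarded, required):
    """Control step `required` must occur before every occurrence of `guarded`.
    Returns a violation message or None."""
    seen_required = False
    for _, activity, _ in trace:
        if activity == required:
            seen_required = True
        elif activity == guarded and not seen_required:
            return f"{guarded} without prior {required}"
    return None


def rule_deadline(trace, start, end, max_delay: timedelta):
    """`end` must follow `start` within `max_delay` (an SLA-style control).
    Returns a violation message or None."""
    started = None
    for ts, activity, _ in trace:
        if activity == start:
            started = ts
        elif activity == end and started is not None:
            if ts - started > max_delay:
                return f"{end} {ts - started} after {start}, limit {max_delay}"
            started = None
    return None


def audit(events) -> dict:
    """Run all rules over the log; return {instance_id: [violation, ...]} for
    the instances that violated at least one rule."""
    rules = [
        lambda t: rule_precedence(t, guarded="ship_order", required="credit_check"),
        lambda t: rule_deadline(t, "submit_payment", "approve_payment", timedelta(hours=24)),
    ]
    violations = {}
    for inst, trace in group_by_instance(events).items():
        found = [msg for rule in rules if (msg := rule(trace))]
        if found:
            violations[inst] = found
    return violations


if __name__ == "__main__":
    for inst, msgs in sorted(audit(SAMPLE_EVENTS).items()):
        for msg in msgs:
            print(f"{inst}: {msg}")
```

Each rule is a function over one ordered trace, so adding a control means adding one function, not rewriting the checker; that is the "reusable, understandable, verifiable" property slide 5 says hand-crafted compliance code lacks. Run over the constructed log, PI-1 is clean, PI-2 is flagged for shipping without a credit check and PI-3 for an approval outside the 24-hour limit.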

17 OUTLINE (section divider; same outline as slide 2)

18 SOME INTERESTING RESEARCH TOPICS
- Continuous Auditing
- Business-process driven SOAs
- Dealing with the Effects of Business Process Changes
- High-level Languages for expressing Compliance-based Requests
- Compliance-aware service composition and reuse patterns
- Compliance-aware behaviour specification and checking (reliability & fault tolerance)
- Compliance-aware service monitoring

