Managing  Business  Process  Compliance  Requirements   Oktay  Turetken1,  Amal  Elgammal1,  Michael  P.  Papazoglou1,  Willem-­‐Jan  van  den  Heuvel1   1European  Research  Institute  in  Service  Science,  Tilburg  University,    

Warandelaan  2  K731  5000LE,  Tilburg,  The  Netherlands  

 

Abstract:     Ensuring   compliance   to   laws,   regulations,   and   standards   in   a   constantly   changing   business   and   compliance   environment   is   one   of   the   major   challenges   the   companies   are   facing   today.   Organizations   have   increasing   need   for   systematic   approaches   to   manage   compliance   throughout   the   business   process   lifecycle.   In   this   paper,   we   present   an   integrated   framework   to   capture   and   manage  business  process  compliance  requirements.  We  explain  the  key  elements  of  compliance  and   introduce   a   set   of   patterns   that   assist   the   definition   of   frequently   recurring   compliance   requirements  constraining  business  processes.  This  approach  enables  the  application  of  tools  and   methods  for  automated  compliance  verification  and  monitoring  of  business  processes.  

Keywords:   Business   Process   Compliance,   Compliance   Requirement,   Internal   Control,   Control   Pattern    

 

PRINTED VERSION at: Turetken, O., Elgammal, A., van den Heuvel, W-J., Papazoglou, M. (2012). “Capturing Compliance Requirements: A Pattern-Based Approach”. IEEE Software,

May/June 2012, pp. 29-36. http://dx.doi.org/10.1109/MS.2012.45  

  v1  –PrePrint  Draft  

1  

 

1

Introduction  

In   today’s   technology-­‐centric   environment,   the   ability   to   manage   compliance   to   regulations,   laws,   and   other   imperatives   has   become   a   critical   requirement   for   business   success.   Almost   every   aspect   of  running  a  business  is  governed  with  directives  that  enforce  organizations  to  provide  assurance   to   regulators,   stakeholders,   customers,   and   business   partners   that   they   have   done   their   due   diligence  in  establishing  compliance  to  stated  requirements.    This  necessitates  an  integrated  set  of   policies,   processes,   and   IT   systems   that   are   governed   through   internal   controls.   Internal   controls   are   actions   that   contribute   to   the   achievement   of   the   organization's   objectives   regarding:   (i)   the   effectiveness  and  efficiency  of  operations,  (ii)  the  reliability  of  internal  and  external  reporting,  and   (iii)  compliance  with  applicable  laws,  regulations  and  internal  policies  [1].  Internal  control  becomes   a   highly   pertinent   business   issue   particularly   after   a   series   of   large   corporate   scandals   in   early   2000s.  As  a  response  to  these  failures,  governments,  regulators,  and  standard  setting  groups  issued   various   laws   and   regulations,   such   as   Sarbanes–Oxley   Act   (SOX)   [2],   EU   Directive   2008/30/EC   (Euro-­‐SOX)   [3],   and   Basel   III   [4].   These   directives   assume   continuously   monitored   and   improved   internal   controls   in   place   to   provide   reasonable   assurance   to   the   achievement   of   objectives   including  those  concerning  compliance.     Many  companies  have  taken  steps  to  integrate  internal  controls  with  their  business  processes  and   enterprise  application  systems  to  address  specific  regulations.  However,  in  most  cases  these  efforts   led  to  tailored  and  isolated  solutions  that  involve  hard-­‐coded  requirements  across  multiple  systems.   This   scattered   structure   poses   threats   to   the   integrity   and   consistency   of   requirements   [5].   It   impedes  the   ability   to  adapt   constantly   changing  business   environment.   Contemporary   approaches   to   managing   internal   controls   in   business   processes   are   rather   fragmented   and   lead   to   reactive   –   rather   than   proactive   –   risk   prevention.   Existing   tools   (such   as   Oracle   GRC   Accelerators   and   SAP   BusinessObjects   GRC)   are   mainly   offering   solutions   for   monolithic   applications   (such   as   ERP   systems)  that  pose  difficulties  for  SOA  environments.     Compliance  specifications  and  business  process  (BP)  specifications  should  be  decoupled  as  they  are   typically   formulated   by   different   stakeholders   and   have   different   lifecycles  [6].   Decoupling   involves   defining   and   managing   compliance   information   as   a   separate   entity   -­‐starting   from   abstract  

v1  –PrePrint  Draft  

2  

  constraints   and   their   sources   to   concrete   and   organization   specific   rules   and   requires   them   to   be   linked   to   relevant   process   specifications   and   applications   to   enable   round-­‐trip   traceability.   Conceptual   separation   of   compliance   information   and   storing   in   a   centralized   location   helps   managing   and   independently   evolving   compliance   requirements.   Like   business   processes,   these   requirements  also  constantly  change.  A  centralized  compliance  repository  can  assist  in  analyzing  the   impact  of  such  changes  by  maintaining  backward  traceability  to  compliance  sources  and  forward  to   the   rules   and   applications   that   implement   and   enforce   them.   It   helps   avoiding   duplicate   implementation  and  handling  of  compliance  information  in  different  applications,  thereby  reducing   maintenance  costs  [7].       Establishing   a   repository   requires   a   uniform   conceptual   basis   to   accurately   capture   compliance   information.  This  information  comprises  not  only  abstract  concepts  (such  as  compliance  objectives),   but   also   concrete   rules   that   are   expressed   using   formal   languages.     Formal   specification   of   compliance   rules   paves   the   way   for   the   automated   and   lifetime   assurance   of   business   process-­‐ based   systems.   Partially   or   fully   automating   manual   business   process   inspections   and   audits   would   significantly  reduce  the  risk  of  violations,  resulting  in  reductions  on  the  overall  cost  of  compliance.   However,   the   complexity   of   the   formalisms   and   concerns   regarding   their   usability   remain   as   significant   obstacles   for   their   widely   adoption   in   practice.   We   consider   using   patterns   as   a   viable   approach  to  shield  their  complexity  off  from  business  and  compliance  experts  and  to  facilitate  the   formal  specification  of  these  rules  in  the  abstract.     To   address   these   problems,   first,   we   propose   a   set   of   compliance   management   activities   that   integrates   with   the   BP   lifecycle.   These   activities   guide   organizations   to   identify   and   refine   compliance   requirements   and   to   apply   them   in   verifying   and   monitoring   process   compliance   throughout  the  BP  lifecycle  phases.  Second,  aligned  with  these  practices,  we  developed  a  conceptual   model  for  a  centralized  compliance  repository  to  capture  compliance  elements  and  cross  correlate   them   with   process   specifications.   This   model   also   incorporates   a   set   of   compliance   patterns   for   defining   frequently   recurring   compliance   requirements.   Patterns   help   in   generating   formal   rules   to   enable   the   application   of   automated   tools   for   compliance   verification   and   monitoring.   To   investigate  the  applicability  of  our  solutions,  we  have  developed  a  set  of  integrated  software  tools  

v1  –PrePrint  Draft  

3  

  and  employed  them  in  two  case  studies  that  deal  with  real-­‐life  business  processes  of  companies  in   two  different  industry  sectors.    

2

Business  Process  Compliance  Management  Framework    

A   compliance   approach   should   embrace   a   preventive   focus   that   considers   compliance   from   the   very   early   stages   of   business   process   design   [6].   We   followed   a   holistic   approach   for   managing   compliance  throughout  the  BP  lifecycle  phases.  Figure  1a  provides  insight  into  an  operational  view   of   the   business   process   compliance   management   framework   that   we   developed.   The   compliance   management   activities   are   based   on   the   COSO   Framework   [8],   which   is   accepted   as   the   reference   standard   for   establishing   and   assessing   internal   control   systems   in   organizations   [9].   Figure   1b   shows   the   key   concepts  and   their   relationships  that   emerge   from   these   activities   and   constitute   the   building  blocks  of  the  compliance  repository.  Figure  1c  exemplifies  these  concepts.     Objective  Setting  and  Boundary  Identification:   This  is  the  initial  step  to  the  understanding  and  establishment  of  the  (compliance)  objectives   and   the  boundaries  of  acceptable  conduct.  The  boundaries  include  both  mandatory  directives,  such  as   laws   and   regulations   (e.g.,   SOX,   Basel   III),   and   voluntary   sources,   such   as   industry   best   practices,   standards   (e.g.,   ISO   9000,   ISO/IEC   27000   series),   internal   and   external   policies,   and   business   partner   contracts.   From   compliance   perspective,   key   concepts   in   this   phase   are   directives   (compliance   sources)   and   compliance   requirements.   To   govern   the   courses   of   actions   in   organizations,   directives   express   compliance   requirements   at   various   abstraction   levels.   A   compliance  requirement  is  a  constraint  or  assertion  that  prescribes  a  desired  result  or  purpose  to  be   achieved   by   factoring   actions   or   control   procedures   in   processes   [10].   A   requirement   can   be   prescribed   in   the   form   of   abstract   constraints   or   control   objectives   such   as   the   ones   specified   by   COBIT  framework  [11].     Business  Process  Analysis  &  Design:     BP   lifecycle   starts   with   the   analysis   of   existing   process   and   the   design   of   ‘to-­‐be’   processes   taking   into   account   various   factors,   such   as   business   objectives,   architectural   frameworks,   industry   best   practices,   and   compliance   requirements   [12].   The   processes   can   be   modeled   using   a   process  

v1  –PrePrint  Draft  

4  

  definition   notation,   such   as   BPMN,   followed   by   the   construction   of   detailed-­‐level   executable   business  process  and  service  specifications  using,  for  instance,  languages  such  as  WS-­‐BPEL  or  XPDL.   Our  framework  assumes  a  generic  model  for  business  processes.  It  considers  processes  designed  as   a   collection   of   process   elements   that   contain   key   concepts,   such   as   activities,   events,   business   objects,  roles  and  organizational  units.     Risk  Assessment  &  Response:     A   risk-­‐based   approach   is   fundamentally   necessary   in   understanding   the   inherent   uncertainty   involved  in  pursuing  organizational  objectives.  Taking  into  consideration  the  compliance  objectives   and  the  current  design  of  business   processes,  it  is  essential  to  identify,  assess  and  prioritize  the  key   events  that  can  compromise  business  process  compliance.  The  likelihood  and  the  impact  of  risks  are   analyzed,   which   together   designate   how   important   a   particular   compliance   requirement   is   to   the   organization.  Response  actions  to  deal  with  non-­‐compliance  are  planned  as  contingencies.     Control  Definition  and  Implementation:     Controls  are  key  to  decrease  the  likelihood  of  a  (compliance)  risk  to  materialize.  They  mitigate  risks   to   provide   reasonable   assurance   to   the   fulfillment   of   compliance   requirements.   At   this   stage,   compliance  experts  (internal  auditors)  may  work  together  with  legal  experts  and  business  process   domain   experts,   as   analyzing   risks   over   processes   and   defining   necessary   controls   require   not   only   compliance  but  also  business  domain  knowledge.     Controls   can   be   grouped   into   various   categories.     One   such   categorization   distinguishes   between   preventive   and   detective   controls.   Preventive   controls   help   to   keep   violations   from   occurring.   Examples   include   authorizations,   segregation   of   duties,   and   prior   supervisory   approval.   Detective   controls,   on   the   other   hand,   often   produce   information   regarding   an   occurred   violation   to   help   understand  its  causes.  Examples  are  management  reviews,  exception  reports,  and  reconciliations.     Regarding  the  point  of  application,  controls  are  also  categorized  as  process,  technical,  and  physical   [13]   Process   controls   apply   policies   and   practices   over   business   processes.   Authorizations,   approvals,   inspections,   segregation   of   duties   are   examples   of   such   controls.   Technical   controls   involve   the   use   of   devices   or   systems   mainly   for   authentication,   encryption,   identification   or   security  purposes.  Physical  controls  are  instituted  mainly  to  guard  critical  assets.     v1  –PrePrint  Draft  

5  

  Business   processes   are   typically   subject   to   both   preventive   and   detective   process   controls.   Automated   assurance   of   these   controls   is   at   utmost   important,   as   manual   controls   are   usually   expensive  to  design  and  test  in  the  long  run  [14].  A  viable  approach  is  to  formally  define  rules  for   process   controls   to   enable   automated   verification   and   monitoring   of   business   processes   that   are   implemented  in  enterprise  systems.  Formalizations  should  be  applied  only  for  those  controls  that   can   be   checked   effectively   through   automated   verification   activities.   A   control   rule   is   usually   specified  in  the  form  of  ‘if-­‐then’  statements  consisting  of  a  set  of  conditions  followed  by  one  or  more   conclusions.   Business   process   elements   and   their   attributes   are   the   building   blocks   of   the   conditions   and   conclusions   in   rules.   For   example,   a   control   for   checking   ‘customer   loan   requests   above  1  million  $  to  be  approved  by  supervisors’  can  be  formally  specified  using  Linear  Temporal   Logic  (LTL)  as:    “G(Loan.Amount>  1.000,000  $  →  F(ApproveLoan.Role(Supervisor))”   BPM Lifecycle & BP Compliance Management Activities

Key Elements exemplified for the "Loan Approval" Process

Key Elements of the Compliance Repository

c.source

Objective Setting & Boundary Identification

Compliance Source (Directive)

originate Compliance Requirement from

/Objective

compromise

Risk Assessment & Response

Define/ Implement Controls

compromise

Risk

implement,

Control Rule formalize refer/use

Preventive Design-time Compliance Verification

c.req/obj

Fraud/ misuse

fulfill

Control

have

Process Element

Process

have

have

"VerifyBankingPrivilege" & "Check rule CreditWorthiness" activities should be performed by different users. Formal Statement: G((VerifyBanking Privilege.User(User1)→ G(¬ (CheckCreditWorthiness.User(User1))

Preventive Runtime Compliance Monitoring

Business Process Monitoring & Optimization

Detective Offline Comp. Analysis & Monitoring

Process Element Instance

risk

Financial loss

risk

Loan granted with inadequate level of assurance

prevent,detect, mitigate implement, formalize

"VerifyBankingPrivilege" & "Check CreditWorthiness" activities should be assigned to different roles. Formal Statement: G(VerifyBanking Privilege.Role(Role1) → G(¬(Check CreditWorthiness.Role(Role1)))

control

Customer bank privilege verifications are segregated from credit worthiness checks Credit worthiness of customers requesting loans above 1M $ are checked by the Clerk Supervisor

refer/use have p.element

Business Process Execution

Duties should be adequately segregated

originates from

risk

prevent, detect, mitigate

Business Process Analysis & Design

COBIT PO4.11 ISO/IEC 27002 - Sec. 10.1.3

Process Instance

CheckCredit Worthiness

process

Loan Approval

VerifyBanking Privilege

  Figure  1.  

(a)  BP  Lifecycle  and  BP  Compliance  Management  Activities,  (b)  Key  Elements  of  the   Compliance  Repository,  (c)  Examples  for  the  key  elements    

v1  –PrePrint  Draft  

6  

  Preventive  Design-­‐time  Compliance  Verification   This   activity   is   key   to   ensure   that   business   processes   progressing   to   execution   are   ‘compliant   by   design’.   It   mainly   involves   the   static   verification   of   process   specifications   against   formal   control   rules.   The   rules   employed   at   this   stage   are   preventive   in   nature   and   involves   only   those   that   can   be   checked   during   design-­‐time   phase   of   the   BP   lifecycle.   Examples   include   rules   regarding   the   (control)  flow  of  processes,  such  as  activity  sequencing.     Business  Process  Execution:     Once   the   process   specifications   are   verified   against   compliance,   tested,   and   reach   a   steady   state,   they  are  deployed  and  executed.     Preventive  Runtime  Compliance  Monitoring   Compliance   verification   of   process   models   during   design-­‐time   is   not   always   possible,   as   some   rules   may   require   variable   instantiations   or   runtime   information   that   are   not   available   at   design-­‐time.   Like   design-­‐time   verification,   runtime   compliance   monitoring   is   preventive   aiming   to   detect   violations   before   they   occur.   Hence,   during   runtime   the   process   executions   are   often   suspended   preventing  violations  to  arise.     Business  Process  Monitoring  &  Optimization:     Process  executions  are  subsequently  monitored  for  their  performance  by  tracking  the  progress  of   individual  process   instances.   Inefficiencies   are   analyzed   and   improvement   actions   are   developed  to   achieve  increased  performance.     Detective  Offline  Compliance  Analysis  and  Monitoring   Following   a   detective   approach,   offline   compliance   analysis   and   monitoring   complements   prior   assurance   activities   (design-­‐time   and   runtime)   to   provide   a   lifetime   guarantee   for   business   processes.     This   activity   mainly   involves   the   analysis   of   process   execution   data   to   detect   possible   violations  and  trends.  Findings  are  presented  on  monitoring  dashboards  in  the  form  of  compliance   performance  indicators.  If  monitoring  indicates  deviations  from   (compliance)  objectives,  corrective   adjustments   of   process   definitions   might   be   necessary.     This,   in   turn,   brings   organization   back   to   the  initial  stages  of  process  analysis  &  design,  and  risk  assessment  &  response.    

v1  –PrePrint  Draft  

7  

  The   assurance   activities   (design-­‐time,   runtime   and   offline)   depicted   in   Figure   1a   employ   only   automated  verification  and  monitoring  practices  that  are  enabled  through  formal  specifications  of   rules.   However,   not   all   requirements   over   business   processes   can   be   formally   specified.   Manual   controls   that   involve   full   or   partial   human   intervention   might   be   necessary   for   these   cases.   For   instance,  checking  the  quality  of  a  particular  document  may  involve  a  manual  control.  

3

Process  Control  Patterns    

Formal   specification   of   rules   for   automated   compliance   assurance   offers   great   value   to   business   process   compliance.     However,   complexity   of   formal   languages   and   inherent   usability   problems   pose  significant  difficulties  for  end-­‐users.  We  developed  process  control  patterns  to  help  compliance   and   business   experts   to   specify   semi-­‐formal   representations   of   process   controls   and   to   generate   formal  rules  that  are  used  for  subsequent  compliance  verification  and  monitoring  activities.         Process   control   patterns   are   high-­‐level   domain-­‐specific   templates   used   to   represent   desired   properties   that   apply   to   process   specifications   [10].   For   instance,   the   expression   ‘Receive_Invoice   LeadsTo  Make_Payment’  uses  the  LeadsTo  pattern  to  express  a  control  that  requires  ‘Make_Payment’   to  follow  ‘Receive_Invoice’  activity.  Expressions  are  built  using  patterns  and  process  elements  (such   as  activities,  data  objects,  roles,  etc.),  their  attributes,  or  conditions  based  on  them.    To  address  the   specification  of  complex  controls,  expressions  can  be  combined  and  nested  via  Boolean  operators   (e.g.,  and,  or,  xor).     In   order   to   discover   patterns   for   recurring   types   of   controls,   we   analyzed   a   wide   range   of   regulations,  standards  and  frameworks,  and  worked  on  diverse  compliance  requirements  through   case   study   conducts.   We   also   investigated   works   (such   as   [15-­‐17])   on   the   specification   of   various   requirements  on  business  processes.     In  identifying  patterns,  we  focused  on  preventive  process  controls  that  can  be  applied  for  automated   design-­‐time   compliance   verification   and   runtime   monitoring.   The   patterns   that   we   defined   are   listed  in  Table  1.  We  distinguished  four  types  of  patterns:    

v1  –PrePrint  Draft  

8  

  •

Occurrence  patterns  address  rules  concerning  the  existence  of  process  elements.  For  example,     ‘Approve_Order  Exists’  expression  indicates  a  rule  mandating  ‘Approve_Order’  activity  to  occur   in  the  process  specification.    

•

Order  patterns  involve  rules  concerning  mainly  the  behavioral  aspect  of  process  specifications.    

•

Resource  patterns  address  authorizations,   assignments   and   segregation   of   duties   requirements.   For  example,  ‘Create_Order  SegregatedFrom  Approve_Order’  expression  specifies  a  segregation   of   duties   rule   to   indicate   that   these   activities   must   be   performed   by   different   roles   and   users   (actors).  

•

Time   patterns   are   used   with   Order   and   Occurrence   patterns   to   address   time-­‐related   requirements   over   processes.   For   example,   ‘‘Receive_Invoice   LeadsTo   Make_Payment   Within   5(days)’.    

Pattern   categories   are   also   grouped   into   basic   and   advanced   to   distinguish   patterns   that   are   commonly  used  and  those  that  are  less  frequent  and  typically  addressing  complex  controls.    

Advanced   Advanced  

Order  

Basic  

Occurrence  

Basic  

 

Pattern  *  

Description*  

P  Exists  

P  must  exist  in  the  process  specification  

P  Absent  

Process  specification  must  be  free  of  P  

P  Universal  

P  must  occur/be  valid  throughout  the  specification  

P  CoExists  Q  

If  P  is  present  then  Q  must  also  be  present  

P  CoAbsent  Q  

If  P  is  absent  then  Q  must  also  be  absent  

P  Exclusive  Q  

If  P  is  present  then  Q  must  be  absent  and  vice  versa.    

P  CoRequisite  Q  

Either  P  and  Q  must  be  present  together  or  absent  together  

P  MutexChoice  Q  

Either  P  or  Q  must  be  present  but  not  any  of  them  or  both  of  them  

Q  Precedes  P  

P  must  be  preceded  by  Q  

P  LeadsTo  Q  

P  must  be  followed  by  Q  

P  XLeadsTo  Q  

P  must  immediately  be  followed  by  Q  

P  PLeadsTo  Q    

P  and  Q  should  occur  and  must  occur  sequentially  

P  ChainLeadsTo  (Q,  T)  

P  must  be  followed  by  a  Q  and  T  

(P,  S)    ChainLeadsTo  Q  

P  and  S  must  be  followed  by  a  Q  

Q  ChainPrecedes  (P,  S)     P  and  S  must  be  preceded  by  Q     (Q,  T)  ChainPrecedes  Q   P  must  be  preceded  by  Q  and  T  

v1  –PrePrint  Draft  

9  

 

Basic   Advanced  

Resource  

 

Time  

 

 

 

Pattern  *  

Description*  

P  PerformedBy  Q  

Activity  Q  must  be  assigned  to  (performed  by)  Role  P    

P  SegregatedFrom  Q    

Activities  P  and  Q  must  be  performed  by  different  roles  and  users  

P  USegregatedFrom  Q  

Activities  P  and  Q  must  be  performed  by  different  users  

P  BondedWith  Q  

Activities  P  and  Q  must  be  performed  by  the  same  role  and  user  

P  RBondedWith  Q  

Activities  P  and  Q  must  be  performed  by  the  same  role  but  different  users  

(P,  Q,  S)  M-­‐Segregated    

Activities  P,  Q,  and  S  must  all  be  performed  by  different  roles  and  users  

(P,  Q,  S)  M-­‐USegregated   Activities  P,  Q,  and  S  must  all  be  performed  by  different  users   (P,  Q,  S)  M-­‐Bonded  

Activities  P,  Q,  and  S  must  all  be  performed  by  the  same  role  and  user  

(P,  Q,  S)  M-­‐RBonded  

Activities  P,  Q,  and  S  must  all  be  performed  by  the  same  role  but  different  users  

Within  k  

Used  with  order  patterns  to  denote  a  given  P  to  happen  within  k  time  units.  E.g.:   ‘P  LeadsTo  Q  Within  k’  indicates  that  P  must  be  followed  by  Q  within  k  time  units.    

After  k  

Used  with  order  patterns  to  denote  a  given  P  to  happen  after  k  time  units.  E.g.:  ‘P   LeadsTo  Q  After  k’  specifies  that  P  must  be  followed  by  Q  after  k  time  units.  

ExactlyAt  k  

Used  with  order  and  occurrence  patterns  to  denote  a  given  P  to  happen  exactly   at  time  k.  E.g.:  ‘P  Exists  ExactlyAt  k’  indicates  that  P  must  occur  at  time  k,  starting   from  the  initial  state  of  the  process  instance.    

*  Given  P,  Q,  S,  and  T  as  states  representing  process  elements,  their  attributes  or  conditions  based  on  them  (e.g.:  ‘Loan.Amount   >  100.000’).  

Table  1.    

Process  Control  Patterns  

A   pattern-­‐based   expression   exhibits   a   generic   nature   and   can   be   transformed   into   a   set   of   formal   statements  based  on  a  mapping  between  patterns  and  appropriate  formal  languages.   We  selected   Linear  Temporal  Logic  (LTL)  and  Metric  temporal  logic  (MTL)  as  formal  languages,  mainly  due  to   their   expressive   power   and   widespread   use   in   research   and   practice   to   address   problems   in   different   domains.   MTL   provides   the   support   to   formalize   expressions   that   use   Time   patterns,   as   LTL   lacks   support   for   such   properties.   For   each   pattern,   we   developed   a   mapping   to   LTL/MTL   statements   to   automatically   generate   corresponding   formal   statements.     An   expression   ‘Create_Order  SegregatedFrom  Approve_Order’  can  generate  the  following  LTL  statements  that  can   be  used  as  input  to  compliance  verification  and  monitoring:     •

F(Create_Order):    To  check  whether  ‘Create_Order’  activity  exists  in  the  specification.    

•

F(Approve_Order):  To  check  whether  ‘Approve_Order’  activity  exists  in  the  specification  

•

G(Create_Order.Role(Role1)   →   G(¬(Approve_Order.Role(Role1)))):     To   check   whether   two   activities  are  assigned  to  different  roles  

v1  –PrePrint  Draft  

10  

  •

G(Create_Order.User(User1)→   G(¬(Approve_Order.User(User1)))):   To   check   whether   two   activities  are  performed  by  different  users  

4

Implementation  and  the  Case  Studies  

To  help  ascertaining  the  soundness  of  the  concepts  and  approaches  we  described  in  this  paper,  we   developed   and   integrated   a   set   of   software   applications   implementing   these   concepts   and   employed  the  toolset  in  two  case  studies.     The  Toolset  Implementation:   Figure   2   shows   a   high-­‐level   architectural   view   of   some   key   software   components   of   the   toolset,   depicting   their   data   relationships   between   them.   The   Compliance  Requirements  Manager  (CompRM)   component  is  a  web-­‐based  application  (accessed  through  http://eriss.uvt.nl/compas)  for  defining,   storing   and   managing   compliance   elements   in   the   Compliance   Repository.     The   Compliance   Rule   Manager   is   a   standalone   application   used   for   building   graphical   representations   of   pattern-­‐based   expressions  and  automatically  generating  corresponding  formal  statements.  It  retrieves  the  process   elements   that   are   used   in   building   the   pattern-­‐based   expressions   from   the   Business   Process   Repository.   Compliance Rule Manager Business Process Elements

Control Definitions

(Preventive) Design-time Compliance Verification Manager

Pattern-based Expressions & Formal Control Rules

Compliance Verification Results Formal Control Rules (in LTL/ MTL)

Business Process Repository

Business Process Models & Elements

Compliance Elements (reqs., risk, controls, etc.)

Compliance Requirements Manager

Formal Check Results

Verification Handler

Compliance Repository Business Process Specifications (in BPEL)

Dashboard (Design-time)

BP SPecification (in Promela Lang.)

Selected Formal Control Rules (in LTL/MTL) & BP

SPIN Model Checker

Specifications (in Promela)

WSAT for Model Transformation

  Figure  2.  

v1  –PrePrint  Draft  

A  general  architectural  view  of  the  toolset  components    

11  

  Case  Studies:   We   selected   case   studies   in   the   e-­‐business   and   banking   domains   due   to   the   strict   and   diverse   regulations   applied   in   these   sectors.     The   case   study   in   the   banking   environment   involved   ‘loan   processing’,   while   the   second   case   study   was   performed   within   an   Internet   reseller   company   and   covered  processes,  such  as  order  processing,  invoicing,  payments,  ledger  maintenance,  and  delivery.   The   case   studies   gave   valuable   opportunity   to   observe   the   application   of   the   compliance   management   approach   depicted   in   Figure   1a   and   the   use   of   the   toolset   we   developed.   We   also   tested   the   expressiveness   of   the   patterns   in   capturing   control   rules   originating   from   real   life   requirements.     The  processes  covered  in  the  case  studies  were  constrained  by  (in  total)  59  high-­‐level  compliance   requirements   of   different   concerns   (such   as   segregation   of   duties,   information   processing,   authorizations,   etc.)   and   originating   from   ISO/IEC   27000   (2009),   Sarbanes-­‐Oxley   (2002)   and   internal  policies.   The  team  involved  in  the  case  studies  comprised  three  compliance  and  two  business  experts,  who   worked  together  and  followed  our  approach  to  identify  risks  and  define  controls  to  be  employed  on   the  processes.  Using  the  Rule  Manager  they  developed  graphical  pattern-­‐based  expressions  for  the   controls.   The   approach   followed   by   the   case   study   team   resulted   127   controls.   The   participants   used  the  web-­‐based  CompRM  tool  to  store  and  manage  these  concepts.  The  participants  were  able   to  express  90  controls  (out  of  127)  using  the  Rule  Modeller  tool.  Remaining  37  controls  were  either   technical   controls   (involving   rules   regarding   data   encryption   and   retention)   or   detective   process   controls   that   cannot   be   expressed   using   patterns,   as   patterns   are   design   to   express   preventive   process   patterns.   In   particular,   the   concerns   relevant   to   control-­‐flow,   data,   resource   and   temporal   aspects  of  processes  were  accurately  expressed  with  patterns.     Figure  3(a)  presents  a  screenshot  of  the  user  interface  of  the  Rule  Manager.  The  generated  rules  for   the   same   examples   that   are   transferred   to   the   compliance   repository   are   shown   in   Figure   3(b).   Although  we  didn’t  conducted  empirical  tests  on  the  usability  of  the  Rule  Manager,  initial  feedback   from   the   case   study   participants   suggest   that   the   graphical   environment   and   automated  

v1  –PrePrint  Draft  

12  

  transformation   features   of   the   Rule   Manager   would   bring   about   significant   increases   on   the   degree   of  the  efficiency  and  usability  over  the  use  of  formal  languages.  

  (a)   Figure  3.  

  (b)  

(a)  A  screenshot  from  the  C.  Rule  Manager:    

(b)  Generated  compliance  rules  to  be  transferred  to  the  compliance  repository    

Our   research   and   development   work   is   ongoing   in   several   directions   to   enhance   and   support   the   entire   framework.   The   validation   of   the   proposed   concepts,   and   the   usability   and   efficacy   of   the   tools  should  further  be  intensified  by  their  application  on  various  case  studies  and  empirical  tests   on   prospective   users.   Compliance   entails   different   aspects   and   requires   knowledge   of   various   domains.   Future   case   studies   should   also   consider   further   evaluating   the   efficacy   of   the   solutions   in   different   domains   (such   as   health,   safety,   environment,   etc.)   to   better   address   their   unique   requirements.  

Acknowledgements   The   authors   gratefully   acknowledge   PricewaterhouseCoopers   (NL),   Thales   Services   (FR),   and   other   COMPAS   Project   Partners   for   their   effort   in   providing   and   participating   in   the   case   studies   and   scenarios,  and  their  valuable  contributions.    

v1  –PrePrint  Draft  

13  

 

References   [1]   [2]   [3]   [4]   [5]   [6]   [7]   [8]   [9]   [10]   [11]   [12]   [13]   [14]   [15]   [16]   [17]  

Canadian  Institute  of  Chartered  Accountants,  "Guidance  on  Control,"  1995.   SOX,  "Sarbanes-­‐Oxley  Act  of  2002,  U.S.  Congress,"  2002.   Directive   2008/30/EC:   Amd.   to   2006/43/EC   on   statutory   audits   of   annual   accounts   and   consolidated  accounts,  2008.   Bank   for   International   Settlements,   "BaselII:   International   Convergence   of   Capital   Measurement  and  Capital  Standards:  A  Revised  Framework,"  2004.   T.   Meservy,   C.   Zhang,   E.   T.   Lee   et   al.,   “The   Business   Rules   Approach   and   Its   Impact   on   Software  Testing:  A  Case  Study,”  IEEE  Software,  vol.  PrePrint,  2011.   S.   Sadiq,   G.   Governatori,   and   K.   Namiri,   “Modeling   Control   Objectives   for   Business   Process   Compliance,”  in  Business  Process  Management,  Brisbane,  Australia,  2007,  pp.  149-­‐164.   C.  Zhang,  T.  Meservy,  E.  T.  Lee  et  al.,  “An  Exploratory  Case  Study  of  the  Benefits  of  Business   Rules  Management  Systems,”  in  ICIS  Proceedings,  2009.   COSO,   "Internal   Control   –   Integrated   Framework.   The   Committee   of   Sponsoring   Organizations  of  the  Treadway  Commission,"  1994.   PCAOB,   "Auditing   Standard   No.   5:   An   Audit   of   Internal   Control   Over   Financial   Reporting   That   Is   Integrated   with   An   Audit   of   Financial   Statements,   Release   No.   2007-­‐005A,"   Public   Company  Accounting  Oversight  Board  (PCAOB),  2007.   O.   Turetken,   A.   Elgammal,   W.-­‐J.   v.   d.   Heuvel   et   al.,   “Enforcing   Compliance   on   Business   Processes   through   the   use   of   Patterns,”   in   European   Conference   in   Information   Systems   (ECIS),  Helsinki,  Finland,  2011.   COBIT,   "Control   Objectives   for   Information   and   related   Technology   -­‐   COBIT,   4.1.   IT   Governance  Institute.,"  2007.   M.   P.   Papazoglou,   and   W.-­‐J.   v.   d.   Heuvel,   “Business   process   development   life   cycle   methodology,”  Commun.  ACM,  vol.  50,  no.  10,  pp.  79-­‐85,  2007.   OCEG,  "GRC  Capability  Model,  Ver  2.0.  Open  Compliance  and  Ethics  Group,"  2009.   IT  Governance  Institute,  IT  Control  Objectives  for  Sarbanes-­‐Oxley,  2nd  Ed.,  2006.   C.  Wolter,  and  A.  Schaad,  “Modeling  of  Task-­‐Based  Authorization  Constraints  in  BPMN,”  in   Business  Process  Management  (BPM)  2007,  2007,  pp.  pp.  64–79.   V.   Gruhn,   and   R.   Laue,   “Specification   Patterns   for   Time-­‐Related   Properties,”   in   12th     Int’l     Symposium  on  Temporal  Representation  and  Reasoning,  USA,  2005,  pp.  198-­‐191.   M.   Dwyer,   G.   Avrunin,   and   J.   Corbett,   “Property   Specification   Patterns   for   Finite-­‐State   Verification,”  in  2nd  International    workshop  on  Formal  Methods  on  Software  Practice,  USA,   1998,  pp.  7-­‐15.  

   

v1  –PrePrint  Draft  

14  

 

Author  Biographies   OKTAY  TURETKEN  is  currently  a  researcher  at  the  European  Research  Institute  in  Service  Science   (ERISS),   Tilburg   University.   He   holds   a   Ph.D.   in   Information   Systems.   His   research   focuses   mainly   on   business   process   management,   governance,   risk   and   compliance,   project   management,   and   software  measurement  &  prediction.  Contact  him  at  [email protected].   AMAL   ELGAMMAL   is   finishing   her   Ph.D.   in   Information   Management   at   the   ERISS,   Tilburg   University.   She   has   been   awarded   for   the   best   masters   thesis   at   Cairo   University   in   2007.   Her   main   research  interests  include  Business  process  verification,  business  process  compliance  management,   service-­‐oriented   computing,   business   process   monitoring   and   auditing,   and   service   engineering.   Contact  her  at  [email protected].   MICHAEL  P.  PAPAZOGLOU  is  the  chair  of  the  Computer  Science  Department  at  Tilburg  University.   He’s   also   the   scientific   director   of   the   ERISS   and   the   EC’s   Network   of   Excellence,   S-­‐Cube.   His   research   interests   include   service-­‐oriented   computing,   Web   services,   large-­‐scale   data   sharing,   business   process   management,   and   federated   information   systems   and   distributed   computing.   Papazoglou   has   a   PhD   in   microcomputers   systems   engineering   from   the   University   of   Dundee,   Scotland.   He’s   a   Golden   Core   Member   and   a   Distinguished   Visitor   of   the   IEEE   Computer   Society.   Contact  him  at  [email protected].   WILLEM-­‐JAN   VAN   DEN   HEUVEL   is   a   full   professor   in   computer   science   at   the   Department   of   Information  Systems,  Tilburg  University,  managing  director  of  the  ERISS,  and  program  director  of   the  Erasmus  Mundus  Joint-­‐Degree  Master  Program  on  Service  Science.  His  main  research  interests   revolve  around  (cloud)  service  engineering,  service  governance,  performance  analytics  of  software-­‐ enabled  service  networks,  and  business  transaction  management.  Contact  him  at  [email protected].      

v1  –PrePrint  Draft  

15