Compliance by design – Bridging the chasm between auditors and IT architects

Julisch, Klaus; Suter, Christophe; Woitalla, Thomas; Zimmermann, Olaf

doi:10.1016/j.cose.2011.03.005

Cited by 29 publications

(21 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Data-oriented methods are well suited to identify Information Holder endpoints, but sometimes go too far. 18 The counter position is taken by a post in M. Nygard's blog 19 for a responsibility-based strategy for avoiding pure Information Holder Resources, which he refers to as "entity service anti-pattern": He recommends to always evolve away from this pattern 20 (because it creates high semantic and operational coupling) and rather "focus on behavior instead of data" (which we describe as Processing Resource and "divide services by life cycle in a business process" (which we see as one of several service identification strategies). In our opinion, this advice goes too far as well: Information Holder Resources do have their place, but any usage should be a conscious decision motivated and justified by the business and integration scenario at hand -because of the impact on coupling that Nygard describes.…”

Section: Resolution Of Forcesmentioning

confidence: 99%

Data-Oriented Interface Responsibility Patterns

Zimmermann

Pautasso

Lübke

et al. 2020

Proceedings of the European Conference on Pattern Languages of Programs 2020

Self Cite

View full text Add to dashboard Cite

Remote Application Programming Interfaces (APIs) are used in almost any distributed system today, for instance in microservicesbased systems, and are thus enablers for many digitalization efforts. API design not only impacts whether software provided as a service is easy and efficient to develop applications with, but also affects the long term evolution of the software system. In general, APIs are responsible for providing remote and controlled access to the functionality provided as services; however, APIs often are also used to expose and share information. We focus on such data-related aspects of microservice APIs in this paper. Depending on the life cycle of the information published through the API, its mutability and the endpoint role, data-oriented APIs can be designed following patterns such as Operational Data Holder, Master Data Holder, Reference Data Holder, Data Transfer Holder, and Link Lookup Resource. Known uses and examples of the patterns are drawn from public Web APIs as well as application development and integration projects we have been involved in.

show abstract

Section: Resolution Of Forcesmentioning

confidence: 99%

Data-Oriented Interface Responsibility Patterns

Zimmermann

Pautasso

Lübke

et al. 2020

Proceedings of the European Conference on Pattern Languages of Programs 2020

Self Cite

View full text Add to dashboard Cite

show abstract

“…Compliance is a well-known research subject in IS. The literature addresses topics such as the compliance of business processes and services [14][15][16], requirements engineering and conceptual modeling [17,18], auditing IS compliance [19,20], and the alignment between law and IT compliance [21]. However, the majority of studies focus on the perspective of modeling and checking compliance [10], lacking the human behavior in that regulatory space and the guidance to allow cooperation between different experts, not specific to a technology or IT architecture.…”

Section: Is Design and Compliancementioning

confidence: 99%

“…There are similarities between the development methods of the IS and of specific systems that define the ORS, for instance, the ISO 9001 management system [27]. As stated by [2,20,21], both the IS and regulatory compliance should be achieved by an holistic design.…”

Section: Is Design and Compliancementioning

confidence: 99%

Modeling the Organizational Regulatory Space: A Joint Design Approach

Barata

Cunha

2013

Lecture Notes in Business Information Processing

View full text Add to dashboard Cite

Part 5: Enterprise Modelling and Information SystemsInternational audienceWe present an approach for the joint design of organizational regulatory spaces (ORS). The approach was validated through action research, integrating the components of context, people, process, information, and IT. The design of the ORS is usually performed by distinct teams, with unconnected viewpoints, using different vocabularies and tools. Similarly to information systems, there are business experts that define the regulatory goals and rules. The ORS modeling is problematic, and is fragmented. We have adopted the O2 framework to provide a common level of abstraction for the design. The result is a comprehensive and layered map of the ORS. This approach has proved to offer an effective representation of the ORS for external auditors and business associations. Internally, we provide organizations with new ways to model, communicate, and improve the regulatory space

show abstract

“…Audits commonly validate the adequacy and effectiveness of internal controls (Carlin and Gallegos, 2007;Julisch et al, 2011). Currently, auditors performing audits at service providers largely rely on manual approaches to information procurement.…”

Section: Introductionmentioning

confidence: 99%

Auditing service providers: supporting auditors in cross-organizational settings

Bachlechner

Thalmann²,

Manhart³

2014

Managerial Auditing Journal

View full text Add to dashboard Cite

If you would like to write for this, or any other Emerald publication, then please use our Emerald for Authors service information about how to choose which publication to write for and submission guidelines are available for all. Please visit www.emeraldinsight.com/authors for more information. About Emerald www.emeraldinsight.comEmerald is a global publisher linking research and practice to the benefit of society. The company manages a portfolio of more than 290 journals and over 2,350 books and book series volumes, as well as providing an extensive range of online products and additional customer resources and services.Emerald is both COUNTER 4 and TRANSFER compliant. The organization is a partner of the Committee on Publication Ethics (COPE) and also works with Portico and the LOCKSS initiative for digital archive preservation. AbstractPurpose -The purpose of this paper is to shed light on the particular information needs of external auditors performing information technology (IT) audits at service providers in cross-organizational settings and to promote a software-based approach towards their satisfaction. The approach is intended to supplement the manual approaches currently adopted by auditors to procure information in such settings. Design/methodology/approach -The authors analyzed data collected by means of a series of 16 interviews and four think-aloud sessions with experienced professionals. Findings -Information procurement is perceived as tedious by auditors and largely relies on repeat interviews and perusal of documents. Given the growing complexity of cross-organizational settings, manual approaches to information procurement are reaching their limits. A considerable portion of the information required is often stored by service providers using software that is inaccessible to auditors. The authors argue that a software-based approach providing an interface for auditors to access relevant information held by such software presents an avenue worth exploring. Practical implications -The authors outline how the information stored by service providers using software can be made accessible with reasonable effort. Complementing manual approaches to information procurement with an audit interface would reduce workload and increase quality. Originality/value -The concept of an audit interface represents a novel and promising approach to meeting the information needs of auditors performing IT audits in cross-organizational settings more effectively. Both auditors and service providers would benefit from its implementation.

show abstract

Compliance by design – Bridging the chasm between auditors and IT architects

Cited by 29 publications

References 10 publications

Data-Oriented Interface Responsibility Patterns

Data-Oriented Interface Responsibility Patterns

Modeling the Organizational Regulatory Space: A Joint Design Approach

Auditing service providers: supporting auditors in cross-organizational settings

Contact Info

Product

Resources

About