Making Business Processes Compliant to Standards & Regulations

Michael P. Papazoglou
European Research Institute in Service Science (ERISS), Tilburg University, 5000 LE, Tilburg, the Netherlands
e-mail: mikep@uvt.nl

Abstract
Compliance regulations require enterprises to review their SOA applications to ensure that they satisfy the set of relevant compliance requirements. Despite an increasing number of methods and tools, organizations have a pressing need for a comprehensive compliance framework to help them ensure that their business processes comply with requirements set forth by regulations, laws, and standards. In this paper we explain how to cope with business process compliance requirements and present a framework to capture and manage compliance requirements. We introduce a declarative Compliance Request Language for specifying compliance requirements. We also examine a set of compliance patterns to support the definition of frequently recurring compliance requirements in association with business processes. This approach enables the application of automated tools for compliance analysis and verification.

Keywords
Regulatory compliance; Compliance constraint detection and prevention; Compliance Request Language; Compliance patterns; Root-cause analysis.

I. INTRODUCTION
Business processes form the foundation for all organizations, and as such, they are impacted by industry regulations. Without explicit business process definitions, flexible rule frameworks, and audit trails, organizations face litigation risks and even criminal penalties. Compliance regulations, such as HIPAA, Basel II, Sarbanes-Oxley, standards and codes of practice, e.g., SCOR or the ISO9000 standard for certification, require all organizations to review their business processes and ensure that they meet the relevant directives.
Business process compliance is about ensuring that business processes, operations and practices are in accordance with a prescribed and/or agreed-on set of norms [1]. A business process compliance constraint refers to any explicitly stated rule or regulation that prescribes any aspect of an internal or cross-organizational business process. Compliance constraints may emerge from different sources, such as legislation and regulatory bodies, standards and codes of practice, and contracts between interacting parties, e.g., Service-Level Agreements (SLAs). Business process compliance rules may include terms relating to data acquisition and archival, document management, data security, financial accounting practices, and financial reporting. In all cases, these new control and disclosure requirements create auditing demands for SOAs.

Internal control is intrinsically associated with business process compliance. Internal control can be defined as a set of directives designed to provide reasonable assurance on the achievement of a company's objectives in the areas of effectiveness and efficiency of processes and economic use of resources, reliability of financial reporting information, and compliance with external rules and regulations as well as internal policies and procedures [2]. Internal controls are preventive or detective in nature. Examples of preventive controls include authorization lists, computer edits, segregation of duties, and prior supervisory approval. Preventive controls may be time consuming and expensive. Detective controls do not prevent fraud or errors; they identify that a problem has occurred. Examples of detective controls include reconciliation, exception reports, and supervisory review. Compliance regulations influence the process of internal control, demanding that internal control procedures are continuously monitored, tested and improved.
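The preventive/detective distinction above, as an added example that is not part of the paper: one segregation-of-duties constraint (the actor who creates a purchase order must not approve it) enforced first as a preventive control inside a process engine, then as a detective control that produces an exception report over a recorded trace. The process, activity names and event log are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Event:
    case_id: str   # one process instance, e.g. one purchase order
    activity: str  # "create_po" or "approve_po"
    actor: str     # user who performed the activity

class SoDViolation(Exception):
    """Raised by the preventive control when an activity would break SoD."""

@dataclass
class ProcessEngine:
    """Preventive control: blocks an approval by the PO's own creator."""
    log: list = field(default_factory=list)
    creators: dict = field(default_factory=dict)

    def execute(self, ev: Event) -> None:
        if ev.activity == "create_po":
            self.creators[ev.case_id] = ev.actor
        elif ev.activity == "approve_po" and self.creators.get(ev.case_id) == ev.actor:
            raise SoDViolation(f"{ev.actor} may not approve own PO {ev.case_id}")
        self.log.append(ev)  # only compliant events reach the audit trail

def exception_report(log: list) -> list:
    """Detective control: list cases where one actor both created and approved the PO."""
    creators, violations = {}, []
    for ev in log:
        if ev.activity == "create_po":
            creators[ev.case_id] = ev.actor
        elif ev.activity == "approve_po" and creators.get(ev.case_id) == ev.actor:
            violations.append(ev.case_id)  # found after the fact, not stopped
    return violations

def run_preventive(events: list) -> tuple:
    """Replay events through the engine; return (blocked case ids, accepted log)."""
    engine, blocked = ProcessEngine(), []
    for ev in events:
        try:
            engine.execute(ev)
        except SoDViolation:
            blocked.append(ev.case_id)
    return blocked, engine.log

# Constructed trace: PO-2 was created and approved by the same user (carol).
SAMPLE_LOG = [
    Event("PO-1", "create_po", "alice"), Event("PO-1", "approve_po", "bob"),
    Event("PO-2", "create_po", "carol"), Event("PO-2", "approve_po", "carol"),
]
```

Run over the same trace, the detective control reports PO-2 after the fact, whereas the preventive control refuses the approval so the violation never enters the audit trail.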
At the business process level, internal controls are applied to specific business activities and associated business process segments. Most business processes are automated and integrated with enterprise application systems, so many of the controls at this level are automated as well. For instance, a typical financial reporting control might mitigate the risk of misstating revenue due to inadequate physical or electronic security over documents and electronic files. However, some controls within the business process remain manual procedures, such as authorization for transactions, separation of duties and manual reconciliations. Accordingly, controls at the business process level are a combination of manual controls operated by the business and automated controls.

Contemporary approaches to managing internal controls are rather fragmented, costly, and lead to reactive – rather than proactive – risk prevention, inefficient compliance procedures, and a lack of visibility into access risk. Existing solutions and tools are rather outdated, mainly offering solutions for monolithic applications (such as ERP systems) that are not feasible in SOA environments [3]. Most existing Computer Assisted Audit Techniques provide support merely for document management, financial data analysis and flowcharting [4], [5]. On the other hand, Business Process Management (BPM) and