ANÁLISIS E INTERPRETACIÓN DE LOS DATOS

The methodology used in this paper, based on the Sein et al. methodology [51], will be further elaborated upon in this chapter. This methodology will serve as a guideline for assessing the impact of our information management organizational framework on the overall internal audit in a financial company. This is done through multiple sequential steps.

Each step consists of multiple tasks which require multiple skills, tools and techniques. These skills, tools and techniques are based on scientific literature and practice literature used by Ernst & Young. Experts within Ernst & Young and their clients were asked for best practice literature and insights to help solve multiple issues within the activities.

As stated in part one – introduction, this paper proposes a new systematical data-driven way of working for internal audit departments. This new way of working is built upon the existing three lines of defense model of the IIA [27]. This means that in order to evaluate our proposed framework it is vital that we provide a gap analysis that indicates the added value of our framework and the usability in comparison to the current way of working.

As stated before during the literature study we will approach developing the framework from three angles, being: • People: Governance, training, theory of planned behavior

• Process: BPM, BAM, process mining, risk management • Technology: Event data requirements, process mining, BAM

This means that the processes in this methodology must encompass aspects of all three domains. A similar approach is followed by Ernst & Young consultants [13]. The methodology steps that this paper follows, based on the design goals, are as follows:

1. Model the “as-is” situation: Creating a process model overview of the current situation of the three lines of defense.

2. Determine requirements for the “to-be” situation: Use literature and stakeholder knowledge to determine people, process and technology requirements for the “to-be” situation.

3. Model the “to-be” situation: Creating a process model overview of the “to-be” situation improving upon information management.

4. Perform a GAP analysis between “as-is” situation and the “to-be” situation to determine effectiveness of the framework in improving information management: Show off the added value of working with the framework. 5. Provide a migration plan to practitioners in order for them to implement the “to-be” situation in their

companies.

In order to model the process models Business Process Modeling Notation 2.0, also called BPMN 2.0, is used [43]. The semantics of BPMN 2.0 can be found in appendix D. The reason for choosing this language is because BPMN is a widely used language that is both very flexible as well as extensive. It provides the possibility to model the different activities in a process model as well as model the information inputs for every activity. In order to model the

stakeholder driver analysis, the requirement analysis and the migration plan the Archimate 3.0 language [54] will be used, as this language is widely used for these purposes and this language also provides flexibility, as well as an extensive set of semantics. The semantics of Archimate 3.0 can also be found in appendix D.

Figure 31 is based on the iterations described in the action design science methodology used in this paper and described in figure 5 of chapter 3.6 and displays the research model used in this chapter graphically.

8.1. Model the ‘As-Is” Situation

As described in the chapter 3.6 and in the research methodology of figure 31 we will start our first iteration by developing the current, or “as-is” situation, way of working within the three lines of defense for an organization that does not work data-driven at all. This “as-is” situation will be used as baseline throughout the development of the “to- be” model and the migration plan. The “as-is” model will provide us with valuable insights into the practical capabilities and the lack of some capabilities of the current way of working of internal audit. Expert observations and literature will also provide us with information about the considerations that have already been identified when establishing this “as- is” situation. When establishing the “to-be” situation in a later stage of this chapter we will also have the opportunity to compare the “to-be” model with the “as-is” situation in terms of expected information management performance and usability.

The research methodology of figure 31 proposes two actions that have to be performed in order to model and validate the “as-is” situation. The first of these actions focuses on the actual modeling of the “as-is” model and uses process information as an input as can be seen in figure 32. The second action focuses on validating the “as-is” situation model by means of expert interviews and will use the process model and process information of the first action as input. The “as-is” process model will be developed in the language of BPMN 2.0 [43].