CHAPTER IV: PROPOSAL FRAMEWORK
4.10 OPERATIONAL TACTICS
4.10.1 Multi-year and annual programming
This section summarizes the findings of the literature study and underlines the connections between the different disciplines used in this paper, in relation to our research and artifact. The literature functions as a guideline for the construction of the three lines of defense organizational framework, which will be built in the next chapter. The problem statement provided to us by our Ernst & Young supervisors on behalf of their clients encompasses three domains: people, process and technology. Because the fields of internal and external audit are in practice closely interwoven with risk literature nowadays, we first looked into academic literature about governance, risk and compliance (GRC) in order to answer research question one:
RQ1: “What are the different corporate risk categories and how do they relate and differ?”
We discovered six risk categories in the literature: technology risk, operational risk, strategic risk, compliance risk, financial risk and information risk [24]. There is a lot of overlap between these categories. Our paper focuses on operational and IT audit, even though financial audit nowadays incorporates a lot of operational audit too. For this reason the combination of the technology, operational and information risk categories is of interest. It is noticeable that these three categories overlap with each other [24]. According to the academic literature the category of information risk has not really been adopted in practice, in contrast to the other two categories, which points to the origin of our thesis problem [24], [12]. In order to answer research question two we investigated which risk frameworks are available and are used in practice:
RQ2: “What are well established risk frameworks?”
In practice, companies use several control-based frameworks to assess the risks to their business. Examples of well-adopted risk frameworks are COSO, ISO/IEC 27001 and, above all, COBIT [7], [25], [23]. Since COBIT 5.0 information risks have been incorporated better, but this revision of COBIT has only happened in the last five years. Because we want to put an emphasis on providing audit trails of complete business processes and of the data flowing through these processes from system to system, this paper looks at operational audit from a data/information perspective in addition to a control perspective. This does not mean that the paper discards control-based audit methods; rather, it adds another dimension to what is already there. Because we look at audit from an information perspective, we have researched several academic papers in the field of information and data management to provide high-level frameworks onto which we can map our developments [37], [15], in the same way that risk frameworks can be mapped onto high-level risk literature. This serves to answer research question three:
RQ3: “How is information management related to risk?”
The literature provided us with the knowledge management cycle (KMC), a high-level framework for a data life cycle that explains the transitions from data into information and from information into knowledge, as shown in figure 29. We also discovered an information management (IM) framework, as shown in figure 28. This framework encompasses the people, process and technology domains described earlier and combines them with the process of converting data into information and putting that information to use in order to solve several issues relating to strategy, structure and operations. These two frameworks also provide us with an answer to research question 5:
FIGURE 29. KMC [15]. FIGURE 28. IM FRAMEWORK [37].
RQ5: “What information management theories are available that encompass business information derived from business processes?”
The high-level information management framework [37] was used to map the other literature analyzed in this paper onto it. One of the academic domains used in this paper is business process management (BPM), for the simple reason that it looks at processes both from a process perspective and from a dataflow perspective [58], [30]. For the purpose of this paper, and because of the role of internal auditors in a company, we are mostly interested in the monitoring aspect of BPM. This subdomain of BPM is called business activity monitoring (BAM) and involves using event data to discover, audit and enhance business processes in order to improve business performance [30]. BAM can therefore easily be mapped onto the IM framework: the use of event data fits into the technology column, the extraction of process information from this data fits into the information column, and the application of that information to improve processes fits into the business column. The ability to map BAM onto IM provides us with an answer to research question 4:
RQ4: “What is the relation between business processes and information management?”
In order for this paper to provide practical knowledge to practitioners in the field, our framework will also need to encompass practical implementations of BAM. Therefore we have also looked into process mining, which has given insight into the establishment of objectives and KPIs prior to executing process mining. Furthermore, the literature has shown that companies need to combine real-time data with historical data in order to enhance their business performance. Van der Aalst et al. have combined this knowledge into a process mining life cycle model, shown in figure 30 [59]. The practice of process mining as explained by Van der Aalst et al. [59] and as shown in figure 30 provides us with an answer to research question nine:
RQ9: “What practical applications are already available that use log files for control purposes?”
Using event data in process mining makes the practitioner very dependent on the business environment and the company’s systems. In an effort to make generalization possible, academics have set up a mining data metamodel that can be used to convert different event data sources and formats into a single format, the XES file, called the XES standard. According to the literature [21], the requirements for event data are as follows:
• Concept extension: Attribute that stores the name of the element.
• Lifecycle extension: Attribute specifying the lifecycle transition the element is in (the value used by default is “standard”).
• Organizational extension: Three attributes specifying, for an event, which actor invoked it, which role the actor has and which group the actor belongs to.
• Time extension: Attribute defining the exact date and time the event occurred.
• Semantic extension: Attributes specifying references to model concepts in an ontology. The ontology concepts are specified with URIs.
• ID extension: Unique element ID.
• Cost extension: Attribute specifying the costs associated with an activity within the log.
This list of requirements and the XES mining metamodel provide this research with an answer to research questions six and seven:
RQ6: “What are the requirements for log files in order for them to be useful in internal audit?”
RQ7: “Are any log file frameworks available that support the necessary requirements, so that practical usage is possible?”
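To make the XES requirements above concrete for an internal auditor, here is an added example (not from the thesis or the XES authors) that checks an event log against the extension attributes listed. The attribute key names (concept:name, lifecycle:transition, org:resource, org:role, org:group, time:timestamp, identity:id, cost:total) are the XES standard keys; the sample log is constructed, and the semantic extension is treated as optional because it requires an ontology reference.

```python
import xml.etree.ElementTree as ET
# Keys an audit-ready event should carry (semantic:modelReference left optional).
REQUIRED_EVENT_KEYS = {
    "concept": ["concept:name"],
    "lifecycle": ["lifecycle:transition"],
    "org": ["org:resource", "org:role", "org:group"],
    "time": ["time:timestamp"],
    "identity": ["identity:id"],
    "cost": ["cost:total"],
}
NS = "{http://www.xes-standard.org/}"  # XES XML namespace
# Constructed sample log: the second event lacks role, group, id and cost.
SAMPLE_XES = """<log xes.version="1.0" xmlns="http://www.xes-standard.org/">
  <trace>
    <string key="concept:name" value="PO-0001"/>
    <event>
      <string key="concept:name" value="Create purchase order"/>
      <string key="lifecycle:transition" value="complete"/>
      <string key="org:resource" value="alice"/>
      <string key="org:role" value="buyer"/>
      <string key="org:group" value="procurement"/>
      <date key="time:timestamp" value="2024-03-01T09:00:00.000+01:00"/>
      <id key="identity:id" value="00000000-0000-4000-8000-000000000001"/>
      <float key="cost:total" value="12.5"/>
    </event>
    <event>
      <string key="concept:name" value="Approve purchase order"/>
      <string key="lifecycle:transition" value="complete"/>
      <string key="org:resource" value="bob"/>
      <date key="time:timestamp" value="2024-03-01T10:30:00.000+01:00"/>
    </event>
  </trace>
</log>"""

def _attrs(element):
    """Map XES attribute key -> value over the direct children of element."""
    return {c.get("key"): c.get("value") for c in element if c.get("key")}

def audit_xes(xes_text):
    """Return {trace name: [(event name, [missing keys]), ...]} covering every
    event that lacks an attribute one of the extensions requires."""
    report = {}
    for trace in ET.fromstring(xes_text).iter(NS + "trace"):
        trace_name = _attrs(trace).get("concept:name", "<unnamed>")
        for event in trace.iter(NS + "event"):
            attrs = _attrs(event)
            missing = [k for keys in REQUIRED_EVENT_KEYS.values() for k in keys if k not in attrs]
            if missing:
                report.setdefault(trace_name, []).append((attrs.get("concept:name", "<unnamed>"), missing))
    return report
```

An empty report means every event in the log carries the attributes an auditor needs to attribute an activity to an actor, a point in time and a cost.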
From the paper of Van Dongen et al. and the prior papers of Van der Aalst [58], [57], [59], [60], we can derive that using log files in internal audit processes will provide a clearer picture of how business processes perform in real life, something that cannot really be accomplished with traditional control-based audit approaches. This notion provides us with an answer to research question eight:
RQ8: “How can log files contribute to internal audit processes?”
We have discussed the process and technology aspects of the problem, but the people aspect is also important. According to the literature, a company’s governance structure dictates its hierarchy. In addition to the hierarchy, a company also has an active set of rules, called policies, which dictate communication patterns based on that hierarchy. Policies are often imposed in a top-down manner, which means that managers might encounter resistance from employees [6], [61]. For information security policies, the degree of adoption correlates with the amount of information security training provided to the employees. This human aspect must also be represented in the framework that we will create in the next part of this thesis.