This article describes the basics of how to model for SOX Compliance in ARIS Business Architect/Designer.
To begin with, a high-level understanding of SOX and the Top-Down/Risk-based Approach will be useful. An introductory article and links to downloadable reference material can be found here:
- What is SOX? http://www.ariscommunity.com/users/fengelbert/2010-11-02-loungetalk-sox-sarbanes-oxley-act-2002
- Risk-based Approach: http://pcaobus.org/Standards/Auditing/Pages/Auditing_Standard_5.aspx
In short: look at your financial statements and determine which processes, financial as well as business, have an impact on them. Within those processes, define the ‘points’ (= process steps/activities in ARIS terminology) at which risks can occur.
For each significant risk, a control needs to be in place that mitigates/reduces the risk. (Note: once you start modeling controls, you should do so in the ARIS model type called ‘Business Controls Diagram’.)
To verify whether controls are in place and function correctly, the concept of a test comes in: tests monitor controls for effectiveness.
The entire meta-model for SOX compliance in ARIS can easily be extended to compliance in general: to other regulations, policies and procedures, as well as to quality management systems. In fact, the framework is suitable for measuring compliance with, or deviations from, any conceivable target indicator.
For example, looking at the harvesting process of genetically-engineered (GE) organisms, there is a risk that GE organisms remain in the field after harvest, leading to unintended volunteer growth over the following years. A necessary control would be that fields are physically monitored for volunteers for a pre-defined period of time, in line with the growth characteristics of the organism, and records of the monitoring results are maintained. A test should be to verify that the fields were properly inspected, in line with guidelines, and whether the records were correctly kept.
Extending beyond SOX, the mechanics of control stay the same: document what your business does (= your processes), ideally in an end-to-end fashion (because of the concept of mitigating controls downstream), identify the risks within those processes, define controls, and have tests in place to monitor control effectiveness.
As an outlook, the ARIS platform has capabilities for dynamic compliance testing in line with the above framework. For further information, please see the links below.
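The chain described above (process step → risk → mitigating control → test) can be expressed as a small data model and checked mechanically for gaps, which is what a compliance reviewer looks for first: significant risks with no control, controls nobody tests, controls whose latest test failed, and controls whose evidence is too old. The following is an added example written for this article; it is not ARIS code and does not use the ARIS API. Class names, the finding codes, the 90-day evidence window and the sample risks, controls and tests (which reuse the GE harvesting scenario from the text) are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple

# Minimal representation of the compliance meta-model from the article:
# a risk sits on a process step, a control mitigates a risk, a test
# monitors a control. Names are used as references for simplicity.


@dataclass
class Risk:
    name: str
    activity: str        # process step at which the risk can occur
    significant: bool    # only significant risks must have a control


@dataclass
class Control:
    name: str
    risk: str            # name of the risk this control mitigates
    owner: str


@dataclass
class Test:
    name: str
    control: str         # name of the control this test monitors
    executed_on: date
    passed: bool


@dataclass
class ComplianceModel:
    risks: List[Risk] = field(default_factory=list)
    controls: List[Control] = field(default_factory=list)
    tests: List[Test] = field(default_factory=list)

    def findings(self, as_of: date, max_test_age_days: int = 90) -> List[Tuple[str, str]]:
        """Return (finding_code, subject_name) pairs for every gap in the chain."""
        out: List[Tuple[str, str]] = []
        risk_names = {r.name for r in self.risks}
        controls_by_risk: Dict[str, List[Control]] = {}
        for c in self.controls:
            controls_by_risk.setdefault(c.risk, []).append(c)
        tests_by_control: Dict[str, List[Test]] = {}
        for t in self.tests:
            tests_by_control.setdefault(t.control, []).append(t)

        # 1. Every significant risk needs at least one mitigating control.
        for r in self.risks:
            if r.significant and r.name not in controls_by_risk:
                out.append(("RISK_UNMITIGATED", r.name))

        for c in self.controls:
            # 2. A control pointing at a risk that is not in the model is a modelling error.
            if c.risk not in risk_names:
                out.append(("CONTROL_ORPHANED", c.name))
            tests = tests_by_control.get(c.name, [])
            # 3. A control without any test has no evidence of effectiveness.
            if not tests:
                out.append(("CONTROL_UNTESTED", c.name))
                continue
            latest = max(tests, key=lambda t: t.executed_on)
            # 4. Only the most recent test result counts; a failure is a live deficiency.
            if not latest.passed:
                out.append(("CONTROL_FAILED", c.name))
            # 5. Evidence older than the review window is treated as stale.
            elif (as_of - latest.executed_on).days > max_test_age_days:
                out.append(("CONTROL_STALE", c.name))
        return out


def build_sample_model() -> ComplianceModel:
    """Constructed sample data based on the harvesting scenario in the article."""
    m = ComplianceModel()
    m.risks += [
        Risk("GE volunteers remain in field", "Harvest field", True),
        Risk("Harvest records incomplete", "Record harvest", True),
        Risk("Misstated inventory valuation", "Value harvested stock", True),
        Risk("Duplicate payments to contractors", "Pay contractor invoices", True),
        Risk("Unauthorized ledger access", "Post journal entries", True),
        Risk("Late timesheet submission", "Record labour hours", False),  # not significant
    ]
    m.controls += [
        Control("Field monitoring for volunteers", "GE volunteers remain in field", "Farm manager"),
        Control("Harvest record sign-off", "Harvest records incomplete", "Site supervisor"),
        Control("Duplicate invoice check", "Duplicate payments to contractors", "AP clerk"),
        Control("Quarterly access review", "Unauthorized ledger access", "Finance IT"),
    ]
    m.tests += [
        Test("Inspect monitoring log Q1", "Field monitoring for volunteers", date(2024, 3, 1), True),
        Test("Inspect monitoring log Q2", "Field monitoring for volunteers", date(2024, 6, 15), True),
        Test("Sample 25 invoices", "Duplicate invoice check", date(2024, 5, 20), False),
        Test("Review user list", "Quarterly access review", date(2024, 1, 10), True),
    ]
    return m


def sample_findings() -> List[Tuple[str, str]]:
    return build_sample_model().findings(as_of=date(2024, 7, 1))


if __name__ == "__main__":
    for code, subject in sample_findings():
        print(f"{code}: {subject}")
```

Run as a script, it lists one finding per gap: the inventory risk has no control, the record sign-off control has never been tested, the duplicate-invoice check failed its most recent test, and the access review's evidence is older than the window. The non-significant timesheet risk produces no finding, and the field-monitoring control is clean because its latest test passed within the window; note that only the latest test per control is considered, so an older pass cannot mask a newer failure.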
Additional links:
- ARIS Risk & Compliance Manager Video Tutorial: http://www.ariscommunity.com/users/elba/2010-10-11-loungetalk-aris-risk-compliance-manager-video-tutorial-2-testing-internal-control
- Software AG GRC website: http://www.softwareag.com/corporate/solutions/grc/overview/default.asp
- ARIS Mashzone GRC App: http://www.mashzone.com/en/GRC-Mashup/173331.htm
- Further articles of the #LoungeTalk series
- www.grc-lounge.com
- GRC discussion group at ARIS Community
- Governance, Risk, and Compliance category