
This article describes the basics of how to model for SOX Compliance in ARIS Business Architect/Designer.

To begin with, a high-level understanding of SOX and the Top-Down/Risk-Based Approach will be useful. You can find an article and links to downloadable subject matter here:

In short: look at your financial statements and determine the processes, financial as well as business, that affect them. Within those processes, define the ‘points’ (= process steps/activities in ARIS terminology) at which risks can occur.

For each significant risk, a control needs to be in place that mitigates/reduces the risk. (Note: once you start modeling controls, you should do so in the ARIS model type called ‘Business Controls Diagram’.)

To verify whether controls are in place and function correctly, the concept of tests comes in. Tests monitor controls for effectiveness.

The entire meta model for SOX compliance in ARIS can easily be extended to compliance in general, covering other regulations, policies and procedures, as well as Quality Management Systems. In fact, the framework is suitable for measuring compliance with, or deviations from, any conceivable target indicator.

For example, looking at the harvesting process of genetically engineered (GE) organisms, there is a risk that GE organisms remain in the field after harvest, leading to unintended volunteer growth over the following years. A necessary control would be that fields are physically monitored for volunteers for a pre-defined period of time, in line with the growth characteristics of the organism, and that records of the monitoring results are maintained. A test should verify that the fields were properly inspected, in line with the guidelines, and whether the records were correctly kept.

Extending beyond SOX, the mechanics of control stay the same: document what your business does (= your processes), ideally in an End-2-End fashion (because mitigating controls may sit downstream of the risk), identify the risks within those processes, define controls, and have tests in place to monitor control effectiveness.
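To make the process → risk → control → test chain concrete, here is an added example (not code from the article or from ARIS) that models a small end-to-end process in plain Python and runs the consistency checks a reviewer would want before trusting a compliance model: significant risks with no control, controls that no test monitors, controls with a failed test, and controls positioned upstream of the risk point they are supposed to mitigate. The class names, the sample process and the upstream rule are this example's own assumptions, not ARIS object types; the sample data is constructed after the article's GE-harvesting illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


# Hypothetical, simplified rendering of the article's meta model.
# These are plain data classes, not ARIS object types or an ARIS API.
@dataclass
class Risk:
    name: str
    step: str               # the "point" (process step) at which the risk can occur
    significant: bool       # only significant risks require a control


@dataclass
class Control:
    name: str
    mitigates: str          # name of the risk this control reduces
    step: str               # process step at which the control is performed


@dataclass
class Test:
    name: str
    control: str            # name of the control this test monitors
    passed: Optional[bool]  # None = not executed yet


@dataclass
class Process:
    name: str
    steps: List[str]        # ordered, end-to-end sequence of activities
    risks: List[Risk] = field(default_factory=list)
    controls: List[Control] = field(default_factory=list)
    tests: List[Test] = field(default_factory=list)


def uncontrolled_risks(p: Process) -> List[str]:
    """Significant risks that no control mitigates."""
    covered = {c.mitigates for c in p.controls}
    return [r.name for r in p.risks if r.significant and r.name not in covered]


def untested_controls(p: Process) -> List[str]:
    """Controls that nothing monitors, so their effectiveness cannot be verified."""
    monitored = {t.control for t in p.tests}
    return [c.name for c in p.controls if c.name not in monitored]


def ineffective_controls(p: Process) -> List[str]:
    """Controls with at least one failed test."""
    failed = {t.control for t in p.tests if t.passed is False}
    return [c.name for c in p.controls if c.name in failed]


def upstream_controls(p: Process) -> List[str]:
    """Controls placed before the step at which their risk occurs.

    In an end-to-end model a mitigating control is expected at or downstream of
    the risk point; anything earlier is flagged for review. This rule is an
    assumption of this example, not a rule stated by the article."""
    position = {s: i for i, s in enumerate(p.steps)}
    risk_step = {r.name: r.step for r in p.risks}
    flagged = []
    for c in p.controls:
        if c.mitigates in risk_step and position[c.step] < position[risk_step[c.mitigates]]:
            flagged.append(c.name)
    return flagged


def compliance_report(p: Process) -> Dict[str, List[str]]:
    """All findings for one process, keyed by finding type."""
    return {
        "uncontrolled_risks": uncontrolled_risks(p),
        "untested_controls": untested_controls(p),
        "ineffective_controls": ineffective_controls(p),
        "upstream_controls": upstream_controls(p),
    }


# Constructed sample, modelled on the article's GE-organism harvesting example.
HARVEST = Process(
    name="GE crop harvesting",
    steps=["seed procurement", "planting", "harvest", "post-harvest monitoring", "record review"],
    risks=[
        Risk("volunteer growth after harvest", "harvest", significant=True),
        Risk("monitoring results not recorded", "post-harvest monitoring", significant=True),
        Risk("minor yield variance", "harvest", significant=False),
    ],
    controls=[
        Control("field monitoring for volunteers", "volunteer growth after harvest", "post-harvest monitoring"),
        Control("seed lot certification", "volunteer growth after harvest", "seed procurement"),
    ],
    tests=[
        Test("inspection schedule verified", "field monitoring for volunteers", passed=True),
        Test("monitoring records complete", "field monitoring for volunteers", passed=False),
    ],
)

if __name__ == "__main__":
    for finding, items in compliance_report(HARVEST).items():
        print(f"{finding}: {items}")
```

Running the block reports one significant risk with no control, one control that is never tested (and sits upstream of its risk point), and one control whose records test failed; the insignificant risk is deliberately ignored, matching the article's "for each significant risk" rule.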

As an outlook, the ARIS platform has capabilities for dynamic compliance testing in line with the above framework. For further information, please see the links below.

Additional links:
