Compliance by design - Bridging the chasm between auditors and IT architects

Abstract

System and process auditors assure - from an information processing perspective - the correctness and integrity of the data that is aggregated in a company's financial statements. To do so, they assess whether a company's business processes and information systems process financial data correctly. The audit process is a complex endeavor that in practice has to rely on simplifying assumptions. These simplifying assumptions mainly result from the need to restrict the audit scope and to focus it on the major risks. This article describes a generalized audit process. According to our experience with this process, there is a risk that material deficiencies remain undiscovered when said simplifying assumptions are not satisfied. To address this risk of deficiencies, the article compiles thirteen control patterns, which - according to our experience - are particularly suited to help information systems satisfy the simplifying assumptions. As such, use of these proven control patterns makes information systems easier to audit and IT architects can use them to build systems that meet audit requirements by design. Additionally, the practices and advice offered in this interdisciplinary article help bridge the gap between the architects and auditors of information systems and show either role how to benefit from an understanding of the other role's terminology, techniques, and general work approach. © 2011 Elsevier Ltd. All rights reserved.