Regulatory Compliance in Information Systems Research Literature Analysis and Research Agenda Anne Cleven Research Assistant Chair of Prof. Dr. Robert Winter Institute of Information Management University of St. Gallen Müller-Friedberg-Strasse 8, CH-9000 St. Gallen Tel: +41 71 224 2192 Fax: +41 71 224 2189 anne.cleven@unisg.ch www.iwi.unisg.ch

1 2 3 4 5 Motivation Business Engineering Literature Analysis – Source Selection 3 Literature Analysis – Systemization 4 Conclusion & Future Research Agenda 5

Corporate Information Management Compliance affects… Swartz (2007) “[], a June 2006 AIIM survey co-sponsored by Xerox Global Services revealed that 63 percent of the 741 companies polled had not analyzed the risk they face from mismanaging electronic information. Forty-three percent said their firm did not have a clear approach for meeting compliance requirements. Worse, only 34 percent said that their organizations have widespread understanding of what electronic records are and how they should be retained.“ Corporate Information Management

… and … 94% Financial Reporting Panko (2006)

… and … “While much has been written about how SOX affects corporate CEOs and their external auditors, little attention has focused on its potential effect on corporate IT departments. Consequently, the full implications of SOX for IT are not well understood. One survey [11] reported “an astounding 93% of chief information officers and other senior IT executives were unaware of their information technology control assessment responsibilities under SOX.” This confusion has led to uncertainty and inconsistency regarding the use of IT outsourcing to address SOX challenges. A survey [9] of 261 corporate decision makers by the consulting firm Meta Group found that 25% had no way of determining the appropriate IT sourcing response to SOX; 21% intended to outsource more in response to SOX; and 19% intended to outsource less.” Hall, Liedtka, e.a. (2007) IT Outsourcing

1 2 3 4 5 Motivation Business Engineering Literature Analysis – Source Selection 3 Literature Analysis – Systemization 4 Conclusion & Future Research Agenda 5

Business Engineering company culture, leadership style, behavior patterns, incentive/sanctioning systems, communication practices organizational goals, success factors, products/services, targeted marked segments, core competencies, strategic projects organizationsl units, business roles, business functions, business processes, metrics, service flows, business information objects enterprise services, applications, domains software components, data resources, hardware, network architecture Terminologies, theories, generic methods, reference models, exemplary successful practices

1 2 3 4 5 Motivation Business Engineering Literature Analysis – Source Selection 3 Literature Analysis – Systemization 4 Conclusion & Future Research Agenda 5

Literature Analysis – Source Selection Based on capacious catalog of IS outlets provided by the London School of Economics (LSE) IS outlets focused on the social study of ICT Outlets focused on mainstream IS and management research Practitioner journals Conferences Search period: 2002 – today Search strategy Contributions on regulatory and/or legal compliance Keyword search using the search term ‘compliance’ Abstract evaluation 26 relevant articles

Literature Search Results 1/2

Literature Search Results 2/2

1 2 3 4 5 Motivation Business Engineering Literature Analysis – Source Selection 3 Literature Analysis – Systemization 4 Conclusion & Future Research Agenda 5

Literature Analysis – Systemization - 2 overviews on leading legal issues that affect IT and IT professionals - 1 analysis of different impacts of regulations on IT - 5x institutional and 1x neo-institutional theory as a theoretical lens through which authours investigate experiences made by companies with the implementation of regulations & deduction of respective guidelines IT auditing as a strategic approach to compliance SOX and strategic IT outsourcing correlation between SOX and strategic success - Regulation, risk and control frameworks and financial reporting, review on corporate governance frameworks, validation of ISO 17799 standard, method to develop an enterprise IT-governance - model-based proof of compliance, compliance verification knowledge management, method for rule extraction, compliant SD process, data mining in Basel II context

1 2 3 4 5 Motivation Business Engineering Literature Analysis – Source Selection 3 Literature Analysis – Systemization 4 Conclusion & Future Research Agenda 5

Conclusion & Future Research Agenda 1/2 e.g. methods and approaches for the identification of relevant regulations, deduction of a corporate culture that is in line with compliance objectives, operationalization of strategic compliance objectives,… e.g. compliance-related business roles, authorization concepts, control metrics for compliance, standardized transaction control processes,… e.g. common terminology, industry-specific reference models for corporate and IT governance, …

Conclusion & Future Research Agenda 2/2 Implications of regulatory compliance on the conduct of daily business have intensely been investigated IS discipline is however still somehow limping behind with the development of suitable concepts and solutions Holistic frameworks supporting the aligned implementation of compliance throughout each of the business engineering layers are missing

Thank you for your attention! Anne Cleven anne.cleven@unisg.ch www.iwi.unisg.ch +41 71 224 2192