Regulatory Compliance in Information Systems Research - Literature Analysis and Research Agenda

After a period of light regulation, many companies now face a growing number of new laws, regulations, and standards of increasing complexity. This has a large impact on how organizations conduct their daily business and entails changes in organizational and governance structures, software systems and data flows, as well as corporate culture, organizational power, and communication. We argue that holistic compliance cannot be implemented as a set of isolated projects; it requires a thorough analysis of the relevant components and an integrated design of those same components. This paper examines the state of the art of compliance research in the field of information systems (IS) by means of a comprehensive literature analysis. To systematize our results, we apply a holistic framework for enterprise analysis and design. The framework allows us to identify both “focus areas” and “less travelled roads” and to derive a future research agenda for compliance research.
