Compliance to regulatory demands has become a crucial matter for organizations. Non-observance
may lead to far-reaching consequences, e.g. damage to reputation, decline of credit rating or market
value, fraud and fines. The success of compliance management correlates with the frequency of
monitoring and reporting and is affected by complex and often time-consuming manual validation
tasks. To address this problem, organizations implement corresponding IT solutions. However, the
often heterogeneous system landscapes, the different information sources and their integration
represent major challenges.
This paper presents an implementation of a novel process-oriented and cross-system compliance
monitoring approach. The approach is based on a model which provides for the annotation of
business processes with internal controls, critical permissions and roles as well as an architecture
which provides for the automatic detection, timely communication and deep analysis of control
exceptions. It solely relies on established standards (i.e. XACML, BPMN, COSO and SWRL) and
existing technologies. The implementation has been deployed in a productive SAP ERP and BI
environment. It automatically converts access control data from the proprietary SAP model and
publishes control exceptions to the BI system. The effects and causes of these control exception can be
appropriately analyzed using BI queries and reports.