How well do you understand your client’s enterprise?
A summary of Jos Geskus’ PhD proposal
Application of Enterprise Engineering principles to (IT-) auditing
In our profession, understanding our clients is key in order to comply with standards and deliver high quality services. Our clients are enterprises that can be considered as complex social systems. Fast technological developments, such as Cloud Computing, lead to an increase in complexity. Our challenge is to keep a grip on our clients by understanding the essence to keep clear insight and overview.
Figure 1 Medium numbers of organised complexity [2]
IT is an integral part of business change and business processes
The significance of information and IT is all around us in every aspect of business and public life. The need to get more value from IT investments and manage an increasing array of IT-related risks has never been higher. According to Hardy [1], business executives and managers realise that IT does not exist on its own; it is an integral and key part of business change and business processes. They are taking ownership and are making organisational changes to create a more effective structure for overseeing and monitoring IT-related goals and issues. IT controls continue to gain importance for enterprises, because both corporate reliance on technology and compliance requirements increase. As a result, deficiencies in IT controls can have a significant impact on the enterprise. As Hardy stated [1], IT does not exist on its own, as IT is integrated in almost every enterprise process. Due to this, IT-auditing is a growing profession that receives more and more attention and is playing an increasingly important role.
Understanding an enterprise is key for doing a good job
A prerequisite for an (IT) auditor is to have a good understanding of the audit object (an object can be a system or process that is subject to the audit) and its environment. Although IT-auditors can be specialised in specific systems, techniques and environments, the increasing organisational and technological complexity demands that IT-auditors are able to reduce this complexity and identify the significant parts relevant to the audit.
Systems thinking
By means of figure 1 Weinberg [2] explains why we need ‘systems thinking’ in order to understand enterprises and software systems. Region I, ‘organized simplicity’, comprises machines or mechanisms. In this area complexity as well as randomness is low and the behaviour of every element can be predicted using an analytical approach. Region II, ‘unorganized complexity’, comprises populations or aggregates. In this region the amount of randomness is high enough to rely on averages. This justifies a statistical approach for making predictions. In region III, ‘organized complexity’, we face a problem with both the analytical and the statistical approach, because we are dealing with medium numbers. In this region we find too much complexity for analysis and too much organization for statistics. Weinberg calls this ‘yawning gap in the middle’ the region of systems. He proposes to take a ‘systems thinking approach’ for dealing with the organized complexity as found in modern enterprises.
Enterprises are social systems
Back in the 1960s Herbert A. Simon [3] wrote an article in which he addressed the complexity of systems in different categories such as biological, physical and social systems. Simon mentions enterprises as an example of complex social systems. He describes how in a formal enterprise each system consists of a “boss” and a set of subordinate subsystems. Each of these subsystems also has a “boss” who is the immediate subordinate of the boss of the system. In actual practice, enterprises may be designed this way but not organised as such. This is endorsed by Simon’s statement: “In fact, even in human organisations, the formal hierarchy exists only on paper; the real flesh-and-blood enterprise has many inter-part relations other than the lines of formal authority”. Yet, Simon’s definition from the 1960s is limited to the people working in the enterprise and the hierarchy between them. Back in the 1960s the involvement of supporting IT systems (and necessary processes to interact with them) was a fraction compared to the tremendous role that IT plays in enterprises these days. This significant increase of the role of IT has unfortunately led to considerably more complexity in the already complex enterprises.
Enterprise Engineering is built on three pillars: Enterprise Ontology, Enterprise Architecture and Enterprise Governance
Enterprise Engineering (EE) is the scientific discipline in which enterprises are considered to be designed systems, which consequently can be redesigned. EE is built on the following three foundational pillars: Enterprise Ontology, Enterprise Architecture and Enterprise Governance [5]. Each of these fields has the following defined goal:
1. Intellectual manageability - In order to bring about organisational changes, one needs to have insight and overview. This implies a well devised systematic reduction of complexity (Enterprise Ontology).
2. Organisational concinnity - For an enterprise to be a coherent and consistent whole, its parts must be arranged in a skilful and harmonious way. This implies well devised design (Enterprise Architecture).
3. Social devotion - Enterprise Engineering takes a human-centred view on enterprises. This implies a well devised distribution of authority and responsibility (Enterprise Governance).
Enterprise Ontology is the main pillar of my research [5].
Fundamentals of Enterprise Ontology
The notion of Enterprise Ontology and the accompanying DEMO methodology [4] provide a means for modelling enterprises in a very precise way and at a high level of abstraction. By making the ontological model of an enterprise we can quickly get an understanding of the essence of this enterprise. Enterprise Ontology is built on the following two fundamentals: 1. strict distinction between function and construction and 2. focus on essential transactions and actors.
Figure 2 Three human capabilities performa, informa and forma [8]
Function versus construction
In (re-)developing an enterprise, the conscious distinction between a system’s function and construction, and the insight in their alternating roles in system development, is of paramount importance [5]. Only the construction of a system is objective. A constructional model (or white-box model) of an enterprise can always be validated from the actual construction. By contrast, a functional model (or black-box model) is by its very nature subjective, because function is not a system property but a relationship between the system and a stakeholder. Consequently, every system has (at any moment) one construction, but it may have at least as many functions as there are stakeholders. All these functions are brought about by one and the same construction [5].
Focus on essential transactions and actors
The complexity of enterprises necessitates a division of tasks to be performed. The organisational sciences have for long recognised the non-trivial issues of differentiation and integration [6,7]. However, an effective approach to identify tasks is still lacking. A major contribution of EO to mastering the complexity of enterprises emerges from the distinction between three human capabilities: performa, informa and forma [4]. These capabilities and examples of coordination and production are shown in figure 2 [8].
Aim of my research
In my research I aim to develop tools (methods/guidelines etc.) to get a grip on the complexity of our clients’ enterprise to ensure that we comply with standards (including laws and regulations) and enable the delivery of high quality services to our clients. Given the promising features of enterprise ontology (EO), my starting point is to apply enterprise ontology to a selected project in order to explore its added value in terms of gaining a better understanding of our client’s enterprise and therefore quality improvement of our services. The observant reader may have noted that, so far, IT was the dominating subject in the previous paragraphs. Despite the fact that IT plays an increasingly dominant role in organisations, my starting point is that enterprises are complex social systems in which IT plays a supporting role in the functioning of the organization. Therefore, my research is not solely applicable to IT-related projects.
References
[1] G. Hardy. The Role of the IT Auditor in IT Governance. ISACA, 1:1–2, 2009.
[2] G.M. Weinberg. An Introduction to General Systems Thinking. Dorset House Publishing Company, 2001.
[3] H. A. Simon. The Architecture of Complexity. 1962.
[4] J. L. G. Dietz. Enterprise Ontology Theory and Methodology. Springer, 2006.
[5] J. L. G. Dietz, J. A. P. Hoogervorst et al. The Discipline of Enterprise Engineering. International Journal of Organisational Design and Engineering, 3(1):86, 2013.
[6] R.L. Daft. Organization Theory and Design. South-Western Publishing, Mason, 2001.
[7] P. Lawrence and J. Lorsch. Organization and Environment. Harvard Business School Press, Boston, 1967.
[8] J. L. G. Dietz. The Deep Structure of Business Processes. Communications of the ACM, 2006.
Jos Geskus is a manager within Risk Assurance. Jos has a strong technical background in computer science. His focus is on performing Third Party Assurance engagements, ISO 27001 certifications, and the design of integrated control frameworks. In addition to his professional career at PwC, Jos is a PhD candidate at the University of Antwerp. The objective of his research is to increase the adequacy of risk analysis and, following from this, control objectives and controls by applying Enterprise Engineering principles.
Jos Geskus
jos.geskus@nl.pwc.com
+ 31 64 18 01 69 0
