Standardising business application security assessments with pattern-driven audit automations

In the light of recent corporate corruption scandals the requirement for Corporate Governance and Responsibility has emerged as a top management priority, as reflected on the recent regulatory environment and compliance requirements e.g. Sarbanes–Oxley Act. The need for explicitly demonstrated assurance of the financial and accounting information in an IT-fuelled business environment has shifted interest to the information and the IT systems themselves. Assurance of information is based on the art and science of IT audit, a set of recurring tasks by nature both in time and in space. In environments of integrated business applications and enterprise resource planning systems, auditing is particularly laborious and the requirement for automation of auditing tasks was never more demanding. The belief that audit automation is part of the means to achieve governance is developing amongst scholars and practitioners alike. However there is no common understanding yet developed as of how such automation could be achieved across different systems and applications. We argue that through appropriate standardisation of the automation requirements such cross-system implementation may be possible and we propose as a means of standardisation the use of security design patterns. In this paper we explore the use of security patterns for audit automation and we implement them as a means of supporting its standardisation within integrated business application systems.