A system theoretical perspective of IT audits in the financial sectors

The importance of the financial market in economy, society and politics has led to a reciprocal interdependent relationship that influences almost every part of our daily lives. As a consequence, negative effects of the financial sector can be fatal, not only for institutions within the financial sector but also society as a whole. Financial institutions are exposed to risks threatening the whole institute. This vulnerability to failures could be observed in the financial crisis of 2007 and consequently politics reacted. As a result of political efforts laws and regulations, namely in MaRisk and KWG, were adopted and imposed on banks and other financial institutions to enforce adequate and comprehensive risk management.

IT has become fundamental for many different business units in banks and is therefore necessary for a well-functioning, stable and robust financial system. Consequently, IT is affected by those changed laws and regulations and has to meet upcoming requirements effectively. The federal financial supervisory authority (BaFin) is auditing banks in regards to their conformance to requirements and regulations to guarantee the implementation within companies.

These audits check the appropriateness of IT from a risk management perspective. There\-by several areas are of great importance and play a pivotal role, namely IT strategy, IT revision, IT emergency management, application development, IT outsourcing, information risk management and user credential management.

This work identifies the IT architecture model that underlies those BaFin audits. Additionally, the question which entities and relationships between IT systems are important for the audit and thus relevant for risk management will be answered. Furthermore, this work uses and argues for a modeling paradigm in which legal requirements are going to be associated with concrete objects of an enterprise architecture. This is done using the enterprise architecture modeling language ArchiMate and its motivation extension.

The legislator is significantly intervening in the area of IT architecture management, an established scientific discipline within computer science. However, a scientific reflection of the scope of those interventions is still missing. This work will narrow the gap between regulations via laws on one side and the effects on IT architectures on the other.