Scribd
Upload
32 views

ARCM - Semantics Verification

ARCM - Semantics verification

Uploaded by

Alberto R. Pérez Martín
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
32 views

ARCM - Semantics Verification

ARCM - Semantics verification

Uploaded by

Alberto R. Pérez Martín
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 26

ARIS RISK AND COMPLIANCE

SEMANTICS VERIFICATION
FOR EXPORTING DATA

VERSION 10.0 - SERVICE RELEASE 18


MAY 2022
This document applies to ARIS Risk and Compliance Version 10.0 and to all subsequent
releases.
Specifications contained herein are subject to change and these changes will be reported in
subsequent release notes or new editions.
Copyright © 2010 - 2022 Software AG, Darmstadt, Germany and/or Software AG USA Inc.,
Reston, VA, USA, and/or its subsidiaries and/or its affiliates and/or their licensors.
The name Software AG and all Software AG product names are either trademarks or
registered trademarks of Software AG and/or Software AG USA Inc. and/or its subsidiaries
and/or its affiliates and/or their licensors. Other company and product names mentioned
herein may be trademarks of their respective owners.
Detailed information on trademarks and patents owned by Software AG and/or its
subsidiaries is located at https://softwareag.com/licenses.
Use of this software is subject to adherence to Software AG's licensing conditions and terms.
These terms are part of the product documentation, located at
https://softwareag.com/licenses and/or in the root installation directory of the licensed
product(s).
This software may include portions of third-party products. For third-party copyright notices,
license terms, additional rights or restrictions, please refer to "License Texts, Copyright
Notices and Disclaimers of Third Party Products". For certain specific third-party license
restrictions, please refer to section E of the Legal Notices available under "License Terms and
Conditions for Use of Software AG Products / Copyright and Trademark Notices of Software
AG Products". These documents are part of the product documentation, located at
https://softwareag.com/licenses and/or in the root installation directory of the licensed
product(s).
SEMANTICS VERIFICATION FOR EXPORTING DATA

Contents
Contents ........................................................................................................................................................... I

1 Introduction ............................................................................................................................................. 1

2 Run semantics reports ......................................................................................................................... 2


2.1 Example of a report without error messages ..................................................................... 3
2.2 Example of a report with error messages ........................................................................... 3

3 What additional components do you need for the semantics reports? .................................... 4

4 What semantics reports are available? ............................................................................................. 5

5 What verifications are defined for audit templates? ..................................................................... 6

6 What verifications are defined for controls and control execution definitions? ..................... 8

7 What verifications are defined for hierarchy structures? .......................................................... 10

8 What verifications are defined for policy definitions? ................................................................. 12

9 What verifications are defined for questionnaire templates? ................................................... 14

10 What verifications are defined for risks? ........................................................................................ 16

11 What verifications are defined for control test definitions? ....................................................... 17

12 What verifications are defined for user groups? .......................................................................... 19

13 What verifications are defined for users? ...................................................................................... 20

14 Legal information................................................................................................................................. 21
14.1 Documentation scope............................................................................................................ 21
14.2 Support ..................................................................................................................................... 22

I
SEMANTICS VERIFICATION FOR EXPORTING DATA

1 Introduction
When modeling in ARIS, certain conventions must be adhered to. If these conventions have
not been observed, the synchronization of data from ARIS into ARIS Risk and Compliance is
canceled. You can run the report Check for compliance with ARIS Risk and Compliance
modeling conventions to check data before you transfer data to make sure that guidelines
have been met. When you run this master report, the subordinate semantics reports run
automatically.
You can use the resulting log to correct the modeling errors, which ensures that the
synchronization to ARIS Risk and Compliance is performed correctly. For a detailed
description, from the conceptual design and modeling to the handling of synchronization,
refer to the ARCM - Modeling Conventions manual.
The following descriptions of the reports for semantics verifications are based on the
standard definitions of the configuration file ARCM-Semantics_Properties.js and the
reports.
By default, the ARIS Risk and Compliance semantics reports are available in the report
category ARIS Risk and Compliance. The master report Check for compliance with ARIS
Risk and Compliance modeling conventions executes all individual semantic reports. Only
the master report can be run by report wizard.

1
SEMANTICS VERIFICATION FOR EXPORTING DATA

2 Run semantics reports


You can run the report Check for compliance with ARIS Risk and Compliance modeling
conventions to check data before you transfer data to make sure that guidelines have been
met. When you run this master report, the subordinate semantics reports run automatically.

Prerequisite
 You need the Read access privilege for the groups in which the database items are
saved.
 The items were saved.
 You have access to this script. Access to scripts can be restricted to certain user groups.

Procedure
1. Start ARIS Architect.

2. Click ARIS > Explorer. The Explorer tab opens.

3. Click Navigation in the bar panel if the Navigation bar is not activated yet.
4. Right-click the relevant group or database.
5. Click Evaluate > Start report. The Report Wizard opens.
6. Select the ARIS Risk and Compliance category and the Check for compliance with
ARIS Risk and Compliance modeling conventions report.
7. Click Next.
8. Select the output settings.
9. Click Finish.
All available reports are started. The result is a cumulative report on the results of all
individual reports that is output as a text file.

2
SEMANTICS VERIFICATION FOR EXPORTING DATA

2.1 Example of a report without error messages


*************************************************************
Error report on semantic verification of control test definitions
*************************************************************

No errors found.

2.2 Example of a report with error messages


**************************************************************
Error report on semantics verification for hierarchy structures
**************************************************************

Hierarchy structure of the "Regulations & standards" checked. Contains errors!

Required attribute(s) not defined!!

Technical term - (Untitled)


Required attribute(s) not defined: AT_NAME
Required attribute(s) not defined: AT_AAM_SIGN_OFF_RELEVANT

Exists in:
Group: 1.5 Regulations
Model: Regulation hierarchy

Several parent nodes found!

Technical term - (Untitled)


Exists in:
Group: 1.5 Regulations
Model: Regulation hierarchy
Parent 1: Technical term
Parent 2: Regulations

3
SEMANTICS VERIFICATION FOR EXPORTING DATA

3 What additional components do you need for the


semantics reports?
The logic of the semantics verification is divided into four components.

THE REPORTS FOR PERFORMING THE RELEVANT VERIFICATIONS


 Verify semantics of hierarchy structures
 Verify semantics of risks
 Verify semantics of controls
 Verify semantics of control test definitions
 Verify semantics of users
 Verify semantics of user groups
 Verify semantics of questionnaire templates
 Verify semantics of audit templates

THE JAVASCRIPT FILES THAT PROVIDE THE BASIC FUNCTIONALITY OF THE REPORTS
AVAILABLE
 arcm-common.js (Common files section)
 arcm-mapping.js (Common files section)
 aris2arcm-mapping.xml (Common files section)
 ARCM-Semantics_BaseDataFunctions.js
 ARCM-Semantics_BaseReportAndOutputFunctions.js

THE JAVASCRIPT FILE FOR CONFIGURING THE VERIFICATIONS


 ARCM-Semantics_Properties.js

THE MASTER REPORT FOR EXECUTING ALL AVAILABLE REPORTS IN ONE STEP
The Check for compliance with ARIS Risk and Compliance modeling conventions report
runs all assigned reports, bundles the results and outputs them.

4
SEMANTICS VERIFICATION FOR EXPORTING DATA

4 What semantics reports are available?

Report Context Executable by


report wizard
Check for compliance with ARIS Risk and Database, Yes
Compliance modeling conventions group
 Verify semantics of hierarchy structures Group No
 Verify semantics of risks Group No
 Verify semantics of controls Group No
 Verify semantics of control test definitions Group No
 Verify semantics of user groups Group No
 Verify semantics of users Group No
 Verify semantics of questionnaire templates Group No
 Verify semantics of survey schedulers Group No
 Verify semantics of audit templates Group No
 Verify semantics of policies Group No

5
SEMANTICS VERIFICATION FOR EXPORTING DATA

5 What verifications are defined for audit templates?


This description relates to the default definition of the configuration file and reports.

REPORT NAME
Verify semantics of audit templates

VERIFICATIONS TO BE PERFORMED
The report verifies whether:
 the Transfer data to ARIS Risk and Compliance attribute is set to true. Only audit
templates for which this attribute is activated are considered.
 an audit is connected to exactly one audit owner group, exactly one audit reviewer group,
and no more than one audit auditor group.
 an audit step is connected to exactly one audit step owner group.
 no more than one connection of the is within the scope of type exists for a hierarchy
type in the model.
 an audit step is connected to exactly one superior audit step or exactly one audit via a
connection of the belongs to type, so that a unique tree structure is provided.
 an audit template or an audit step template exists only once in a model.
 the start date of the preparation of an audit occurs before or is identical with the audit
period.
 the audit step period occurs within the audit period or whether start and end date of audit
step period and audit period are identical, with the end date of the audit period being
calculated from the start date and maximum total time taking into consideration the
value specified for the Weekend off attribute.
 the mandatory attributes for the following objects are specified:
 Audit template:
 Name
 Start date
 Maximum total time
 Start date of audit preparation
 Start date of control period
 End date of control period

6
SEMANTICS VERIFICATION FOR EXPORTING DATA

 Audit step template:


 Name
 Start date
 Maximum total time
 Desired processing time
 hierarchy types (risk category, application system type, function (process), organizational
unit, or technical term) are connected to the task allocation diagram using the is within
the scope of connection for the purpose of defining the scope of an audit template or
audit step template.
 the value of the maximum total time and the relevant processing time is not
0000:00:00:00.
 the value of the relevant processing time does not exceed the value of the maximum total
time.

7
SEMANTICS VERIFICATION FOR EXPORTING DATA

6 What verifications are defined for controls and control


execution definitions?
This description relates to the default definition of the configuration file and reports.

REPORT NAME
Verify semantics for controls and control execution definitions

VERIFICATIONS TO BE PERFORMED

CONTROLS
The report verifies whether:
 the required attributes are set:
 Name
 the control is unique within the modeled business controls diagram.
 a control has an occurrence in no more than one business controls diagram.
 the Transfer data to ARIS Risk and Compliance attribute is set to true. Only controls
for which this attribute is activated are considered.
 the controls are connected to a risk for which the Transfer data to ARIS Risk and
Compliance attribute is set to true (does not apply if the verification was started on a
risk diagram for which the Transfer data to ARIS Risk and Compliance attribute is set to
true).
 the controls are each connected to a maximum of one control manager group.

CONTROL EXECUTION DEFINITIONS


The report verifies whether a control execution definition is linked to the control. If so, verifies
whether:
 the required attributes are set:
 Name and
 Control documentation frequency and
 Time limit for documentation of control execution in days and
This attribute is not mandatory if the Control documentation frequency attribute
has the value Event-driven.
 Start date and
This attribute is not mandatory if the Control documentation frequency attribute
has the value Event-driven.
 Length of documented period

8
SEMANTICS VERIFICATION FOR EXPORTING DATA

 a control execution definition is linked to only one organizational unit.


 a control execution definition is linked to only one group (there must be only one Control
execution owner group).
 the Event-driven control documentation allowed attribute is set to true, when the
value Event-driven is set for the control documentation frequency.
 the start date is before the end date.
 the control execution definition is unique within the modeled business controls diagram.
 a control execution definition has a single assigned control. A control can have multiple
control execution definitions but each control execution definition can only ever have one
control.
 a control execution definition occurs in no more than one business controls diagram.

9
SEMANTICS VERIFICATION FOR EXPORTING DATA

7 What verifications are defined for hierarchy structures?


This description relates to the default definition of the configuration file and reports.

REPORT NAME
Verify semantics of hierarchy structures

CONTEXT
According to the default definition, the verification uses the hierarchy structures with the
following models:

PROCESS
EPC, Value-added chain diagram, and Function allocation diagram

ORGANIZATIONAL UNIT
 Organizational chart

REGULATIONS & STANDARDS


 Technical terms model
Special for Regulatory Change Management
The report verifies whether:
 the Review-relevant attribute is selected. If so, the following mandatory attributes and
conditions are checked:
 Review frequency
 Time limit for the execution of the review in days
 Start date of review
 The technical term must be connected to precisely one hierarchy owner group.

TESTER
No models can be specified for the tester organization. The models that were specified for the
organizational unit are used.

APPLICATION SYSTEM TYPE


 Application system type diagram

RISK CATEGORY
 Risk diagram

10
SEMANTICS VERIFICATION FOR EXPORTING DATA

VERIFICATIONS TO BE PERFORMED
The report verifies whether:
 the required attributes are specified for all hierarchy structures:
 Name
 each element of the hierarchy has a maximum of one parent node.
 a hierarchy element is connected to no more than one sign-off owner group (not relevant
for application system type and risk category hierarchy).
 there are no overlaps between tester organization and organization hierarchy. An
organizational unit must not belong to the tester organization and the organization
hierarchy at the same time.
Only trees are permitted for structuring the hierarchy in ARIS Risk and Compliance, no net
structures.

11
SEMANTICS VERIFICATION FOR EXPORTING DATA

8 What verifications are defined for policy definitions?


This description relates to the default definition of the configuration file and reports.

REPORT NAME
Verify semantics of policies
(Object type name is Policy in ARIS, policy definition in ARIS Risk and Compliance)

VERIFICATIONS TO BE PERFORMED
The report verifies whether:
 the Transfer data to ARIS Risk and Compliance attribute is set to true. Only policy
definitions for which this attribute is activated are considered.
 a policy definition is connected to exactly one policy owner group.
 a policy definition is connected to no more than one policy auditor group.
 at least one policy addressee group is connected if the policy is of the Confirmation
required type.
 the publishing start date is after the start date of the publishing preparation period.
 the end date of the publishing period is after the start date of the publishing period.
 the end date of the publishing preparation period is after the start date of the publishing
preparation period.
 the end date of the approval period is after the start date of the approval period.
 the approval period of the approvers is completely within the publishing preparation
period of the owners.
 the mandatory attributes for the following objects are specified:
 Policy definition:
 Name
 Policy type
 Start date of publishing preparation period
 End date of publishing preparation period
 Latest publishing date
 Start date of approval period
 End date of approval period
 Confirmation duration if the policy is of the Confirmation required type

12
SEMANTICS VERIFICATION FOR EXPORTING DATA

 Policy review task:


 Review frequency if the policy is marked as review-relevant.
 Event-driven task allowed if the policy is marked as review-relevant.
 Time limit for task processing if the policy is marked as review-relevant.
(This attribute is not mandatory if the Review frequency attribute has the value
Event-driven.)
 Start date if the policy is marked as review-relevant.
(This attribute is not mandatory if the Review frequency attribute has the value
Event-driven.)

13
SEMANTICS VERIFICATION FOR EXPORTING DATA

9 What verifications are defined for questionnaire


templates?
This description relates to the default definition of the configuration file and reports.

REPORT NAME
Verify semantics of questionnaire templates

VERIFICATIONS TO BE PERFORMED
The report verifies whether:
 the Transfer data to ARIS Risk and Compliance attribute is set to true. Only
questionnaire templates for which this attribute is activated are considered.
 the mandatory attributes for the following objects are specified:
 Questionnaire template:
 Name
 Section:
 Name
 Question:
 Question text and
 Question type:
- Single choice or
- Multiple choice or
- Text or
- Numerical (integer) or
- Numerical (floating point number) or
- Date or
- Date range
If the question type is Single choice or Multiple choice, then either an option set
or at least one answer options must be assigned (mandatory fields).
If the Text, Numerical, Date, or Date range question type is selected, the
Evaluation by reviewer field becomes mandatory. If the Evaluation by
reviewer attribute is set to Yes, then either an option set or an answer option
must be assigned (mandatory fields).
Several answer options or one option set can be assigned to a question. You
cannot simultaneously assign answer options and an option set. The respective
assignment must be removed before another one can be added.

14
SEMANTICS VERIFICATION FOR EXPORTING DATA

 Option set:
 Name
 Answer option:
 Answer
 a question only occurs once in a section. It is, however, possible to use a question in
different sections.
 an option set is always assigned at least one answer option.
 all connected survey schedulers are connected to at least one interviewee group and
precisely one survey reviewer group.
 all connected survey schedulers are connected to a maximum of one survey manager
group (the assignment is not mandatory).
 the mandatory attributes for these survey schedulers are specified:
 Frequency
 Start date
(This attribute is not mandatory if the Frequency attribute has the value
Event-driven.)
 Time limit for execution in days
(This attribute is not mandatory if the Frequency attribute has the value
Event-driven.)

15
SEMANTICS VERIFICATION FOR EXPORTING DATA

10 What verifications are defined for risks?


This description relates to the default definition of the configuration file and reports.

REPORT NAME
Verify semantics of risks

VERIFICATIONS TO BE PERFORMED
The report verifies whether:
 the required attributes are set:
 Name
 the Transfer data to ARIS Risk and Compliance attribute is set to true. Only risks for
which this attribute is activated are considered.
 a risk is connected to no more than one risk manager group.
 the risks are unique within the modeled business controls diagrams.
 a risk has an occurrence in no more than one business controls diagram.
 the Risk Management-relevant attribute is selected. If so, the following mandatory
attributes and conditions are checked:
 Assessment frequency
 Time limit for execution in days
(This attribute is not mandatory if the Assessment frequency attribute has the
value Event-driven.)
 Start date of risk assessments
(This attribute is not mandatory if the Assessment frequency attribute has the
value Event-driven.)
 the risk is assigned a single risk owner group and a single risk reviewer group.

16
SEMANTICS VERIFICATION FOR EXPORTING DATA

11 What verifications are defined for control test


definitions?
This description relates to the default definition of the configuration file and reports.

REPORT NAME
Verify semantics of control test definitions

VERIFICATIONS TO BE PERFORMED
The report verifies whether:
 the required attributes are set:
 Name
 Test type:
 Test of design and/or
 Test of effectiveness and
 Test frequency and
 Time limit for execution in days (the value must be between 1 and 365) and
(This attribute is not mandatory if the Task frequency attribute has the value
Event-driven.)
 Start date of control test definition and
(This attribute is not mandatory if the Task frequency attribute has the value
Event-driven.)
 Length of control period.
 the control test definitions are unique within the modeled business controls diagram.
 a control test definition has an occurrence in no more than one business controls
diagram.
 the control test definitions are each connected to precisely one tester group and one
reviewer group, and then only if each group member is assigned to only one of the two
groups.
 the control test definitions are each connected to a maximum of one test manager group
(the group assignment is not mandatory)
 the control test definitions are each connected to precisely one organizational unit.
Assignment to the organization hierarchy is required in ARIS Risk and Compliance.
 the tester group connected to the control test definition is also connected to a single
element of the tester organization.

17
SEMANTICS VERIFICATION FOR EXPORTING DATA

 the Event-driven control tests allowed attribute is set to true, when the value
Event-driven is set for the test frequency.
 a control test definition is connected to precisely one control for which the Transfer data
to ARIS Risk and Compliance attribute is set to true.

18
SEMANTICS VERIFICATION FOR EXPORTING DATA

12 What verifications are defined for user groups?


This description relates to the default definition of the configuration file and reports.

REPORT NAME
Verify semantics of user groups

VERIFICATIONS TO BE PERFORMED
The report verifies whether:
 the required attributes are set:
 Name
 an object of the Role type is connected to more than one object of the Role type. A group
can only have a single role in ARIS Risk and Compliance. The report does not verify
whether a group is connected to precisely one role, or whether a user group is connected
to the Tester role with exactly one hierarchy element of the Tester type.

19
SEMANTICS VERIFICATION FOR EXPORTING DATA

13 What verifications are defined for users?


This description relates to the default definition of the configuration file and reports.

REPORT NAME
Verify semantics of users

VERIFICATIONS TO BE PERFORMED
The report verifies whether:
 the required attributes are set:
 Login and
 First name and
 Last name and
 E-mail address
 the user name consists of alphanumeric characters and period (.), hyphen (-) or
underscore (_) only.

20
SEMANTICS VERIFICATION FOR EXPORTING DATA

14 Legal information

14.1 Documentation scope


The information provided describes the settings and features as they were at the time of
publishing. Since documentation and software are subject to different production cycles, the
description of settings and features may differ from actual settings and features. Information
about discrepancies is provided in the Release Notes that accompany the product. Please
read the Release Notes and take the information into account when installing, setting up, and
using the product.
If you want to install technical and/or business system functions without using the
consulting services provided by Software AG, you require extensive knowledge of the system
to be installed, its intended purpose, the target systems, and their various dependencies. Due
to the number of platforms and interdependent hardware and software configurations, we
can describe only specific installations. It is not possible to document all settings and
dependencies.
When you combine various technologies, please observe the manufacturers' instructions,
particularly announcements concerning releases on their Internet pages. We cannot
guarantee proper functioning and installation of approved third-party systems and do not
support them. Always follow the instructions provided in the installation manuals of the
relevant manufacturers. If you experience difficulties, please contact the relevant
manufacturer.
If you need help installing third-party systems, contact your local Software AG sales
organization. Please note that this type of manufacturer-specific or customer-specific
customization is not covered by the standard Software AG software maintenance agreement
and can be performed only on special request and agreement.
If a description refers to a specific ARIS product, the product is named. If this is not the case,
names for ARIS products are used as follows:

Name Includes
ARIS products Refers to all products to which the license regulations of
Software AG standard software apply.

ARIS Clients Refers to all programs that access shared databases via ARIS
Server, such as ARIS Architect or ARIS Designer.

ARIS Download clients Refers to ARIS clients that can be accessed using a browser.

21
SEMANTICS VERIFICATION FOR EXPORTING DATA

14.2 Support
If you have any questions on specific installations that you cannot perform yourself, contact
your local Software AG sales organization
(https://empower.softwareag.com/Products/default.aspx). To get detailed information and
support, use our websites.
If you have a valid support contract, you can contact Global Support ARIS at: +800
ARISHELP. If this number is not supported by your telephone provider, please refer to our
Global Support Contact Directory.

ARIS COMMUNITY
Find information, expert articles, issue resolution, videos, and communication with other ARIS
users. If you do not yet have an account, register at ARIS Community.

SOFTWARE AG EMPOWER PORTAL


You can find documentation on the Software AG Documentation website. The site requires
credentials for Software AG's Product Support site Empower. If you do not yet have an
account for Empower, send an e-mail to [email protected]
(mailto:[email protected]) with your name, company, and company e-mail address
and request an account.
If you have no account, you can use numerous links on the TECHcommunity website. For any
questions, you can find a local or toll-free number for your country in our Global Support
Contact Directory and give us a call.

TECHCOMMUNITY
On the TECHcommunity website, you can find documentation and other technical
information:
 Use the online discussion forums, moderated by Software AG professionals, to ask
questions, discuss best practices, and learn how other customers are using Software AG
technology.
 Access articles, code samples, demos, and tutorials.
 Find links to external websites that discuss open standards and web technology.
 Access product documentation, if you have TECHcommunity credentials. If you do not,
you will need to register and specify Documentation as an area of interest.

EMPOWER (LOGIN REQUIRED)


If you have an account for Empower, use the following sites to find detailed information or
get support:

22
SEMANTICS VERIFICATION FOR EXPORTING DATA

 You can find product information on the Software AG Empower Product Support website.
 To get information about fixes and to read early warnings, technical papers, and
knowledge base articles, go to the Knowledge Center.
 Once you have an account, you can open Support Incidents online via the eService
section of Empower.
 To submit feature/enhancement requests, get information about product availability, and
download products, go to Products.

FURTHER INFORMATION AND TRAININGS


Learn from your laptop computer, tablet or smartphone.

23

You might also like