A Multi-Agent Systems Contribution for Audit and Change Management

Progress in Information Technology and the popularity of best practices have given rise to new applications such as IT GRC tools. The proper use of these applications requires communication and exchanges between their architectures. Faced with a high number of standards and best practices, the management model of an Information Systems department becomes very dynamic. In this model, audit and change management are two problems that are rarely automated within the information systems function. These systems must adapt to new management methods and practices in order to improve innovation and management within companies. The major challenge of these standards and best practices is to adapt the target processes to the existing context and to have automatic mechanisms for auditing and for generating an evolution plan in an application. In this paper we propose an approach for Audit and Change Management in IT GRC tools. Our approach uses multi-agent systems to produce the evolution plan and thereby generate a road map for implementing the IT governance framework.


I. INTRODUCTION
The evolution of information systems since the 1960s has enabled profound changes that have transformed the needs for management tools in information systems. The appearance of the term Information System is indicative of this change in attitudes: it led to the emergence of new actors and new management entities for information systems. This management approach reveals the challenge of the evolution of the information system, which must be managed and controlled through strategic alignment. Strategic alignment is an approach that aligns the strategy of the information system with the business rules of the company. Its purpose is to enhance the value in use of the information system and make it an asset to the company. To do this, a new system design has emerged; this system is based on modeling a multi-architecture environment, and the aim of this practice is to define how organizations can align Information Technology (IT) strategy with business strategy and ensure that companies can measure their performance. Today, this mode of management is called IT Governance. IT Governance describes how an Information System (IS) is directed and controlled by defining approaches and good principles for pursuing performance while reducing costs and risks. It also defines the relationship between IS users, the key processes and the common points between technical and functional architectures [1]. In this paper, we will focus on IT GRC architectures. GRC is the acronym for "Governance, Risk and Compliance". It is a concept that describes the integration of activities to improve the efficiency and effectiveness of many functions of organizations.
By way of explanation, IT Governance, IT Risk and IT Compliance ensure that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options, setting direction through prioritization and decision making, and monitoring performance, compliance and progress against the agreed-on direction and objectives [2]. Currently, implementing the techniques and tools of audit and change management is becoming a key element of the innovation and management system within companies.

II. STATE OF THE ART
Like Enterprise Resource Planning (ERP), GRC is becoming one of the most important business requirements of an organization [3], mainly due to rapid globalization, increasing regulation and growing demand for transparency in companies [4], [5], [6]. GRC methods are based on the process approach.

A. IT Processes
IT Governance, IT Risk and IT Compliance are based on a set of processes to ensure that the objectives assigned to the IS are well considered. There are a variety of processes to meet the needs of the activities of an IS department. These processes can be divided as follows:
• Management planning: is the process of defining and assessing an organization's goals and creating a realistic, detailed plan of action for meeting those goals. The basic steps in the management planning process involve creating a road map that outlines each task the company must accomplish to meet its overall objectives.
• Service Management: refers to the entirety of activities that are performed by an organization to plan, design, deliver, operate and control the information technology (IT) services offered to customers.
• Project Management: is the discipline of initiating, planning, executing, controlling, and closing the work of a team to achieve specific goals and meet specific success criteria.
• Cost Management: is the process of planning and controlling the budget of a business. Cost management is a form of management accounting that allows a business to predict impending expenditures to help reduce the chance of going over budget.
• Software Management: is the process of planning and leading software projects. It is a sub-discipline of project management in which software projects are planned, implemented, monitored and controlled; it also covers building the software and implementing it in programming languages.
• Security Management: This is a broad field that encompasses several aspects; these processes protect by appropriate measures and detect as soon as possible the security problems that could threaten the information system of an organization.
• Provider Management: the processes that give specialist advice and support with contracts between customers and provider in order to get more value in the customer-provider relationship.
• Resource Management: the process of using a company's resources in the most efficient way possible. These resources can include goods and equipment, financial resources, and human resources.
• Quality Management: Set of activities allowing the determination of the quality policy and its implementation in order to maintain and improve the services and products of an IT organization.

B. IT GRC Processes
Today, there are several IT best-practice frameworks on the IT market for implementing the IT GRC concept, and each standard is specialized in a specific field. In the following, we cite the main best practices and standards used by companies in the IT domain.
• COBIT (Control Objectives for Information and related Technology): is a framework developed and delivered by ISACA (Information Systems Audit and Control Association). It allows the control of objectives and the management of IT processes; to do this, COBIT provides a set of practices to manage the levels of control that must be applied to IT processes and resources.
• ITIL (Information Technology Infrastructure Library): is a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of the business. The main goal of ITIL is to improve service to the customer.
• CMMI (Capability Maturity Model Integration): was developed by a group from industry, government, and the Software Engineering Institute (SEI). CMMI models provide guidance for developing or improving the engineering processes of an organization. A CMMI model may also be used as a framework for appraising the process maturity of the organization. The main goal of CMMI is to assure customers of a certain level of maturity of the company's engineering processes.

• PMBOK (Project Management Body of Knowledge): developed by the Project Management Institute (PMI), PMBOK is a guide and a set of global standards that provide guidelines, rules and characteristics for project, program and portfolio management. The PMBOK Guide is process-based, meaning it describes work as being accomplished by processes. The main goal of PMBOK is to improve the life-cycle management of any project, program and project portfolio.

• ISO 27001 (International Standard Organization): specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The main goal of ISO 27001 is to protect the information assets and to comply with legal and regulatory requirements.
• ISO 20000: is a service management system (SMS) standard. It specifies requirements for the service provider to plan, establish, implement, execute, monitor, review, maintain and improve an SMS. Requirements include the design, transition, provision and improvement of services to meet service requirements.

C. Overview of EAS-IT GRC
The IT GRC ensures the alignment of the objectives of the organization with the needs defined by the stakeholders. This is illustrated by the strategic progress of a given organization and also by the decisions taken. The proposed solution supplies a high-level model for the IT GRC that allows the implementation of the IT GRC in an intelligent way. We give a brief description of every layer of the EAS-IT GRC platform (figure 1) for a good understanding of the global architecture [7]. The IT GRC platform is composed of four principal layers:
• stakeholders' participation. Its role is to propose new management processes for the IT department.
• Decision layer: ensures a comparative analysis between the best frameworks for each IT process in order to decide on the best reference to set up.
• Processing layer: This layer is composed of different systems, which can be implemented; it defines the processes and actions to be deployed according to the chosen framework.
• Communication layer: It is responsible for all communications between layers of the IT GRC platform.

III. PROPOSED ARCHITECTURE EAC-ACM
The bibliographic study of IT GRC solutions enabled us to identify several architectures and solutions for IT governance in companies. The analysis of these solutions allowed us to identify limitations of IT GRC relative to the actual needs of different companies. Among these limitations we cite:
• The company's IT strategic plan changes after 3 to 5 years because of a new vision of the company; the current IT GRC platforms do not offer solutions for aligning the IS with the business strategy.
• A change in the company's IS strategy directly implies a change in the practices of IT system users, which requires auditing existing activities in order to propose new solutions; the current IT GRC platforms do not allow auditing of existing practices against best practices and standards.
• A change in IS governance requires new actions to be taken; the current IT GRC platforms cannot generate an IT action plan to implement the new solutions.
In this paper, we focus on the following issue: how can we audit existing practices and plan changes automatically in IT governance in order to implement new actions and recommendations?

A. Proposed Architecture
Our approach, based on EAS-IT GRC, allows the audit and the generation of an IT plan in order to assist change management. Our proposal introduces a new layer for audit and change management using Multi-Agent Systems (MAS) in order to automate the link between the actions to be implemented and the road map of IT planning towards the implementation of IT governance. This proposal is structured in two phases: Audit and Gap Analysis, and Change Management. The Audit and Gap Analysis phase involves the following steps:
• Information gathering: this step lists the processes to be implemented, as communicated by the communication layer, and explores the current practices in order to update the knowledge base of the information system.
• GAP Analysis: this step performs a gap analysis between the existing situation and the proposed improvements.
We believe that developing an expert system will bring significant advantages, such as statistics calculated from the fact base and the use of analysis tools. Our system is also based on multi-agent systems because agents exhibit a high level of autonomy and function successfully in situations with a high level of uncertainty.

International Journal of Advanced Engineering Research and Science (IJAERS), Vol-4, Issue-8, Aug-2017, https://dx.doi.org/10.22161/ijaers.4.8.14, ISSN: 2349-6495(P) | 2456-1908(O)

Fig.2: EAS-ACM architecture

B. Expert System
An expert system is one of the areas of artificial intelligence. An expert system, also known as a knowledge-based system, is a computer program that contains the knowledge and analytical skills of one or more human experts in a specific problem domain. The goal of the design of an expert system is to capture the knowledge of a human expert relative to some specific domain and encode it in a computer in such a way that the knowledge of the expert is available to a less experienced user [8]. It is divided into two sub-systems: the inference engine and the knowledge base. The knowledge base contains accumulated experience and a set of rules. The inference engine applies the rules to the known facts to deduce new facts. This process iterates, as each new fact in the knowledge base can trigger additional rules in the inference engine. Inference engines work primarily in one of two modes: forward chaining and backward chaining. Forward chaining starts with the known facts and asserts new facts. Backward chaining starts with goals and works backward to determine which facts must be asserted so that the goals can be achieved.
Four main characteristics distinguish an expert system from a conventional program:
• Expertise: expert systems use a large amount of knowledge about a particular domain; this knowledge is often subjective, possibly incomplete and subject to change. However, expert systems must have the skills to use this knowledge efficiently in order to solve complex problems quickly.
• Symbolic reasoning: in an expert system, the knowledge is explicitly represented in symbolic form, in a structure called the knowledge base. The inference engine manipulates this knowledge using a set of heuristic rules appropriate to the given domain.
• Depth: expert systems operate in a narrow domain, dealing with hard and challenging problems. They have to use complex rules.
• Self-knowledge: an expert system has an explanation capability. It should be able to explain how it arrived at a particular conclusion.
Besides that, an expert system can advise, modify, update and expand its knowledge, and deal with uncertain and irrelevant data.

C. Agent and Multi-Agent System
An agent is a computer system situated within an environment, with an autonomous behavior designed to achieve the objectives that were set during its design [9]. A multi-agent system (MAS) is a system that contains a set of agents that interact through communication protocols and are able to act on their environment. Different agents have different spheres of influence, in the sense that they have control (or at least influence) over different parts of the environment. These spheres of influence may overlap in some cases; the fact that they coincide may create dependency relationships between agents [10]. Starting from the definitions cited above, we can identify the following agent types [11]:
• The reactive agent is often described as not being "clever" by itself. It is a very simple component that perceives the environment and is able to act on it. It operates only in a stimulus-action mode, which can be considered a form of communication.
• The cognitive agent is a more or less intelligent agent, mainly characterized by a symbolic representation of knowledge and mental concepts. It has a partial representation of the environment and explicit goals; it is capable of planning its behavior, remembering its past actions, communicating by sending messages, negotiating, etc.
• The intentional agent, or BDI (Belief, Desire and Intention) agent, is an intelligent agent that applies the model of human intelligence and the human perspective on the world, using mental concepts such as knowledge, beliefs, intentions, desires, choices and commitments. Its behavior can be predicted from the beliefs, desires and intentions attributed to it.
• The rational agent is an agent that acts in a manner allowing it to achieve the most success in the tasks it was assigned. To this end, we must have a performance measure, if possible an objective one, associated with each task that the agent should run.
• The adaptive agent is an agent that adapts to any changes that may occur in its environment. It is very intelligent, as it is able to change its objectives and its knowledge base when the environment changes.
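As an added example (not code from the paper or from the EAS-IT GRC platform it describes), the Python script below ties together the two phases of Section III.A (information gathering, then GAP analysis and change management), the forward-chaining inference engine of Section III.B and the message-passing agents of Section III.C. An audit agent closes a fact base under a small set of audit rules, keeping a derivation trace so that the system can explain each deduced gap, and a planning agent orders the resulting actions into a road map that respects process dependencies and rejects a cyclic plan. All process names, rules, framework references and dependency facts are constructed sample data, and the agent names, message kinds and function names are assumptions of this example.

```python
"""Added illustration (not code from the paper or the EAS-IT GRC platform):
an audit agent running a forward-chaining expert system hands its gap
analysis to a planning agent that builds the change road map. Process names,
rules, references and dependencies are constructed sample data."""
from collections import deque

def match(pattern, fact, env):
    """Bind one antecedent pattern to one fact; "?x" items are variables."""
    if len(pattern) != len(fact):
        return None
    env = dict(env)
    for p, f in zip(pattern, fact):
        if isinstance(p, str) and p.startswith("?"):
            if env.setdefault(p, f) != f:  # variable already bound elsewhere
                return None
        elif p != f:
            return None
    return env

def matches(antecedents, facts, env=None):
    """Yield every variable binding under which all antecedents hold."""
    env = env or {}
    if not antecedents:
        yield env
        return
    for fact in facts:
        bound = match(antecedents[0], fact, env)
        if bound is not None:
            yield from matches(antecedents[1:], facts, bound)

def forward_chain(facts, rules):
    """Forward chaining: fire rules until no new fact appears. Returns the closed
    fact base and a trace {fact: (rule, premises)} used to explain conclusions."""
    facts, trace = set(facts), {}
    while True:
        new = set()
        for name, antecedents, consequent in rules:
            for env in matches(antecedents, facts):
                sub = lambda t, e=env: tuple(e.get(x, x) for x in t)
                derived = sub(consequent)
                if derived not in facts and derived not in new:
                    new.add(derived)
                    trace[derived] = (name, [sub(a) for a in antecedents])
        if not new:
            return facts, trace
        facts |= new

# Constructed audit rules: gap analysis between existing and target practices.
RULES = [
    ("gap-from-adhoc", [("required", "?p"), ("practice", "?p", "ad_hoc")],
     ("gap", "?p")),
    ("action-for-gap", [("gap", "?p"), ("reference", "?p", "?fw")],
     ("action", "?p", "?fw")),
    ("order-by-dependency", [("action", "?p", "?f1"), ("depends_on", "?p", "?q"),
                             ("action", "?q", "?f2")], ("before", "?q", "?p")),
]

def topological_order(nodes, edges):
    """Kahn's algorithm, deterministic (sorted); rejects cyclic dependencies."""
    indeg, succ = {n: 0 for n in nodes}, {n: [] for n in nodes}
    for a, b in edges:
        succ[a].append(b)
        indeg[b] += 1
    ready, out = sorted(n for n in nodes if indeg[n] == 0), []
    while ready:
        n = ready.pop(0)
        out.append(n)
        for m in sorted(succ[n]):
            indeg[m] -= 1
            if indeg[m] == 0:
                ready.append(m)
    if len(out) != len(nodes):
        raise ValueError("cyclic dependencies: no valid road map")
    return out

def run_audit(facts):
    """One audit/change cycle: two agents exchange (sender, to, kind, payload)
    messages over a queue; returns (roadmap, trace)."""
    queue, state = deque([("communication_layer", "auditor", "audit", facts)]), {}
    def auditor(sender, kind, payload):  # runs the expert system on the facts
        closed, state["trace"] = forward_chain(payload, RULES)
        actions = {f[1] for f in closed if f[0] == "action"}
        order = {(f[1], f[2]) for f in closed if f[0] == "before"}
        queue.append(("auditor", "planner", "plan", (actions, order)))
    def planner(sender, kind, payload):  # orders the actions into a road map
        state["roadmap"] = topological_order(*payload)
    agents = {"auditor": auditor, "planner": planner}
    while queue:
        sender, to, kind, payload = queue.popleft()
        agents[to](sender, kind, payload)
    return state["roadmap"], state["trace"]

# Constructed fact base produced by the information-gathering step.
FACTS = {
    ("required", "incident_mgmt"), ("required", "change_mgmt"),
    ("required", "config_mgmt"), ("required", "access_control"),
    ("practice", "incident_mgmt", "ad_hoc"), ("practice", "change_mgmt", "ad_hoc"),
    ("practice", "config_mgmt", "ad_hoc"), ("practice", "access_control", "formal"),
    ("reference", "incident_mgmt", "ITIL"), ("reference", "change_mgmt", "ITIL"),
    ("reference", "config_mgmt", "ITIL"), ("reference", "access_control", "ISO27001"),
    ("depends_on", "change_mgmt", "config_mgmt"),
    ("depends_on", "incident_mgmt", "config_mgmt"),
}
```

Calling run_audit(FACTS) returns the road map ['config_mgmt', 'change_mgmt', 'incident_mgmt'] together with the trace: access_control produces no gap because its practice is already formal, configuration management is scheduled first because the other two actions depend on it, and the trace entry for any derived fact names the rule and the premises it fired on, which is the explanation capability listed under self-knowledge above.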