Process Mining in Internal Audit
Auditors have a very tough job. They must search through all of an organization’s transactions to find the specific cases where internal controls were not followed. This job is made even more difficult by a lack of people and other resources. Auditors typically tackle the resource issue by sampling a subset of transactions, leading to an incomplete view of the actual risk. Process Mining provides a new approach to gathering audit evidence by automatically analyzing the entire population of event logs recorded in a company’s IT system. In other words, the company’s business processes and the actions taken by its employees are chronologically captured in the event log for analysis.
What Is Process Mining?
Process Mining uses data already inside of a company’s systems to visually reverse engineer business processes. Transactional systems today create an audit log of virtually every action in an organization. Process Mining algorithms use these audit logs to recreate business processes. The Process Mining algorithms need only a few fields to be effective: transaction ID, activity, resource, and timestamp. In addition to recreating the process, these systems also group transactions by execution path, called a variant. A variant in Process Mining is a group of process instances that have an identical execution path. For example, if process instance X and process instance Y both have the path “Create Purchase Order → Signature → Goods Receipt → Invoice Receipt → Release → Payment,” then they are grouped into the same variant. The grouping of process instances into variants allows auditors to observe frequent and infrequent paths from an event log; they can then distinguish between compliant and non-compliant execution based on the organization’s business rules.
These business rules allow auditors to separate transactions into compliant and non-compliant variants based on the paths of process instances when performing their audit procedures. With the algorithms evaluating 100% of a company’s transactions, it’s possible for Process Mining to detect potential internal control ineffectiveness without the need for a sampling plan.
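The variant grouping and compliance split described above can be sketched in a few lines. This is an added example, not code from the article or from any Process Mining product; the event rows, resource names, and the single allowed path are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample event log (not from the article); columns are the four
# fields named above: transaction ID, activity, resource, timestamp.
EVENT_LOG = [
    ("PO-1", "Create Purchase Order", "alice", "2024-01-02T09:00"),
    ("PO-1", "Signature", "bob", "2024-01-02T11:30"),
    ("PO-2", "Create Purchase Order", "alice", "2024-01-03T10:00"),
    ("PO-1", "Goods Receipt", "carol", "2024-01-05T08:15"),
    ("PO-2", "Signature", "bob", "2024-01-03T14:00"),
    ("PO-1", "Invoice Receipt", "dave", "2024-01-06T09:00"),
    ("PO-1", "Release", "erin", "2024-01-07T09:00"),
    ("PO-1", "Payment", "frank", "2024-01-08T09:00"),
    ("PO-2", "Goods Receipt", "carol", "2024-01-06T08:00"),
    ("PO-2", "Invoice Receipt", "dave", "2024-01-07T10:00"),
    ("PO-2", "Release", "erin", "2024-01-08T10:00"),
    ("PO-2", "Payment", "frank", "2024-01-09T10:00"),
    ("PO-3", "Create Purchase Order", "gina", "2024-01-04T09:00"),
    ("PO-3", "Invoice Receipt", "dave", "2024-01-04T09:30"),
    ("PO-3", "Release", "gina", "2024-01-04T09:45"),
    ("PO-3", "Payment", "frank", "2024-01-04T16:00"),
]

# Assumed business rule: the only compliant path is the one quoted in the text.
COMPLIANT_PATHS = {("Create Purchase Order", "Signature", "Goods Receipt",
                    "Invoice Receipt", "Release", "Payment")}

def build_variants(event_log):
    """Map each execution path (variant) to the case IDs that followed it."""
    traces = defaultdict(list)
    for case_id, activity, _resource, timestamp in event_log:
        traces[case_id].append((timestamp, activity))
    variants = defaultdict(list)
    for case_id, events in traces.items():
        # ISO 8601 timestamps sort chronologically as plain strings.
        path = tuple(activity for _, activity in sorted(events))
        variants[path].append(case_id)
    return dict(variants)

def non_compliant_variants(variants, compliant_paths):
    """Return (path, case_ids) for paths outside the rules, least frequent first."""
    bad = [(p, c) for p, c in variants.items() if p not in compliant_paths]
    return sorted(bad, key=lambda pc: len(pc[1]))

if __name__ == "__main__":
    for path, cases in non_compliant_variants(build_variants(EVENT_LOG), COMPLIANT_PATHS):
        print(f"{len(cases)} case(s) {cases}: " + " -> ".join(path))
```

Every case in the log is evaluated, so the infrequent variant (here the one that skips Signature and Goods Receipt) surfaces without a sampling plan.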
Analyzing a company’s business process using event logs is not a completely new concept to data science or business intelligence. In fact, the concept was developed in the Netherlands over two decades ago. However, only a few studies apply Process Mining in the auditing field. For example, Mieke Jans, Michael Alles, and Miklos Vasarhelyi (“A Field Study on the Use of Process Mining of Event Logs as an Analytical Procedure in Auditing,” Accounting Review, September 2014) suggest that Process Mining could assist auditors when performing analytical procedures. Also, the AICPA’s 2017 Guide to Audit Data Analytics states that Process Mining enables auditors to understand the entity’s internal controls and to identify unauthorized employee actions that could increase the risk of material misstatement.
Using Process Mining in the Audit Process
The audit process contains four unique phases: 1) plan and design an audit approach, 2) perform tests of controls and substantive tests of transactions, 3) perform analytical procedures and tests of details of balances, and 4) complete the audit and issue an audit report (Alvin A. Arens, Randall J. Elder, and Mark S. Beasley, Auditing and Assurance Services: An Integrated Approach, 14th edition, Prentice Hall, 2012). In most instances, auditors use Process Mining during the first and second phases of the audit process.
Phase 1. Plan and design
The first phase of the audit process is to “plan and design the audit approach.” Process Mining provides auditors with process maps and process statistics to be used to understand a company’s business process. These process maps show not only the most common ways that processes are executed, but every way that a process has been executed anywhere in the company. The statistics allow auditors to filter out one-off executions and easily identify execution patterns in one or more locations.
The visualization of the process map and associated process statistics allow auditors to answer a number of questions, like:
- How many activities are in the company’s business process, and are they all relevant to the business (assist in identifying key controls)?
- Which activity occurs most frequently in the business process?
- What is the core business process for this organization?
- How many employees are involved in the company’s business process, and what are the employees’ responsibilities (key to identifying potential segregation of duties violations)?
- What are the starting and ending date and time for every process instance, and what is the timestamp of each activity (assist in identifying cutoff issues)?
Phase 2. Tests of internal controls
Process Mining allows auditors to assess the effectiveness of the systems of internal control, an essential step in assessing control risk. Process Mining provides auditors with a detailed walkthrough of the transaction cycles. This technology replaces many manual audit procedures such as reperforming transaction flows or testing controls using sampling, enhancing audit effectiveness and efficiency.
Section 404 of the Sarbanes-Oxley Act of 2002 (SOX) mandates auditors to evaluate a company’s internal control system and identify what can go wrong. This process is usually very manual and requires many man-hours of effort. Process Mining can be a powerful tool to help auditors in performing tests of internal controls. The information stored in the event log can also provide audit evidence related to relevant management assertions. Example assertions that can be tested include completeness, accuracy, cutoff, and occurrence. There are several examples of detecting what could go wrong using event logs from the procure-to-pay cycle:
- Purchases received are not recorded
- Purchase amounts not properly recorded
- Unauthorized purchases
- Segregation of duties
- Process conformance
During the second phase of the audit process, Process Mining also helps when performing substantive tests of transactions to inspect the process related to the transaction balance. For example, if the balance of the payment is not correct due to duplicate payments for a purchase order, this can be discovered when analyzing the process of creating and approving that purchase order. Process Mining will also quickly identify transactions where approval levels have been circumvented by splitting transactions and other rogue buying behaviors.
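Three of the checks named in this phase (segregation of duties, duplicate payments, and unauthorized purchases) can be run as rules over the same four event-log fields. This is an added example, not code from the article; the events, the conflicting-activity pairs, and the use of “Signature” as the approval step are constructed assumptions.

```python
from collections import defaultdict

# Constructed procure-to-pay events (not from the article):
# (transaction ID, activity, resource, timestamp).
EVENTS = [
    ("PO-10", "Create Purchase Order", "alice", "2024-02-01T09:00"),
    ("PO-10", "Signature", "bob", "2024-02-01T10:00"),
    ("PO-10", "Payment", "frank", "2024-02-05T09:00"),
    ("PO-11", "Create Purchase Order", "gina", "2024-02-02T09:00"),
    ("PO-11", "Signature", "gina", "2024-02-02T09:05"),
    ("PO-11", "Payment", "frank", "2024-02-06T09:00"),
    ("PO-12", "Create Purchase Order", "alice", "2024-02-03T09:00"),
    ("PO-12", "Signature", "bob", "2024-02-03T10:00"),
    ("PO-12", "Payment", "frank", "2024-02-07T09:00"),
    ("PO-12", "Payment", "frank", "2024-02-07T09:02"),
    ("PO-13", "Create Purchase Order", "alice", "2024-02-04T09:00"),
    ("PO-13", "Payment", "frank", "2024-02-04T15:00"),
]

# Assumed control rules for this example; a real audit takes them from the
# organization's own control matrix.
CONFLICTING = [("Create Purchase Order", "Signature"), ("Signature", "Payment")]
APPROVAL, PAYMENT = "Signature", "Payment"

def run_control_tests(events):
    """Return {finding type: case IDs} over the whole population of events."""
    cases = defaultdict(list)
    for case_id, activity, resource, timestamp in events:
        cases[case_id].append((timestamp, activity, resource))
    findings = {"segregation_of_duties": [], "duplicate_payment": [], "unapproved_payment": []}
    for case_id, evs in sorted(cases.items()):
        who = defaultdict(set)  # activity -> resources that performed it
        for _, activity, resource in evs:
            who[activity].add(resource)
        if any(who[a] & who[b] for a, b in CONFLICTING):
            findings["segregation_of_duties"].append(case_id)
        pay_times = [ts for ts, act, _ in evs if act == PAYMENT]
        if len(pay_times) > 1:
            findings["duplicate_payment"].append(case_id)
        approvals = [ts for ts, act, _ in evs if act == APPROVAL]
        # Paid with no approval at all, or paid before the first approval.
        if pay_times and (not approvals or min(approvals) > min(pay_times)):
            findings["unapproved_payment"].append(case_id)
    return findings

if __name__ == "__main__":
    for finding, case_ids in run_control_tests(EVENTS).items():
        print(f"{finding}: {case_ids}")
```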
Process Mining as a New Form of Audit Evidence
Process Mining is a promising tool that is useful at different stages of the audit process, especially tests of internal controls. The data stored in event logs provides auditors with abundant information that could serve as additional audit evidence when performing tests of controls or other audit procedures. In addition, IT systems automatically record these event logs when activities or business processes take place, so the logs are less likely to be altered or distorted. Process Mining technology is also available today in many of the business intelligence tools, like Power BI, Tableau, and Qlik, that auditors have been using for years.
While Process Mining has been used by thousands of global companies, applying Process Mining to audit procedures is still relatively new, especially in North America. Challenges do exist inside of companies. For example, not all companies capture the entire event log records for every business cycle, and when they do, the data may not be readily reportable. Some companies are hesitant to allow transaction data to be uploaded to the cloud due to security concerns. Also, many Process Mining tools have their own interface and configuration tools that could make adoption an issue.
Auditors looking to take advantage of the data already in their organization and use Process Mining to plan their audits and improve their tests of controls should first assess their company’s current business intelligence tools and data security requirements. From there, evaluate Process Mining tools that fit the company’s technology direction, including the ability for auditors to make use of the audit tool and information security of transactional data.