Process mining provides a new approach to gathering audit evidence by automatically analyzing the entire population of event logs recorded in a company’s IT system. In other words, the company’s business processes and the actions taken by its employees are chronologically captured in the event log for analysis. This article aims to explain how auditors can use process mining in the audit process, especially in tests of internal controls over financial reporting. Specifically, the authors use the procure-to-pay cycle as an example of how analysis of event logs provides auditors with unique information that can assist in such tests.

What Is Process Mining?

Process mining enables users to analyze a company’s business processes using event logs. Event logs provide an audit trail that captures every user’s actions and every business process performed. As shown in Exhibit 1, an event log contains essential information, including process instance, activity, resource, and timestamp. Exhibit 2 shows a sample event log for an employee who creates a purchase order using the company’s IT system. In addition to understanding the information stored in an event log, it is also important to know the “variant.” A variant in process mining is a group of process instances that have an identical path. For example, if process instance X and process instance Y both have the path “Create Purchase Order → Signature → Goods Receipt → Invoice Receipt → Release → Payment,” then they are grouped into the same variant. The grouping of process instances into variants allows auditors to observe frequent and infrequent paths from an event log; they can then distinguish between standard and nonstandard paths based on the company’s business rules.

Exhibit 1

Information Stored in an Event Log

Information Stored in an Event Log; Example Process instance; A unique purchase order number Activity; An employee signature on a purchase order Resource; An employee who performs an activity Timestamp; The year, month, date, and time of an activity

Exhibit 2

Sample Event Log

Process Instance; Activity; Resource; Timestamp Event Log; 01; Create purchase order; Peter; 2018-01-01 08:19 a.m.

Assume a company’s standard procure-to-pay path is “Create Purchase Order → Signature → Goods Receipt → Invoice Receipt → Release → Payment,” whereas a nonstandard procure-to-pay path is “Create Purchase Order → Goods Receipt → Invoice Receipt → Release → Payment → Signature.” Auditors can separate the event log data into standard and nonstandard variants based on the paths of process instances when performing their audit procedures; this makes it possible for process mining to detect potential internal control ineffectiveness (Tiffany Chiu and Mieke Jans, “Process Mining of Event Logs: A Case Study Evaluating Internal Control Effectiveness,” Accounting Horizons, forthcoming in 2019).

Analyzing a company’s business process using event logs is not new to computer science or management. Nonetheless, only a few studies apply process mining in the auditing field. For example, Mieke Jans, Michael Alles, and Miklos Vasarhelyi (“A Field Study on the Use of Process Mining of Event Logs as an Analytical Procedure in Auditing,” Accounting Review, September 2014, suggest that process mining could assist auditors when performing analytical procedures. Also, the AICPA’s 2017 Guide to Audit Data Analytics states that process mining enables auditors to understand the entity’s internal controls and to identify unauthorized employee actions that could increase the risk of material misstatement.

Using Process Mining in the Audit Process

There are four phases in the audit process: 1) plan and design an audit approach, 2) perform tests of controls and substantive tests of transactions, 3) perform analytical procedures and tests of details of balances, and 4) complete the audit and issue an audit report (Alvin A. Arens, Randall J. Elder, and Mark S. Beasley, Auditing and Assurance Services: An Integrated Approach, 14th edition, Prentice Hall, 2012). Because process mining analyzes a company’s business cycle through the inspection of event logs stored in the accounting information systems, auditors would find process mining more useful in the first and second phases of the audit process. The utilization of process mining in the first phase of the audit process is described in the next section, while the subsequent section covers the application of process mining in the second phase.

Plan and design.

The first phase of the audit process is to plan and design the audit approach. In process mining, a process map and process statistics can be used to help auditors understand a company’s business process. Exhibits 3 and 4 show a sample process map and statistics from a procure-to-pay cycle.

Exhibit 3

Sample Process Map of Procure-to-Pay Cycle

Exhibit 4

Sample Process Statistics of Procure-to-Pay Cycle

Process instance; 20,000 Activity count/name; Activity count: 6; Activity name: Create purchase order; Signature; Goods receipt; Invoice receipt; Release; Payment Variant count; 100 Timestamp (start date–end date); 01/01/2017–01/01/2018 Resource count/name; Resource count: 10; Resource name: John; Elizabeth; Josh; Peter; Daniel; David; Mary; Vicky; Ben; Vincent

By examining the process map and statistics, auditors can answer the following questions:

  • How many activities are in the company’s business process, and are they all relevant to the business (assist in identifying key controls)?
  • Which activity occurs most frequently in the business process?
  • What is the core business process for this organization?
  • How many employees are involved in the company’s business process, and what are the employees’ responsibilities (key to identifying potential segregation of duties violations)?
  • What are the starting and ending date and time for every process instance, and what is the timestamp of each activity (assist in identifying cutoff issues)?

Overall, auditors can assess the effectiveness of the systems of internal control, an essential step in assessing control risk. Process mining allows auditors to do a detailed walkthrough of the transaction cycles. As such, auditors can replace manual audit procedures such as reperforming transaction flows or testing controls using sampling; thus, audit effectiveness and efficiency are enhanced.

Tests of internal controls.

Under section 404 of the Sarbanes-Oxley Act of 2002 (SOX), it is critical for auditors to evaluate a company’s internal control system and identify what can go wrong. Process mining can be a powerful tool to help auditors in performing tests of internal controls. Moreover, the information stored in the event log can also provide audit evidence related to relevant management assertions. Exhibit 5 shows several examples of detecting what could go wrong using event logs from the procure-to-pay cycle.

Exhibit 5

Tests of Internal Controls Using Process Mining

What Could Go Wrong; Assertions; Tests of Internal Controls using Process Mining Purchases received are not recorded; Completeness; Inspect whether all the process instances have activities “Goods Receipt” and “Payment” in the process.; If purchase order X has the following path, then it needs to be further examined:; “Create Purchase Order → Signature → Invoice Receipt → Release → Payment.” In this purchase order, there is no activity indicating goods were received. Examine the “Resource” information from the event log to ensure the following three activities are performed by different employees: “Create Purchase Order,” “Goods Receipt,” and “Payment” (segregation of duties between purchasing, receiving, and accounting).; If an employee performs both “Goods Receipt” and “Payment” in purchase order X, then this purchase order needs to be further investigated. Inspect the “Timestamp” information from the event log to ensure inventory receipts are recorded timely (i.e., ensure vendor's invoices are recorded immediately upon receipt). Purchase amounts not properly recorded/Payment for unauthorized purchases; Accuracy; Conduct three-way match by using quantities, prices, dates, and terms from activities “Create Purchase Order,” “Invoice Receipt,” and “Goods Receipt.” If purchase order X has the purchase of seven items totaling $105 ($15 per item) for activity “Create Purchase Order,” then the quantities and prices for activities “Invoice Receipt” and “Goods Receipt” should reflect this. Purchases recorded in the incorrect accounting period; Cutoff; Examine the “Timestamp” information from the event log.; Compare the timestamps for activities “Invoice Receipt” and “Goods Receipt.” Unauthorized purchase orders or processes; Occurrence; Examine whether all process instances have the activity “Signature” to ensure the authorization process has occurred.; Purchase order X requires future investigation if the activity “Signature” does not appear in its process.

During the second phase of the audit process, process mining can also be useful when performing substantive tests of transactions to inspect the process related to the transaction balance. For example, if the balance of the payment is not correct due to duplicate payments for purchase order X, this can be discovered when analyzing the process of purchase order X. Exhibit 6 shows a sample process for duplicate payments.

Exhibit 6

Duplicate Payment Process

Process Mining as a New Form of Audit Evidence

Process mining is a promising tool that is useful at different stages of the audit process, especially tests of internal controls. The data stored in event logs provides auditors with abundant information that could serve as additional audit evidence when performing tests of controls or other audit procedures. In addition, event logs are automatically recorded in the IT system when activities or business processes take place and therefore are less likely to be altered or distorted.

It is worth noting that applying process mining to audit procedures is still in its infancy, and there are many challenges to both auditors and management. For example, not all companies are willing to keep the entire event log records for every business cycle because the storage of event logs could use up a large amount of disk space and slow down the IT system. In this case, if the company fails to record part of the event log for a business cycle, then the extracted information is incomplete and cannot be used by the auditors. Therefore, auditors need to ensure that the information they use for process mining analysis is complete and accurate.

Tiffany Chiu, PhD is an assistant professor of accounting at the Anisfield School of Business at Ramapo College of New Jersey, Mahwah, N.J.
Helen L. Brown-Liburd, PhD, CPA (inactive) is an associate professor of accounting and information systems at Rutgers Business School, Rutgers University, Newark, N.J.
Miklos A. Vasarhelyi, PhD is the KPMG Distinguished Professor of Accounting and Information Systems and director of the Rutgers Accounting Research Center and Continuous Auditing and Reporting Lab at Rutgers University. He is a member of The CPA Journal Editorial Advisory Board.