Process mining provides a new approach to gathering audit evidence by automatically analyzing the entire population of event logs recorded in a company’s IT system. In other words, the company’s business processes and the actions taken by its employees are chronologically captured in the event log for analysis. This article aims to explain how auditors can use process mining in the audit process, especially in tests of internal controls over financial reporting. Specifically, the authors use the procure-to-pay cycle as an example of how analysis of event logs provides auditors with unique information that can assist in such tests.
What Is Process Mining?
Process mining enables users to analyze a company’s business processes using event logs. Event logs provide an audit trail that captures every user’s actions and every business process performed. As shown in Exhibit 1, an event log contains essential information, including process instance, activity, resource, and timestamp. Exhibit 2 shows a sample event log for an employee who creates a purchase order using the company’s IT system. In addition to understanding the information stored in an event log, it is also important to know the “variant.” A variant in process mining is a group of process instances that have an identical path. For example, if process instance X and process instance Y both have the path “Create Purchase Order → Signature → Goods Receipt → Invoice Receipt → Release → Payment,” then they are grouped into the same variant. The grouping of process instances into variants allows auditors to observe frequent and infrequent paths from an event log; they can then distinguish between standard and nonstandard paths based on the company’s business rules.
Information Stored in an Event Log
Sample Event Log
Assume a company’s standard procure-to-pay path is “Create Purchase Order → Signature → Goods Receipt → Invoice Receipt → Release → Payment,” whereas a nonstandard procure-to-pay path is “Create Purchase Order → Goods Receipt → Invoice Receipt → Release → Payment → Signature.” Auditors can separate the event log data into standard and nonstandard variants based on the paths of process instances when performing their audit procedures; this makes it possible for process mining to detect potential internal control ineffectiveness (Tiffany Chiu and Mieke Jans, “Process Mining of Event Logs: A Case Study Evaluating Internal Control Effectiveness,” Accounting Horizons, forthcoming in 2019).
Analyzing a company’s business process using event logs is not new to computer science or management. Nonetheless, only a few studies apply process mining in the auditing field. For example, Mieke Jans, Michael Alles, and Miklos Vasarhelyi (“A Field Study on the Use of Process Mining of Event Logs as an Analytical Procedure in Auditing,” Accounting Review, September 2014, http://bit.ly/2QbPbun) suggest that process mining could assist auditors when performing analytical procedures. Also, the AICPA’s 2017 Guide to Audit Data Analytics states that process mining enables auditors to understand the entity’s internal controls and to identify unauthorized employee actions that could increase the risk of material misstatement.
Using Process Mining in the Audit Process
There are four phases in the audit process: 1) plan and design an audit approach, 2) perform tests of controls and substantive tests of transactions, 3) perform analytical procedures and tests of details of balances, and 4) complete the audit and issue an audit report (Alvin A. Arens, Randall J. Elder, and Mark S. Beasley, Auditing and Assurance Services: An Integrated Approach, 14th edition, Prentice Hall, 2012). Because process mining analyzes a company’s business cycle through the inspection of event logs stored in the accounting information systems, auditors would find process mining more useful in the first and second phases of the audit process. The utilization of process mining in the first phase of the audit process is described in the next section, while the subsequent section covers the application of process mining in the second phase.
Plan and design.
The first phase of the audit process is to plan and design the audit approach. In process mining, a process map and process statistics can be used to help auditors understand a company’s business process. Exhibits 3 and 4 show a sample process map and statistics from a procure-to-pay cycle.
Sample Process Statistics of Procure-to-Pay Cycle
By examining the process map and statistics, auditors can answer the following questions:
- How many activities are in the company’s business process, and are they all relevant to the business (assist in identifying key controls)?
- Which activity occurs most frequently in the business process?
- What is the core business process for this organization?
- How many employees are involved in the company’s business process, and what are the employees’ responsibilities (key to identifying potential segregation of duties violations)?
- What are the starting and ending date and time for every process instance, and what is the timestamp of each activity (assist in identifying cutoff issues)?
Overall, auditors can assess the effectiveness of the systems of internal control, an essential step in assessing control risk. Process mining allows auditors to do a detailed walkthrough of the transaction cycles. As such, auditors can replace manual audit procedures such as reperforming transaction flows or testing controls using sampling; thus, audit effectiveness and efficiency are enhanced.
Tests of internal controls.
Under section 404 of the Sarbanes-Oxley Act of 2002 (SOX), it is critical for auditors to evaluate a company’s internal control system and identify what can go wrong. Process mining can be a powerful tool to help auditors in performing tests of internal controls. Moreover, the information stored in the event log can also provide audit evidence related to relevant management assertions. Exhibit 5 shows several examples of detecting what could go wrong using event logs from the procure-to-pay cycle.
Tests of Internal Controls Using Process Mining
During the second phase of the audit process, process mining can also be useful when performing substantive tests of transactions to inspect the process related to the transaction balance. For example, if the balance of the payment is not correct due to duplicate payments for purchase order X, this can be discovered when analyzing the process of purchase order X. Exhibit 6 shows a sample process for duplicate payments.
Process Mining as a New Form of Audit Evidence
Process mining is a promising tool that is useful at different stages of the audit process, especially tests of internal controls. The data stored in event logs provides auditors with abundant information that could serve as additional audit evidence when performing tests of controls or other audit procedures. In addition, event logs are automatically recorded in the IT system when activities or business processes take place and therefore are less likely to be altered or distorted.
It is worth noting that applying process mining to audit procedures is still in its infancy, and there are many challenges to both auditors and management. For example, not all companies are willing to keep the entire event log records for every business cycle because the storage of event logs could use up a large amount of disk space and slow down the IT system. In this case, if the company fails to record part of the event log for a business cycle, then the extracted information is incomplete and cannot be used by the auditors. Therefore, auditors need to ensure that the information they use for process mining analysis is complete and accurate.