This is Flux Capacitor, the company weblog of Fluxicon.
You can find more articles here.

You should follow us on Twitter here.

6 Reasons for Internal Auditors to Get Familiar with Process Mining 4

The role of internal audit departments is to help organizations ensure effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations in an independent and objective manner.

Due to scandals and the economic downturn, there have been ongoing discussions that internal audit must be proactive and redefine its value.
While PricewaterhouseCoopers’ Internal Audit study 2009 still emphasized the need to do more with less, the 2010 study sounds somewhat less urgent.
But regardless of whether the pressure is high or moderate, process mining fits into trends such as continuous auditing, where the use of technology plays a key role.

In contrast to other Computer Aided Audit Tools (CAATs), process mining provides an explicit process perspective. This EDP-Auditor article (in Dutch) describes an example and the possibilities of process mining in the auditing field.
[Update: This IEEE Computer article on ‘Auditing 2.0’ describes a new auditing framework based on process mining.]
Overall, one can foresee that process mining tools will be one of the many in the auditor’s tool box.

Here are 6 reasons why process mining should be interesting for auditors:

1. Audit the actual process reality

Process audits are still too often just based on Interviews, What if analyses, and Design reviews that review the intended but not necessarily the real process.
Today’s business processes are supported by ERP en WFM-applications that are too complex to understand but also record detailed information about the execution of these processes. Process mining can be used to make the actual transaction flows visible by evaluating these IT audit trails in an automated fashion.

2. Test entire data populations

To improve effectiveness in search for errors or unusual transactions internal audit should test entire data populations automatically. Process mining techniques such as LTL checking and Conformance checking can be used to verify the compliance to rules (e.g., segregation of duty constraints) or prescribed procedures based on the actual process execution records.

3. Make control processes visible

Also built-in controls such as authorization steps are usually reviewed on a design level. For example, there are tools that verify whether people currently have conflicting access roles that may put the organization at risk (but not whether there are conflicting roles at different points in time). An automatic mining of the control processes can help to audit the effectiveness of these controls by making visible when these built-in controls take place, who performed them, when controls lead to rejection, etc.

4. Targeted audits

Especially in large organizations audits are still performed based on a yearly audit plan. Conducting audits on a more targeted basis helps to concentrate on higher-risk areas. But it also requires continuous data analysis and needs to be facilitated by technology. Process mining can be leveraged in the context of such a continuous monitoring infrastructure to do quick scans and bring potential problems to attention.

5. Improve auditing process

To improve the efficiency and quality of the auditing process itself, there are several tools that support the auditor’s workflow and make sure that all tasks are done and found issues are resolved. By analyzing the logs of these audit support systems one can go a step further and evaluate the efficiency and quality of the audit process in an objective way.

6. Add value by delivering business insight

Internal auditors are independent of the operational side and often report directly to the CEO of the company. But although their role is also to monitor the efficiency of operations, actual business insight is usually only delivered on an ad-hoc basis. Process mining can be used to detect bottlenecks and other inefficiencies in the actual business processes, which can then be shared with the relevant stakeholders to expand the overall value of the audit function.

Let me know where you agree or disagree, and how you would rank these points in importance!

Comments (4)

Feel free to post also other links and resources on process mining and auditing below in the comments.

Hi Anne, I agree that processes should not just be executed but their history are essential for a business. Therefore I propose that process mining must not be an add-on, but completely integral and mainly used for process improvement. All processes with all details of execution must be archived.

I posted on process mining recently:

Hi Max,

Thanks for your comment and the pointer. I agree that adaptive process management and process mining are a particularly good fit because mining less rigid, unstructured processes is just more interesting than re-discovering fixed, hard-coded workflows. It’s not a trivial problem to integrate the two in practice, though. Would be a good topic for a new post.

Hi all,

I got two great comments offline that I would like to share with you.

Comment No. 1) Auditing focuses on three aspects:

  • design (‘soll’ –> documents and interviews),
  • effectiveness of controls (‘ist’ –> I do testaudits for those, others go into the system themselves),
  • effectiveness of controls over a certain period (like over the past 6 months).

The latter one, over a certain period, is a great benefit for me about process mining. Another great benefit is that process mining is generic, I can use a standardized file from different kinds of systems without knowing all the IT-systems.

But what I can’t do with process mining is to see the true effectiveness of controls, for this I use testaudits (for example, to see whether it is really impossible to go higher than the maximum that is allowed). In other words: if it didn’t happen that doesn’t mean that it won’t happen!

Comment No. 2) Add a magic number 7: ‘focus on the real issues’. It may have some overlap with #5, but by incorporating process mining into the internal audit field I think one can really focus on what’s goes wrong because in a quick way you will also see what’s going right (from a risk perspective).

Leave a reply