6 Reasons for Internal Auditors to Get Familiar with Process Mining

The role of internal audit departments is to help organizations ensure effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations in an independent and objective manner.

Due to scandals and the economic downturn, there have been ongoing discussions that internal audit must be proactive and redefine its value.
While PricewaterhouseCoopers’ Internal Audit study 2009 still emphasized the need to do more with less, the 2010 study sounds somewhat less urgent.
But regardless of whether the pressure is high or moderate, process mining fits into trends such as continuous auditing, where the use of technology plays a key role.

In contrast to other Computer Aided Audit Tools (CAATs), process mining provides an explicit process perspective. This EDP-Auditor article (in Dutch) describes an example and the possibilities of process mining in the auditing field.
[Update: This IEEE Computer article on ‘Auditing 2.0’ describes a new auditing framework based on process mining.]
Overall, one can foresee that process mining tools will be one of the many in the auditor’s tool box.

Here are 6 reasons why process mining should be interesting for auditors:

1. Audit the actual process reality

Process audits are still too often just based on Interviews, What if analyses, and Design reviews that review the intended but not necessarily the real process.
Today’s business processes are supported by ERP en WFM-applications that are too complex to understand but also record detailed information about the execution of these processes. Process mining can be used to make the actual transaction flows visible by evaluating these IT audit trails in an automated fashion.

2. Test entire data populations

To improve effectiveness in search for errors or unusual transactions internal audit should test entire data populations automatically. Process mining techniques such as LTL checking and Conformance checking can be used to verify the compliance to rules (e.g., segregation of duty constraints) or prescribed procedures based on the actual process execution records.

3. Make control processes visible

Also built-in controls such as authorization steps are usually reviewed on a design level. For example, there are tools that verify whether people currently have conflicting access roles that may put the organization at risk (but not whether there are conflicting roles at different points in time). An automatic mining of the control processes can help to audit the effectiveness of these controls by making visible when these built-in controls take place, who performed them, when controls lead to rejection, etc.

4. Targeted audits

Especially in large organizations audits are still performed based on a yearly audit plan. Conducting audits on a more targeted basis helps to concentrate on higher-risk areas. But it also requires continuous data analysis and needs to be facilitated by technology. Process mining can be leveraged in the context of such a continuous monitoring infrastructure to do quick scans and bring potential problems to attention.

5. Improve auditing process

To improve the efficiency and quality of the auditing process itself, there are several tools that support the auditor’s workflow and make sure that all tasks are done and found issues are resolved. By analyzing the logs of these audit support systems one can go a step further and evaluate the efficiency and quality of the audit process in an objective way.

6. Add value by delivering business insight

Internal auditors are independent of the operational side and often report directly to the CEO of the company. But although their role is also to monitor the efficiency of operations, actual business insight is usually only delivered on an ad-hoc basis. Process mining can be used to detect bottlenecks and other inefficiencies in the actual business processes, which can then be shared with the relevant stakeholders to expand the overall value of the audit function.

Let me know where you agree or disagree, and how you would rank these points in importance!