Internal auditors need to accurately understand the underlying business processes within their audit scope. Audit objectives often require auditors to identify deviations from the designed process, determine the potential for automation, and uncover internal control weaknesses.
Traditional methods of reviewing processes — screening narratives, process flowcharts, interviews and walkthroughs with process owners, and rule-based data analytics — have limitations. An effective supplement is to use process mining to reconstruct real processes based on digital traces from information systems to obtain a clear and objective picture of how the processes actually work.
How Process Mining Works
Process mining is based on uncovering digital traces of business process activities. Essential for process mining is an event log that comprises a case ID, activities, and a time stamp. The time stamp brings the activities into chronological order and helps auditors visualize how process instances actually occurred. It makes deviations from the designed process obvious.
The three types of process-mining methods are:
Process Discovery — extracting a process model based on an event log.
Conformance Checking — comparing the actual process as recorded in a log with the designed process to identify deviations from the designed process and vice versa.
Enhancement — improving an existing process model using information extracted from an event log.
Applying process mining can increase internal audit's objectivity and efficiency. It increases objectivity by using digital traces from information systems, while efficiency comes from extracting the corresponding event log from those systems.
When this happens, internal audit can gain a clear picture of the actual process at the beginning of the audit. That can enable auditors to address their risk-based questions more efficiently. Moreover, auditors can conduct fewer interviews with audit clients about the process design and the actual process, saving clients time.
Another advantage is the process visualization, itself, which provides a basis for discussion between internal audit and clients. Additionally, similar to using data analytics, process mining allows internal auditors to analyze the full population of transactions using available digital traces. This enables auditors to provide a higher level of assurance and recommend specific actions.
Despite its advantages, process mining is not suitable for every purpose. One significant limitation is cases, activities, and attributes that do not leave a digital trace. Moreover, internal auditors may encounter unbreachable data discontinuity characterized by unstructured data sets that cannot be linked.
In addition, auditors may have a false expectation that process mining can solve every problem. For example, process mining is not the right tool for detecting duplicate payments not yet returned. Using rule-based data analytics would be more effective.
Process mining can be applied everywhere in which digital traces can be transformed structurally while complying with legal requirements. One common use is examining the transactional flow of the purchase-to-pay and order-to-cash processes.
Beyond transactional flows, internal auditors can use process mining to review how master data quality can be improved. Reviews of customer, material, pricing, and vendor master data have resulted in reducing changes due to inaccurately entered master data, harmonization of responsibilities, and an increased automation rate.
Recurring processes with high transaction volumes serve as a basis for internal auditors to start using process mining. Process mining can pay off especially when internal audit has a limited understanding of the actual process and the process' inherent risks are not covered yet by rule-based data analytics. In such cases, process mining can help auditors raise new questions about potential deviations from the designed process.
Internal audit departments often make several mistakes when they begin to use process mining. Some of these involve their approach to process-mining technology.
Lack of a Systematic Concept A process-mining application does not help if the department does not first have a systematic concept in place. A systematic concept is marked by different cornerstones, including establishing objectives for using process mining (analysis vs. continuous monitoring), defining responsibilities, building competencies within the organization, and maintaining the application on the existing infrastructure.
Reliance on Plug and Play Solutions Caution is needed with plug and play solutions, which often are too generic. Such solutions, which are designated to run with no or very limited upfront implementation efforts, may produce a high number of false positives. Internal audit should not underestimate the organization's specific requirements and special conditions with regard to activities and attributes.
Department-specific Business Cases Internal audit is not the only department that can benefit from process mining. Other departments can use it to execute primary and secondary process activities. Creating an organizationwide business case for process mining is more effective than developing separate plans for each department.
Using Process Mining to Replace Rule-based Data Analytics Process mining can supplement rule-based data analytics, but it cannot replace it. Rule-based data analytics can detect relevant documents that usually are not linked to each other structurally.
Overestimating the Conformance Feature To apply the conformance feature of a process-mining application, a detailed model of the designed process is needed. This model must extend to the granularity of activities and differentiation of process variants. Without this granularity, organizations may have a high number of false positives.
Considering the Visualization to Be the Final Step With the visualization in hand, process mining really is about to start — not to end. The visualization, itself, is of limited value. Internal audit must address a host of questions: Which false positives can be excluded? Are the identified deviations really disadvantageous to the organization? What are the root causes for the identified deviations? Which specific measures can be taken to address any shortcomings?
Internal audit should address these and other potential mistakes proactively. To raise prospects for success, auditors should include all points at the beginning in a systematic and structured roadmap.
A Smarter Event Log
Creating a smart event log provides a basis for value-added process analysis. The quality of event logs can differ significantly from each other. There are different quality attributes such as the number of activities, number of attributes, and accuracy and selectivity of activities. Without these attributes, and especially without company-specific attributes, the prospect of success is decreased dramatically.
Moreover, activities such as "change purchase order" often are too generic. The audit objective may need to be more specific to focus on only selected types of changes that are of interest and require differentiation.
Over time, quality attribute requirements change. For example, the attribute "Differentiation between human being and machine (manual vs. automated)" requires more than just differentiating by the type of user. Transactions recorded by mass uploads and use of robotic process automation applications need to be differentiated from actual manual activities to make valid conclusions and to take the right actions.
Making a Difference
Process mining serves as a supplementary, data-based instrument for internal audit's toolkit — it does not add value by itself. Creating a smart event log and analyzing the visualization requires creativity and logical reasoning. This makes process mining interesting and attractive: Internal auditors can personally make a difference.