1 Introduction

Financial auditing refers to an external independent party that examines the financial statements of an organization and formulates an opinion on how well those statements present a true and fair view of its financial performance and position. Apart from hiring external auditors to conduct such investigations, larger companies also have an internal department that conducts comparable audits, albeit through a wider lens. Where external auditing is only concerned with assuring the quality of financial reporting, internal auditing extends this with an efficiency perspective on the entire functioning of an organisation. Independent from the business units, the internal audit department examines the organisation’s governance mechanisms. A key aspect for both external and internal audits is to assess whether processes are in control, whether prominent risks are mitigated (partly by their process design), and whether the input data for the financial statements are complete, accurate, and valid. Consequently, both internal and external audits can benefit from process mining, since it provides the auditor with a realistic view on how processes, that indirectly impact the financial reporting, are being executed. Not surprisingly, process mining has in recent years increasingly demonstrated its potential as a valuable tool for financial auditing.

Running a process mining analysis in the context of an audit, internal or external, requires a specific approach that takes into account the preliminaries of audit engagements. This chapter will take the reader through these audit-specific concerns. The chapter starts with a short introduction to financial auditing. Both internal and external audit will be introduced, along with the connection between the two audits. Readers who are familiar with this topic can proceed immediately to the next section, which discusses process mining in the internal audit function. All phases of the internal audit are explained first, and then revisited while integrating process mining into them. Section 4 brings the external audit into the picture: how does a process mining approach differ between the external and the internal auditor? Sects. 5 and 6 deal with the practical organisation of bringing the right expertise in-house and how to move from data to audit evidence. We end the chapter with open challenges in Sect. 7 and conclude in Sect. 8.

2 Financial Auditing

Financial statements are key when a stakeholder wishes to inform him- or herself about an organization. Investors, banks, employees, customers, vendors, etc. are all parties that might be interested in the financial situation of an organization before partnering up. To this end, the officially published financial statements of an organization are the primary documents to consult. These statements are prepared by the organization, adhering to (national or international) accounting standards. The statements include minimally a balance sheet and an income statement. Depending on the legislation under which the organization reports, a cash-flow statement is also included. The balance sheet presents an overview of the assets, liabilities, and capital that the organization possesses at a particular moment in time. The income statement provides an overview of the revenues and the incurred expenses over a period of time, mostly one year. The combination of the revenues and expenses presents the monetary gain or loss that the organization realized over that accounting year.

It goes without saying that it is important that the statements are reliable, given the numerous decisions that are taken based on this information: investors start, continue, or quit investing, banks offer loans or not, customers churn or not. The guiding principle is that the statements need to present a ‘true and fair view’ of the financial situation of the organization. It is the key responsibility of the auditor to safeguard this principle: they provide reasonable assurance that the statements indeed present such a view. This assurance is primarily given by the external auditor (legal requirement for companies from a certain size onward), but this can also be assisted by the internal auditor.

This section will provide a general overview on the governance mechanism that financial auditing holds for companies. It will explain the goals and characteristics of both external and internal auditing and the interaction between these two. The internal audit department has the latitude to fully implement process mining at the core of the business in a continuous fashion. The findings of these continuous monitoring efforts can be passed on to the external auditor who can use these findings as input for their own investigation. Alternatively, the external auditor can run their own ‘one shot’-process mining analysis during the annual audit engagement. The biggest traction of process mining in the auditing field is achieved through the internal audit, due to its possible embedding in the core of the organization. The interplay between these two audit settings is elaborated on further in this section.

2.1 Purpose of the External Financial Audit

The external auditor typically conducts an annual audit [1]. The auditor audits and reports on the procedures and the recorded transactions relied upon to prepare the financial statements. When the auditor reports a ‘clean opinion,’ the financial statements are presumed to be free of material misstatements and hence reliable to share- and stakeholders for decision making [2].

As mentioned, the objective of an external audit is to obtain reasonable assurance about whether the financial statements are free of material misstatement. It is intended to increase the reliability of the information contained in the annual financial statement. Nevertheless, an audit must be carried out efficiently, which might create tension with the goal of providing assurance. To meet the two requirements, efficiency and reasonable assurance, in the context of the audit, the so-called risk-based audit approach is applied. Following this approach, the external auditor first assesses the risks of the organisation in general, but also per department or business process. Based on this risk assessment, resources are allocated to the riskiest parts of the organization. If, for example, the sales process is assessed as a key process to have under control, the auditor will put more emphasis on this process. Stated differently, more resources are allocated to auditing this element, compared to other processes that are assessed as less risky.

The concept of risk-based auditing is also regulated through the relevant standard setters. For example the International Auditing and Assurance Standards Board (IAASB) issued the revised auditing standard ISA 315 (Revised 2019) “Identifying and Assessing the Risks of Material Misstatement”. This standard establishes the risk identification and assessment procedures that form the basis for a risk-based financial statement audit. The risk assessment procedures are described “to obtain an understanding of the entity and its environment, including the entity’s internal control, to identify and assess the risks of material misstatement...”. It is clear that the auditor is expected to understand how the organisation (the ‘entity’) is organized and how they mitigate risks by their internal control system. Precisely this internal control system is also a responsibility of the internal audit department, tying the goals of the internal audit and the external audit to each other. A control refers to a measure that is implemented to mitigate a certain risk. An example is the design of proper access rights to the financial accounting module to mitigate the risk of having unauthorized bookings in the financial ledger.

2.2 Purpose of the Internal Financial Audit

Internal auditing is a support unit of the company’s management that is embedded in the organization and supports the company on two levels. On one hand it aims to detect and manage potential misstatement risks and on the other hand guards the operational performance [3]. The officially established definition of internal auditing by the global Institute of Internal Auditors (IIA) is as follows:

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” [4]

Furthermore, the IIA defines a mission of internal auditing, which states that the value of an organization is to be increased and protected through risk-oriented and objective auditing, consulting and insights.

As for external auditing, similar risk assessment standards exist for the internal audit. The IIA addresses the risk-based audit planning in their Standards 2010 - Planning, 2010.A1, 2010.A2, and 2010.C1. These standards stipulate how the Chief Audit Executive (CAE) has the responsibility to develop a plan of all upcoming internal audit engagements based on a risk assessment that is performed at least annually.

2.3 Internal and External Audit: Interplay and Common Challenges

In many respects, the practical procedure of conducting an audit is similar for both internal and external auditors, especially since both audits include the investigation of recorded financial transactions in the light of the prepared financial statements. In the course of all audits of a material and formal nature, the regularity and reliability of the generated data must be assessed. Hence, the overall aim is to ensure quality control of all published financial information, taking into account the processes that precede the reporting.

Fig. 1. Interplay between internal and external audit

Figure 1 provides a simplified overview of the primary responsibilities of the external and the internal audit. The external auditor is ultimately concerned with the accuracy of the financial statements, which are basically a summary of the recorded business transactions that are encapsulated in business processes. These processes typically integrate one or more recording steps, since executing a business transaction alters the financial situation of the organisation and this change needs to be recorded. Figure 2 visualizes an example business process (purchase-to-pay) and its relationship to the financial statements. The process envisions an efficient execution of the purchase, but it also incorporates controls like approving a purchase order once or twice before the purchase is placed. These types of control measures increase the level of assurance that the reported financial information is accurate and valid. In the designed process, three activities trigger the reporting of a financial impact: entering a Goods Receipt document in the system should be reflected in the books by increasing the assets, and booking an invoice increases your liability (you owe money to a vendor), while paying the invoice clears that liability again. Hence, during the execution of the procurement process, in parallel to the business transactions, the impact on the financial situation of the company is tracked in the general ledger. All these bookings together form the basis for preparing the financial statements that are issued and audited once a year.

Fig. 2. Example relationship between the purchase process and the financial statements

The external audit traditionally focuses on the bookings in the general ledger and the financial statements, whereas the internal audit typically starts from the designed procedures and how they translate into financial bookings. In a world without resource limitations, the external auditor could trace back every recorded transaction to its origin and double-check whether the recorded transaction is backed up by a real transaction (is there, for example, evidence of delivering goods or incurring certain expenses?). In reality, however, the external auditor examines the organization’s controls to ensure that only legitimate transactions get recorded. The auditor investigates the design of the controls and tests their effectiveness. In our procurement process, the auditor might test whether it is indeed not possible to enter an invoice and have it paid without creating a purchase order and having it approved by someone other than the auditor. These checks form part of ‘understanding the entity’s control environment’, an essential aspect of risk assessment as stipulated in ISA 315 and mentioned before. The working assumption is that if the processes, provided with enough controls, are under control, the generated financial data is accurate.

The above described examination of the control environment is not only the responsibility of the external auditor, but is also part of the internal auditor’s function. Although the internal auditor includes an additional efficiency point of view, auditing the control structure and installed control measures is a core responsibility of the internal audit department. Consequently, the external auditor may rely on the internal auditor’s findings. Of course, additional checks are always required.

3 Process Mining in the Internal Audit Function

Given the increasing complexity and availability of information in accounting, digital data analysis has emerged as an innovative audit approach to perform financial audits by internal and external auditors [5]. Given the strong connection between the internal audit function and the organization, we start from the perspective of internal auditing. How can process mining support the internal audit? Subsequently, this perspective will be expanded by looking at the application of process mining by external auditors over the course of their audit engagements.

3.1 Internal Auditing Background

The range of internal auditing tasks is subject to constant change, which is reflected in not only a shift of focus within the individual audit areas but also a varying understanding of the role of internal auditing. Within the traditional range of auditing activities, a distinction is made between audits of financial processes, operational processes, and management processes [6]:

  • Audits of financial processes describe formal audits in finance and accounting with the primary objective of determining compliance with laws and to guarantee a reliable financial reporting process. The audit is aimed at ensuring the appropriateness, correctness, and reliability of the financial information. Within the scope of the audit, the aspect of compliance is expanded to include determining whether all relevant legal framework conditions and internal guidelines have been adhered to. Thus, this type of audit is focusing especially on the conformance with laws and regulations.

  • Audits of operational processes refer to the audit of systems and processes in an organization. Its purpose is to examine the structural and procedural organization of a company by looking at the present or the future. The aim of this audit procedure is to determine whether the design of corporate processes, structures, and systems is appropriate. At the very center of this process is a review of the appropriateness and cost-effectiveness of essentially all corporate processes to ensure future viability. In this context, no common standards can be established as criteria of comparability. The target values must first be determined by internal auditing through analyses of relevant processes. This type of internal audit increasingly adopts the function of an advisory activity and can be seen in the light of continuous process improvement, a key goal of business process management.

  • Audits of management processes focus on assessing the performance of management processes and institutions. The audit process in this field includes a past-oriented root cause analysis, paired with a potential identification of future points of weakness. In contrast to operational auditing, the focus of the review is no longer on the operational process but on management and its strategic decisions. Just as in operational auditing, the audit criteria - efficiency and effectiveness - remain to be the focus, and thus contribute to the future safeguard of the organization.

A major trend can be noted in the field of internal auditing activities. The solely past-oriented audit is increasingly complemented by future-oriented auditing activities. This expansion is accompanied by a further development of auditing activities. Namely, internal auditing is more and more intended to initiate approaches to solve organizational problems. Providing improvement recommendations can therefore be referred to as the overall mission of all internal audit activities. Consequently, the internal audit shifts from a purely control-oriented view towards an enterprise-wide view.

3.2 The Internal Audit Process

The internal audit process generally pertains to the structure and standardized procedure of auditing activities of the internal audit function and can be structured following the so-called phase model (see Fig. 3). The phase model of the audit activity is organized according to a sequence of audit phases. These audit phases are inherently separate units in terms of both content and methodology, yet there is a predetermined order for their execution. In fact, they are connected in such a manner that the start of the respective phase is directly linked to the completion of the preceding phase. As a result, the phase model is in effect the process model of the internal audit.

  1. The traditional internal audit process typically starts with the (risk-based) planning of the (annual) audit schedule in order to allocate the internal audit resources (e.g. staff) to various potential audit objects. Usually, this phase is performed by the chief audit executive and defines the areas of the organization that will be audited in the forthcoming year.

  2. Subsequently, the planning of the process audit is being conducted. Thus, each auditor or audit team plans and prepares their upcoming audit engagement in terms of objectives, scoping, and needed audit methodologies.

  3. The third phase of the audit process consists of conducting the audit on-site, namely the actual audit. In this phase, the internal auditors apply different methodologies, such as data analysis, interviews, walk-throughs, etc., to gather audit evidence and achieve the overall objective of the audit.

  4. The final phase of each audit process is the preparation and finalization of an audit report for the audited entity and relevant stakeholders, such as the CEO, CFO, or the Audit Committee to communicate the results. This report encompasses the main objectives of the audit and outlines any performed audit steps and the obtained evidence. Ultimately, the report evaluates the findings and offers additional recommendations.

  5. As an additional phase - directly linked to the specific audit engagements - a follow-up attempts to monitor the enhancement and improvement of the audited entity based on the previously defined recommendations.

Figure 3 visualizes the phase model of the internal audit, along with possible ways to integrate process mining activities in the different phases. The following paragraphs will describe these starting points in greater depth. We present a running example to further explain the connection between internal auditing and process mining.

Fig. 3. Integration of process mining activities in the internal audit process

3.3 Planning the Audit Schedule

Imagine an exemplary audit engagement that should assess the functioning and the exposure to risk of a manufacturing company. Through an internal audit, the auditor needs to determine whether the internal rules and guidelines (controls) are fulfilled, if the processes are efficient, if there are specific risks that are not mitigated by appropriate controls and whether there is room for improvement.

The first phase of this audit entails planning the audit, that is, determining the allocation of resources. In order to do so effectively, the auditor could visualize the organization’s core business processes and then analyze them in terms of conformity and process efficiency. This would require the use of process discovery algorithms (as described in [7, 8]). Any variances, weaknesses, and risks identified throughout this phase can subsequently serve as indicators to guide the allocation of resources. In other words, this phase involves an attempt to “explore” the processes, and process discovery is well-positioned to support this phase. In a more mature setting, where the core business processes are efficiently logged and event logs can be extracted automatically, a quick discovery step can yield insights into which processes are highly structured and which are not, simply by looking at the discovered process models and their level of ‘spaghettiness’ (see [9]).

Measures of ‘structuredness’ are necessary to make this step objective when selecting which process to prioritise. For example, one could identify processes with a very high number of variants. In the running example, the purchase-to-pay (P2P) process might show a high number of variants, whereas the hiring process only exhibits a low number of process variants. This is an indication of a myriad of possible execution variants in the P2P process, accompanied by higher risk exposure. However, indicators such as ‘20 variants per 100 cases’ are very generic. This can relate to two extremes (and everything in between): one variant representing 81 cases and 19 variants each representing a single case is one extreme, versus all 20 variants each representing five cases as the other extreme. Consequently, the distribution of variants might be more insightful. Possible measures for structuredness are variance, self-loops, repetition and batch-processing [10]. This enables the identification of potential audit objects (risky processes) and, preferably, a simultaneous assessment of the risks inherent to these objects. In this phase of the audit process, process mining is consequently used to support the creation of the risk-based audit plan.
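The two extremes described above can be told apart once the variant distribution is measured rather than only the variant count. The following is an added example, not code from the chapter: the activity names, the constructed event logs, and the use of normalised entropy as a distribution measure are assumptions made for illustration.

```python
from collections import Counter
from math import log2

# Assumed P2P activity names; the chapter's Fig. 2 is not reproduced here.
BASE = ("Create PO", "First approval", "Second approval",
        "Goods receipt", "Book invoice", "Pay invoice")


def deviating_variants(n):
    """Constructed data: n distinct traces, built by inserting
    'Change PO' k times (k = 1..4) at position p (p = 1..5)."""
    out = []
    for p in range(1, 6):
        for k in range(1, 5):
            out.append(BASE[:p] + ("Change PO",) * k + BASE[p:])
    return out[:n]


def build_log(case_counts):
    """case_counts: list of (trace, number_of_cases) -> {case_id: trace}."""
    log = {}
    for trace, n in case_counts:
        for _ in range(n):
            log[f"case-{len(log) + 1}"] = trace
    return log


# Both constructed logs have 20 variants in 100 cases.
SKEWED = build_log([(BASE, 81)] + [(v, 1) for v in deviating_variants(19)])
FLAT = build_log([(BASE, 5)] + [(v, 5) for v in deviating_variants(19)])


def variant_profile(log):
    """Summarise how cases are distributed over variants."""
    variants = Counter(tuple(trace) for trace in log.values())
    n_cases = sum(variants.values())
    counts = sorted(variants.values(), reverse=True)
    shares = [c / n_cases for c in counts]
    # Shannon entropy of the variant shares, scaled to [0, 1]:
    # 0 = every case follows one variant, 1 = cases spread evenly.
    entropy = -sum(p * log2(p) for p in shares)
    max_entropy = log2(len(counts)) if len(counts) > 1 else 1.0
    # A self-loop is an activity directly followed by itself.
    self_loops = sum(
        1 for t in log.values() if any(a == b for a, b in zip(t, t[1:]))
    )
    return {
        "cases": n_cases,
        "variants": len(counts),
        "variants_per_100_cases": 100 * len(counts) / n_cases,
        "top_variant_share": shares[0],
        "singleton_variants": sum(1 for c in counts if c == 1),
        "normalised_entropy": entropy / max_entropy,
        "cases_with_self_loop": self_loops,
    }


if __name__ == "__main__":
    for name, log in (("skewed", SKEWED), ("flat", FLAT)):
        print(name, variant_profile(log))
```

Both logs report 20 variants per 100 cases, but the share of the most frequent variant, the number of single-case variants and the entropy separate a largely structured process with a tail of one-off deviations from a process with no dominant path at all.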

For example, Table 1 presents a set of different structuredness measures to gain an insight into which process is more or less structured than other processes. The structuredness measures are calculated for the P2P process of different plants, helping the auditor to classify the individual risk level of each business unit. Based on this exploratory phase, the audit schedule would reserve resources for an audit of the P2P process in the Norway facility in year n, and leave the audit of the P2P process of the USA for year n+1, and the audit of Germany for year n+2, perhaps together with the Belgium plant. The other processes would also be integrated in the audit schedule, typically covering a cycle of four to six years.

Table 1. Measures of process structuredness, used to plan the Audit Schedule

3.4 Planning the Audit

Once the audit object of a specific audit is identified (the P2P process in the Norwegian facility in our example), the audit is scheduled and the audit engagement needs to be planned in more detail. Starting with process discovery, the individual steps of the audited unit can be visualized and analyzed before the actual on-site audit. This helps the auditor gain a better understanding of the area to be audited and become familiar with the unique features of the process environment. The deduction of the process model based on available transactions facilitates identifying parallel process steps, loops, and undesired process skips [11, 12]. This approach bears the advantage of verifying the assurance of the process flows on one hand and revealing process steps that require further examination on the other hand. A first scan of the discovered process model involves a critical look at the discovered edges. Even when not looking at complete process executions from start to end, examining the most frequent direct flows yields interesting information.

For example, when the default discovered process shows an edge between ‘book invoice’ and ‘first approval order’, it is clear that unexpected sequences are present in a significant part of the transactions. This information is valuable when planning the audit, since it provides indicators of which directions should be investigated more thoroughly.

After process discovery, the auditor can perform a first conformance check against the normative model to verify whether the individual process steps of the examined transactions comply with the previously defined process. In contrast with the exploratory process discovery step, the focus now shifts towards complete process executions. Since the auditor is still in the planning phase, it is recommended to compare the logged transactions with a procedural normative process model (like a BPMN-model that represents the ‘to be’-model). The idea is to have a first impression of the level of business alignment: “Are the real process and the process model properly aligned?”[13]. This approach enables identifying variants that are not in line with the (often overly simplified) normative process model. Further investigation during the audit will reveal the real, associated risks. However, during the phase of planning the audit, the auditor can already have a first look at variants that represent a majority of non-conforming cases.

Table 2. Example output of non-conforming variants

For example, Table 2 presents a set of variants in our P2P process that deviate from the normative model in Fig. 2 and that could be skimmed during this audit phase (see how to analyze deviations between observed and modeled behavior in [14]).

  • The first variant presents a double second approval, which indeed deviates from the process model, but would not trigger any additional audit inquiries in the next phase. This is called an exception: a deviation from the normative model, but not presenting a risk according to the auditor. In these cases, the auditor can clear the deviation.

  • The second example shows that 16% of the cases are not associated with a receipt of goods. Although this comes across as worrisome initially, there might be a perfectly reasonable explanation. Perhaps these purchases relate to services and not to goods. The auditor should test this hypothesis in the next audit phase, however. For now, this deviation is classified as a potential compliance issue.

  • The last example deviating variant in Table 2 is an example where the auditor cannot formulate any hypothesis on situations where this deviation would not represent a risk. As such, the deviation can directly be classified as an anomaly. This, too, will be taken as input to the next audit phase.

So within the scope of planning the process audit, both process discovery and conformance checking can be used to determine the focus of the audit. The insights that are gained during this phase provide guidance on which special features or possible deviations of the prescribed process warrant further investigation. Sometimes, these analyses already allow for the identification of potential findings before the actual audit takes place. It should be noted that although process deviations might be identified, it does not necessarily represent a financial statement risk. Further tests are required to uncover potential “false positives” [15]. This will be elaborated on in the next phase.

3.5 Conducting the Audit

When conducting the audit, the auditor takes a deep dive into the control and operational environment. Specific analyses are conducted during this audit phase. Whereas the previous phases were preparatory, this phase is targeted to identifying risks and weaknesses in the reviewed process. As mentioned before, the opinion that auditors issue at the end of the engagement is partly based on an evaluation of the existing controls in terms of their effectiveness and efficiency [16].

The rationale of how internal controls are evaluated by making use of transactional data is presented as a process in Fig. 4 [17]. During the previous two audit phases, potential violations of internal controls have been identified. Also, a preliminary start of deviation analysis is taken in these phases (see example in Table 2). When conducting the audit, this preliminary analysis is extended. The purpose is to classify all deviations that stem from a procedural conformance check as either an exception or an anomaly. To date, in practice these conformance checks are solely using a control-flow perspective. In theory, however, this can be extended to a multi-paradigm conformance check that, for example, includes a Segregation of Duties control between two activities.

Starting from deviations, an iterative cycle presents itself, until all deviations are classified as either an anomaly or an exception. When the deviation is classified as a potential compliance issue, a follow-up investigation is triggered. Returning to our example of the missing receipt of goods, this might, or might not, be a compliance issue. It was not classified as an anomaly, because a possible explanation could be formulated: perhaps the purchase related to services, making the receipt of goods an illogical activity. The auditor should test this potential explanation in order to reach a conclusion on whether this deviation is an anomaly or an exception to the normative process. To do so, the auditor collects all cases where the receipt of goods is missing, and subjects this (filtered) log to a conformance check where the formulated hypothesis is tested. Hence, a declarative constraint is checked on this set of transactions: ‘if the receipt of goods is missing, the purchase relates to services’. The cases that follow this rule can be cleared and listed as exceptions. If there are still cases that are not cleared by this possible explanation, the same approach is repeated.
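One pass of the cycle described above, as an added example that is not code from the chapter or from any process mining tool. The activity names, the two normative traces, the `purchase_type` attribute and the six cases are constructed assumptions; a hypothesis clears a case only if the rule holds and the rest of the trace fits the correspondingly relaxed model.

```python
from dataclasses import dataclass
from typing import Callable

# Assumed activity names and normative traces (second approval optional).
PO, A1, A2, GR, INV, PAY = ("Create PO", "First approval", "Second approval",
                            "Goods receipt", "Book invoice", "Pay invoice")
NORMATIVE = {(PO, A1, GR, INV, PAY), (PO, A1, A2, GR, INV, PAY)}

# Variants the auditor already cleared while planning (double second approval).
CLEARED = {(PO, A1, A2, A2, GR, INV, PAY)}


@dataclass
class Hypothesis:
    name: str
    applies: Callable[[dict], bool]  # selects the filtered log
    rule: Callable[[dict], bool]     # declarative constraint under test
    relaxed_model: set               # traces accepted when the rule holds


def without(activity, model):
    """Normative traces with one activity removed."""
    return {tuple(a for a in t if a != activity) for t in model}


SERVICES = Hypothesis(
    name="if the receipt of goods is missing, the purchase relates to services",
    applies=lambda c: GR not in c["trace"],
    rule=lambda c: c["purchase_type"] == "service",
    relaxed_model=without(GR, NORMATIVE),
)

# Constructed sample log: case id -> trace plus one case attribute.
LOG = {
    "c1": {"trace": (PO, A1, A2, GR, INV, PAY), "purchase_type": "goods"},
    "c2": {"trace": (PO, A1, A2, A2, GR, INV, PAY), "purchase_type": "goods"},
    "c3": {"trace": (PO, A1, INV, PAY), "purchase_type": "service"},
    "c4": {"trace": (PO, A1, A2, INV, PAY), "purchase_type": "goods"},
    # Service purchase, but the invoice was booked before any approval:
    "c5": {"trace": (PO, INV, A1, PAY), "purchase_type": "service"},
    # No approval at all and no hypothesis that could explain it:
    "c6": {"trace": (PO, GR, INV, PAY), "purchase_type": "goods"},
}


def triage(log, normative, cleared_variants, hypotheses):
    """Classify every case as conforming, exception, potential compliance
    issue (a hypothesis applies but did not clear it) or anomaly."""
    status = {}
    for cid, case in log.items():
        trace = tuple(case["trace"])
        if trace in normative:
            status[cid] = "conforming"
        elif trace in cleared_variants:
            status[cid] = "exception"
        else:
            status[cid] = "deviation"
    open_states = ("deviation", "potential compliance issue")
    for h in hypotheses:
        for cid in [c for c, s in status.items() if s in open_states]:
            case = log[cid]
            if not h.applies(case):
                continue
            if h.rule(case) and tuple(case["trace"]) in h.relaxed_model:
                status[cid] = "exception"
            else:
                status[cid] = "potential compliance issue"
    # Deviations for which no hypothesis could be formulated.
    for cid, s in list(status.items()):
        if s == "deviation":
            status[cid] = "anomaly"
    return status


if __name__ == "__main__":
    for cid, s in triage(LOG, NORMATIVE, CLEARED, [SERVICES]).items():
        print(cid, s)
```

Cases left as a potential compliance issue are the input for the next hypothesis the auditor formulates, which is passed as an additional entry in `hypotheses`.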

The cycle, as described above, presents the theory. In practice, too many deviations are presented to inspect all of them, and auditors fall back on a sampling approach. Current research is looking into weak supervision and active learning to support the auditor in the iterative cycle such that full-population testing can be reached [18]. The goal is to present deviations in an intelligent way to the auditor, who provides a classifier with the labels anomaly, exception, or uncertain. In case of uncertainty, the auditor provides a possible rule to check (the hypothesis). Based on the iterative human input, the classifier can support a classification of all identified deviations, preferably with minimal expert knowledge input [17].

By identifying deviations that can be tracked to the document level, the auditor can also direct the auditing activities in a target-oriented manner. More specifically, in-depth variant analysis and case analysis can be used to evaluate both the functioning of the internal controls and the process performance. The majority of process mining solutions offer various metrics in this regard, such as duration of the process, number of process steps, number of loops, number of variants, etc. Internal auditors can create additional value through this third dimension by auditing, analyzing, and identifying improvement opportunities and utilize process mining for consulting activities in addition to its conventional auditing activities.

Fig. 4. Internal control testing rationale, including process mining (Source: [17])

3.6 Communicating the Result

The advantages of visualizing processes and existing process deviations as well as conformance checks and identification of control weaknesses can also be used by the auditor as part of the audit report and the presentation of audit results. The visualization generally leads to the audited entity or report addressees being even more receptive to the potential findings or recommendations for improvement. Clearly, this area is of limited relevance compared to those mentioned previously, yet it provides an advantage that should not be overlooked.

3.7 Follow-up

During the follow-up of an audit, the auditor normally tries to check if the problems and negative findings of the initial audit were solved and whether the recommendations were implemented. Thus, the auditor can actually use all of the prior process mining analysis to double-check if the expected improvements were realized.

3.8 Maturity Levels

Although a match between the different internal audit phases and separate process mining activities is presented in the previous sections, sometimes an internal auditor only relies on process mining during the core of the audit (the phase ‘Conducting the audit’), as visually presented in Fig. 5, or another single phase. After building the event log, process discovery can help the auditor to understand the existing process variants and identify potential risk areas. Furthermore, the check of the existing process structure compared to the process model allows the internal auditor to clarify existing deviations or identify additional risks. Checking the process executions against business rules offers an additional way to gather evidence of, for example, internal control weaknesses or potential fraud cases. The variant analysis allows the auditor to compare different variants to identify additional risks, but also opportunities, since the as-is process might be a more efficient or effective way to organize the process than the intended process model. Finally, the case analysis allows the auditor to deep-dive on the transaction level to analyze the identified cases. It goes without saying that integrating process mining throughout the entire internal audit is next-level in terms of maturity, compared to the integration in only one phase.

Fig. 5. Example of how process mining can be integrated in a single phase of the internal audit

4 The Symbiosis Between Internal and External Auditing When Using Process Mining

As mentioned before, the external and internal audit have partially overlapping goals. Although internal audits include the investigation of process improvement from an efficiency point of view, both audits have the goal to assure the validity of the reported financial statements. As a result, the audit phases of the external and internal audit are not that different in nature. However, differences exist; some in nature and some in terminology.

4.1 External Auditing and Process Mining

Where the internal audit starts with planning the audit schedule for a period of one or several years, the external audit does not have such a long-term setting. The external audit standards also describe a phase of planning the audit, but this is in the light of a running audit engagement and relates to the audit of that specific accounting year. In order to plan the audit approach, a risk assessment phase takes place. Based on the risk assessment, the auditor decides where to allocate most resources. This is comparable with the internal audit phase ‘planning the process audit’. Similarly, this phase would rely mostly on process discovery and a rather high-level conformance check against a procedural model (Fig. 6).

Fig. 6. Integration of process mining activities in the external audit process

Based on the assessed risks, targeted business processes will be investigated through ‘tests of controls’ and ‘tests of details’. The tests of controls are related to examining the design and implementation of the organisation’s control environment. The tests of details are checks that take place at the transaction level. This distinction stems from before the digital era, where tests of controls were not executed at a detailed level. Nowadays, however, the distinction is less clear. For example, checking whether all documents in a system have been approved is a test of details that also checks the effectiveness of a control. Given the lesser delineation between these two concepts, these tests are often intertwined and form, together with other analytical procedures, the core of the external audit. Similar to the internal audit phase of conducting the audit, these tests would heavily rely on checking rules, a more in-depth variant analysis and case analysis [11, 20]. The driver of the tests currently stems from the traditional audit. The check-lists that were used before are now automated and extended with additional dimensions. Still, the core of the audit has not yet changed drastically. This can be attributed to the standards that remain unchanged, creating some reluctance among auditors to turn to new techniques.
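The approval check mentioned above, together with the variant and case analysis described in Sect. 3.8, can be sketched as follows. This is an added example, not code from the chapter; the event log, the activity names and the rule "approval must precede payment" are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed event log: (case id = invoice number, activity, timestamp).
EVENT_LOG = [
    ("INV-001", "Receive invoice", "2023-03-01T09:00"),
    ("INV-001", "Approve invoice", "2023-03-02T10:00"),
    ("INV-001", "Pay invoice",     "2023-03-05T14:00"),
    ("INV-002", "Receive invoice", "2023-03-01T11:00"),
    ("INV-002", "Pay invoice",     "2023-03-03T08:30"),   # never approved
    ("INV-003", "Receive invoice", "2023-03-02T09:15"),
    ("INV-003", "Pay invoice",     "2023-03-04T16:00"),   # approved only afterwards
    ("INV-003", "Approve invoice", "2023-03-06T09:00"),
    ("INV-004", "Receive invoice", "2023-03-07T13:00"),   # running case
    ("INV-005", "Receive invoice", "2023-03-03T10:00"),
    ("INV-005", "Approve invoice", "2023-03-04T10:00"),
    ("INV-005", "Pay invoice",     "2023-03-08T12:00"),
]
END_ACTIVITY = "Pay invoice"

def build_traces(log):
    """Group events per case and order them by timestamp."""
    cases = defaultdict(list)
    for case_id, activity, ts in log:
        cases[case_id].append((datetime.fromisoformat(ts), activity))
    return {case: sorted(events) for case, events in cases.items()}

def variants(traces):
    """Variant analysis: number of cases per distinct activity sequence."""
    return Counter(tuple(a for _, a in events) for events in traces.values())

def check_approval_control(traces):
    """Rule check over the full population: approval must precede payment."""
    result = {"compliant": [], "deviation": [], "running": []}
    for case_id, events in sorted(traces.items()):
        acts = [a for _, a in events]
        if END_ACTIVITY not in acts:
            result["running"].append(case_id)      # not yet evaluable
        elif "Approve invoice" in acts[:acts.index(END_ACTIVITY)]:
            result["compliant"].append(case_id)
        else:
            result["deviation"].append(case_id)    # candidate for case analysis
    return result

def case_detail(traces, case_id):
    """Case analysis: step count, throughput time and trace of one case."""
    events = traces[case_id]
    return {"steps": len(events),
            "days": (events[-1][0] - events[0][0]).days,
            "trace": [a for _, a in events]}
```

Running cases are reported separately rather than counted as deviations, since a case that has not reached payment cannot yet violate the rule.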

After the tests of details and controls, the results are communicated. As with the internal audit, the visual aspect of process mining is an important characteristic. A graphical presentation of the phases of the internal and external audit, along with the process mining analysis phases that can be used, is given in Fig. 7.

Fig. 7. Parallels between internal and external auditing and the process mining analysis phases that support the audits.

4.2 Relying on Internal Audit’s Process Mining Efforts

If the external auditor can start from the process mining efforts of the internal auditor, obviously, more can be reached than if this is not the case. In this setting, the external auditor would have to examine the process that was followed by the internal auditor when conducting the process analysis. The following questions need a clear answer (and hence clear documentation):

  • Which information is used to build the event log?

  • How exactly is the event log built? (which process instance was selected, which activities were included, based on which tables and fields in the information system,...)

  • Which filters were applied before starting the analyses?

  • How are running cases dealt with?

  • How are the analyses run? (in which tool, with which commands,...)

  • How are the results stored? Is there an unmodified audit trail?

  • ...

So although the external auditor does not have to start from scratch, a lot of effort will still be devoted to having assurance over the process of process mining. Only with a reasonable level of assurance of this internal process can the external auditor rely on the outcome of the internal auditor.
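One way to make the answers to these questions verifiable is to record each step of the analysis in a hash-chained trail, so that a later change to a filter, a table selection or a result file is detectable. The following is an added example, not part of the chapter; the table names, filter values and tool entries are constructed placeholders.

```python
import hashlib
import json

GENESIS = "0" * 64

def entry_digest(body):
    """SHA-256 over a canonical JSON encoding of one entry body."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()

def append_step(trail, step, details, artefact=b""):
    """Add one documented step; each entry commits to the previous one."""
    body = {
        "seq": len(trail),
        "step": step,
        "details": details,
        "artefact_sha256": hashlib.sha256(artefact).hexdigest(),
        "prev": trail[-1]["entry_sha256"] if trail else GENESIS,
    }
    trail.append({**body, "entry_sha256": entry_digest(body)})
    return trail

def verify_trail(trail):
    """Return the index of the first inconsistent entry, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "entry_sha256"}
        if (entry["prev"] != prev or entry["seq"] != i
                or entry_digest(body) != entry["entry_sha256"]):
            return i
        prev = entry["entry_sha256"]
    return -1

def build_sample_trail():
    """Constructed documentation of one analysis run; every value is a sample."""
    log_csv = b"case_id,activity,timestamp\nINV-001,Receive invoice,2023-03-01T09:00\n"
    trail = []
    append_step(trail, "source data",
                {"tables": ["invoice_header", "invoice_item"]})
    append_step(trail, "event log",
                {"case": "invoice",
                 "activities": ["Receive invoice", "Approve invoice", "Pay invoice"]},
                log_csv)
    append_step(trail, "filters", {"posting_year": 2023, "company_code": "SAMPLE"})
    append_step(trail, "running cases",
                {"treatment": "reported separately, not tested"})
    append_step(trail, "analysis",
                {"tool": "PLACEHOLDER-TOOL", "command": "PLACEHOLDER"})
    append_step(trail, "results", {"deviations": 2}, b"INV-002\nINV-003\n")
    return trail
```

The chain only proves integrity relative to its final hash, so that value has to be kept outside the control of whoever ran the analysis, for example by handing it to the external auditor when the analysis is completed.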

The alternative is that the auditor takes full control of the process mining analysis. They can still start from the internal auditor’s expertise, which will speed up the process of building the event log, for instance. But the external auditor would extract the data from the information systems themselves, build the event log and run the analysis themselves. This trade-off between control and depth of analysis is related to the personal preference of the external auditor.

5 Organizational Integration of Process Mining in the Auditing Function

Aside from the theoretical integration of process mining in the auditing process, organizational integration is equally important. There are different approaches by which internal and external auditors can implement process mining in the auditing process. The following options present potential approaches and should be examined individually for the respective auditor. Of course, the best-fitting solution always depends on the financial, technical and human resources available. Also, the time factor for the implementation of process mining and the necessary training of the employees are not to be neglected.

5.1 Individual Process Mining Experts

Solutions with one or a few process mining experts are conceivable, especially in smaller and medium-sized audit departments. The required profile is comparable to the members of a specialized team described above. Aside from profound process mining knowledge, the expert should have an excellent command of data analysis tools and, consequently, be able to design and manipulate queries and data easily. This enables the expert to create the analyses necessary for successful use in the auditing process. As a direct contact person, the expert becomes a shorter link to the auditor than when working with process mining teams. On the one hand, the advantage is the lower financial investment and the possibility to easily upscale the team. On the other hand, a challenge could be that the expert’s capacity is too low when there are frequent requests.

5.2 Specialized Process Mining Team

It is a good idea to set up an independent process mining team, especially for sizeable internal audit functions or functions with solid data analysis activities. This team specializes in data analysis and process mining and prepares reports to support each audit. Consequently, this team belongs to the core of the audit function and is heavily involved in audit preparations. In such a team, especially auditors with profound ERP systems and process expertise should be involved. This know-how enables the team to develop and prepare target-oriented analyses of data and processes, such that the auditors outside the team reap significant benefits from this. Since the experts can reuse some procedures to prepare different dashboards and process analyses, learning effects can be assumed. While the high degree of specialization of the team brings numerous advantages, the disadvantages of this approach should not be neglected either. The team members primarily work “remotely”, potentially leading to isolation from the actual audit process. Such an approach is also associated with high personnel costs, so it must be examined per company to what extent this can be realistically implemented. If individual teams for data analysis already exist in the auditing function, this would, of course, be a sensible starting point for this approach.

5.3 Training of All Staff

When process mining becomes an integral part of the auditing function, comprehensive training of all auditors working with it is unavoidable. Depending on the selected process mining software, specific levels of training are required. The training should include the connection to the ERP system: understanding the ERP data structure is a prerequisite to building a suitable event log. The connection to the corresponding process specifications of the company is also of central importance against this background. What do the processes in our company look like? What controls have been implemented? Where are the critical points? All these questions need to be translated into clear questions to feed the process analysis of the auditor. These sample questions show how demanding training on this topic is. The high demands on training must also be understood against the background of the local or global orientation of the internal audit function of the respective company. If the auditing functions have several locations, possibly even in different nations, a corresponding global training concept to roll out to the different nations is recommended. Overall, training should help standardize procedures, develop appropriate competencies, and build a shared knowledge base across the audit function. Only with a soundly thought-out training concept can the auditing department successfully implement process mining in its processes.

5.4 Process Mining Competencies of Other Departments or Outsourcing

In addition to building up process mining competencies within the auditing team, the auditing function can also draw on support from outside. Numerous companies have now implemented process mining solutions in various areas of the company, which is why a cooperation with other functions in the context of process mining analyses is conceivable. This approach is particularly useful if the auditing department has not yet been able to think through the process mining approach or if initial trial analyses are to be carried out. The great advantage of this approach is that the auditing team has to expend relatively limited resources in order to fundamentally evaluate the possible applications. An important note is, however, that audit-specific aspects that should be included during the log building phase might not be included. To mitigate this risk, it is important to team up with a partner that has process mining expertise in an auditing context. Another important characteristic that holds for every act of outsourcing is that the auditor doesn’t develop deep in-house expertise. Alternatively, outsourcing is possible, in order to maintain the flexibility of the auditing function. However, outsourced analyses will probably produce comparable costs due to the enormous implementation effort later on.

6 From Data to Audit Evidence

When the auditor decides to apply a process mining approach, there are two preparatory steps that are key to success: identify the scope of your process under investigation and formulate (upfront!) the most important questions that need to be answered. The process can be either a core business process, like purchase or sale, or a supporting process like an incident management or change management process. It is paramount to identify which activities are subject (and which are not) to the audit. Aside from the process scope, the formulated key questions are of paramount importance. Based on these questions, the event log can be built. Although research on object-centric process mining is on the rise, in practice, process mining for audit is still document-centric: a case is either an order, or a journal posting, or an invoice, or another document of relevance.

Based on the audit questions, the relevant information can be extracted from the information system. Unfortunately, the selection of a case identifier potentially creates noise on the analyses to follow. When many-to-many relationships exist between a document at the beginning of the process and another document that is created near the end, choosing one or the other document always has its up- and downsides. In general, it seems that the auditor prefers to select a document that leads to a financial transaction and at the same time is earlier in the process [21]. If a choice needs to be made on whether to follow that document on its header level, or on a more detailed level, the auditor is attracted to examine the case at the lower level.
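The noise caused by the choice of case identifier can be made concrete with a small many-to-many example. This is an added illustration, not code from the chapter; the orders, invoices, links and amounts are constructed.

```python
from collections import defaultdict

# Constructed documents: order O2 is billed over two invoices,
# and invoice I1 covers two orders (a many-to-many relationship).
LINKS = [("O1", "I1"), ("O2", "I1"), ("O2", "I2")]   # (order, invoice)
EVENTS = [  # (event id, activity, document, amount)
    ("e1", "Create order",   "O1", 0),
    ("e2", "Create order",   "O2", 0),
    ("e3", "Create invoice", "I1", 0),
    ("e4", "Create invoice", "I2", 0),
    ("e5", "Pay invoice",    "I1", 1000),
    ("e6", "Pay invoice",    "I2", 500),
]

def related_cases(document, case_type):
    """Cases of the chosen type that a document belongs to."""
    if document.startswith("O"):
        if case_type == "order":
            return {document}
        return {i for o, i in LINKS if o == document}
    if case_type == "invoice":
        return {document}
    return {o for o, i in LINKS if i == document}

def flatten(case_type):
    """Build a document-centric event log for one case notion."""
    log = defaultdict(list)
    for event_id, activity, document, amount in EVENTS:
        for case in sorted(related_cases(document, case_type)):
            log[case].append((event_id, activity, amount))
    return dict(log)

def profile(case_type):
    """Compare the flattened log with the events that were actually recorded."""
    log = flatten(case_type)
    rows = [row for trace in log.values() for row in trace]
    counts = defaultdict(int)
    for event_id, _, _ in rows:
        counts[event_id] += 1
    return {
        "cases": len(log),
        "rows": len(rows),
        "duplicated_events": sorted(e for e, n in counts.items() if n > 1),
        "paid_total": sum(a for _, act, a in rows if act == "Pay invoice"),
    }
```

With the order as case, the payment of invoice I1 appears in two cases and the paid total reads 2500 instead of the recorded 1500; with the invoice as case, the payments are correct but the creation of order O2 is duplicated.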

To select activities to include in the event log, most ERP systems give a plethora of options to enrich the log with. A lot of recorded events could be included on top of the most straightforward (process) activities. It is for example possible to include both the moment an invoice was put in the system and the date that it was posted, where the former is cpu-timestamped and the latter timestamp is manually entered. These additional insights are still to be integrated in regular audits. To date, the auditor is not yet fully grasping these opportunities. In a future audit, perhaps when standards have been updated, these types of activities should find their way into typical standard analyses.

As the event log serves as ‘audit evidence’ in the context of an external audit, it is tied to audit regulations. To assemble the audit evidence, and hence build the event log, the auditor is expected to obtain sufficient appropriate audit evidence. This leaves room for discussion on whether, according to this stipulation, an auditor can ask for full access to a client’s information system or not. If not, the auditor will need to submit a detailed data request. This is the standard procedure for regular audits where you can request ‘information’. However, when you are interested in the data underneath the information, this is more difficult. Submitting a sufficient data request to build an event log later is only possible if the auditor is acquainted with the company’s information system.

Once the auditor has access to information, the auditor has to decide on whether it is suited to use as audit evidence and base an opinion on this information. Particularly relevant to the case of process mining in auditing are the stipulations on audit evidence that has been prepared using the work of a management’s expert. In such cases, the auditor is expected to “evaluate the competence, capabilities and objectivity of that expert; obtain an understanding of the work of that expert; and evaluate the appropriateness of that expert’s work as audit evidence for the relevant assertion.” [22]. When using information produced by the entity, the auditor is expected to have a view on the accuracy and completeness of the information, and whether the information is sufficiently precise and detailed [22]. Taking these regulations into account makes it clear that it is not straightforward for an external auditor to rely on other parties to conduct process mining analyses and build further on this.

7 Open Challenges

Although the preceding discussion demonstrates the numerous benefits of applying process mining within internal and external auditing, numerous fundamental challenges also exist. These challenges can be divided into four areas:

  • Data quality

  • Auditor skill-set

  • Stakeholder

  • Full-population testing

All four areas have varying degrees of relevance to their respective organizations and include numerous broader challenges and components.

Data Quality. With regard to data, the application of process mining within the audit is jeopardized if the available data is either not usable or irrelevant. Also, data integrity and compatibility play a key role against this backdrop. For example, having different source systems implies that the creation of a usable data model for process mining is not straightforward. Consequently, all known problems and challenges of data analyses and IT systems are also valid for process mining in the context of auditing.

Auditor Skill-Set. Both internal and external auditors must have the required know-how and appropriate training for the use of process mining in the context of the audit. However, information systems, data analytics, and process mining are not standard topics in auditing education curricula. Although programs are increasingly including these topics in courses and providing good starting points, the acceleration must be sustained during career development. Therefore, it is equally important that audit companies (or departments) sharpen these skills with the new hires. Only then can this lead to a know-how flow through the entire audit firm.

Stakeholder. It is important for the auditor to clarify the compliance with auditing standards during the financial audit with process mining and get the commitment from the audit committee or the audited entity while using process mining. The regulator or the respective professional association must also support the use of new technologies for obtaining an audit result accordingly.

Full-Population Testing. Process mining often extends the traditional sampling approach, where a sample is taken from a population as audit evidence. Process mining, on the other hand, generally uses the entire population of transactions, so that the potential alpha and beta errors of a sample no longer exist. However, this consideration becomes difficult if, for example, several hundred or even thousands of deviations (‘red flags’) are identified during the audit. In such a case, it is necessary to decide how the auditor arrives at the intended reasonable assurance. Does the auditor draw a sample from the identified red flags, because of resource constraints? Or does the auditor use additional resources, because the risk of not evaluating all red flags impairs the audit judgment? In practice, the latter is often not feasible, pushing auditors sometimes back to traditional sampling approaches. This is of course not the way forward when new techniques are around to move closer to full-population testing. The answer should be sought in providing support to dealing with all these deviations (see Sect. 3.5).

In addition to these general areas, further challenges can be identified, such as the high entry barriers and costs for smaller audit functions or audit firms.

8 Conclusion and Outlook

The use of process mining in internal and external auditing offers a multitude of potential benefits. Through the visualization and analysis of process steps, especially in combination with an in-depth data analysis, auditors can use numerous new ways and approaches to generate unique insights. For example, process mining can support compliance with (global) process governance and thereby improve the process landscape in national and international organizations. Moreover, by combining data from different areas of the company, completely new contexts can be mapped and a true added value for auditing can be created. Process mining can support all areas of auditing work. This includes the identification of risk areas or compliance violations, the audit of the internal control system, and the compliance with governance requirements.

Of course, process mining is a tool on the process level, which is why the link to real business processes and data is of decisive importance for a successful implementation in auditing. When reaching this process connection through the audit, process mining offers numerous approaches and applications for both experienced and novice auditors. Depending on the focus and experience of the auditor, the field of application can be completely different. Successfully applying process mining in auditing means striking a balanced combination of the right process mining techniques and skills with the right level of audit expertise. Only running an analysis, without the interpretation of a domain expert, is, like any other data analysis, meaningless. The added value is found in the powerful combination of techniques and domain expertise. This is where future investigations of this topic should focus.