Embedding process mining into ﬁnancial statement audits

The audit of ﬁnancial statements is a complex and highly specialized process. Digitalization and the increasing automation of transaction processing create new challenges for auditors who carry out those audits. New data analysis techniques offer the opportunity to improve the auditing of ﬁnancial statements and to overcome the limitations of traditional audit procedures when faced with increasingly large amounts of ﬁnancially relevant transactions that are processed automatically or semi-automatically by computer systems. This study discusses process mining as a novel data analysis technique which has been receiving increased attention in the audit practice. Process mining makes it possible to analyse business processes in an automated manner. This study investigates how process mining can be integrated into contemporary audits by reviewing the relevant audit standards and incorporating the results from a ﬁeld study. It demonstrates the feasibility of embodying process mining within ﬁnancial statement audits in accordance with contemporary audit standards and generally accepted audit practices. Implementation of process mining increases the reliability of the audit conclusions and improves the robustness of audit evidence by replacing manual audit procedures. Process mining as novel data mining technique provides auditors the means to keep pace with current technological developments and challenges. (cid:1)


Introduction
This study concerns the application of data science in the profession of auditing and explores how the technique of process mining can conceptually be embedded into the audit of financial statements. This paper answers the call from Appelbaum et al. (2017) for more research in the context of big data and analytics in modern audit engagements. Guidance and evidence on how this can be done to meet the requirements of contemporary International Standards on Auditing (ISA) are provided.
Companies have automated their increasingly complex operations using advanced computer systems. This development has also affected the accounting and audit profession. Public accountants face new challenges because of this increase in automated transaction processing, the growing heterogeneity of source systems, the greater complexity of business processes and the increasing volumes and variety of created data. International and national audit standards do not directly specify how data analysis techniques can or should be employed in contemporary audits (IFAC, 2016). Historically, computer assisted audit tools (CAATs) have seldom been used as technological support in external audits (Braun and Davis, 2003;Debreceny et al., 2005). The acceptance of advanced data analysis techniques like regression or classification has generally been low in the audit profession (Kim et al., 2009), although these are particularly important in the context of big data (Chen et al., 2012).
Although CAATs have not previously been especially popular among the Big Four accounting firms (Bierstaker et al., 2014), a change in this trend appears to be taking place. In recent years, all large audit firms have embedded advanced data analysis techniques into novel audit tools such as Deloitte's Spotlight (Deloitte, 2019), EY's Helix (EY, 2019a), KPMG's Clara (KPMG, 2020) or PwC's Halo (PwC, 2019a). The analysis techniques embedded in these tools typically rely on data that are financial in nature. Analyses focus on testing individual transactions in the general ledger to support journal entry testing and on performing partially automated analytical procedures to address the audit objectives of specific account balances (FRC, 2017). To date, analysing and evaluating audit clients' internal processes and controls is primarily a manual task that involves the observation of employees performing process and control activities, inquiries with process owners, reviews of process documentation and manually testing samples of source documents.
This study focuses on process mining as a relatively novel data analysis technique (van der Aalst, 2016). Process mining algorithms analyse data from operational computer systems to provide information about the business processes within an organization. This has the potential to help auditors overcome severe limitations and inefficiencies in present-day audits, particularly in assessing the design and operating effectiveness of internal controls. Typical traditional audit procedures provide little if any reliable information when business transactions are largely processed by computers instead of humans and control procedures are embedded and automated in the software itself. The individual and manual inspection of a sufficiently large sample of transactions becomes inefficient or even impossible in industries that process millions or billions of transactions every day, as in the retail or telecommunications industries.
Novel data analysis techniques which can deal with big data can help overcome the challenges associated with extremely voluminous, heterogeneous and rapidly accumulating data (De Mauro et al., 2016). Process mining techniques make it possible to create reliable business process models automatically by analysing the recorded data produced by a company's operational computer systems during the course of transaction processing. It can be a substitute for time-consuming and errorprone manual data collection to aid in understanding and testing an audited entity's business processes and internal control system. Application of process mining enables the auditor to assess standard processes very efficiently and to allocate audit resources to those occurrences that deviate from standard procedures. They usually exhibit a much higher audit risk than standard transactions. The application of process mining further provides a foundation of empirical quantitative data that enables the auditor to employ additional data analytics and artificial intelligence approaches, as suggested by Jans and Hosseinpour (2018).
All Big Four companies have started to adopt process mining techniques for auditing or consulting services (Deloitte, 2020;EY, 2019b;KPMG, 2018;PwC, 2019b). Although the potential of novel data analytics is significant for financial statement audits, there is uncertainty about how such techniques can be integrated into existing audit approaches and applied in accordance with relevant audit standards (IFAC, 2016). This uncertainty is a severe impediment to the use of novel data analysis techniques in the audit profession. This study seeks to reduce this uncertainty and to lower perceived barriers to adoption. It relies on the analysis and interpretation of the relevant ISA, as well as related studies and the results from a field study to discuss how process mining can be embedded into contemporary financial statement audits. Although several publications describe case studies in the context of internal (Jans et al., 2013(Jans et al., , 2014 and external auditing (Werner and Gehrke, 2019), as well as the technical aspects of process mining algorithms from an external audit perspective (Werner, 2017;Werner and Gehrke, 2015), we are not aware of any conceptual study that investigates how process mining can be embedded into currently prevailing audits as required by the ISA.
This study is organized as follows. The next section describes the chosen methodology. Section three provides an overview of existing studies and introduces the fundamental aspects of process mining relevant for this study. Section four describes the current use of data analysis techniques in the audit of financial statements as a foundation to illustrate, in section five, how process mining can be embedded in contemporary external audits as a novel data analysis technique. The study closes with a summary in the last section.

Methodology
This study relies on the systematic analysis of the ISA and related literature, as well as insights gained from a field study on the application of process mining in the audit practice. It is also informed by one of the authors' engagement as an academic adviser to the International Auditing and Assurance Standards Board (IAASB) Data Analytics Work Group (DAWG).
Financial statement audits are carried out by chartered public accountants: ''The purpose of an audit is to enhance the degree of confidence of intended users in the financial statements" (ISA 200 sec. 3, IFAC, 2009a). These audits are important for the functioning of economic markets and serve as a safeguard to ensure that financial statements present a true and fair view of the reporting entities' financial position and performance in accordance with relevant accounting frameworks. They prevent the publication of false financial information that might detrimentally impact decisions made by stakeholders.
Organizations are legally obliged to prepare their financial statements fairly and truthfully. They have to apply generally accepted accounting principles (GAAP) and standards when preparing their financial statements. This ensures that the published statements display correct and comparable information to their audience. Governments have entrusted the issuing of accounting standards to specific entities. Such standard-setting bodies include the International Accounting Standards Board (IASB) at the international level and, at the national level, the Financial Accounting Standards Board (FASB) in the USA and the Deutsches Rechnungslegungs Standards Committee (DRSC) in Germany, for example. These organizations issue the International Financial Reporting Standards (IFRS), the FASB Accounting Standards Codification (ASC) and the Deutsche Rechnungslegungs Standards (DRS), respectively.
Chartered public accountants are in charge of auditing the financial statements prepared by reporting companies, and auditing standards provide guidance to auditors in doing so. The standards are issued by regulatory bodies such as the International Auditing and Assurance Standards Board (IAASB) for the ISA, the Public Company Accounting Oversight Board (PCAOB) for the Auditing Standards (AS), and the Institut der Wirtschaftsprüfer (IDW) for the IDW Prüfungsstandards (IDW PS). Laws, regulations and standards differ by country, but a convergence has taken place over the past few decades between different accounting frameworks (Barth, 2008). This study primarily relies on the systematic analysis of relevant ISA, as these have been adopted by most countries around the world including the USA and the member states of the European Union (IFAC, 2012a).
The discussion of how to embed process mining into contemporary audit approaches is here substantiated by means of a field study -that is, the implementation of process mining for external audit purposes at one of the world's leading audit firms. The development of suitable process mining tools and their implementation into pilot projects across central European countries involved two of the authors of this study via direct supervision. Formal focus group meetings of the authors with experts from the case company's research and development unit took place several times between August 2016 and March 2019. The case company developed a proprietary mining tool and application procedures tailored to financial statement audits. Process mining was integrated into financial statement audits for several pilot engagements in 2018 and 2019. The outcomes of applying process mining to analyse the procurement process for one audited entity serve as an example for demonstration purposes. The analysis of the traditional use of data analysis techniques during an audit served as a reference point to discuss how the process mining techniques can complement these.
One of the authors of this study serves as an academic adviser to the DAWG as a member of its project advisory panel. The IAASB set up the DAWG to explore emerging developments in the effective and appropriate use of technology, to enhance audit quality and to explore how the IAASB can most effectively respond to these emerging developments by revising existing ISA or preparing non-authoritative guidance (IFAC, 2018a). Of particular interest is the DAWG's request for input (IFAC, 2016) summarizing contemporary challenges related to novel technologies in the audit profession and the need to revise existing audit standards. These challenges form the motivation for the study at hand. The document emphasizes that the concept of technology used to support financial statement audits (CAATs) emerged in a very different technological era (IFAC, 2016, sec. 9). It is therefore necessary to develop solutions for how to use and integrate contemporary data analysis techniques into existing audit approaches. As a result of this work, the exposure draft for revising ISA 315 (IFAC, 2018b) explicitly recognizes the importance and use of automated tools and techniques to perform risk assessment procedures. This includes, for example, using technology to perform procedures on large volumes of data to provide information that is useful for the identification and the assessment of risks of material misstatement. The work of the DAWG takes place on the institutional level of standard setters. This study deals with the question of how a specific data analysis technique -process mining -can be embedded into contemporary audits for concrete audit settings in compliance with contemporary ISA.

Background and related literature
Process mining uses recorded event log data, which can be extracted from a source system, to provide information about business processes (van der Aalst, 2016), as well as graphical representations. The source system can be any process-aware information system (Dumas et al., 2005), such as enterprise resource planning (ERP) or workflow management systems. In recent years, sophisticated general-purpose mining algorithms have been developed, including heuristic (Weijters et al., 2006), fuzzy (Günther and van der Aalst, 2007) and genetic (de Medeiros, 2006) mining algorithms. More recent examples include the Split Miner (Augusto et al., 2017) or those using integer linear programming (van Zelst et al., 2018). Several companies offer sophisticated commercial process mining tools (Celonis, 2020a;fluxicon, 2020;LANA Labs, 2020;UiPath, 2020;Zapliance, 2020). Process mining packages also exist for programming languages such as Python (Fraunhofer Institute for Applied Information Technology, 2020) and R (Janssenswillen et al., 2019).
A mining algorithm analyses input data to create the process models as output. Input data have to be extracted from the relevant source information systems and transformed into an event log, which contains all of the recorded events that relate to the executed business activities. A process model abstracts from the observed behaviour of individual business process executions, which are called process instances. A process model therefore represents a set of different process executions with identical or similar behaviour. Each executed process activity is recorded as an event in the event log. Every event is mapped to a case, which represents a single process instance. The sequence of recorded events in a case is called trace, which in turn describes the sequence of activities as they have been recorded, and this sequence determines the control flow modelled in the corresponding process models. Cases belonging to the same business process exhibit identical or similar traces, and process executions of a specific process that represent identical traces are called variants (Chiu and Jans, 2019;Jans et al., 2014). A complete specification for event logs is available in Günther and Verbeek (2012). Fig. 1 provides a visual example of the type of business process model that can be produced by mining algorithms. It shows a model of specific procurement process that was mined using the Celonis process mining software (Celonis, 2020a). 1 The depicted process consists of 10 different activities, which are shown as hexagons that are labelled with names of the represented transaction and the number of executions. This number states how often the respective activity was carried out in the analysed process; the frequency of each activity is also illustrated by the degree of shading -the darker the symbol the more frequent the represented activity. The hexagons with the embedded triangle and rectangle indicate the start and end of the process model. The arrows define the sequence of activities (control flow). The inscriptions on these arrows indicate how often one activity was followed by another, while the shading and thickness of the lines highlight their relative frequency.
Process mining has served as an analysis technique in various scientific investigations for process discovery, conformance checking, enhancement and social network analysis (Maita et al., 2017). It has been applied in scientific studies to a variety of different application domains, ranging from the healthcare (Yoo et al., 2016) and IT (Edgington et al., 2010) sectors to textiles (Lee et al., 2016), shipping (Wang et al., 2014) and the manufacturing industry (Lee et al., 2013).
Process mining has also been applied for auditing (Jans et al., 2013(Jans et al., , 2014 and fraud detection (Baader and Krcmar, 2018), but scientific publications related to process mining in the context of external auditing are scarce. Jans (2012); Jans et al. (2013) have discussed opportunities, challenges and limitations related to process mining in the context of internal auditing and have also conducted related case studies (Jans et al., 2014(Jans et al., , 2008. Another research group has focused on the application of process mining in the context of external statutory audits (Gehrke, 2010;Gehrke and Müller-Wickop, 2010;Müller-Wickop et al., 2011;Werner, 2013;Werner et al., 2013Werner et al., , 2012Werner and Gehrke, 2015. Although these publications deal with process mining in the context of internal or external auditing, we are not aware of any study that conceptually investigates how process mining can be embedded into the overall audit process.

Contemporary use of data analysis techniques in the audit
The ISA 2 do not require a specific process to carry out statutory audits, but the typical phases of an audit of financial statements in practice are shown in Fig. 2. 3 Generalized audit software such as IDEA (CaseWare International Inc., 2020) or Galvanize (formerly known as ACL, Audit Command Language; Galvanize, 2020) have existed since the 1990s and are used for different purposes in financial audits (Arens et al., 2017). CAATs have historically not been be used extensively in external audits (Bierstaker et al., 2014;Braun and Davis, 2003;Debreceny et al., 2005), but all large audit firms have embedded data analysis techniques into their audit approach (Deloitte, 2019;EY, 2019a;KPMG, 2020;PwC, 2019a). Data analysis techniques can, in principle, be used to support procedures in all audit phases. Fig. 3 provides an overview of audit activities which are currently supported using data analysis techniques; this overview also provides references to relevant ISA which specify the requirements for each listed activity.
Data analyses play a particularly important role for gaining an understanding of the audited entity and for risk assessment. They are used for analysing general ledger data, re-building the balance sheet and income statement from the population of transactions, and gaining an understanding of the composition of account balances and classes of transactions (ISA 315 sec. 11, IFAC, 2012b). Key performance indicators are calculated from aggregated financial statement data, and trends are analysed based on account balance data. The partially automated identification of significant changes or the absence of expected changes from prior periods supports the identification of risks of material misstatements (ISA 315 sec. A19, IFAC, 2012b).
Examples of data analysis techniques that auditors use for designing and executing procedures to address the identified risks of material misstatements include the recalculation (ISA 500 sec. 7 and A19, IFAC, 2009f) of documents to assess the reliability and completeness of evidence or testing populations of journal entries recorded in the general ledger to support the identification of unusual items (ISA 240 sec. 33, IFAC, 2009c). Data analyses are also performed as substantive analytical procedures (ISA 520 sec. 5, IFAC, 2009g); these include gross margin analysis, trend analysis of specific accounts and the analysis of debtor or creditor balances and open items, as well as their movements over time. CAATs support the stratification of populations for audit sampling (ISA 530 sec. 5 and appendix 1, IFAC, 2009h). Partially automated techniques that summarize the general ledger data and provide descriptive analyses, including significant changes compared to the prior period (ISA 520 sec. 6, IFAC, 2009g) support auditors in forming, communicating and documenting an audit conclusion (ISA 230 sec. 8, IFAC, 2009b;ISA 330 sec. 38, IFAC, 2009e).
These examples illustrate the different purposes for data analysis throughout an audit. They can be applied along the entire audit process and to all types of audit procedures (AICPA, 2017). Although data analysis techniques are used for various purposes the field study revealed that they currently just cover the analysis of business processes and the test of controls to a very limited extent, as highlighted in Fig. 4. Data analyses are sometimes used as reperformance procedures (ISA 500 sec. A20, IFAC, 2009f) that supplement the understanding of internal controls. They can also be used to assess already identified controls by reviewing system parameters for automated controls (Gehrke, 2010). Such analyses only consider individual controls in an isolated manner. Traditional data analytics tools do not provide algorithms to construct process views from readily available data. The use of business process analytics in the audit profession is still generally limited (FRC, 2017).
Process mining complements other data analysis techniques (AICPA, 2017 example 2-5), which primarily rely on financial data, while process mining uses data from event logs. This makes it possible to analyse whole processes and the controls that govern these processes. This is the key characteristic of process mining techniques, whose algorithms produce process models as visualizations and provide quantitative information about the analysed processes. A Benford analysis (Nigrini, 2012) carried out as a traditional data analysis technique for the identification of unusual items (ISA 240 sec. 33, IFAC, 2009c) by analysing journal entry data, for example, makes it possible to identify potential outliers in a given data set. Process mining makes it possible to gain a complete understanding of an analysed process, including the activities that are carried out and by whom, which data elements and documents are created, and their effect on the financial accounts. This provides a process-level perspective on the analysed data and can serve as the input to test relevant internal controls (Chiu and Jans, 2019;Jans et al., 2014) and to apply further advanced data analysis techniques (Jans and Hosseinpour, 2018;Werner and Gehrke, 2019). We are not aware of any other data analysis technique that provides this kind of information.
A challenge for using audit data analytics is identifying control overrides and changes to data during the course of processing, such as price changes to purchased goods or the authorization of payments using a system administrator account. Overrides can be authorized after the fact, and the data can be brought back into compliance before the end of a reporting 2 The exposure draft and corresponding implications of the planned revision of ISA 315 have not been considered for this study, as the draft has not yet been released as a standard. 3 There are currently 37 standards included in the ISA, but the diagram only shows the selected standards that are important for each phase, provide general information about the contemporary audit approach and are particularly relevant for the context of this study. period. Process mining reveals these kinds of activities. The time relationships and sequence of events are made explicit and can be analysed accordingly, and this reveals changes and temporary control deviations. Necessary process data are readily available. The same is true for mature process mining algorithms and scientific publications dealing with process mining in the context of internal and external auditing. One of the major obstacles seems to be uncertainty regarding whether and how the application of process mining complies with contemporary audit standards and how it can be embedded into contemporary audit approaches. These questions have remained unanswered, although they are highly relevant for the audit profession. The next section discusses possible answers to these questions and demonstrates how to apply process mining conceptually and practically in contemporary audit engagements.

Embedding process mining into the financial statement audit process
Process mining is particularly relevant for assessing the design and operating effectiveness of internal controls during an audit and thus fills a gap in the portfolio of currently available data analysis techniques. It can also serve several alternative purposes throughout the different phases of an audit. Fig. 5 provides an overview of how process mining can be embedded into the audit process to support the execution of audit activities required by the ISA for each audit phase. It follows the same structure as Fig. 3. The next subsections explain how process mining can conceptually and practically be employed for each phase.

Phase I: Understanding the entity
ISA 315 requires the auditor ''(. . .) to identify and assess the risks of material misstatement in the financial statements, through understanding the entity and its environment, including the entity's internal control" (ISA 315 sec. 1, IFAC, 2012b). To achieve this, the auditor has to ''obtain an understanding of (. . .) the related business processes, relevant to financial reporting (. . .)" (ISA 315 sec. 18, IFAC, 2012b). Process mining provides the auditor information about how the business processes in an audited entity relate to the entity's financial accounts. This enables the auditor to provide an initial assessment of relevant risks using analytical procedures (ISA 315 sec. 6, IFAC, 2012b), to establish a preliminary audit strategy (ISA 300 sec. 2, IFAC, 2009d) and to assess the overall expected audit effort. The relationship between processes and specific financial accounts can be visualized and analysed quantitatively to get an understanding of how the balance sheet and income statement accounts are composed. It is possible to reconcile the mined process models to the financial accounts. Each mined pro-

Planning an Audit of Financial Statements (ISA 300)
• Planning is not a discrete phase of an audit, but rather a conƟnual and iteraƟve process

Forming an Opinion and ReporƟng on Financial Statements (ISA 700)
• Form an opinion on whether the financial statements are prepared, in all material respects, in accordance with the applicable financial reporƟng framework This provides information about whether the analysed data elements are accurate and complete. While other data analysis techniques are useful to analyse the composition of financial statement account balances, process mining can establish an understanding of how the business processes relate to those accounts. Fig. 6 shows a screenshot from the case company's process mining tool for an audited client. It illustrates the reconciliation of the values discovered by process mining with the account balances for the relevant period. The Debit and Credit columns show the total values of debit and credit postings yielded by the analysed process. The respective financial accounts are listed in the left-hand column. The column Net activity shows the corresponding balance for each account at the end of the reporting period. It can be seen that the mined process covered 90.63 per cent of all debit and 90.43 per cent of all credit posting to the Goods Received / Invoices Received (GR/IR) clearing account for trading goods, as well as 95.27 per cent of debit and 95.14 per cent of credit postings for the Trade accounts payable -third local.
The mined process appears to cover the vast quantity of transactions that occurred within the audited company which relate to the procurement of products held for trade from local third parties. Reconciliation with further accounts shows,       Fig. 7 shows the mined process model for the procurement process of the audited entity. It visually represents the complexity of the analysed process. By inspecting the model, auditors can assess if important control activities, such as the approval of purchase orders, were present or missing (ISA 315 sec. 20, IFAC, 2012b). By analysing processing times and uncommon control flow paths -as well as infrequent activities -auditors can assess the inherent audit risk (ISA 315 sec.16, IFAC, 2012b) and initially assess whether the testing of related internal controls is a feasible audit strategy to address identified risks (ISA 330 sec. 6, IFAC, 2009e, sec. 6).
Documentation of the obtained understanding of the audited entity is an important requirement for external audits (ISA 330 sec. 28, IFAC, 2009e, ISA 230 sec. 8, IFAC, 2009b, ISA 315 sec. 32, IFAC, 2012b. It is commonly a time-intensive manual task, and auditors usually carry out inquiries with key personnel and review existing process documentation to prepare process charts or textual process descriptions. There are frequently significant differences between these process descriptions, the views of the process owners and the understanding obtained by the auditor. The results of process mining, such as the process model shown in Fig. 7, provide reliable documentation of the audited process which is created automatically, and can be used as the auditor's working papers.

Phase II: Identify and assess risks
Process mining enables the auditor to understand and deconstruct significant classes of transactions by identifying the control flow paths in a mined model which represent a notable proportion of the overall recorded transactions that are significant for the financial statements (ISA 315 sec. 18(a), IFAC, 2012b). Fig. 8 shows the results for the analysis of different classes of transactions. It reveals that the mining algorithm discovered 2,393 variations of the procurement process. A process variant in this context is understood as a process model which represents cases with identical traces, hence identical control flow paths. 4 The bar charts on the left side of Fig. 8 show that a single variation of the process represents 37.32 per cent of all analysed cases. The second most common variant only covers 9.92 per cent of all cases, whereas the vast majority of variants represent only single cases, which is in line with the results from related studies (Jans et al., 2014). The process model representing the most frequent variation of the business process (also called the critical path) is shown on the right-hand side of Fig. 8. This visualization shows the auditor whether control activities were recorded which govern the represented class of transactions (ISA 315 sec. 20, IFAC, 2012b).
Through the analysis of different classes of transactions via process mining -in combination with the financial reconciliation mentioned earlier -the auditor receives quantitative information about the degree of automation in the transaction processing. The information gained from the financial reconciliation tells the auditor the quantity of transactions relevant for a financial account that were actually recorded via semi-or full-automated processes. Fig. 9 shows the results of a social network analysis for those (anonymized) users that executed activities in the source system related to the analysed process. These users can be humans or system users; the activities executed by system users are guided by the rules embedded in the source system's software itself without the interaction of human users. The higher the quantity of transactions processed by system users and the more central they are in the network, the higher the degree of automation. This allows the auditor to assess risks associated with the automation of transaction processing (ISA 315 sec. 30, IFAC, 2012b), such as incorrect implementation or manipulation of system users, to determine appropriate responses for assessing the design and operating effectiveness of relevant internal controls (ISA 330 sec. 8, IFAC, 2009e).
In summary, the information gained through process mining makes it possible to identify the relevant risks of material misstatements in financial statements (ISA 315 sec. 5, IFAC, 2012b) because the auditor receives reliable information about the business processes in the audited entity, their characteristics and potential weaknesses via novel analytical procedures (ISA 315 sec. 6, IFAC, 2012b). This information helps the auditor to identify and assess the risk of material misstatement at the assertion level 5 for significant classes of transactions, account balances and disclosures (ISA 315 sec. 25, IFAC, 2012b).
The ISA require auditors to assess the design of internal controls for identified risks in terms of their suitability to achieve relevant control objectives (ISA 315 sec. 29, IFAC, 2012b). For each significant risk, the auditor can identify whether control activities existed that mitigated that risk. A risk in the procurement process could be, for example, the processing of fictitious payments which might lead to incorrect postings in financial accounts. A corresponding control would be that no payments were processed without existing invoices, as in the process model representing the critical path shown in Fig. 8. By inspecting the mined process model, the auditor can determine when and by whom control activities were performed and whether the sequence of activities within the critical path supports the control objectives (ISA 315 secs. 13, 20, and 21, IFAC, 2012b). For each identified control, the auditor can decide whether to rely on its operating effectiveness or to follow up on exceptions to identify material weaknesses.

Phase III: Design and execute responses to risks
During the third phase of an audit, the auditor designs and executes responses to the risks of material misstatement identified in the previous audit phases (ISA 330 sec. 6, IFAC, 2009e). The chosen audit procedures can differ in nature, timing and extent. They can include tests of controls or substantive audit procedures. Substantive audit procedures consist of tests of details or substantive analytical procedures. Test of controls are conducted, for example, via observation of control activities when these are carried out, the inspection of source documents such as approved purchase orders, the reperformance of control activities or through the application of analytical procedures (ISA 330 sec. A5, IFAC, 2009e). Tests of details related to account balances, for example, include the inspection of supporting documentation for individual financial transactions. Substantive analytical procedures can include the comparison of accounting information and ratios such as inventory turnover and development of revenues during a reporting period to assess the plausibility of account balances. Based on the understanding of the audited entity, its business processes and internal control system, the auditor decides which type of testing is most suitable to gain sufficient audit evidence.
Other studies have already demonstrated that process mining can support auditors in assessing whether an internal control system was implemented appropriately and if it can be relied on for a specific business process (Chiu and Jans, 2019;Jans et al., 2014). By using these techniques, the auditor can assess whether internal controls were appropriately designed to address relevant control objectives, as well as their operating effectiveness (ISA 330 sec. 8, IFAC, 2009e). Assessing the operating effectiveness of internal controls is necessary to ensure that they were indeed operated appropriately during the complete relevant reporting period.
With process mining, the auditor can inspect those process variants in detail that represent material classes of transactions. The data attributes for each individually recorded event within such a variant can be analysed to identify what was done, by whom and when (ISA 330 sec. 10, IFAC, 2009e). A control exception is indicated if a significant control activity was not executed as expected to a material extent in a process variation.
The operating effectiveness of internal control components which are not embedded in a process as a dedicated control activity can also be assessed. These controls are usually not recorded as separate events in the event log themselves, but they can be assessed by analysing relevant transaction data values which are available as event attributes in the event log for events that have been recorded. An example of such a control is the three-way match, which ensures that the quantities and prices of ordered goods and services are the same as the ones that were received and invoiced. This control activity can be executed manually or implemented into the source system (Chuprunov, 2012). Fig. 10 visualizes the analysis of the three-way match for the audited entity. Based on the analysis of the data created by process mining, this control can be re-performed for all relevant transactions automatically without having to inspect prepared source documents manually or to check the actual implementation of this control in the source system, which would require highly specialized proprietary knowledge. Fig. 10 shows the results from the case company's process mining tool for comparing the prices between ordered and invoiced goods (PO vs. INV) for the audited entity. The diagram in the lower left corner illustrates that the ordered prices were identical to the invoiced prices for 8,284 cases. The expected invoice price was lower than the actual invoice price for 1,805 cases and higher for 480 cases. The diagram in the right lower corner illustrates some of the effects on the financial accounts. The price differences where the ordered prices exceeded the invoiced prices were higher than those where the invoiced prices exceeded the ordered ones. In total, the invoiced prices were $3,017,914 below the prices of the originally ordered goods. Via these types of analysis an auditor can assess the operating effectiveness of internal controls directly, reliably and extremely efficiently. The gained information helps the auditor to evaluate found exceptions quantitatively, identify material weaknesses, assess the control risk and determine the impact on the nature, timing and extent of further audit procedures. The price differences between ordered and invoiced goods, for example, could be the result of missed or realized discounts for early payment depending on the chosen accounting methods by the audited entity. But it remains unclear if the respective control failed or was subject to valid overrides in the given cases. The results from the analysis can be used to guide further substantive audit procedures when the auditor notices deviations from controls (ISA 330 sec. 17, IFAC, 2009e). Outliers and unusual items can also be directly identified. An auditor could, for example, individually inspect those cases where the difference between the invoiced and order prices was above a certain threshold, or the auditor could inspect those process variants where invoices were posted for ordered goods without any corresponding recording of received goods, as can be observed when comparing the alternative control flow path from the activity purchase order modification to activity invoice posting in Fig. 7. Further substantive audit procedures can be guided by directly selecting those cases that exhibit a suspicious pattern, as has already been suggested in other studies (Werner and Gehrke, 2019).
The use of process mining has a profound impact on the testing of the operating effectiveness of internal controls and for the planning of further substantive audit procedures. Manual control tests -which usually rely on the time-consuming inspection of relevant source documents or the inspection of system parameters in the source systems, which requires highly specialized knowledge for each individual source system -are no longer necessary. The totality of business transactions, including metadata, can be analysed (Jans et al., 2013), which shifts the audit from a sampling approach to one that uses novel data analytics to consider all relevant transactions in a smart and automated manner. The process mining tool assists the auditor in assessing the gained information and making decisions on the use of further substantive audit procedures.

Phase IV: Conclude and communicate
The audit concludes with forming and reporting an opinion (ISA 700, IFAC, 2016) based on an evaluation of the conclusions drawn from the obtained audit evidence (ISA 700 sec. 6, IFAC, 2016b). The use of process mining enhances the precision and reliability of audit results by providing quantitative data on the performed audit procedures and their outcomes. Root causes for identified deviations can be analysed by targeted additional substantive audit procedures, which can be integrated into the audit as mitigating actions (ISA 330 sec. 17, IFAC, 2009e). Based on the quantitative data, it is possible to quantify control exception rates and to assess whether these remain within acceptable tolerances (ISA 530 sec. 13, IFAC, 2009h). The number of transactions and the total amount affected by a control exception can be calculated and documented. In combination with the gained process documentation, this serves as evidence to document which risks and internal controls have been considered (ISA 315 sec. 20, IFAC, 2012b), the consequences of identified deviations (ISA 330 sec. 17, IFAC, 2009e) and how a conclusion was drawn (ISA 230 sec. 2, IFAC, 2009b).
As part of the conclusion process, risk assessment can be confirmed or modified if control exceptions were systematic and no sufficient compensating controls were identified (ISA 330 sec. 17, IFAC, 2009e;ISA 315 sec. 20, IFAC, 2012b). The nature of control exceptions, as well as the identified root causes, can be explained and communicated to management and those charged with governance in the audited entity (ISA 330 sec. 12, IFAC, 2009e;ISA 530 sec. 12, IFAC, 2009h).
Process mining can be employed in different phases of an audit, as summarized in Fig. 5 and discussed in detail in the previous subsections, to support the auditor in various ways. The information gained from process mining complements information gathered from traditional data analysis techniques during the different audit phases by establishing the link between business processes, financial accounts and internal controls. It is especially valuable in carrying out tests of controls where other types of support via data analysis techniques are currently lacking.
The review of relevant audit standards did not reveal any requirements which would hinder auditors from applying process mining accordingly. This study focuses on process mining as a specific novel data analysis technique. Contemporary studies show that a rich body of literature exists that discusses aspects of analytical procedures in external audit engagement (Appelbaum et al., 2018). Despite the availability of this scientific knowledge, the acceptance of innovative analytics has been low in auditing practice. Certainly, the availability of data suitable for such analytics is a critical prerequisite. The current extent of data was not available in the past. There are also institutional barriers in the audit profession that impede innovation (Curtis et al., 2016). But the opinions expressed during the focus group meetings which formed part of the field studyas well as feedback received as a result of the IAASB DAWG initiative -indicate that uncertainty about whether novel data analytics and their application comply with contemporary audit regulations is a major concern for decision makers. Audit results are regularly reviewed as part of mandatory peer-reviews or by regulatory authorities. Non-compliance can have extremely detrimental consequences for the responsible audit partners. Although this study only deals with process mining as a particular data analysis technique, it might be fruitful to consider if similar studies related to other innovative data analysis techniques identified by Appelbaum et al. (2018) might reduce uncertainty and foster acceptance in the profession.

Summary
External auditors face new challenges due to the increasing integration of computer technology for the processing of business transactions. Traditional audit procedures become inefficient and ineffective in audit environments that are characterized by a high degree of integration of information systems for transaction processing. Process mining is a novel data analysis technique that can support the auditor in carrying out necessary audit procedures in a manner that overcomes contemporary challenges. With process mining auditors can analyse business processes and relevant internal controls effectively and efficiently. The entirety of recorded business transactions can be analysed and deviations identified automatically to guide further substantive audit procedures. Process and related internal controls can be analysed and assessed in a quantitative manner which makes it possible to determine the impact of control deficiencies on the financial accounts quantitatively. Audit firms have started to react to market demands and have developed proprietary software tools and first solutions to implement process mining into existing audit approaches. Although the potential benefits are significant for the audit profession, little guidance exists related to the question of how process mining techniques can be conceptually embedded into financial statement audits and how this can be done to meet the requirements of contemporary audit standards. This study has discussed how process mining can be embedded throughout the different phases of an audit to support the auditor by considering the requirements formulated in the ISA and using illustrative examples from a field study.
Although process mining is highly relevant as a novel data analysis technique, several limitations should be taken into account. During an audit, only those transactions and internal controls which have been recorded in the source systems can be inspected via process mining. Transactions and control procedures conducted outside of the source system are not covered per se, but can only be assessed indirectly by potentially analysing patterns within the recorded data (Werner and Gehrke, 2019). The algorithms used to discover processes models meet different quality criteria (Rozinat et al., 2008). External auditors generally require algorithms that provide no false negative and as few false positive audit results as possible, otherwise compliance violations might remain undetected or apparent compliance violations might be flagged which did not occur in reality. Most mining algorithms in commercial applications are able to create perfectly fitting process models that prevent false negative audit results, but at the potential cost of high rates of false positives (Baader and Krcmar, 2018). Currently it is unclear how this might affect the usability of process mining in external audit settings on an operational level. Another challenge in process mining is the generation of the event log. The field study on the application of process mining for a procurement process operated in a specific type of ERP system. Building the event log requires specific knowledge of the implementation of the analysed business processes in the source system (Werner, 2017). It remains unclear if the application of process mining can be extended for audit purposes to arbitrary processes and source systems that might span across system and organization boundaries.
This study contributes to the professional and academic discussion of the effects novel data analytics have on statutory financial audits (IFAC, 2016). It relies on a structured review and interpretation of relevant ISA. Results from a field study exemplify how process mining can be conceptually embedded into real audits while satisfying the requirements expressed in the ISA. It therefore demonstrates the feasibility of embodying process mining within financial statement audits.
This study does not measure and compare the outcome of its implementation in actual audits as a comparative study. An interesting aspect in such an investigation would be to assess the outcomes of financial statement audits qualitatively and quantitatively where process mining was used, against those that relied only on traditional audit techniques. This should also consider assessing the availability of source data sets necessary for process mining and how their size compares to source data needed for other data analysis techniques that are currently used in external audits. This consideration might reveal insights to what extent the availability and size of event log data influences the usefulness of process mining in such settings. Providing insights into these questions is planned by conducting a follow-up study that analyses qualitative and quantitative data from the different pilot projects conducted by the case company.