Does Process Mining Add to Internal Auditing? An Experience Report
In this paper we report on our experiences of applying business process mining in a real business context. The context for the application is using process mining for the purpose of internal auditing of a procurement cycle in a large multinational financial institution. One of the targeted outcomes of an internal audit is often the reporting on internal controls over financial reporting (ICFR), since this reporting is mandatory for Sarbanes-Oxley regulated organisations. Our process mining analyses resulted in more identified issues concerning ICFR than the traditional auditing approach. Issues that were identified using process mining analysis concerned violations of the segregation of duties principle, payments without approval, and violations of company specific internal procedures.
Keywordsprocess mining internal audit control monitoring
Unable to display preview. Download preview PDF.
- 1.Masli, A., Peters, G.F., Richardson, V.J., Sanchez, J.M.: Examining the potential benefits of internal control monitoring technology. Accounting Review 85(3), 1001–1034Google Scholar
- 2.van der Aalst, W.: Business process management center (2011), http://bpmcenter.org/
- 3.van der Aalst, W.M.P., Reijers, H.A., Weijters, A.J.M.M., van Dongen, B.F., Alves de Medeiros, A.K., Song, M., Verbeek, H.M.W.: Business process mining: An industrial application. Information Systems 32(5), 713–732Google Scholar
- 4.van der Aalst, W., Weijters, T., Maruster, L.: Workflow mining: Discovering process models from event logs. IEEE Transactions on Knowledge and Data Engineering 16(9), 1128–1142Google Scholar
- 6.Kopp, L.S., O’Donnell, E.: The influence of a business-process focus on category knowledge and internal control evaluation. Accounting Organizations and Society 30(5), 423–434Google Scholar
- 7.Bierstaker, J.L., Hunton, J.E., Thibodeau, J.C.: Do client-prepared internal control documentation and business process flowcharts help or hinder an auditor’s ability to identify missing controls? Auditing: A Journal of Practice and Theory 28(1), 79–94Google Scholar