As a result of the onward march of digitalisation and the associated explosion of data, the auditing industry is undergoing a profound transformation. In line with the Institute of Internal Auditors’ prevailing standards, internal auditors must consider using technology-assisted data analytics to ensure that they fulfil their professional duty of due diligence and base their audit opinions on suitably accurate assessments. The judicious use of cutting-edge technology for process analytics (such as business process mining) can make a significant contribution to more objective, risk-focused, transparent audit reports. This provides a higher level of assurance regarding the effectiveness of a company’s internal control system, risk management and governance processes. Making digitised business processes more transparent provides further assurance that relevant business risks are being identified, and that management and control processes are all working as they should.
Business process mining, an approach that interconnects the fields of process management and data science, is the discipline of reconstructing or analysing business process models based on their digital footprint (event logs). For this purpose, raw data from various IT sources may be used to represent and analyse business processes (such as purchase-to-pay or order-to-cash processes) as they happen in reality, free from subjective interpretation and taking a full, end-to-end perspective. The minimum requirements for this approach are a unique case ID, a start time (time at which the activity started) and a name for the activity (process descriptor). Compared to more traditional, established audit techniques (such as inquiries or workshops), expert use of this discipline can result in more reliable findings based on data-led analysis and fact-driven collaboration with the audited cost centres. Consequently, business process mining may be useful not only at the annual, risk-focused audit planning stage (establishing the scope of the audit), but also while the audit is being performed and finally at the follow-up stage, if applicable. In effect, business process mining is capable of making tangible contributions to the effectiveness of audit programmes, the streamlining of business processes, and the avoidance of business risks. In this sense, this particular field of data analytics represents a major opportunity to transform internal auditing techniques, making it possible for auditors to act as “trusted advisers”.
For businesses working in the information age, data quality – which depends primarily on the demands placed on the data in question – plays a vital role in corporate success. Despite the intensive research into data and information quality management conducted over the last 30 years and more, in the context of business process mining data QA is still a very young, under-researched discipline. This is all the more surprising in view of the fact that missing, incorrect, inaccurate or irrelevant data can drastically compromise audit findings. Experience shows that many of these data-specific issues are associated with timestamps. For example, if the activities listed in an event log relate to two different source IT systems with divergent timestamp logging protocols (minutes vs milliseconds, for example), the emergent process models will not correspond to reality. Thus data quality represents a key criterion for the implementation and successful utilisation of business process mining. It is crucial that users of this technique should be able to access relevant raw data that meets the required quality standard, because any limitations in the application of business process mining have their origins in the quality of the available data. The less data is generated by the source IT systems, the more limited the process identification and analysis will be. So it is hardly surprising that data preparation and processing represent the most significant expense items in a process mining project.
The big question for staff working in, for example, risk management, compliance and internal audit functions is: how best to use the abundance of digitally available business process data to improve the quality of audit findings and ensure that the audit process is even more risk-focused than before? And there is an even more important question to answer: when is an organisation basically “fit enough” to use business process mining? This key question does not just apply to the availability of suitably high-quality data, but also to broader organisational, cultural, technical and even legal considerations (pertaining to data protection, security, ethics, and so on). Our Certified Audit Data Scientist course answers these questions and explains the very latest methods used in data analytics.