ISACA Journal Author Blog


Lessons Learned From Pilot Projects Using Audit-focused Mining

Published: 6/2/2014 8:24 AM | Category: Audit-Assurance
By Martin Schultz, CISA, CIA, Alexander Ruehle, CISA, CIA, and Nick Gehrke, Ph.D., CISA
 
Our recent Journal article discusses the ways auditors can use IT resources to make process audits more efficient. Although not a substitute for human auditors, these automated processes can revolutionize the way audits are executed. We have applied audit-focused mining in several pilot projects for diverse companies. Three major benefits have been experienced by using an audit-focused mining approach for these audit assignments:
  1. The scoping of critical processes and transactions has improved significantly. Based on a list of significant financial statement accounts, the complete as-is processes are automatically derived. As a result of audit-focused mining, no time-consuming walkthroughs are needed, and no discussions are held on which process variants exist and which ones need to be considered for the audit. The automatically generated process models are accepted as a single point of truth, which is the practice of structuring information models so that every data element is only stored once. Although manually documented process models are available, the whole project team relies solely on the automatically generated ones. Furthermore, the internal audit department provides process transparency. This was perceived as value added by the process owner and management.
  2. The fieldwork starts earlier and is more focused. With the process-mining-based approach, a comprehensive overview of the auditee’s processes is easily gained. Accordingly, in the early stages of the pilot projects, the focus (in terms of time and budget) shifts from process-understanding tasks to process-auditing tasks. Process flows that deviate from defined standard processes are immediately identified. With a drill down to related financial documents, suspicious business transactions can be investigated in detail, along with the responsible process owner or involved employees. During the pilot programs, obtaining a sample-based selection of documents was omitted, although it was part of the initial project plan. However, after having the complete process models available, all project members agreed that blind sampling is of less value for the effectiveness of the audit project.
  3. New audit analyses are enabled. With this approach, single financial documents are connected to complete end-to-end business transactions. This integrated view enables new analyses that are of high value for a process audit and were not possible by solely looking at single documents. For instance, during the pilot projects, the segregation-of-duties (SoD) analyses on enacted business transactions in particular revealed several severe audit findings (e.g., invoice and payment posting by the same user along with changes to the bank account of the corresponding vendor). With the help of a standardized SoD matrix, business transactions with the most critical combinations could be easily identified and investigated. The major difference between our findings and those of a common SoD analysis based on granted system access rights is that ours do not just constitute a potential risk of misuse. Instead, in these cases, far too extensive access rights have been exploited. Accordingly, within the pilot projects, these findings were used to set up projects for reworking the access rights management of the enterprise resource planning (ERP) systems.
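The SoD analysis on enacted business transactions from item 3, sketched as an added example (not code from the article or the pilot projects): it flags cases in which one user actually performed a conflicting pair of steps, rather than merely holding the access rights for them. The event-log layout, activity names, users and matrix weights are constructed assumptions, and timestamps are ignored.

```python
from collections import defaultdict
# Constructed sample data (case, vendor, activity, user); all values are assumptions.
EVENTS = [
    ("PO-1001", "V-17", "post_invoice", "alice"),
    ("PO-1001", "V-17", "post_payment", "bob"),
    ("PO-1002", "V-42", "post_invoice", "carol"),
    ("PO-1002", "V-42", "post_payment", "carol"),
    ("PO-1003", "V-99", "post_invoice", "dave"),
    ("PO-1003", "V-99", "post_payment", "dave"),
]
# Vendor master-data changes (vendor, activity, user), joined to cases by vendor id.
VENDOR_CHANGES = [
    ("V-99", "change_bank_account", "dave"),
    ("V-17", "change_bank_account", "erin"),
]
# Hypothetical SoD matrix: conflicting activity pair -> criticality weight.
SOD_MATRIX = {
    frozenset({"post_invoice", "post_payment"}): 2,
    frozenset({"post_invoice", "change_bank_account"}): 3,
    frozenset({"post_payment", "change_bank_account"}): 3,
}

def sod_findings(events, vendor_changes, matrix):
    """Map each case to the conflicts a single user actually enacted in it."""
    acts = defaultdict(lambda: defaultdict(set))  # case -> user -> activities
    case_vendor = {}
    for case, vendor, activity, user in events:
        acts[case][user].add(activity)
        case_vendor[case] = vendor
    for case, vendor in case_vendor.items():
        for ch_vendor, activity, user in vendor_changes:
            if ch_vendor == vendor:
                acts[case][user].add(activity)
    findings = {}
    for case, users in acts.items():
        hits = sorted(
            (user, tuple(sorted(pair)), weight)
            for user, done in users.items()
            for pair, weight in matrix.items()
            if pair <= done  # both conflicting steps were done by the same user
        )
        if hits:
            findings[case] = hits
    return findings

def rank_cases(findings):
    """Order cases by summed criticality weight, most critical first."""
    totals = {case: sum(w for _, _, w in hits) for case, hits in findings.items()}
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
```

On the sample data, PO-1001 produces no finding because three different users performed the three steps, while PO-1003 ranks first because one user posted the invoice, posted the payment and changed the vendor's bank account.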
Against this background, the next step in the development road map is a type of intelligent dragnet investigation, which applies several independent analytics and measures to the end-to-end business transactions and calculates an aggregated risk score for every business transaction. Doing so makes it possible to identify high-risk transactions right at the beginning of an audit, reduce false positives and identify business transactions that put financial statements at risk.

Read Martin Schultz, Alexander Ruehle and Nick Gehrke’s recent Journal article:
“Audit-focused Mining—New Views on Integrating Process Mining and Internal Control,” ISACA Journal, volume 3, 2014
