Process Mining of Event Logs: A Case Study Evaluating Internal Control Effectiveness

Abstract

Unlike traditional audit techniques, process mining of event logs provides a new aspect for auditing by tracking and capturing every single routing in the dataset. This paper aims at adopting process mining to evaluate the effectiveness of internal control using a real-life event log from a large European bank. Specifically, the evaluation is based on the full population of event logs and contains four analyses: (1) variant analysis that identifies acceptable and notable variants, (2) segregation of duty analysis that examines process instances and employees that violate segregation of duty controls, (3) personnel analysis that investigates employees who are involved in multiple potential control violations, and (4) timestamp analysis that detects time related issues such as the ones performed during the weekends and process instances that have lengthy process duration. The results from the case study indicate that process mining could assist auditors in identifying audit-relevant issues such as notable variants, activities performed during the weekends and personnel violating segregation of duty controls or involved in multiple violations..., etc. By examining the entire population of event logs, process mining enables auditors to detect potential risks, ineffective internal controls, and inefficient processes. Therefore, process mining of event logs generates a new type of audit evidence and could potentially revolutionize the traditional audit procedure.