This document discusses using process mining to audit the cash-to-cash cycle. Process mining takes event logs as input to generate a process flow chart that can be used to automatically assess processes and internal controls. The approach outlined strategically positions process mining by evaluating the completeness of system loggings against the cash-to-cash cycle. Mapping the cycle against existing logs identifies gaps where additional logging or controls are needed to fully enable process mining for audit.
Top Cycle Mining
1. SIKS Master Class on Smart Auditing
March 21, 2012, Vught
Top Cycle Mining
Philip Elsas, ComputationalAuditing.com
Hans Blokdijk, Limperg Institute
Robert Nehmer, Oakland University
2. Introduction
• Process mining is a technique that takes
business event logs as input and generates
a smart flow chart as output
• The business case for process mining:
– Automatically generated flow chart
– Flow chart is not documentation-only
3. Process Mining
• References
– Aalst, W. van der (2011). Process Mining:
Discovery, Conformance and Enhancement of
Business Processes. Springer Verlag, Berlin
(ISBN 978-3-642-19344-6).
– Jans, M., van der Werf, J.M., Lybaert, N.,
Vanhoof, K. (2011) A business process mining
application for internal transaction fraud
mitigation, Expert Systems with Applications,
38 (10), 13351-13359
– http://www.processmining.org/
4. Our Approach
• Our approach is to strategically position
process mining for the cash-to-cash top cycle
by assessing and assuring completeness of
loggings
• The cash-to-cash cycle is central in the
integrated owner-ordered and
management-ordered audit approach
– To Be modality ('Soll')
– As Is modality ('Ist')
5. • Owner-ordered auditing addresses understatement of profits:
whether revenues are understated and expenses are overstated
As an owner you want assurance that management, to whom you
entrusted your money, is not making profits while keeping
parts of it unstated, since profits are the basis of your
dividends and stock quotation
• Management-ordered auditing addresses
overstatement of profits
As management you want to attract investment capital by
increasing your credibility that the profits you state are all
real, not overstated, and so you hire the independent auditor to
provide this assurance
• Management's illegitimate interest (overstating or
understating profits) determines the direction of the audit
from a market-driven value-adding perspective
6. Owner-ordered audit: to check management
to increase credibility that
profits aren't understated
Management-ordered audit:
to attract new investors
to increase credibility that
profits aren't overstated
[Diagram: Owners, Management and Potential Owners, with the flows "Money-inflow for management: maximize equity" and "Money-inflow for owners: long-term ROI"]
7. • In the owner-ordered audit tradition the auditor
determines completeness of profits using the
cash-to-cash top cycle
• Quantitative:
enterprise-level spanning reconciliation checks
(also known as: comprehensive coherence tests):
central norm connecting:
- ‘buy side’ and ‘sell side’ transaction volumes
- generated ‘gross profit’ margins
• Qualitative: enterprise-level segregation of duties:
non-identical and preferably opposite interests in
top cycle logging locations
9. Top cycle represented as a smart flow chart:
transaction, or flow, as a box with adjacent arrows (active),
state or stock as a circle (passive)
10. Top cycle represented as matrices with
quantitative aspects (prices & volumes) and
qualitative aspects (authorizations by
agents/departments: S,B,F,D,C,W)
11. Top cycle represented as a set of equations with the primary
audit direction per equation parameter in an owner-ordered audit:
overstatement (overlining in dark orange color) or
understatement (underlining in light orange color)
13. Economic substance of the business
can be represented by a
‘Web of equations’
which inevitably includes:
‘stocks’ and ‘flows’ outside of
the basic cash-to-cash top cycle,
such as transactions regarding:
- fixed assets;
- financing;
- general expenses.
14. The complete ‘web of equations’ is indispensable
to compose an ‘audit plan’,
for all the ‘stocks’ and ‘flows’.
Main question:
Should a particular ‘stock’ or ‘flow’ be tested
- for: overstatement,
- or: understatement?
Requires different auditing techniques.
15. The analysis in owner-ordered auditing starts with:
testing sales for understatement
Equation:
Inv[B] + Pur – Inv[E] → Sales
But then, testing Sales for understatement means:
testing Inv[E] for overstatement!
16. The analysis should be pursued for all equations,
and there is no need to audit any item, in either
B/S or P&L, for both under- and overstatement.
The general result is:
test all debits for overstatements (assets in
the B/S and expenditures in the P&L),
and
test all credits for understatements (liabilities in
the B/S and revenues in the P&L).
17. The International Standards on Auditing (ISAs)
do not specify audit plans.
However, they require that all items in the accounts
are tested both for over- and understatements.
But this does not generally require two different
tests on an item:
if a debit is tested for overstatement, the
corresponding credit is implicitly tested for
overstatement as well!
Double-entry bookkeeping.
18. One specific challenge in every audit:
Equation: Inv[B] + Pur – Inv[E] → Sales
is right in terms of quantities (of goods or services),
not in terms of money, like all the other equations!
The difference: ‘Gross Profit’,
which is to be audited for understatement.
Main challenge to be solved in every audit.
19. Mapping out the cash-to-cash top cycle enables
the auditor to perform:
‘comprehensive coherence testing’ (CCT)
extensively described in
‘Reflections on Auditing Theory’, chapter 3
(Kluwer Bedrijfswetenschappen,
Limperg Instituut, 1995).
20. But: CCT does not discover ‘shop in the shop’:
Entire cycle of purchases, sales, payments and
receipts fraudulently omitted from the accounting
records.
To be prevented by segregation of duties.
Mapping out the top cycle enables the evaluation
of internal controls.
21. System Logging in Our
Approach
• Information System (IS) server software is
developed with built in logging capabilities
and default log levels
• Log levels specify the amount of details
logged
• The IS function uses logs to help control
day-to-day operations and maintenance
• Auditors can mine existing logs for audit
evidence in our approach
22. Benefits of the approach
• Uses existing logs as a baseline
• Allows a critique of existing controls when
combined with the top cycle approach
• IS personnel are already familiar with
logging and require little or no additional
training
23. Example: Database server logging
• Access logging
– Logs data about connections to a database server:
time stamp, duration, user ID, table accessed, etc.
This data can be used to test separation of duties
and appropriate access from the audit perspective.
• Write-ahead logging
– Logs transaction details for transactions still in
volatile areas of the system. Used to recover data in
case of system failure but can be mined for
transaction details. This data can include purchase
cost, direct labor, and overhead details.
28. Assessment Part 1
Absent logged measures can be corrected in one
of two ways:
1) Increase logging levels and have the
built in logging capture the measures
2) Write a custom system to capture the
measures
• In either case, costs are determinable and
comparable with the value of the missing
measures
29. Assessment Part 2
• Problems in the qualitative design of the system
of segregation of duties would be discovered
by setting expectations for access to the
database and for the occurrence of the necessary
transactions.
• The logs can be checked to make sure these
access points exist and are being routinely
used.
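The check described in Assessment Part 2, run over access-log records of the kind listed on the database server logging slide, as an added example that is not from the original slides. The department names, user IDs, conflicting table pairs and log records are constructed assumptions standing in for an organization's own expectation ('Soll') model.

```python
from collections import defaultdict

# Assumed "Soll" model: the department expected to write each top-cycle table.
AUTHORIZED = {"purchases": "buying", "payments": "cash", "sales": "selling",
              "receipts": "cash", "inventory": "warehouse"}
USER_DEPT = {"ann": "buying", "bob": "cash", "cy": "selling", "dee": "warehouse"}
# Assumed pairs of tables that one person should never both write.
CONFLICTS = [("purchases", "payments"), ("sales", "receipts"), ("sales", "inventory")]
WRITE_OPS = {"INSERT", "UPDATE", "DELETE"}

# Constructed access-log records: (time stamp, user ID, table accessed, operation).
ACCESS_LOG = [
    ("2012-03-01T09:02", "ann", "purchases", "INSERT"),
    ("2012-03-01T09:40", "bob", "payments", "INSERT"),
    ("2012-03-01T10:15", "cy", "sales", "INSERT"),
    ("2012-03-01T10:16", "cy", "inventory", "UPDATE"),
    ("2012-03-01T11:30", "ann", "payments", "INSERT"),
    ("2012-03-01T12:00", "dee", "sales", "SELECT"),
]

def audit_access_log(log):
    """Compare logged writes ('Ist') with the expected access model ('Soll')."""
    writes = defaultdict(set)   # user -> tables that user wrote to
    used_as_expected = set()    # tables written by their authorized department
    unauthorized = []
    for ts, user, table, op in log:
        if op not in WRITE_OPS:
            continue            # reads do not change stocks or flows
        writes[user].add(table)
        dept = USER_DEPT.get(user)
        if dept is None or dept != AUTHORIZED.get(table):
            unauthorized.append((ts, user, table))
        else:
            used_as_expected.add(table)
    # One user writing both sides of a conflicting pair breaks segregation of duties.
    conflicts = sorted((u, a, b) for u, tables in writes.items()
                       for a, b in CONFLICTS if a in tables and b in tables)
    # Expected access points with no authorized write in the log: the access
    # point is either missing or not routinely used.
    unused = sorted(set(AUTHORIZED) - used_as_expected)
    return {"unauthorized": unauthorized, "conflicts": conflicts, "unused": unused}

if __name__ == "__main__":
    for finding, items in audit_access_log(ACCESS_LOG).items():
        print(finding, items)
```
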
32. Concluding remarks
• Based on existing logs in appropriate segregation of
duties, an organization may already be very close to
boosting audit power by process mining
• Additionally required logging detail or additional
segregation of duties is systematically identified
using the cash-to-cash top cycle from the proven
owner-ordered audit tradition