A Field Study on the Use of Process Mining of Event Logs as an Analytical Procedure in Auditing

Practical Implications:

This paper is the first to demonstrate the value added that process mining of event logs can play in auditing. Using real data drawn from the purchasing process of a global bank we show that process mining can detect information that is of relevance to internal auditors that was missed when those same auditors examined the same data using traditional analytical procedures. These results can be attributed to two distinct differences/advantages of process mining over the standard audit procedures used by the internal auditors:

  1. The richness of the event log, which contains input and meta-data as well as a comprehensive set of attributes and its systematic arrangement by time and originator.
  2. The ability to analyze the entire population instead of being forced to use only a sample.

The creation of event logs is a complex procedure that may require the use of consultants, but it is likely that ERP vendors will make this process more automated as process mining becomes a vital tool in operational management. Several large audit firms in Europe are beginning to offer process mining as consulting tool and are experimenting with it in external audit engagements.

For more information on this study, please contact Michael Alles.


Jans, M., M. Alles and M. Vasarhelyi. 2014. A Field Study on the Use of Process Mining of Event Logs as an Analytical Procedure in Auditing. The Accounting Review. 89 (5): 1751-1773.

Purpose of the Study:

In this paper, we demonstrate, using procurement data from a leading global bank, the value added in auditing of a new type of analytical procedure: process mining of event logs. Process mining is the systematic analysis of the data automatically recorded by a modern information technology system, such as the Enterprise Resource Planning systems (ERP) which form the IT infrastructure of most large and medium sized businesses today.

Design/Method/ Approach:

The field study location is a leading European bank which ranks among the top 25 in the world by asset size. It is also subject to provisions of the Sarbanes Oxley act because of its operations in the United States. We focus on the bank’s procurement process because it is a typical, standardized business process in most businesses around the world, and, hence, makes the field study more generalizable. Moreover, procurement represents a large expense item totaling some 1.4 billion Euros in the period covered in this field study. The transactions in the field study consist of all the invoices paid during the month of January 2007, which were then traced back to their accompanying purchase orders. This population data, which consisted of some 31,817 payments, were analyzed using a variety of data mining tools developed by process mining researchers to identify audit relevant information missed by the bank’s own internal auditors.


The bank’s internal auditors did not find any significant ICFR weaknesses with the procurement process, and judged that its SAP™ controls were appropriately set to ensure a strong control environment. By contrast, the process mining analysis identified numerous instances of audit relevant information that warranted follow-up manual investigation by the internal auditors under SAS 56:

  1. Purchase control procedures require Sign and Release for each purchase order, but the process mining analysis detected three PO’s which lacked these activities.
  2. SOD control procedures require Goods Receipt and Release not to be undertaken by the same employee, but the process mining analysis detected 175 violations of this control.
  3. The Process mining analysis detected 265 payments which lacked a matching invoice.
  4. The Process mining analysis detected three PO’s which lacked a Goods Receipt entry in the system, although the Goods Receipt indicator was flagged.
  5. Purchase control procedures require a Sign activity in all cases except when certain exceptional circumstances occur, but the process mining analysis detected 742 occurrences where a Sign activity was lacking even though the conditions for this exception were not met.