doi.org/10.15178/va.2020.150.47-57
RESEARCH

AUDIT 2.0, A PERSPECTIVE FOR ITS EXECUTION IN THE BUSINESS ENVIRONMENT USING PROCESS MINING TECHNIQUES 

AUDITORÍA 2.0, UNA PERSPECTIVA PARA SU EJECUCIÓN EN EL ENTORNO EMPRESARIAL UTILIZANDO TÉCNICAS DE MINERÍA DE PROCESOS

AUDITORIA NÚMERO 2.0, UMA PERSPECTIVA PARA SUA EXECUÇÃO EM UM ENTORNO EMPRESARIAL UTILIZANDO TÉCNICAS DE EXPLORAÇÃO DE DADOS

Isabel González-Flores. Graduated from the University of Informatics Sciences (UCI) in 2010, Master in Support Technologies for Business Decision Making of the Faculty of Industrial Engineering of the CUJAE in 2015. Instructor professor of the subject Methodology of Scientific Research¹
Josué Rivera-Riquenes¹

¹Informatic science University. Cuba

ABSTRACT
Business management needs the development of methods and instruments to establish and improve the performance standards of organizations. An important point is the audit, which allows validating information and business processes. In the Cuban business environment, the execution of audits shows a low level of exploitation of information and communication technologies, which limits the work of the auditors and the follow-up and control actions. The current practices are based on samples, which inevitably provide an incomplete view of the execution of the process, which are usually done manually, consume a lot of time, as well as human and financial resources. The objective of this work is to highlight the benefits of the analysis of the information available in the registers of events of the computer systems, using techniques of Process Mining as a new form of audit. The automation of the audit reduces the corresponding transaction costs, while improving its quality and accuracy, as the case studies analyzed show.

KEYWORDS: audit, process mining, event log, information systems, organizations, business, information technology

RESUMEN
La gestión empresarial necesita del desarrollo de métodos e instrumentos para establecer y mejorar las normas de actuación de las organizaciones. Un punto importante lo constituye la auditoría, que permite validar información y los procesos de negocio. En el entorno empresarial cubano la ejecución de auditorías presenta un bajo nivel de explotación de las tecnologías de la información y las comunicaciones, esto limita el trabajo de los auditores y las acciones de seguimiento y control. Las actuales prácticas se basan en muestras, lo que inevitablemente proporciona una visión incompleta de la ejecución del proceso, generalmente se realizan de forma manual, consumen mucho tiempo, así como recursos humanos y financieros. El objetivo de este trabajo es destacar los beneficios del análisis de la información disponible en los registros de eventos de los sistemas informáticos, utilizando técnicas de Minería de procesos como una nueva forma de auditoría. La automatización de la auditoría reduce los costos de transacción correspondientes, mejorando al mismo tiempo su calidad y precisión, así lo demuestran los casos de estudio analizados. Las organizaciones que asuman esta nueva forma de auditoría para sus procesos de negocio tendrán asegurado un mayor nivel de competitividad frente a sus adversarios en el mercado actual.

PALABRAS CLAVE: auditoría, minería de procesos, registro de eventos, sistemas de información, organizaciones, procesos de negocio, tecnologías de la información

RESUME
A gestão empresarial necessita do desenvolvimento de métodos e instrumentos para estabelecer e melhorar as normas de atuação das organizações. Um ponto importante constitui a auditoria, que permite validar informação e os processos de negócio. No entorno empresarial cubano a execução de auditorias apresenta um baixo nível de exploração das tecnologias da informação e as comunicações, isso limita o trabalho dos auditores e as ações de seguimento e controle. As atuais praticas se baseiam em amostras, o que inevitavelmente proporciona uma visão incompleta da execução do processo, geralmente se realizam de forma manual, consomem muito tempo, assim como recursos humanos e financeiros. O objetivo deste trabalho é destacar os benefícios das análises da informação disponível nos registros de eventos dos sistemas informativos, utilizando técnicas de Extração de processos como uma nova forma de auditoria. A automatização da auditoria reduze os custos de transação correspondentes, melhorando ao mesmo tempo sua qualidade e precisão, assim demonstram os casos de estudo analisados. As organizações que assumam esta nova forma de auditoria para seus processos de negócio terão assegurado um maior nível de competitividade diante de seus adversários no mercado atual.

PALAVRAS CHAVE: auditoria, extração de processos, registros de eventos, sistemas de informação, organizações, processos de negócio, tecnologias da informação

Correspondencia:
Isabel González Flores: Informatic science University. Cuba.
iflores@uci.cu

Josué Rivera Riquenes:. Informatic science University. Cuba.
jrivera@uci.cu

Received: 25/07/2018
Accepted: 19/06/2019
Published: 15/03/2020

How to cite the article:
González Flores, I. & Rivera Riquenes, J. (2020). Audit 2.0, a perspective for its execution in the business environment using process mining techniques. [Auditoría 2.0, una perspectiva para su ejecución en el entorno empresarial utilizando técnicas de minería de procesos]. Vivat Academia. Revista de Comunicación, 150, 47-57.
doi: http://doi.org/10.15178/va.2020.150.47-57
Recovered from http://www.vivatacademia.net/index.php/vivat/article/view/1129

1. INTRODUCTION

The current context, characterized by business competitiveness, globalization and accelerated scientific and technological changes, business management needs the development of methods and instruments to establish and improve the performance standards of organizations. In ( Yzquierdo Herrera, 2013) it is reflected that one of the main priorities of organizations is related to the improvement of their processes supported by the use of information and communication technologies, they usually have a tendency to focus on process implementation and modeling, but in many cases it happens that they have little knowledge about their own processes.
The development of the audit directly affects the effectiveness of the organization’s management system and its improvement. Its integration in different dimensions (documentation, processes and human resources) comes together in an Integrated Management System (Karapetrovi et al., 2010). In the literature there is a group of investigations associated with the development of audit procedures, methodologies or guides with varied objectives, including logistic auditing, human resources auditing, information auditing, among others; in some cases associated with theoretical models, among which those proposed by (Delgado Pérez, 2002) (Sotolongo Sánchez, 2005 ) (Goñi Camejo, 2008) and (Acosta Palmer and Troncoso Fleitas, 2011) are highlighted.
The proposals mentioned limit, from a methodological perspective, the availability of tools that guide auditors in the application of the quality approach, on which there is no evidence associated with efficacy indicators that express quantitatively their status as a function to ensure compliance with the objectives. In spite of the recognition of the contributions of the previous investigations, in audit management, there are insufficiencies related to the low level of exploitation of the information and communication technologies, expressed in the absence of information systems that implement the models and existing procedures and integrate tools for the execution of this process with the required quality (Escobar Rivera et al., 2016).
Auditors validate information about organizations and their business processes. Traditionally, an audit can only provide a reasonable guarantee that business processes are executed within established limits (Van der Aalst et al., 2010). Major corporate and accounting scandals including those affecting Enron, Tyco, Adelphia, Peregrine and WorldCom have boosted interest in more rigorous auditing practices (Van der Aalst, 2016).
In the Cuban business environment, the execution of audits has a low level of exploitation of information and communication technologies, this limits the work of auditors and the monitoring and control actions. Current practices are based on interviews with people in the organization and samples, which inevitably provides an incomplete view of the process execution. They are usually carried out manually and consume much time as well as human and financial resources. These deficiencies not only occur in the Cuban environment, they are also mentioned in (Sayana SA, 2003) (Gallegos and Carlin, 2007) (Stocker T and Müller, 2013) (Werner, 2016). In addition, audits to computerized processes should be audited by tools of the same type and not manually.

2. OBJECTIVES

The objective of this work is to highlight the benefits of the analysis of the information available in the event records of computer systems, using process mining techniques as a new form of audit.

3. METHODOLOGY

Information about business processes is constantly recorded, by information systems, but it is information that is generally rarely used (Yzquierdo Herrera, 2013). Data science is the profession of the future, because organizations that cannot use data intelligently will not survive. Event logs are available in the information systems in which business processes are identified, known in the literature by the acronym PAIS (Process Aware Information Systems), such as the systems workflow, BPMS, ERP - Enterprise Resource Planning, CRM, among others.
Process Mining is a discipline that aims to discover, monitor and improve processes through the extraction of knowledge from the event log of information systems (Van der Aalst, Process Mining. Discovery, Conformance and Enhancement of Business Processes, 2011) (Yzquierdo Herrera, 2013). It can be applied to any type of operational processes, its positive contributions to be applied in the execution of audits are discussed in (Jans et al., 2014) (Van der Aalst et al., 2010) (Werner and Gehrke, 2015) (Jans, Alles, & MA, 2014) (Werner, 2016).
Traditional modeling of business processes that are implemented by computer systems represents what must be done and is subject to errors due to the presence of the human factor. In contrast, Process Mining shows what really happens, so you can analyze the functioning of an organization’s processes, based on the events that have already occurred and are stored in the event logs. Figure 1 shows the types of process mining (Van der Aalst et al., 2010),

•    Discovery: Process Mining techniques can extract, from the information contained in the event records, the most frequent patterns and show them in the models that describe the processes handled (Van der Aalst and Van Dongen, 2002) (de Medeiros et al., 2004) (Van der Aalst and Weijters T, 2004). With the generated model, which we will call the theoretical model, the auditor can have an unbiased view of what has really happened. Among the main algorithms for the discovery are: Fuzzy Miner (Günther and Van der Aalst, 2007), Alpha Miner (Van der Aalst, 2011), Heuristic Miner (Weijters and Ribeiro, 2011) and Genetic Miner (de Medeiros et al., 2007).
•    Verification of conformity: An auditor can use the theoretical model of the process to check if the reality (according to the information in the event log) is in accordance with the model and vice versa, which is very useful to detect deviations, locate them, explain them and measure their severity
•    Improvement: Also known as extension, it makes it possible to extend the theoretical model of the company’s processes, based on the consideration of the information contained in the event log to enrich the model.

Main tools for process mining:

•    ProM: being an open-source and freely distributed tool, it has been used for process mining. It allows the discovery process, conformity checking, social network analysis, organizational mining, decision mining (Van der Aalst, 2011) (Process Mining Group, 2010). It is not focused on usability, so it requires users with experience in Process Mining.
•    Disc: considered to be the most commonly used privative tool for process mining. Developed by Fluxicon in 2009 (Laboratories Fluxicon Process, 2017), the free license for academic purposes has limitations for its use. It is compatible with ProM 5.0 and 6.0 versions.

The remaining tools studied are commercial: QPR Process Analyzer (QPR Software Oyj, 2017), ARIS Process Performance Manager (Fischer, 2008), see others in (Van der Aalst et al., 2011).

4. RESULTS

Below are case studies in which process mining has been used for the execution of audits.
•    In (Yzquierdo Herrera, 2013) a case study developed in Cuba for the Single National Identification System (identity card) is presented. Case study modeling the process of managing the roles of the solution, it contains 31 cases, 804 events. A representative model of the process was obtained by applying the Alpha ++ algorithm. The technique called Advanced Dotted Chart Analysis, implemented as part of the ProM tool, is used to perform a visual diagnosis of the analyzed process. As a result, it was determined that the task that failed more often was Condition Operation, which was executed 31 times and failed 38.7% of the time. 60 failure events were identified, so the failures associated with the Condition Operation task represent 20% of failures.
•    In (Jans et al., 2014) a case study of the banking sector is presented in which 26185 instances of the process were used, related to the payments arranged by 272 workers of a European bank. The Fuzzy Miner discovery algorithm and social network analysis techniques are applied, which made it possible to identify payments made without prior authorization and violations of the company’s internal procedures. These anomalies were not detected by conventional auditing procedures performed by internal auditors on the same data.
•    In (Jans et al., 2012) there was access to data that had been audited by the internal auditors of a company, thus providing a benchmark to assess the incremental contribution of Process Mining by uncovering relevant audit information not previously detected. by the audit procedures standard. After the application of process mining, internal control failures are discovered that the company’s internal auditors themselves could not detect. Relevant audit transactions were identified that justified a deeper investigation by the internal auditors: three purchase orders that went through the acquisition process without any signal or release, in violation of the control procedures, 175 violations of the principle of separation of functions that requires the entry and exit of merchandise, 265 payments that do not have the respective invoice.
•    In (De Weerdt et al., 2013) a case study of the financial sector is presented, specifically referring to a Belgian insurance company. For the analysis of the flow control of the insurance documents that were managed, an analysis of 34,769 cases involving 15 real business activities, corresponding to a period of six months, was carried out. With the Heuristics Miner algorithm, the process was visualized, which indicates a strong freedom of behavior allowed by the existing information system. Document classification errors and inefficiencies in the frequent transfer of documents were identified.
•    In (Van der Aalst et al., 2007) the application of the mining process in one of the provincial offices of the Department of National Public Works of Holland, responsible for the construction and maintenance of the road and water infrastructure is described. The analysis of the processing of invoices sent by the various subcontractors and suppliers, with the help of Process Mining, made it possible to identify unwanted work cycles that have a great impact on the process performance. In this regard, the roles and bad practices that strongly affect the performance of the process in terms of time were identified.
•    In (Ramírez Pérez, 2016) a model is presented for the selection of surgical work teams in health information systems applying organizational intelligence techniques and process mining. Studies show that in hospitals it was not possible to effectively select surgical teams, because the information obtained in the patient care process is not properly managed, interaction between people is not analyzed based on the existing data and analysis are not enhanced to improve the selection of work teams and the quality of surgical operations. The results of the research project were carried out at the Dr. Gustavo Aldereguía Lima Hospital in Cienfuegos and, subsequently, it was validated in eight hospitals in four provinces of the country, selected out of their representativeness in the National Health System. The application of organizational intelligence techniques and process mining made it possible to show a decrease in the occurrence of unsatisfactory surgical operations and a decrease, up to three hours, in the time taken to perform such procedures. An economic analysis of the savings that would imply the application of the model shows that only for an operation with surgical procedure: acute ischemic stroke, the cost would be reduced from $ 9674 to $ 5608.

Since 2010 in (Van der Aalst et al., 2010) it is suggested that, with the detailed information of the processes, increasingly available in the records of high quality events, auditors no longer have to rely on a small set of samples. Instead, using process mining techniques, they can evaluate all events in a business process and do so while they are still running. The omnipresence of electronically registered business events together with Process Mining technology allows a new form of audit that will drastically change the role of auditors: Audit 2.0.

5. DISCUSSION

From the case studies presented, it is evident that Process Mining is a new discipline that can be applied for the development of audits. The detection of irregular behaviors in business processes allows managers to take organizational measures to make improvements in processes. In (Yzquierdo Herrera, 2013) it is affirmed that Process Mining allows an analytical study based on pertinent information, in fact, because, with the abundance of information, today this is not a utopia, it is a reality. According to the expertise of the authors of the aforementioned case studies, so that the analysis is relevant:

•    The activities carried out outside the information systems cannot be analyzed.
•    The quality of the extracted data is directly proportional to the result of the analysis, and its reliability, completeness and validity must be guaranteed.
•    The information systems do not record the event data or use the same data storage structures in a homogeneous manner, so the joint work of the Process Mining analyst and the relevant specialists of the organization is crucial for the extraction of the event log.
•    In the analysis of the results, the workers of the organization that master the business must participate, in order to have a correct vision of each context.
•    The selection of the techniques and algorithms for the analysis with Process Mining must be associated with the objectives of the project and the questions to be resolved (Aguirre Mayorga and Rincón García, 2015).

Process Mining techniques offer a means for more rigorous verification of compliance and determine the validity and reliability of information about the fundamental processes of an organization (Van der Aalst, 2016). Its potential has been modestly used in the Cuban environment for the execution of audits. This may be because there is not enough culture in its use or in the development of information systems that identify the business processes. In addition, it is important to mention that the main bibliographical references on this subject are in English.

REFERENCES

1. Acosta Palmer H, Troncoso Fleitas M. (2011). Auditoría integral de mantenimiento en instalaciones hospitalarias, un análisis objetivo. Ingeniería Mecánica, 14(2), 107-118.
   
2. Aguirre Mayorga H, Rincón García N. (2015). Minería de procesos: desarrollo, aplicaciones y factores críticos. Cuadernos de Administración, 28(50), 137-157.
   
3. de Medeiros A, Weijters AJ, Van der Aalst W. (2007). Genetic process mining: an experimental evaluation. Data Mining and Knowledge Discovery, 14(2), 245-304. doi: https://doi.org/10.1007/s10618-006-0061-7
   
4. De Medeiros A, Dongen VB, Van der Aalst W, Weijters A. (2004). Process mining: extending the alpha-algorithm to mine short loops. Technische Universiteit Eindhoven.
   
5. De Weerdt J, Schupp A, Vanderloock A, Baesens B. (2013). Process Mining for the multi-faceted analysis of business processes - A case study in a financial services organization. Computers in Industry, 64(1), 57-67.
   
6. Delgado Pérez E. (2002). Metodología para la realización del diagnóstico de la Gestión de los Recursos Humanos en empresas en Perfeccionamiento Empresarial. (Tesis inédita de maestría). Universidad de Holguín: Oscar Lucero Moya, Holguín, Cuba.
   
7. Escobar Rivera D., Moreno Pino M, Cuevas Rodríguez L. (2016). La calidad de la auditoría en Sistemas de Gestión. Software AUDIT_INTEGRATED. Ciencias Holguín, 22(2), 77-93.
   
8. Fischer M. (2008). ARIS Process Performance Manager. 14th GI/ITG Conference-Measurement, Modelling and Evalutation of Computer and Communication Systems, 1-3.
   
9. Gallegos F, Carlin A. (2007). IT Audit: A Critical Business Process. Computer, 40(7), 87-9.
   
10. Goñi Camejo I. (2008). El qué y el cómo del diagnóstico del sistema de información gerencial. ACIMED, 17(5), 1-19.
    
11. Günther C, Van der Aalst W. (2007). Fuzzy Mining – Adaptive Process Simplification Based on Multi-perspective Metrics. Business Process Management, 328-343. Recuperado de: https://link.springer.com/chapter/10.1007/978-3-540-75183-0_24
    
12. Jans AM, MA, V. (2014). A Field Study on the Use of Process Mining of Event Logs as an Analytical Procedure in Auditing. Accounting Review, 89(5), 1751-1773.
    
13. Jans M, Alles M, Vasarhelyi M. (2012). Process mining of event logs in internal auditing: a case study. Recuperado de https://uhdspace.uhasselt.be/dspace/handle/1942/14227
    
14. Jans M, Alles M, Vasarhelyi M. (2014). A Field Study on the Use of Process Mining of Event Logs as an Analytical Procedure in Auditing. Accounting Review, 89(5), 1751-1773.
    
15. Karapetrovi S, Casadesus M, Heras I. (2010). Empirical analysis of integration within the standards-based integrated management systems. Int J Qual Res, 4(1), 25-35.
    
16. Laboratories Fluxicon Process. (2017). Process Mining and Automated Process Discovery Software for Professionals - Fluxicon Disco. Recuperado de: https://fluxicon.com/disco/
    
17. Process Mining Group, ET. (2010). ProM 6 tutorial. Recuperado de: http://www.promtools.org/doku.php?id=tutorial:start
    
18. QPR Software Oyj. (2017). QPR ProcessAnalyzer. Recuperado de: https://www.qpr.com/node/4
    
19. Ramírez Pérez J. (2016). Modelo para la selección de equipos de trabajo quirúrgico en sistemas de información en salud aplicando técnicas de inteligencia organizacional. (Tesis inédita de doctorado). Universidad de las Ciencias Informáticas, La Habana, Cuba.
    
20. Sayana SA. (2003). Using CAATs to Support IS Audit. Inf Syst Control J. Recuperado de http://csbweb01.uncw.edu/people/IvancevichD/classes/MSA%20516/Extra%20Readings%20on%20Topics/CAATS/Supplemental%20Reading%20Week%208/Using%20CAATTS%20to%20Support%20IT%20Audit.pdf
21. Sotolongo Sánchez M. (2005). Procedimiento para la auditoria interna del Sistema de Gestión de Recursos Humanos en instalaciones turísticas hoteleras cubanas. Aplicación en pequeñas y medianas instalaciones turísticas hoteleras. (Tesis inédita de doctorado). Universidad Marta Abreu de Las Villas, Santa Clara, Villa Clara, Cuba.
    
22. Stocker TR, Müller G. (2013). On the Exploitation of Process Mining for Security Audits: The Process Discovery Case. Proceedings of the 28th Annual ACM Symposium on Applied Computing (pp. 1462-1468). Recuperado de http://doi.acm.org/10.1145/2480362.2480634
    
23. Van der Aalst W. (2011). Do Petri Nets Provide the Right Representational Bias for Process Mining? ART@ Petri Nets (pp. 85-94). Newcastle upon Tyne, UK: J. Desel & A. Yakovlev.
    
24. Van der Aalst W. (2011). Process Mining. Discovery, Conformance and Enhancement of Business Processes (pp. 85-94). Springer-Verlag Berlin Heidelberg.
    
25. Van der Aalst W. (2016). Process Mining: Data Science in Action (477). Springer.
    
26. Van der Aalst W, Van Dongen B. (2002). Discovering Workflow Performance Models from Timed Logs. Recuperado de http://link.springer.com/chapter/10.1007/3-540-45785-2_4
    
27. Van der Aalst W, Van Dongen B. (2002). Discovering Workflow Performance Models from Timed Logs. Engineering and Deployment of Cooperative Information Systems (pp. 45-63). Recuperado de http://link.springer.com/chapter/10.1007/3-540-45785-2_4
    
28. Van der Aalst W, Weijters T. (2004). Workflow mining: discovering process models from event logs. IEEE Trans Knowl Data Eng, 16(9), 1128-1142.
    
29. Van der Aalst W, Adriansyah A, de Medeiros A, Arcieri F, Baier T, Blickle T. (2011). Process Mining Manifesto. Business Process Management Workshops, 169-194. Recuperado de https://link.springer.com/chapter/10.1007/978-3-642-28108-2_19
    
30. Van der Aalst W, Reijers H, Weijters A, Van Dongen B, de Medeiros AS, et al. (2007). Business process mining: An industrial application. Information Systems, 32(5), 713-732. doi: http://doi.acm.org/10.1016/j.is.2006.05.003
    
31. Van der Aalst W, Van Hee K, Van Werf J, Verdonk M. (2010). Auditing 2.0: Using Process Mining to Support Tomorrow’s Auditor. Computer, 43(3), 90-93.
    
32. Weijters A, Ribeiro J. (2011). Flexible Heuristics Miner (FHM). IEEE Symposium on Computational Intelligence and Data Mining (CIDM), 310.
    
33. Werner M. (2016). Process Model Representation Layers for Financial Audits. 49th Hawaii International Conference on System Sciences (HICSS) (pp. 5338-5347). USA.
    
34. Werner M, Gehrke N. (2015). Multilevel Process Mining for Financial Audits. IEEE Trans Serv Comput, 8(6), 820-832.
    
35. Yzquierdo Herrera R. (2013). Minería de proceso como herramienta para la auditoria. Ciencias de la Información, 44(2), 25-32.

AUTHORS:
Isabel González Flores: Graduated from the University of Informatics Sciences (UCI) in 2010, Master in Support Technologies for Business Decision Making of the Faculty of Industrial Engineering of the CUJAE in 2015. Instructor professor of the subject Methodology of Scientific Research. 6 years of experience as a software analyst of the Computerization Project for the Management of Cuban Popular Courts. Member of the UCI process mining research group. Research lines: Legal informatics, Process mining, Support Technologies for Business Decision Making. He has tutored 6 undergraduate diploma jobs.
iflores@uci.cu
ResearchGate: https://www.researchgate.net/profile/Isabel_Gonzalez_Flores

Joshua Rivera Riquenes: Graduated from the University of Computer Science (UCI) in 2013, an instructor professor in the Computer Graphics subject. Microsoft Technology Associate (MTA) Certificate for Database Administration Fundamentals. 5 years of experience as a software developer of the Computerization Project for the Management of Cuban Popular Courts. Member of the Legal Informatics research group and the UCI process Mining research group. The main lines of research related to the use of ICTs are: Legal informatics, Process mining and development with Arduino technologies. He has been tutor of 1 undergraduate diploma work.
jrivera@uci.cu
Research Gate: https://www.researchgate.net/profile/Josue_Rivera_Riquenes