Top Cycle Mining: Philip Elsas, ComputationalAuditing.com; Hans Blokdijk, Limperg Institute; Robert Nehmer, Oakland University. SIKS Master Class on Smart Auditing, March 21, 2012, Vught


Process mining for top cycle based auditing.


Page 1: Top Cycle Mining

Top Cycle Mining

Philip Elsas, ComputationalAuditing.com

Hans Blokdijk, Limperg Institute

Robert Nehmer, Oakland University

SIKS Master Class on Smart Auditing

March 21, 2012, Vught


Page 2: Top Cycle Mining

Introduction

• Process mining is a technique that takes business event logs as input and generates a smart flow chart as output

• The business case for process mining:
– Automatically generated flow chart
– Flow chart is not documentation-only

Page 3: Top Cycle Mining

Process Mining

• References

– Aalst, W. van der (2011). Process Mining: Discovery, Conformance and Enhancement of Business Processes. Springer Verlag, Berlin (ISBN 978-3-642-19344-6).

– Jans, M., van der Werf, J.M., Lybaert, N., Vanhoof, K. (2011). A business process mining application for internal transaction fraud mitigation. Expert Systems with Applications, 38 (10), 13351-13359.

– http://www.processmining.org/

Page 4: Top Cycle Mining

Our Approach

• Our approach is to strategically position process mining for the cash-to-cash top cycle by assessing and assuring completeness of loggings

• The cash-to-cash cycle is central in the integrated owner-ordered and management-ordered audit approach
– To Be modality ('Soll')
– As Is modality ('Ist')

Page 5: Top Cycle Mining

• Owner-ordered auditing addresses understatement of profits: whether revenues are understated and expenses are overstated. As an owner you want assurance that management, to whom you entrusted your money, is not making profits while keeping parts of them unstated, since profits are the basis of your dividends and stock quotation

• Management-ordered auditing addresses overstatement of profits. As management you want to attract investment capital by increasing your credibility that the profits you state are all real, not overstated, and so you hire the independent auditor to provide this assurance

• Management's illegitimate interest (overstating or understating profits) determines the direction of the audit from a market-driven value-adding perspective

Page 6: Top Cycle Mining

Figure (diagram labels, in extraction order): Owners; Management; Potential Owners; Owner-ordered audit: to check management; Management-ordered audit: to attract new investors; to increase credibility that profits aren't overstated; to increase credibility that profits aren't understated; Money-inflow for management; maximize equity; Money-inflow for owners; long-term ROI

Page 7: Top Cycle Mining

• In the owner-ordered audit tradition the auditor determines completeness of profits using the cash-to-cash top cycle

• Quantitative: enterprise-level spanning reconciliation checks (also known as: comprehensive coherence tests): central norm connecting:
– ‘buy side’ and ‘sell side’ transaction volumes
– generated ‘gross profit’ margins

• Qualitative: enterprise-level segregation of duties: non-identical and preferably opposite interests in top cycle logging locations

Page 8: Top Cycle Mining

Cash-to-cash top cycle


Page 9: Top Cycle Mining

Top cycle represented as a smart flow chart: transaction, or flow, as a box with adjacent arrows (active); state, or stock, as a circle (passive)

Page 10: Top Cycle Mining

Top cycle represented as matrices with quantitative aspects (prices & volumes) and qualitative aspects (authorizations by agents/departments: S,B,F,D,C,W)

Page 11: Top Cycle Mining

Top cycle represented as a set of equations with the primary audit direction per equation parameter in an owner-ordered audit: overstatement (overlining in dark orange color) or understatement (underlining in light orange color)


Page 12: Top Cycle Mining

unstated revenues, spanning reconciliation checks & detectability

$0 + $30 * (900+100) - $0 => $27,000+$3,000

0 + 900+100 - 0 => 900+100

$0 + $18,000+$2,000 - $0 => $20 * (900+100)

$0 + $27,000+$3,000 - $9,000+$1,000 => $18,000+$2,000

0 + 900+100 - 0 => 900+100

$0 + $27,000+$3,000 - $9,000+$1,000 => $18,000+$2,000

recording + omitted recording reality + omitted reality

$0 + $18,000+$2,000 - $0 => $20 * (900+100)


$0 + $30 * (900+100) - $0 => $27,000+$3,000

Page 13: Top Cycle Mining

Economic substance of the business can be represented by a ‘Web of equations’, which inevitably includes ‘stocks’ and ‘flows’ outside of the basic cash-to-cash top cycle, such as transactions regarding:

- fixed assets;
- financing;
- general expenses.

Page 14: Top Cycle Mining

The complete ‘web of equations’ is indispensable to compose an ‘audit plan’, for all the ‘stocks’ and ‘flows’.

Main question:

Should a particular ‘stock’ or ‘flow’ be tested
- for: overstatement,
- or: understatement?

Requires different auditing techniques.

Page 15: Top Cycle Mining

The analysis in owner-ordered auditing starts with:

testing sales for understatement

Equation:

Inv[B] + Pur – Inv[E] → Sales

But then, testing Sales for understatement means:

testing Inv[E] for overstatement!


Page 16: Top Cycle Mining

The analysis should be pursued for all equations, and there is no need to audit any item, in either B/S or P&L, for both under- and overstatement.

The general result is:

test all debits for overstatements (assets in the B/S and expenditures in the P&L),

and

test all credits for understatements (liabilities in the B/S and revenues in the P&L).


Page 17: Top Cycle Mining

The International Standards on Auditing (ISAs) do not specify audit plans.

However, they require that all items in the accounts are tested both for over- and understatements.

But this does not generally require two different tests on an item:

if a debit is tested for overstatement, the corresponding credit is implicitly tested for overstatement as well!

Double-entry bookkeeping.

Page 18: Top Cycle Mining

One specific challenge in every audit:

Equation: Inv[B] + Pur – Inv[E] → Sales

is right in terms of quantities (of goods or services), not in terms of money, like all the other equations!

The difference: ‘Gross Profit’,

which is to be audited for understatement.

Main challenge to be solved in every audit.


Page 19: Top Cycle Mining

Mapping out the cash-to-cash top cycle enables the auditor to perform:

‘comprehensive coherence testing’ (CCT)

extensively described in

‘Reflections on Auditing Theory’, chapter 3

(Kluwer Bedrijfswetenschappen, Limperg Instituut, 1995).


Page 20: Top Cycle Mining

But: CCT does not discover ‘shop in the shop’: entire cycle of purchases, sales, payments and receipts fraudulently omitted from the accounting records.

To be prevented by segregation of duties.

Mapping out the top cycle enables the evaluation of internal controls.
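
The quantity equation Inv[B] + Pur – Inv[E] → Sales and the ‘shop in the shop’ limitation, worked through as an added example (not part of the original slides). It uses the deck's figures ($20 purchase price, $30 sale price, 900 recorded plus 100 omitted units); the `Books` class, the function names and the choice of which legs are recorded in each scenario are assumptions of this sketch.

```python
from dataclasses import dataclass

@dataclass
class Books:
    """Recorded quantities (units) and recorded sales revenue for one period."""
    inv_begin: int
    purchases: int
    inv_end: int
    sales_units: int
    sales_revenue: float

def expected_sales_units(b: Books) -> int:
    # Inv[B] + Pur - Inv[E] -> Sales holds in quantities, not in money.
    return b.inv_begin + b.purchases - b.inv_end

def coherence_test(b: Books, sale_price: float, purchase_price: float) -> dict:
    """Compare recorded sales with the sales implied by the recorded goods flow."""
    missing = expected_sales_units(b) - b.sales_units
    return {
        "missing_units": missing,
        "unstated_revenue": expected_sales_units(b) * sale_price - b.sales_revenue,
        "unstated_gross_profit": missing * (sale_price - purchase_price),
        "sales_understated": missing > 0,
    }

SALE_PRICE, PURCHASE_PRICE = 30.0, 20.0  # per-unit prices from the deck's figures

# Constructed scenarios; which legs are recorded is an assumption of this example.
SCENARIOS = {
    # 1,000 units bought and recorded, only 900 of the 1,000 sales recorded.
    "sales_omitted": Books(0, 1000, 0, 900, 27_000.0),
    # Same omission hidden by overstating ending inventory by 100 units.
    "inv_end_overstated": Books(0, 1000, 100, 900, 27_000.0),
    # 'Shop in the shop': 100 units missing from purchases and sales alike.
    "shop_in_shop": Books(0, 900, 0, 900, 27_000.0),
}

if __name__ == "__main__":
    for name, books in SCENARIOS.items():
        print(name, coherence_test(books, SALE_PRICE, PURCHASE_PRICE))
```

Only the first scenario fails the check; the second shows why testing Sales for understatement requires testing Inv[E] for overstatement, and the third balances because the whole cycle is missing from the records.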


Page 21: Top Cycle Mining

System Logging in Our Approach

• Information System (IS) server software is developed with built-in logging capabilities and default log levels

• Log levels specify the amount of details logged

• The IS function uses logs to help control day-to-day operations and maintenance

• Auditors can mine existing logs for audit evidence in our approach


Page 22: Top Cycle Mining

Benefits of the approach

• Uses existing logs as a baseline

• Allows a critique of existing controls when combined with the top cycle approach

• IS personnel are already familiar with logging and require little or no additional training

Page 23: Top Cycle Mining

Example: Database server logging

• Access logging
– Logs data about connections to a database server: time stamp, duration, user ID, table accessed, etc. This data can be used to test separation of duties and appropriate access from the audit perspective.

• Write-ahead logging
– Logs transaction details for transactions still in volatile areas of the system. Used to recover data in case of system failure but can be mined for transaction details. This data can include purchase cost, direct labor, and overhead details.

Page 24: Top Cycle Mining

Full Coverage of Loggings

Access log

Write-ahead log

Page 25: Top Cycle Mining

Logs Mapped to Matrix


Page 26: Top Cycle Mining

Assessment with Top Cycle: Partial Coverage


Page 27: Top Cycle Mining

Partial Coverage Mapped to Matrix


Page 28: Top Cycle Mining

Assessment Part 1

Absent logged measures can be corrected in one of two ways:
1) Increase logging levels and have the built-in logging capture the measures
2) Write a custom system to capture the measures

• In either case, costs are determinable and comparable with the value of the missing measures

Page 29: Top Cycle Mining

Assessment Part 2

• Problems in the qualitative design of the system of segregation of duties would be discovered by setting expectations for access to the database and for the necessary transactions occurring.

• The logs can be checked to make sure these access points exist and are being routinely used.
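
One way to run this check over a database access log, as an added example (not part of the original slides). The log lines are constructed, using the fields the deck lists for access logging (time stamp, duration, user ID, table accessed); the table names, user IDs, department names and the `min_uses` threshold are hypothetical.

```python
import csv
import io
from collections import defaultdict

# Constructed access-log sample: time stamp, duration (s), user ID, table accessed.
ACCESS_LOG = """\
2012-03-01T09:00:02,4,u_buy1,purchase_orders
2012-03-01T09:05:40,2,u_wh1,goods_receipts
2012-03-01T10:12:09,3,u_sal1,sales_orders
2012-03-01T10:30:51,6,u_buy1,sales_orders
2012-03-02T08:59:13,5,u_buy1,purchase_orders
2012-03-02T11:45:00,2,u_sal1,sales_orders
"""

# Auditor's expectation (hypothetical): the department that owns each logging location.
EXPECTED_OWNER = {
    "purchase_orders": "buying",
    "goods_receipts": "warehouse",
    "sales_orders": "sales",
    "cash_receipts": "cashier",
}
# Hypothetical mapping of user IDs to departments.
USER_DEPT = {"u_buy1": "buying", "u_wh1": "warehouse", "u_sal1": "sales"}

def assess_access(log_text, expected_owner, user_dept, min_uses=2):
    """Return (violations, unused): accesses that cross the expected segregation
    of duties, and expected access points seen fewer than min_uses times."""
    uses = defaultdict(int)   # table -> accesses by the expected department
    violations = []
    for ts, _duration, user, table in csv.reader(io.StringIO(log_text)):
        dept = user_dept.get(user, "unknown")
        if expected_owner.get(table) == dept:
            uses[table] += 1
        else:
            violations.append((ts, user, dept, table))
    unused = sorted(t for t in expected_owner if uses[t] < min_uses)
    return violations, unused

if __name__ == "__main__":
    violations, unused = assess_access(ACCESS_LOG, EXPECTED_OWNER, USER_DEPT)
    print("segregation-of-duties violations:", violations)
    print("expected access points absent or rarely used:", unused)
```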


Page 30: Top Cycle Mining


http://www.promtools.org/prom5/

Page 31: Top Cycle Mining

Mining the top cycle business process


Page 32: Top Cycle Mining

Concluding remarks

• Based on existing logs in appropriate segregation of duties, an organization may already be very close to boosting audit power by process mining

• Additionally required logging detail or additional segregation of duties is systematically identified using the cash-to-cash top cycle from the proven owner-ordered audit tradition