Process Mining in The Assurance Practice — Applications and Requirements
This is a guest article by Suzanne Stoof and Nils Schuijt from KPMG and Bas van Beek from PGGM based on an article that has previously appeared in Compact magazine. If you have a guest article or process mining case study that you would like to share as well, please contact us via email@example.com.
PGGM provides Assurance Standard 3402 and Assurance Standard 3000 reports that are specific for each customer. Within PGGM, process mining is used to show that a number of processes can also be tested for multiple clients at once because these processes are generic for multiple pension funds.
We describe the experiences of PGGM with regard to process mining based on a practical example. Specifically, the impact on the work of the auditor for the Assurance Standard 3402 and Standard 3000 report and the conditions are described. We also outline how process mining can be deployed to perform the audit more efficiently and with a higher quality in the future.
PGGM is one of the largest pension administration organizations in the Netherlands. It is responsible for the management of the pension administration for multiple pension funds, including the Pension Fund Care and Welfare (PFZW). To demonstrate to its customers that processes are controlled properly, the PGGM Service Organization Control (SOC) provides reports in accordance with the Assurance Standard 3402 and the Assurance Standard 3000. These Assurance Standard 3402 and Standard 3000 Reports are provided specifically for each pension fund.
PGGM and their auditors have discussed the options that may exist to shape the process of testing the internal control measures for the SOC reporting more efficiently. PGGM wants to keep providing separate Assurance Standard 3402 and Standard 3000 reports per pension fund. To be able to test a process in a multi-client fashion, it is important that it can be demonstrated that these processes and corresponding control measures are performed in a generic way for all pension funds. In this context, process mining can help by showing that certain processes are indeed performed in the same way for multiple pension funds. That is why PGGM started to experiment with process mining. Their aim was to achieve both more efficiency and a higher quality for their audits.
Process mining in the audit practice
Within the audit practice [Rama16], process mining can be deployed during multiple phases in the audit process:
- During walkthroughs. For this, process mining is used to visualize the walkthrough based on the event data. The advantage of this is that not only the happy flow but all possible paths within a process are mapped.
- As a basis for sampling or partial observations. By doing this, it is possible to audit only items with a higher risk, for example, because they do not follow the happy flow, but go through an alternative path.
- For compliance checking. With this, control measures like a four-eyes principle can be tested in a process for the entire population, for example.
Process mining was initially deployed to perform a line audit of the processes at four PGGM customers. Subsequently, these four process flows were put next to each other to demonstrate that each of the four pension funds follows exactly the same steps within the process.
Experiences with process mining at PGGM
PGGM has established a multidisciplinary process mining project team with expertise in both the domain of pension processes as well as with expertise in process analysis and data analysis.
The first phase of the experiment was focused on the exploration of the possibilities of process mining and the tooling. The added value of process mining quickly became visible as it provided insight into the actual execution of the processes, including the bottlenecks. For instance, it became clear that activities existed that were forwarded many times and without any need, and that the waiting times at the transfer of work between departments were long. PGGM was able to solve these bottlenecks by a redesign of the process flow. Other examples of initiated process improvements are:
- reduction of the lead time and the creation of customer value by the elimination of activities that do not provide added value to the process;
- realization of better process control through insight into ‘first time right’;
- design of a multi-client process execution instead of a fund-specific implementation;
- application of Robotic Process Automation in processes. This means that repeating human activities within administrative processes are performed by software robots.
The next step was to examine how process mining can be deployed to obtain insight into process controls. That was performed based on the principles that process mining results in:
- a more efficient implementation of the controls;
- time-saving of the audit work for the second and third level;
- in the long term probably a greater assurance, because entire populations are checked instead of partial observations.
Process mining can provide additional certainty, because it is based on a comprehensive analysis of the entire population. Therefore, the selection of partial observations, which is often the current methodology, becomes superfluous. Instead, all the activities and underlying relations in the entire population are shown. One example of the application of process mining on an entire population is the confirmation whether all letters sent to the participants were checked by an employee. Another example is the check whether for each change a segregation of duties rule was followed.
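The segregation of duties check described above can be run over every case instead of a sample. The following is an added example, not code from PGGM or KPMG; the activity names, user ids and event rows are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample event log: (case_id, activity, user, timestamp).
# Activity names and user ids are hypothetical, not taken from PGGM's systems.
EVENTS = [
    ("chg-001", "Change entered",  "u17", "2024-03-01T09:00"),
    ("chg-001", "Change approved", "u22", "2024-03-01T11:30"),
    ("chg-002", "Change entered",  "u17", "2024-03-01T09:05"),
    ("chg-002", "Change approved", "u17", "2024-03-01T09:06"),  # same person
    ("chg-003", "Change entered",  "u31", "2024-03-02T14:00"),  # no approval
    ("chg-004", "Change approved", "u22", "2024-03-03T08:00"),  # wrong order
    ("chg-004", "Change entered",  "u31", "2024-03-03T10:00"),
]

def four_eyes_exceptions(events, entered="Change entered",
                         approved="Change approved"):
    """Return {case_id: reason} for every case that breaks the rule."""
    cases = defaultdict(list)
    for case_id, activity, user, ts in events:
        cases[case_id].append((ts, activity, user))
    exceptions = {}
    for case_id, rows in cases.items():
        rows.sort()  # ISO 8601 timestamps sort chronologically as strings
        makers = [(ts, u) for ts, a, u in rows if a == entered]
        checkers = [(ts, u) for ts, a, u in rows if a == approved]
        if not makers:
            exceptions[case_id] = "approved without an entry event"
        elif not checkers:
            exceptions[case_id] = "never approved"
        elif checkers[-1][0] < makers[-1][0]:
            # The last approval must come after the last entry it covers.
            exceptions[case_id] = "approved before the last entry"
        elif {u for _, u in makers} & {u for _, u in checkers}:
            exceptions[case_id] = "entered and approved by the same user"
    return exceptions

if __name__ == "__main__":
    for case_id, reason in sorted(four_eyes_exceptions(EVENTS).items()):
        print(case_id, reason)
```

The check is only as complete as the log: manual activities that the workflow system does not record cannot appear as exceptions.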
Limiting factors of process mining are often (as PGGM experienced as well) that the data architecture is not designed for simple use of process mining. The data preparation takes a lot of time, because the required information is stored in different systems. Furthermore, not all manual activities within the workflow system are logged, which means that not all processes can be covered by the data. A well-structured data-architecture is essential to make optimal use of a process mining tool.
The case of the ‘Disbursement’ process
We explain the application of process mining at PGGM in more detail based on a practical example: the Disbursement process.
The starting point for the process mining analysis was a consultation with all parties involved in the disbursement process within PGGM. The purpose of this consultation was to determine the viability of the multi-client execution of the audit work. As a result of the consultation, it has been concluded that the Disbursement process would be eligible to be performed multi-client. The actual viability should, inter alia, be demonstrated by process mining.
In the disbursement process, the pension rights and awards of participants are converted into an actual disbursement. An important part therein is the conversion of the gross amount awarded to the net disbursement rights: The gross/net-calculation. Furthermore, the process includes various checks and authorizations that are necessary due to the nature of the process. The disbursement process includes three main activities (see Figure 1).
The first step in the analysis was the creation of an event log. As data source, the payment and financial systems were used. Subsequently, the data was loaded into the process mining-tool.
The first results based on the event log were not satisfactory yet, upon which the event log was enriched with data from other sources, where the auditor was able to follow the data trail. In the end, the final event log that was created resulted in the overview as shown in Figure 2.
The outcome of the analysis in Figure 2 shows that the process flows of the four pension funds A, B, C, and D work identically. At first, a gross file is generated in the system in which the pension rights are administered (process step: Gross file). In the gross file, the gross pension rights are recorded. In the next step, the conversion of the gross pension rights into the net payment rights takes place. This calculation is performed by an external party (process step: Gross net calc). Subsequently, the net disbursement file is received back (process step: Net file). Next, it is verified whether the gross/net calculation was done properly, after which the authorization and approval of the net disbursement file occur (process step: Authorization). Finally, the disbursement is handed to the payment department, which carries out the payment through the bank (process step: Disbursement).
Another approach that can be applied is that process mining shows the entire process flow. The cases included in the ‘happy flow’ are considered to be in control. What is interesting are any exceptions that become visible. These non-‘happy flow’ paths have to be analyzed and explained, because they are undesirable in the context of process control. As visible in Figure 2, in this process, no exceptions existed.
By means of the analysis and the outcome, as shown in Figure 2, it is demonstrated that the processes are performed identically for multiple pension funds. Making use of process mining, it has been demonstrated that all activities in the process, regardless of which pension fund, follow the same process flow. For the documentation of this conclusion, a description of the log and the way of data extraction from the workflow-tool is included. It is also described which filters have been used in the process mining tool, and the controls are plotted on the process map. In addition to the use of process mining, the analysis is further substantiated by interviews with subject matter experts, a walkthrough, and inspection of, inter alia, operational instructions, policies, and manuals.
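The comparison behind Figure 2 amounts to reducing each case to its ordered sequence of steps (its variant) and checking that every fund shows only the happy flow. The following is an added example, not the tool or code used by PGGM; the step names and funds A to D come from the article, while case ids and timestamps are constructed.

```python
from collections import defaultdict

HAPPY_FLOW = ("Gross file", "Gross net calc", "Net file",
              "Authorization", "Disbursement")

def traces(events):
    """Group (fund, case_id, step, timestamp) rows into one ordered trace per case."""
    by_case = defaultdict(list)
    for fund, case_id, step, ts in events:
        by_case[(fund, case_id)].append((ts, step))
    return {key: tuple(step for _, step in sorted(rows))
            for key, rows in by_case.items()}

def variants_per_fund(events):
    """Return {fund: {variant: number_of_cases}}."""
    out = defaultdict(lambda: defaultdict(int))
    for (fund, _case), trace in traces(events).items():
        out[fund][trace] += 1
    return {fund: dict(counts) for fund, counts in out.items()}

def exceptions(events, reference=HAPPY_FLOW):
    """Cases whose trace deviates from the reference flow; these need explaining."""
    return sorted(key for key, t in traces(events).items() if t != reference)

def is_generic(events, reference=HAPPY_FLOW):
    """True only if every fund has exactly one variant: the reference flow."""
    per_fund = variants_per_fund(events)
    return bool(per_fund) and all(set(v) == {reference} for v in per_fund.values())

def make_case(fund, case_id, steps, day):
    # Constructed timestamps: one step per hour on the given day of January 2024.
    return [(fund, case_id, step, f"2024-01-{day:02d}T{9 + i:02d}:00")
            for i, step in enumerate(steps)]

# Constructed log: one disbursement run per fund, all following the happy flow.
SAMPLE = [row for day, fund in enumerate("ABCD", start=1)
          for row in make_case(fund, f"{fund}-2024-01", HAPPY_FLOW, day)]
# Same log plus one constructed run for fund C that skips Authorization.
DEVIATING = SAMPLE + make_case(
    "C", "C-2024-02", [s for s in HAPPY_FLOW if s != "Authorization"], 20)

if __name__ == "__main__":
    print(is_generic(SAMPLE), exceptions(SAMPLE))
    print(is_generic(DEVIATING), exceptions(DEVIATING))
```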
Based on the experiences of PGGM, the following ‘lessons learned’ were derived:
- Ensure an appropriate design of the data architecture;
- Take advantage of the existing knowledge in the organization and activate it. Think of data analysts, SQL-specialists, process analysts and auditors;
- Do not only focus on process mining but make use of a combination of data analysis techniques;
- Experiment and be receptive to new insights and techniques.
Impact on the audit work of the auditor and requirements
During the preliminary stage, PGGM and their auditors talked a lot about the conditions and opportunities to apply process mining in the context of the Assurance Standard 3402/3000-audit, to show that a certain process is generically applied for multiple pension funds.
PGGM wishes to keep the Assurance Standard 3402/3000-reports specific per pension fund. In the event that several processes will be tested multi-client, it is essential that it can be demonstrated that these processes and corresponding control measures actually take place in a generic way for all pension funds.
For this, from the auditor’s point of view, a number of matters are important. They are:
- Scoping. Beforehand, consideration should be given to the scoping, i.e. which pension funds, processes, process steps, etcetera, belong to the audit object;
- Being able to demonstrate the reliability of the data that is used is of importance. For instance, not all systems are yet able to unlock the data that can be used for process mining;
- Procedures other than process mining provide additional audit evidence to determine if the process and the control measures are generic, including the review of process descriptions;
- Explanation of this approach in the Assurance Standard 3402/3000 report.
Because PGGM used two different applications to perform the pension administrations, it was decided that a generic methodology cannot be followed for all pension funds. For the four pension funds whose pension administration is performed within one application, it was decided to investigate the approach further.
With the help of process mining, it can be demonstrated that the processes follow the same flow for all four pension funds. This shows that the processes and corresponding control measures in the application are performed in a generic way. To the auditor, it was important that PGGM had clearly documented how it came to this conclusion. This, inter alia, means that PGGM had to show the auditor how it had performed the analyses using process mining, and which conclusions have been drawn. The analysis and explanation of the exceptions were then repeated by the auditor. It was also important that the reliability of the data, including the population based on which the process mining took place, could be determined. This includes that it must be traceable how the data (the so-called ‘information produced by the entity’) was obtained from the system, and that it is correct and complete. For this, among other things, it is important that it can be guaranteed that, after downloading the data from the pension administration, no more manual adjustments have been made.
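One way to make "no manual adjustments after download" checkable is to record a manifest at extraction time and verify the file against it before it is loaded into the process mining tool. The following is an added example, not PGGM's procedure; the column names and rows are constructed.

```python
import csv
import hashlib
import io

# Constructed extract as it left the source system; column names are assumptions.
EXTRACT = (
    "fund,case_id,step,timestamp\n"
    "A,A-2024-01,Gross file,2024-01-01T09:00\n"
    "A,A-2024-01,Authorization,2024-01-01T12:00\n"
    "B,B-2024-01,Gross file,2024-01-02T09:00\n"
    "B,B-2024-01,Authorization,2024-01-02T12:00\n"
)

def parse_rows(text):
    reader = csv.reader(io.StringIO(text))
    next(reader)  # skip the header line
    return [tuple(row) for row in reader]

def row_digest(row):
    # Unit separator avoids ambiguity between ("a,b", "c") and ("a", "b,c").
    return hashlib.sha256("\x1f".join(row).encode("utf-8")).hexdigest()

def make_manifest(text):
    """Record at extraction time: file hash, row count and per-row digests."""
    rows = parse_rows(text)
    return {"sha256": hashlib.sha256(text.encode("utf-8")).hexdigest(),
            "row_count": len(rows),
            "row_digests": sorted(row_digest(r) for r in rows)}

def verify(text, manifest):
    """Return a list of findings; an empty list means the extract is unchanged."""
    if hashlib.sha256(text.encode("utf-8")).hexdigest() == manifest["sha256"]:
        return []
    rows = parse_rows(text)
    known = set(manifest["row_digests"])
    current = {row_digest(r): r for r in rows}
    findings = []
    if len(rows) != manifest["row_count"]:  # completeness of the population
        findings.append(f"row count {len(rows)} != {manifest['row_count']}")
    for digest, row in current.items():     # rows that were edited or added
        if digest not in known:
            findings.append("row not in original extract: " + ",".join(row))
    missing = len(known - set(current))
    if missing:
        findings.append(f"{missing} original row(s) missing or altered")
    return findings or ["file bytes differ but all rows match (formatting change)"]
```

The manifest only proves integrity if it is stored where the person preparing the data cannot rewrite it, for example with the extraction job's own log.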
To the auditor, it is also important to confirm that the processes that will be treated as multi-client are carried out by one team, instead of by specific customer teams. Specific customer teams would imply the risk that certain audits could still be performed in another way. Based on process descriptions, we have established that there is one Shared Service Center that performs the processes in a generic way for all pension funds.
From the point of view of the auditor, it is also important that in the Standard 3402/3000-report it is clearly explained to the users that not all processes were individually tested for that specific user, but that it was performed for a number of processes based on a multi-client approach. Both PGGM as well as the auditor clearly explain this in the report. Process mining can thus generate added value to the user of the Assurance Standard 3402/3000-report. In addition to the written explanation, it is recommended to inform the pension funds in time and orally during periodic discussions about this approach.
Currently, we are also looking into the future, where, inter alia, the possibilities are investigated to integrate process mining in the control measures. An example of this is that an employee of the pension administration determines, based on process mining, if no exceptions compared to the standard process exist for an entire population over a certain period. In case there are exceptions, they analyze the exceptions. An advantage of this method is that the complete population is considered in the execution of the control measure. Furthermore, also the auditors base themselves on entire populations, instead of selecting a number of partial observations based on which a conclusion is drawn.
In this way, assurance can be provided based on the complete population in an efficient way, which can also generate added value for the user of the Assurance Standard 3402/3000-report. Additionally, process mining could be deployed as a continuous monitoring tool, where the data could be loaded repeatedly to directly detect deviations within the process.
During the audit of the Assurance Standard 3402 reports, PGGM deployed process mining in consultation with KPMG. This demonstrated that four of the pension funds follow the same process and that they also make use of the same controls within the process. Process mining provides insight into the entire population, while the auditor usually makes use of partial observations. The next steps in the implementation of process mining at PGGM concern both the combination with other processes and the introduction of process mining as an audit tool within the Assurance Standard 3402/3000 reporting. With the deployment of process mining as a control, continuous monitoring also comes a step closer.