Embedding process mining into financial statement audits

The audit of financial statements is a complex and highly specialized process. Digitalization and the increasing automation of transaction processing create new challenges for auditors who carry out those audits. New data analysis techniques offer the opportunity to improve the auditing of financial statements and to overcome the limitations of traditional audit procedures when faced with increasingly large amounts of financially relevant transactions that are processed automatically or semi-automatically by computer systems. This study discusses process mining as a novel data analysis technique which has been receiving increased attention in the audit practice. Process mining makes it possible to analyse business processes in an automated manner. This study investigates how process mining can be integrated into contemporary audits by reviewing the relevant audit standards and incorporating the results from a field study. It demonstrates the feasibility of embodying process mining within financial statement audits in accordance with contemporary audit standards and generally accepted audit practices. Implementation of process mining increases the reliability of the audit conclusions and improves the robustness of audit evidence by replacing manual audit procedures. Process mining as novel data mining technique provides auditors the means to keep pace with current technological developments and challenges.     

Internal audit,alternative internal audit structures and the level of misappropriation of assets fraud

In recent years, the importance of good corporate governance has received significant public and regulatory attention. A crucial part of an entity's corporate governance is its internal audit function. At the same time, there has been significant public concern about the level of fraud within organizations. The purpose of this study is to assess whether organizations with an internal audit function are more likely to detect and self‐report fraud than those without. In this study, we use a unique self‐reported measure of misappropriation of assets fraud for the first time. The fraud data are from the 2004 KPMG Fraud Survey, which reported fraud from 491 organizations in the private and public sector across Australia and New Zealand. The internal audit data are from a separate mail survey sent to the respondents of the KPMG Fraud Survey. We find that organizations with an internal audit function are more likely than those without such a function to detect and self‐report fraud. Furthermore, organizations that rely solely on outsourcing for their internal audit function are less likely to detect and self‐report fraud than those that undertake at least part of their internal audit function themselves. These findings suggest that internal audit adds value through improving the control and monitoring environment within organizations to detect and self‐report fraud. These results also suggest that keeping the internal audit function within the organization is more effective than completely outsourcing that function.     

A taxonomy to guide research on the application of data mining to fraud detection in financial statement audits

This paper explores the application of data mining techniques to fraud detection in the audit of financial statements and proposes a taxonomy to support and guide future research. Currently, the application of data mining to auditing is at an early stage of development and researchers take a scatter-shot approach, investigating patterns in financial statement disclosures, text in annual reports and MD&As, and the nature of journal entries without appropriate guidance being drawn from lessons in known fraud patterns. To develop structure to research in data mining, we create a taxonomy that combines research on patterns of observed fraud schemes with an appreciation of areas that benefit from productive application of data mining. We encapsulate traditional views of data mining that operates primarily on quantitative data, such as financial statement and journal entry data. In addition, we draw on other forms of data mining, notably text and email mining.     

The impact of audit penalty distributions on the detection and frequency of fraudulent reporting

We investigate how the distribution of the penalties incurred by auditors for failing to detect fraud influences their effort to detect fraud and auditees’ commission of fraud. We compare a probabilistic, skewed audit penalty to a penalty that automatically imposes the expected penalty of the probabilistic distribution (hereafter, a deterministic penalty). Our experiments show that a deterministic penalty with the same expected value of a probabilistic, skewed penalty increases audit effort to detect fraud and decreases fraudulent reporting by auditees and that these benefits hold in a game involving both auditee and auditor players.     

The Dempster‐Shafer Theory: An Introduction and Fraud Risk Assessment Illustration

This article introduces the Dempster‐Shafer theory (DS theory) of belief functions for managing uncertainties, specifically in the auditing and information systems domains. The use of DS theory is illustrated by deriving a fraud risk assessment formula for a simplified version of a model developed by Srivastava et al. (2007). In this formulation, fraud risk is the normalised product of four risks: risk that management has incentives to commit fraud; risk that management has opportunities to commit fraud; risk that management has an attitude to rationalise committing fraud; and risk that an auditor's special procedures will fail to detect fraud. The article demonstrates how to use such a model to plan for a financial audit where management fraud risk is assessed to be high. In addition, it discusses whether audit planning is better served by an integrated audit/fraud risk assessment as now suggested in SAS 107 (AICPA 2006a, see also ASA 200 in AUASB 2007) or by the approach illustrated here where a parallel, but separate, assessment is made of audit risk and fraud risk.     

Financial process mining - Accounting data structure dependent control flow inference

The increasing integration of computer technology for the processing of business transactions and the growing amount of financially relevant data in organizations create new challenges for external auditors. The availability of digital data opens up new opportunities for innovative audit procedures. Process mining can be used as a novel data analysis technique to support auditors in this context. Process mining algorithms produce process models by analyzing recorded event logs. Contemporary general purpose mining algorithms commonly use the temporal order of recorded events for determining the control flow in mined process models. The presented research shows how data dependencies related to the accounting structure of recorded events can be used as an alternative to the temporal order of events for discovering the control flow. The generated models provide accurate information on the control flow from an accounting perspective and show a lower complexity compared to those generated using timestamp dependencies. The presented research follows a design science research approach and uses three different real world data sets for evaluation purposes.     

Forensic accounting services in English local government and the counter-fraud agenda

ABSTRACT

Fraud is a growing challenge for English local government, yet the resources and support local authorities (LAs) have available to prevent, detect and investigate it are limited. Forensic accounting services (FAS) provided by external specialist private sector firms, particularly those undertaking mandatory external audit, might be one solution. Research reported in this paper suggests, however, that existing English LA users are not all convinced. Nevertheless, better awareness and understanding of what FAS have to offer, perhaps through case studies of successful implementation, would be a valuable contribution to helping local government enhance its counter-fraud capabilities and make informed decisions about how best to meet the increasingly complex fraud challenge.     

The case for process mining in auditing: Sources of value added and areas of application

Process mining aims to extract knowledge from the event logs maintained by a company's ERP system. The objective of this paper is to make the case for why internal and external auditors should leverage the capabilities process mining offers to rethink how auditing is carried out. We do so by identifying the sources of value added of process mining when applied to auditing, which are as follows: 1. process mining analyzes the entire population of data and not just a sample; 2. critically that data consists of meta-data—data entered independently of the actions of auditee—and not just data entered by the auditee; 3. process mining allows the auditor to have a more effective way of implementing the audit risk model by providing effective ways of conducting the required walkthroughs of processes and conducting analytic procedures; 4. process mining allows the auditor to conduct analyses not possible with existing audit tools, such as discovering the ways in which business processes are actually being carried out in practice, and to identify social relationships between individuals. It is our argument that these sources of value have not been fully understood in the process mining literature, which has focused on developing it as a statistical methodology rather than on applying it to audit practice. Only when auditors and audit researchers appreciate what is new and unique about process mining will its acceptance in auditing practice become feasible.     

Fraud dynamics and controls in organizations

This paper develops an agent-based model to examine the emergent dynamic characteristics of fraud in organizations. In the model, individual heterogeneous agents, each of whom can have motive and opportunity to commit fraud and a pro-fraud attitude, interact with each other. This interaction provides a mechanism for cultural transmission through which attitudes regarding fraud can spread. Our benchmark analysis identifies two classes of organizations. In one class, we observe fraud tending toward a stable level. In the other class, fraud dynamics are characterized by extreme behaviors; organizations with mostly honest behavior suddenly change their state to mostly fraudulent behavior and vice versa. These changes seem to occur randomly over time. We then modify our model to examine the effects of various mechanisms thought to impact fraud in organizations. Each of these mechanisms has different impacts on the two classes of organizations in our benchmark model, with some mechanisms being more effective in organizations exhibiting stable levels of fraud and other mechanisms being more effective in organizations exhibiting unstable extreme behavior. Our analysis and results have general implications for designing programs aimed at preventing fraud and for fraud risk assessment within the audit context.     

Bayesian Fraud Risk Formula for Financial Statement Audits

In this article we extend the work of Loebbecke et al. (1989 ) and illustrate the use of an evidential reasoning approach for developing fraud risk analysis models under the Bayesian framework. New formulations facilitating fraud risk assessments are needed because decision tree approaches previously used to develop analytical models are not appropriate in complex situations involving several interrelated variables. To demonstrate the evidential reasoning approach, a fraud risk assessment formula is derived and illustrated. The fraud risk formula captures the impact of the presence or absence of and interrelationships between the three ‘fraud triangle’ risk factors: Incentives, Attitude and Opportunities. The formula includes the impact of risks and controls related to these three fraud risk factors as well as the impact of forensic audit procedures and relevant analytical and other procedures that provide evidence for the presence or absence of fraud. This formula may be used in audit practice both to help plan the audit and to assess fraud risk sequentially as audit evidence is obtained.     

The Effects of Fraud Risk and Management Representation on Auditors' Hypothesis Generation

Hypothesis generation is considered to be critical to the effectiveness and efficiency of diagnostic processes in auditing. Using a between-subjects experimental design, this work examines the impact of fraud risk and the availability of a non-misstatement management explanation on auditors' hypothesis generation performance. The context is when managers undertake analytical procedures at the planning stage of the audit. The results indicate that auditors are sensitive to increased fraud risk by generating more fraud hypotheses, while the number of misstatement hypotheses generated is not affected by fraud risk. The availability of a non-misstatement management explanation was found not to interfere with auditors' hypothesis generation performance, but facilitated the generation of proportionately more misstatement and fraud hypotheses from the same transaction cycle as that indicated by the management explanation. Together, these findings provide some insights on the sensitivity of auditors' hypothesis generation to fraud risk and whether this sensitivity could be undermined by the availability of management representations.     

Waste Is Our Business,Inc.: The importance of non-financial information in the audit planning process

The objectives of this case are: (a) to alert students to the importance of non-financial information in the audit process; (b) to develop students’ ability to search for relevant financial and non-financial information in the audit planning process; and (c) to emphasize the importance of resisting the natural tendency to over-rely on financial information when conducting the financial statement audit. Students are asked to consider both financial and non-financial information when evaluating a client’s account balances. The client is in the waste business where there are a number of market, regulatory, and political factors that may affect the valuation of different accounts. Students are also directed to consider the importance of non-financial information in the integrated audit mandated by PCAOB Standard 5 and in fraud detection. The case can help students learn to explicitly consider non-financial information and understand the significance of integrating such information with financial data. The case is suitable for use in undergraduate or graduate auditing and assurance courses.     

Blockchain as the Database Engine in the Accounting System

This paper examines the prediction that blockchain technology will transform accounting and the profession because transactions recorded on a blockchain can be aggregated into financial statements and confirmed as true and accurate. We argue that blockchain technology affects the database engine of the accounting information system (AIS) through digitisation of the current paper‐based validation process. In a blockchain‐based AIS, accountants will no longer be the central authority but will remain the preparer of financial reports required by regulations; they will continue to influence policies such as the choice and accreditation of validators and serve as validators of last resort. Audit evidence still needs to be gathered for rendering of an audit opinion in a blockchain‐based AIS. While digitisation of the validation process reduces the error rate and lowers the cost of vouching and tracing, and immutability of blockchain data reduces the incentive and opportunities for fraud, a blockchain‐based AIS alone does not guarantee that financial reports are true and fair. Lower error rates and reduced incentives for accounting fraud in a blockchain‐based AIS are expected to improve audit quality. This prediction will need to be empirically tested when blockchain‐based AIS become available. Using the three‐tier architecture of the AIS, this paper addresses the gap in the literature that misses how characteristics of blockchain technology can influence the implementation of a blockchain‐based AIS with related implications for the accounting profession.     

Why computer-mediated communication improves the effectiveness of fraud brainstorming

Current auditing standards require auditors to conduct a fraud brainstorming session aimed at considering ways in which the audit client's financial statements might be fraudulently misstated. Lynch et al. (2009) document that computer-mediated fraud brainstorming is significantly more effective than face-to-face brainstorming for generating relevant fraud risks. In this study, we code and analyze process-level data from the Lynch et al. (2009) study to understand the factors contributing to the greater effectiveness of electronic fraud brainstorming. Specifically, we conduct mediation analysis to discern the degree to which equality of participation and two measures of task focus contribute to greater fraud brainstorming effectiveness when using a computer-mediated communication system compared to traditional face-to-face brainstorming. We also examine participants' perceptions of ease of system use, satisfaction with the process, and satisfaction with the outcome. Overall, the results indicate that the primary reason for the greater effectiveness of electronic fraud brainstorming is the greater degree of task focus as revealed through the length of comments made when using computer-mediated fraud brainstorming. In an absolute sense, participants using electronic brainstorming felt that their brainstorming mode was easy to use and they were satisfied with the process and outcome. The primary contribution of this study is in enhancing our understanding of precisely why computer-mediated fraud brainstorming outperforms face-to-face fraud brainstorming.     

A note on perceptions of auditors’ internal control report mandated by the PCAOB: Can reformatting the report enhance perceived value added?

The auditor’s report is a critical link in communicating financial data to users. Because of substantial audit costs incurred in integrated audits, the perceived value added by the auditor’s report becomes even more important. The auditor’s report prescribed by Auditing Standard No. 2 (and the new Auditing Standard No. 5) issued by the Public Company Accounting Oversight Board (PCAOB) includes a limitations paragraph. The SAS 58 audit report format that has been in use over 15 years does not contain a limitations paragraph. The SAS 58 report likely serves as a mental frame of reference (a referent report) for users evaluating other independent auditor’s report formats relating to assurance services, including the AS2 and AS5 reports. Whether inclusion of a limitations paragraph could adversely affect the users’ evaluation of the AS2 report is the focus of this study. In light of the publicity given to fraudulent financial reporting and other prevailing economic/environmental conditions, it is reasonable for users to expect that the auditor’s report provide a high degree of assurance regarding material fraud.We extend the [Foster, B. P., McClain, G., Shastri, T. (2005). A note on Pre-Sarbanes-Oxley Act users’ and auditors’ perceptions of a limitations paragraph in the auditor’s internal control report. Research in Accounting Regulations, 18, 195-217] study, by focusing on the AS2 report using data obtained about user perceptions from a field experiment conducted with MBA students. Results suggest that users perceive that an internal control report format without the limitations paragraph will enhance the readability and reliability of the report, and reduce the level of accommodation (additional information) required for decision making. Users perceive that the auditors’ exposure/liability is likely to remain substantially the same whether or not the report format includes a limitations paragraph. Also, users perceive that incorporating fraud wording would further enhance the readability and reliability dimensions of the internal control report format without the limitations paragraph. Taken collectively, the auditor’s report format with fraud wording, but without the limitations paragraph likely maximizes economic benefit accruing to users by minimizing their information risk. Policy-making bodies may find the results and approach taken in this study useful to evaluate report formats for assurance services.     

发挥审计监督职能遏制企业会计舞弊

企业会计舞弊危害深重。企业会计舞弊的成因是多方面的,审计监督不力是重要原因之一。遏制企业会计舞弊,必须充分发挥注册会计师和政府审计的监督职能,采取有力措施解决审计监督中存在的各种问题,构建科学、规范、高效的审计监督制度体系和业务规程。     

Computer assisted analytical procedures using Benford's Law

This case introduces students to Benford's Law and Digital Analysis, which can be used as an analytical procedure and fraud detection tool. Digital Analysis (DA) is the analysis of digit and number patterns of a data set. Actual digit frequencies in a data set are compared to the expected frequencies according to Benford's Law [Benford, F. (1938). The law of the anomolous numbers, Proceedings of the American Philosophical Society, 78, 551–572.]. Minor differences suggest that the data have passed a reasonableness test, while major differences signal possible financial statement mis-statements. After describing Benford's Law and the basic DA tests, the case requires auditing students to download DA software and the actual accounts payable file of a software company from a designated Internet site. Students then, (1) analyse the data using three DA tests as an analytical procedure in an external audit context, and (2) graph and a report the results and audit-related conclusions. The teaching note includes the actual findings from the audit of that data set and guidance on using the case in an auditing course.     

头脑风暴法在舞弊审计中的运用研究:回顾与启示

头脑风暴法有助于解决舞弊审计这一类非结构化问题,在舞弊审计中运用头脑风暴法成为美国注册会计师审计中的一项必要程序,头脑风暴技术也成为审计理论界和实务界关注的一个重点问题。本文对相关研究文献进行了梳理和回顾,总结文献研究发现:舞弊审计适合使用开放式头脑风暴法、循环头脑风暴法和电子头脑风暴法;头脑风暴法不仅有助于审计人员识别更多的舞弊风险因素和提高识别因素的质量,而且能够使审计人员表现得更加谨慎,调高了客户舞弊风险的预期水平;此外,头脑风暴讨论会还能够使审计人员更愿意修改拟实施的实质性测试程序,采取更为有效的舞弊风险应对程序。这些实践经验和研究成果对我国审计实践和审计理论研究都具有重要的借鉴作用。     

Great Expectations: Public Perceptions Of The Auditor's Role

The professional accounting bodies in Australia have undertaken a study of the "expectation gap" in perceptions of the auditing role and concluded that the public's image of the auditing profession will be enhanced if the differences in attitudes can be minimised. This paper analyses the views of auditors and financial report users about what the role of the auditor and the nature of an audit should be. The most significant differences between the auditors and the user groups relate to whether the auditor should be responsible for preventing and detecting fraud, detecting illegal acts, reporting whether the company is a reliable debtor or loan prospect and reporting the degree of confidence he or she has that the correct audit opinion has been issued. Where the differences represent "deficient standards" or "unreasonable expectations", the professional bodies should consider changing auditor responsibilities or attempting to change users' attitudes.     

Common sense and computer security

The age of information so frequently described and anticipated in "gee-whiz" language has a darker side. As recent newspaper stories and other media attention show, unauthorized tampering with computer data banks and computer programs is on the rise. And the problem will grow worse with the proliferation of microcomputers, word processors, and data networks and with the swelling ranks of people familiar with their use. Probing beyond the conventional legislative and technological solutions to computer security problems, the authors look at what managers can do to preserve the integrity of their companies' information systems. While it is no longer possible simply to delegate responsibility for computer security to data processing managers, senior managers should not rely on expensive and complex solutions, according to these authors. They argue for simple, commonsense measures and advise how auditing and control systems can be revitalized to help detect security problems before they become serious.