Professional Documents
Culture Documents
ABSTRACT
Numerous studies increasingly investigate the application of process mining in governance, risk
management, compliance, and auditing in response to changing business processes brought about by digital
transformation. Audit on business processes is an interesting issue in the process mining literature. This
study seeks to specifically map the types, areas, objectives, and frameworks of process mining application
in governance, risk management, compliance, and auditing. The mapping process results in the
classifications of components and sub-components. We use the systematic literature review (SLR) on the
application of process mining in governance, risk management, compliance, and auditing. The SLR
approach makes use of 34 papers selected based on the exclusive and inclusive terms and the mapping
process related to the research questions. The data extraction results show that the financial domain
dominates the research topics. Besides, we identify 6 phases as components and 32 concrete steps or
activities sub-components. The SLR findings contributes to future research on the application of process
mining to governance, risk management, compliance, and auditing in various research areas.
Keywords: Process Mining, Governance, Risk Management, Compliance (GRC), Auditing, Systematic
Literature Review.
4334
Journal of Theoretical and Applied Information Technology
30th September 2021. Vol.99. No 18
© 2021 Little Lion Scientific
methods in modern audits [12]. PM for audit within and mapping based on the research questions; and
the GRC framework is a rapidly research topic lastly analyzing the SLR results.
along with changes in organizational business
This study produces several understudied
processes [13].
areas: PM research areas in GRC and auditing, their
Several studies have investigated the use of PM research objectives, and, most significantly, our
for audits, and anomaly and fraud detection within findings of the components and sub-components of
the GRC framework. For example, Wil van der PM frameworks. These results contribute to
Aalst in 2010 introduced the Auditing 2.0 development of PM science in GRC and auditing
framework based on the PM method [14]. PM can by defining the components and sub-components of
serve as new audit evidence for auditors that PM frameworks in GRC and auditing that have
facilitates the evaluation of internal control been adjusted to the phases of PM methods2 [31].
effectiveness, audit risk assessment, and fraud Our findings also help scholars and practitioners
scheme identification [15]. Prior studies by Jans understand the state-of-the-art of PM application in
[11], [16]–[20] showed the use of PM for internal GRC and auditing. Technically, this research
audit activities. Werner has also analyzed the PM contributes to the implementation of PM types in
implementation for financially-related audits [7], the context of auditing. The implementation of PM,
[18], [21]–[24]. The facts indicate that studies on which is a wedge between Business Process
PM in GRC and audits largely focus on the Management (BPM) and data mining, is still rare,
financial [25] and manufacturing domains [26]. PM so the results of this study contribute significantly
in GRC and audits can be widely used in various to the development of information systems and
domains, especially for process audits. The PM technology.
methods enable the evaluation of historical data in
This paper is organized as follows; the
event-log according to the desired models. This
introduction that consists of background and
advantage is important to detect deviations and find
research motivations, literature review explaining
and measure their error levels.
process mining theories and GRC and auditing,
Nevertheless, these studies have not research methods that consist of SLR research
systematically and comprehensively investigated phases, analysis that explains SLR results and
the implementation of PM in GRC and audit. discusses the results based on research questions,
Systematic and comprehensive studies in this topic and conclusions that contain research conclusions
use various settings, including health [27], and suggestions for future studies.
information system security [28], supply chain
management [29], and the application of PM in
2. LITERATURE REVIEW
manufacturing processes [26]. Like prior systematic
reviews, this study is mainly motivated to define This part discusses theories related to the
specifically research types and areas, research research issues, namely PM, GRC, and auditing
objectives, and particularly the frameworks or theories. Each issue is discussed separately.
methodologies of PM application in GRC and
auditing. Hence, this study aims to offer a 2.1 Process Mining
systematic understanding, based on prior studies,
PM is the intersection between data mining and
that is crucial to develop comprehensive analysis of
business process management that focuses on
the main components of PM methodologies and
understanding the processes and capturing more
frameworks in GRC and auditing.
significant findings [32]. PM seeks to search,
Based on these arguments, our research monitor, and enhance real processes (as opposed to
questions are (1) What are the research types and assumed processes) by extracting knowledge from
areas of PM in GRC and auditing, (2) What are the event-logs from information systems. PM consists
research purposes of PM in GRC and auditing, and of process discovery, conformance checking, dan
(3) What are the framework components and steps performance measurement [33], as illustrated by the
of PM in GRC and auditing. We use the systematic following Figure 1.
literature review (SLR) to answer these research
questions as introduced by Petersen [30]. The SLR
consists of several phases, starting from
determining the scope; searching, determining, and
filtering or selecting the literature; extracting data
4335
Journal of Theoretical and Applied Information Technology
30th September 2021. Vol.99. No 18
© 2021 Little Lion Scientific
4336
Journal of Theoretical and Applied Information Technology
30th September 2021. Vol.99. No 18
© 2021 Little Lion Scientific
Based on the above process stages, the following a) Electronically available and found by the
are SLR’s stages and outcomes: search strings in all fields and periods.
b) At least reviewed by two journal or
• Defining research scope: determining research
conference reviewers.
questions designed to offer research scope.
c) Published online from 2000 to February
• Searching: identifying papers with search strings 2020.
in selected scientific databases based on d) Snowball technique that includes some
publication periods. referenced papers not indexed in selected
digital libraries.
• Screening papers: screening relevant papers by
applying suitable inclusion and exclusion criteria. • Exclusion criteria, papers that:
a) Are not written in English.
• Identifying and combining based on keywords in
b) Are duplicated work.
the abstracts to have a better understanding of
c) Do not focus on process mining, e.g.: mining
research topics and generate a better organized
iron, metal mining, pollution, chemistry, or
paper classification according to the research
environmental impacts.
objectives.
d) Refer to process mining for GRC and
• Extracting data and mapping: extracting, auditing only in introduction, or
mapping, and visualizing the results to answer fundamentals, or part of the state-of-art.
the research questions. e) Refer to process mining only as a further
research direction.
3.2 Research Questions f) Are only related to the author’s biography.
Based on the research objectives, we propose g) Not real scientific papers, such as only
the following research questions (1) What are the content guides, indexes, or marketing
research types and areas of PM in GRC and information.
auditing, (2) What are the research purposes of PM h) Contribute very shortly, only one or two
in GRC and auditing, and (3) What are the pages.
framework components and steps of PM in GRC i) Are unavailable, removed, or retracted.
and auditing. 3.5 Identification and Combination
3.3 Search Strings This stage identifies the most relevant papers
After proposing the research questions, the next based on keywords in papers’ abstracts and
stage searches for papers in scientific databases contents. Besides, we also combine and classify
with the following keywords as search strings: papers based on their types.
• “Process Mining” AND “Auditing”; 3.6 Data Extraction and Mapping
• “Process Mining” AND “Governance” OR
“Risk Management” OR “Compliance”; This stage extracts data from paper contents
• “Process Mining” AND “Governance, Risk based on the research questions and objectives.
Management, Compliance” OR “GRC”. Data extraction focuses on data related to
components and sub-components as illustrated by
We use the following 8 research databases in the the PM2 method’s stages [31]. We use this method
analysis: to identify components and sub-components better
• IEEE Digital Library based on prior studies on PM in GRC and auditing.
• Indersience
• Sciencedirect (Elsevier) 4. RESULTS AND DISCUSSIONS
• ACM Digital Library
• Emerald This section discusses the results of the SLR
• AISNet based on the research questions and objectives. The
• Google Scholar. focus of analysis and discussion is on PM
components and sub-components in GRC and
3.4 Inclusion and Exclusion Criteria auditing based on PM2 theory [31]. As a form of
Next, the most crucial stage is screening more SLR, the findings will be described in the form of
specifically based on inclusion and exclusion types of research (review or research paper);
criteria: research area or domain (financial, manufacturing,
healthcare, information systems, etc.); and
• Inclusion criteria, the selected papers must be:
4337
Journal of Theoretical and Applied Information Technology
30th September 2021. Vol.99. No 18
© 2021 Little Lion Scientific
components/sub-components as well as the stages title Auditing 2.0: Using Process Mining to Support
of the PM method on GRC and auditing. Tomorrow's Auditor in 2010 [14]. Subsequently in
2011, Wil van der Aalst introduced a conceptual
4.1 Paper Selection Results
model for online auditing [36]. These two studies
Based on the stages and paper selection have greatly influenced PM research on GRC and
process, a total of 34 papers were found to be the subsequent auditing [37].
most relevant to the search strings and selection
Research in this domain then continues to grow
criteria as shown in Table I. In stage 1, 1,459
to this day. Based on the data in Figure 4, for 2020
papers were found from 8 scientific article
only 1 article were identified, due to the SLR time
databases. This search used the search strings as
limit until February 2020.
described above. In the second stage there were 50
selected papers and in the third stage there were 34.
Based on the SLR method proposed by Petersen
[30], these 34 papers were then systematically
extracted to answer research questions.
Table 1: Paper Selection
No Database SLR
Stage 1 Stage 2 Stage 3
1 Emerald 48 1 1
2 AISnet 57 3 2
3 IEEE 176 8 8
4 Sciencedirect 203 10 9
5 Inderscience 13 3 -
Figure 4: Number and Types of Research and
Publication
6 ACM Digital 48 3 1
Library 4.3 Most Prolific Author
7 Springer Link 572 7 5
8 Google 342 15 8 Table 2 shows the most prolific authors based
Scholar on the 34 selected papers. Due to space limitations,
Sum 1.459 50 34
this section only presents the 14 most productive
The data extraction came up with 26 papers researchers with at least 2 papers published. The
discussing the framework and stages of using PM. total number of researchers from the 34 selected
While the remaining 8 papers do not discuss the papers are 64 people. Mieke Jans is the most
framework and stages. Next was the identification prolific researcher in PM research on GRC and
of components and sub-components in accordance auditing. The terminology used by Jans at the
with the stages in the PM2 method. This method beginning of his PM research was Business Process
was chosen because this method was a refinement Mining [38]. The next most productive researcher
of the existing PM implementation methods [31]. is Michael Werner whose research focus is on
This identification and mapping process was financial audits using PM. One of the fundamental
carried out to determine what components and sub- findings that also became the basis for determining
components were relevant in the context of PM PM components and sub-components in GRC and
implementation on GRC and auditing. auditing is Multilevel Process Mining for Financial
Audits [22].
4.2 Types of Research and Publication
Table 2: Most Prolific Author
The results of research data extraction showed
No Name # Papers
that there were 22 studies published in the form of
1 Jans, Mieke 6
journal articles and 12 others at conferences.
2 Werner, Michael 5
Furthermore, from the type of research, there were 3 Wisudiawan, Gede Agung Ary 4
5 review articles and the remaining 29 were 4 van der Aalst, Wil M.P. 3
empirical research articles with various approaches, 5 Kurniati, Angelina Prima 3
models, datasets and especially the PM framework 6 van Der Werf, Jan Martijn 3
on GRC and auditing. 7 Gehrke, Nick 3
8 Alles, Michael 2
Based on the available data, it could be seen 9 Herdiani, Anisa 2
that there has been an increase in the number of 10 Nüttgens, Markus 2
11 Verdonk, Marc 2
research on GRC and auditing, especially since Wil 12 Vanhoof, Koen 2
van der Aalst launched a scientific article with the 13 Vasarhelyi, Miklos 2
4338
Journal of Theoretical and Applied Information Technology
30th September 2021. Vol.99. No 18
© 2021 Little Lion Scientific
The research domain refers to the area or field The purpose of the Planning phase was to
of PM application in GRC and auditing. For ease of prepare the PM project. For this reason, the
grouping, the application domain refers to the area identified sub-components include the aspects of
of application of PM as described by Garcia et al business process selection related to the selected
[13]. The determination of the research domain is in process which can be answered using event-logs
line with one of the research questions, because and so on. The purpose of the Extraction stage was
apart from finance, the application of PM to GRC to extract the event-log and process model. To that
and auditing has also begun to be widely used in end, the identified sub-components include the
other domains. This increase is due to the extraction process, the number and form of
digitization process in various sectors [33] datasets, business process modeling, and so on. The
requiring audits, especially process audits to ensure purpose of the Data Processing stage was to process
performance and conformance [37]. the event-log in such a way that it was optimal for
the analysis stage. To that end, the identified sub-
Most PM research domains on GRC and components include the data import/export
auditing are in the financial area. This is in line functions, automatic data processing, data
with several previous SLR studies [13][39]. One of processing capabilities, and so on. The purpose of
the research domains that has also begun to apply the Mining & Analysis stage was to answer PM's
PM on GRC and auditing is the manufacturing objectives on GRC and auditing and get a complete
domain. This is related to how to ensure picture of process performance and compliance. For
governance and risks in the production process. The this reason, the identified sub-components include
following in Figure 5 is the domain of PM research the process discovery, conformance checking,
on GRC and auditing. process analysis & enhancement, and so on. The
purpose of the Evaluation phase was to link the
findings of the analysis with ideas for improvement
that achieve the project objectives. To that end, the
identified sub-components included the evaluation,
verification, and validation of the diagnosis and so
on. The objective of the Process Improvement &
Support stage was to use the PM results on the
GRC and auditing obtained to modify the actual
process execution. The input from this stage was
the idea of improvement from the evaluation stage.
Figure 5: PM Research Domain on GRC and Auditing The output of this stage was the process
4.5 PM Components on GRC and Auditing modification and improvement.
Method components and sub-components were To that end, the identified sub-components
the result of mapping of 26 frameworks from include facilitation of business process
various PM research on GRC and auditing to PM2 improvement and so on. In full, Table 3 is
methods, as shown in Figure 2 above. PM2 was comprised of the 6 components and 32 sub-
designed to support the implementation of PM components identified from the selected paper.
which aimed to improve process performance Table 3: Mapping of Components and Sub-Components
(performance) and measure compliance with rules
No Components Sub- Reference
and procedures (conformance). It covers a wide Components
range of mining processes and other analytical 1 Planning Business [34] [40] [14] [36]
techniques and is suitable for both structured and processes and [38] [17] [41] [21]
unstructured process analysis. event-logs [42] [7] [19] [20]
identified as a [43] [22] [10] [44]
Each stage in PM2 is defined as a component, whole [23] [45] [24] [46]
while concrete steps as well as activities are defined [47] [48] [49] [50]
Integration of [40] [14] [36] [38]
as sub-components. This sub-component came information [17] [41] [21] [19]
from the 26 papers that empirically use the stages systems as the [43] [22] [45] [51]
and frameworks in PM in GRC and auditing. PM2 source of [46] [47] [52] [11]
has 6 stages which are then called components, business [53]
4339
Journal of Theoretical and Applied Information Technology
30th September 2021. Vol.99. No 18
© 2021 Little Lion Scientific
4340
Journal of Theoretical and Applied Information Technology
30th September 2021. Vol.99. No 18
© 2021 Little Lion Scientific
No Components Sub- Reference of GRC, and auditing are also opened to be carried
Components out. One of the research opportunities that can be
participatory
analysis and continued is GRC and auditing on an ongoing basis
questionnaires as an answer to the challenges of a dynamic,
for process iterative, and sustainable digital era.
mining
analysis This research opportunity is focused on
involving IT, automation algorithms based on the PM method
business
process & audit
which is implemented in the GRC and auditing
experts processes. This automation is to ensure that audits
5 Evaluation Strict PM [41] [36] [38][21] and monitoring are carried out on an ongoing basis.
artifact testing [19] [42] [7] [20] This is important, because in the digital era most
with real data [43] [54] [10] [23]
business processes run automatically and
testing [45] [24] [51] [46]
[47] [49] [48] [58] continuously. Based on the results of this SLR, it
[59] [53] was also found that research on the automation of
Evaluation of [34] [40] [14] [38] the audit process and continuous monitoring had
relevance and [17] [21] [42] [20] never been carried out.
reliability [43] [22] [23] [24]
[51] [46] [47] [48]
[58] [52] [59] [53]
Process [17] [19] [43] [10]
5. CONCLUSIONS
attribute [44] [24] [51] [55] Based on the results of the SLR stage, all
ranking [48] [53]
Verification [34] [38] [36] [21] research questions have been answered. 34 selected
and validation [19][42] [20] [44] papers have described the types and areas or
[24] [45] [55] [47] domains of PM research on GRC and auditing.
[49] [48] [11] [53] Most of the papers are empirical studies that
Artificial [17] [20] [22] [10]
diagnosis and [24] [49] [48] [56]
comprehensively discuss PM design and
evaluation [52] [11] [59] methodology. Furthermore, the most productive
6 Process Facilitation and [34] [40] [14] [17] authors were identified as well as research
Improvement improvement [38] [36] [41] [21] objectives using PM in GRC and auditing. Most
& Support of compliance [19] [42] [20] [43]
management [54] [10] [44] [23]
PM objectives offer multiple perspectives that are
activities [24] [51] [47] [49] important for GRC analysis and auditing. Some of
[57] [52] [59] [11] them are control flow, which is used to analyze the
[53] order of execution of activities and the time
Process [34] [14] [38] [36]
perspective, which focuses on the duration and
improvement [41] [19] [42] [43]
and support [22] [10] [44] [23] frequency of occurrence of events.
through [24] [45] [24] [51]
implementing [46] [47] [49] [48] The stages and frameworks in each of these
innovation [58] [52] [59] [53] papers have been mapped and classified based on
Use and [17] [19] [42] [20] the PM2 method. These are then referred to as
implementation [54] [10] [44] [23] components and sub-components. This study
of PM to [24] [51] [47] [49]
support [48] [57] [11] [52]
resulted in 6 components and 32 sub-components
operations [59] forming the PM method on GRC and auditing. This
has never been studied before and becomes and
4.6 Implication and Future Research becomes the main contribution in this research.
This is the main finding of the research These findings are expected to contribute to the
questions that have been described previously. The development of PM knowledge on GRC and
results of this identification are particularly useful auditing through the availability of mapping
for mapping the components and sub-components components and sub-components of the PM
that make up the PM method in GRC and auditing. framework on GRC and auditing that has been
The implication of this research is that PM on GRC adjusted to the stages of the PM2 method [31].
and auditing which has been equipped with these The results of this study have succeeded in
components and sub-components can be researched mapping the components and sub-components of
continuously, especially to measure performance PM on GRC and auditing. This mapping has never
and suitability in the context of changing business been done before because PM on GRC and auditing
processes. In addition, research opportunities to research using the SLR approach is also still rarely
develop special algorithms that match the character done. Components are stages, while sub-
4341
Journal of Theoretical and Applied Information Technology
30th September 2021. Vol.99. No 18
© 2021 Little Lion Scientific
4342
Journal of Theoretical and Applied Information Technology
30th September 2021. Vol.99. No 18
© 2021 Little Lion Scientific
4343
Journal of Theoretical and Applied Information Technology
30th September 2021. Vol.99. No 18
© 2021 Little Lion Scientific
4344