A Comprehensive Framework for the Application of Process Mining in Risk Management and Compliance Checking

As process-aware information systems are becoming omnipresent in contemporary organizations, the requirements for risk management and compliance checking have evolved and demand a more process-centered approach. The business events recorded by these information systems are systematically and securely logged, which results in a wide variety of opportunities to evaluate dynamic or multi-state process properties. Process mining research has proposed a spectrum of techniques for analyzing the functional, control-flow, organizational and data perspectives of business processes. The framework presented in this paper structures the relationship between the process mining techniques, the organization's stakeholders with a control function and their activities. Focus will be placed on proposing a process-oriented approach that enables a timely analysis of large amounts of event data and provides a high process deviation detection effectiveness. Additionally, in this contribution we analyze the optimal settings for the process mining techniques and provide suggestions for further adapting the techniques to the specific needs of risk management and compliance checking. The applicability of the framework is tested and evaluated.
