Process Deviation Categories in an Auditing Context

Abstract

Continuous auditing is introduced as a method of auditing to provide assurance on a full population of data in real-time or in near-real time by applying data analytics. However, applying currently existing data analysis techniques in an auditing setting has some limitations. First, the number of alarming cases detected by continuous auditing projects is too large to examine completely and secondly, the current algorithm provide the output as a set of deviations. This set is provided a too technical language, which is not per defi nition of interest to an auditor. In this paper, we address the latter drawback: when an auditor is confronted with deviating transactions (like a missing approval), how does the auditor classify these deviations? Is there a speci c set of categories that the auditor uses to group these deviations? We conducted a literature study to extract a set of deviation categories from the existing theory in business process management. Then by conducting a fi eld study, we confronted auditors with 82 process deviation in total. Having more insights in how they perceive these deviations and attribute characteristics to them, will enable future research to map the large number of deviations in sets of deviation types that are aligned with how the auditor perceives deviations. The results of our study suggest that auditors broadly categorize deviations in three groups: activities that are missing, activities that are reordered, and activities that are repeated. This fi nding is to a large extent consistent with literature in the business process management domain. However, one primary group of deviations in the business process management literature, activities that are inserted, does not seem to be used actively by auditors. These ndings may have implications for the acceptability of certain data analysis techniques by auditors.