Monday, April 10, 2017

[Update] Do 2 non-CPA audits equal 1 CPA audit? Zcash gets non-audit firms to issue audit reports.

Last year, Zcash went live.

What is Zcash?

Zcash is a public blockchain similar to bitcoin. Zooko Wilcox, the founder of Zcash, explains what it is in the following video:



As he notes in the video, what distinguishes Zcash from bitcoin is that it offers users greater privacy, as they don't have to disclose their private key (which is a pre-requisite for bitcoin). However, because Zcash uses zero knowledge proofs (see the amazingly easy-to-follow explanation below), there is no need for the private key to be revealed - thereby offering extra anonymity to the user.


However, what I thought was exceptionally noteworthy about Zcash is how it went about proving to the world that its code is sound. When Zcash went live, Coindesk reported the following:

"Notably, the development team released two audits conducted by NCC Group and Coinspect, respectively, ahead of the launch.

The reports sought to identify potentially harmful bugs in the cryptocurrency's code prior to launch. (The audits can be found here and here)."
The article referenced a blogpost, which described the scope of the security audits as follows:

"Today we are publishing the final reports of each external security auditor we contracted this summer to review our code. We've triaged the issues found and addressed any we considered severe (e.g. could compromise user privacy, lose funds, break consensus, etc...)."

NCC Group's conclusion was (also available here):

“NCC Group performed a two-part targeted review of the Zcash cryptocurrency implementation. The first part, performed by the Group's Cryptography Services practice, focused on validating that Zcash's implementation adhered to the Zcash Protocol Specification. An assessment looking for security errors within the cryptographic implementation was also performed. The second part was a C++ source code review for vulnerabilities using static and dynamic analysis and fuzz testing. The review also included a cursory assessment of dependent libraries and recommendations for improving software assurance practices at Zcash.

NCC Group identified an issue that would allow an adversary to tamper with the verification and proving keys used by the Zcash daemon as well as a number of C++ coding errors that could result in stack-based buffer overflows, data races, memory use-after-free issues, memory leaks, and other potentially exploitable runtime error conditions. Additionally, most, if not all, third-party open source library dependencies were identified as being out-of-date. In the end, NCC Group did not find any critical severity issues that would undermine the integrity of the Zcash blockchain or undermine the security of confidential transactions during the time that the review was conducted (from August 8 – September 2, 2016).”

As for Coinspect, they noted (also available here):

"Coinspect reviewed Zcash's innovations over the Bitcoin Core source code, focused on evaluating its resistance against specific threats to cryptocurrencies. Coinspect identified high-risk and moderate-risk issues during the assessment that affected the performance and availability of the Zcash p2p network. The security issues identified did not allow remote code execution nor allowed an attacker to steal funds or compromise the privacy of Zcash users. However we found exploitable 51% and isolation attacks with minimum resources.

It is an honor for Coinspect to contribute with our cryptocurrency security experience to the exceptional team behind this exciting project."

What I thought was interesting was a couple of things.

Firstly, these are purely tech experts, not CPAs. They are producing "audit reports" that users will rely on for privacy, the ability of the protocol to generate consensus, and loss of funds.

Of course, a CPA firm couldn't opine on such things because the liability would be too much for the firm to bear.

But I think that's the point: if things are so complex/risky that a CPA firm can't produce the audit report, it leaves the field wide open for competitors like Coinspect and NCC Group (who were likely paid $250,000).

And here is the twist: they retained 2 or 3 firms to do this. I think that's the really interesting part.

Audits completed by CPAs are governed by strict standards of independence to ensure that the auditors are independent. However, what Zcash is in effect saying is that such issues can be overcome by getting two "unlicensed" auditors to opine on the same thing. Implicitly, why would two independent parties collude on a lie?

Initially Zcash as a cryptocurrency was not doing so well price-wise. When this post was originally written (on Dec 23rd) there were 188,905 transactions executed on this blockchain. Today, roughly 3 months later on April 10th, the transaction count has more than doubled to 463,560. Furthermore, it is now the 9th most popular by market capitalization.

The world of cryptocurrency is not as conservative as the world of financial statements. However, the approach Zcash took is essentially a way to gain trust. Although we can have philosophical debates on whether this meets GAAS or not, the reality is someone has found a way to eat our lunch.

Author: Malik Datardina, CPA, CA, CISA. Malik works at Auvenir as a GRC Strategist that is working to transform the way we do financial audits. 

Saturday, April 1, 2017

Cafe X and Amazon Go: Auditing a robot-operated store?

By now you've probably heard of the robot-barista - Cafe X. If not, check out this video from Wired, where David Pierce walks us not only through how the robot will make your latte, but why he thinks it's better than the human alternative:



Amazing isn't it?

In a presentation I did last year on how these forces of automation could impact auditing & accounting, I noted it's easier to see how technology disrupts someone other than you.

And so it looks like baristas have met their match.

As Pierce notes in the video, the inconvenience of dealing with imperfect people is something that most people want to avoid in the rat-race we live in: who wants the barista to remake your coffee 11 times as he says? ;) 

The Wired article also notes that Cafe X is 'high-quality at a cheaper price': 

"Surprisingly delicious coffee, starting at $2.25—cheaper than you’d find at Sightglass or even Starbucks. Cafe X’s location in the corner of the Metreon may not entice you out of your daily routine."

Amazon Go: Walkthrough Technology

Amazon has also wowed the "techthusiasts" out there with their cashier-less store concept:



In the FAQ section, Amazon summarizes how this cashier-less store works:

"Our checkout-free shopping experience is made possible by the same types of technologies used in self-driving cars: computer vision, sensor fusion, and deep learning. Our Just Walk Out Technology automatically detects when products are taken from or returned to the shelves and keeps track of them in a virtual cart. When you’re done shopping, you can just leave the store. Shortly after, we’ll charge your Amazon account and send you a receipt."

Although this has the potential to revolutionize retail, Amazon has experienced some setbacks of late. The store can allegedly only handle 20 people at a time. So there may be some kinks to work out before this goes mainstream.

Obviously, this could have a massive impact on entry level jobs: most of us who were young a while ago relied on these McJobs for spending money and funding our college/university tuition. They also gave students some practical work experience to help land a career in the accounting profession ;)

But let's save this discussion for a future post.

How would you audit cashier-less stores, like Cafe X or Amazon Go?

The retail industry has been a manual-intensive industry that requires cashiers, stock room personnel and the like. Such a process naturally requires policies and procedures (aka internal controls) that ensure that merchandise makes it from the shelf to the cash register and into the customer's possession. And there are those anti-theft mechanisms to prevent shoplifting as well. In the industry, "shrinkage", the amount of merchandise that is stolen, robbed, damaged, etc., is estimated by the National Retail Federation to be 1.38% of sales or $45.2 billion for 2015.

Cafe X and Amazon Go offer a glimpse into how automating traditional businesses can alter these fundamental risks that impact the way we go about conducting our financial audits.

With Cafe X, shrinkage is almost eliminated as there are no humans involved in the production process. Once the kiosk is loaded up with cups, coffee, syrup, sugar, milk, etc., the system is essentially fully automated - no manual intervention by baristas or customers.

Amazon Go, on the other hand, uses a whole lot of automation that is watching and analyzing every move of the customers (and employees) throughout the store. Consequently, this would not be the store to steal from! And let's not forget Amazon is experimenting with those drones - are we really sure that they are unarmed?


Given this level of automation of the actual business process and controls, could auditors stick to the tried, tested and true retail audit procedures? Or would this enable a more automated approach?

I was directly involved with the recent test-audit of the blockchain involving loyalty points. One of the realities of auditing such exponential technologies is that it makes controls testing a must. For example, for the financial auditor to rely on the digital signatures there needs to be some testing around the wallets to ensure that the signatures are reliable.

Consequently, testing such automated stores would require either a SOC2 or a modified SOC report to meet the needs of such a store. For example, the SOC2 would need to have some way of gaining comfort over how the stock and inventory gets loaded into the store. Likely the auditor would rely on the automated process which the store uses to replenish stock, but it's the hand-off from the delivery person (assuming it's still a human) that would be the area where there is a risk of shrinkage. For example, how does legitimately damaged inventory get accounted for at that point? Whatever process and controls Amazon/Cafe X put in place would need to be tested from a controls perspective.

For the substantive component, I think that's where things get interesting: enter the "embedded audit module". This concept has been around since at least 1989. The idea is that the auditor installs independent software onto the client's system, which then transmits data back to the auditor, who uses it as a basis for conducting the necessary audit procedures and tests. The core idea is that the auditor has full control over such a system and the client cannot tamper with the code.

What would be relatively straightforward would be the data-capture component: sales data, stock data, spoilage, etc. would be uploaded from the automated store right into the auditor's system. But this then requires the additional step of verifying the data against independent source documents (e.g. invoices, purchase orders, etc.). In other words, the audit procedure would still require manual intervention, as the auditee would need to send this information back to the auditor to complete the audit.

Where I think the audit innovation would be is in exploring how video footage can act as a substitute for physical/direct observation by the auditor. That is, could the auditor install a video camera in the automated store as part of the EAM that would then act as independent audit evidence of the actual sale or purchase? For example, in the Cafe X case the auditor could use the footage and the visual software to count the cups sold that day and reconcile that to the sales data transmitted back from the EAM for the day.

One can argue such transactions are not material and therefore such procedures are overkill.

However, I think now is the right time to conduct experiments and test audits to see whether we can reinvent the classic audit to meet the technology of today. In a future post, we will explore what this means broadly for jobs and more specifically how this could impact the profession.

Author: Malik Datardina, CPA, CA, CISA. Malik works at Auvenir as a GRC Strategist that is working to transform the way we do financial audits. 

Thursday, January 12, 2017

Change Management: Norway's switch to Digital Radio

Norway is making the switch: moving from FM Radio to digital audio broadcasting (DAB).

As reported in the Local, an English-language Norwegian news site, Ole Jørgen Torvmark, the head of Digitalradio Norge (jointly owned by the private and public radio stations), said:

"The big difference and the main reason behind this big technological shift is that we want to offer a better radio service to the whole population."

The article also notes that FM can only support 5 national stations, whereas DAB can support 22 national stations and 20 smaller ones. Furthermore, they make the case it is:

  • Cheaper: Will cost an eighth of FM.
  • Better: Better coverage, ability to catch up on programs.
  • Faster: Easier to get emergency messages out.

However, not all are happy. According to the WSJ, 2/3rds of people are actually against the move. The Local noted that people are not pleased about paying the extra money for getting the new radio to receive the signals - despite the advertised benefits.

For those interested in the technology behind AM and FM radio, check out this:



But for more on the challenges of abandoning this decades-old technology, check the following BBC report:


As any technology professional knows, one of the most difficult aspects of making change is the people aspect of the technology. For example, Norwegians would be collectively better off if they switched to DAB, as the overall cost of operating radio would be much cheaper.

But is that good enough for people to pay the costs for getting a new radio?

It's important to recognize that people need more than cold facts to be positive towards change. Organizations that need to make such changes - technology or otherwise - need to also address the emotional nature of people by addressing the fear, uncertainty and doubt that come along with such change.

Monday, January 9, 2017

SEC and Whistleblowers: Can robots come to the rescue?

Saw the following news alert from AccountingToday:

"The Securities and Exchange Commission announced that it had awarded more than $5.5 million to a whistleblower. According to the SEC, the whistleblower directly reported critical information to the commission about an ongoing scheme at their workplace, and that led to a successful enforcement action..."

The article also gives some useful stats on the number of whistle-blowers coming out and the total number of payouts, so check it out.

This is good news in terms of promoting the idea of speaking truth to power. Without such assistance it can be quite difficult to encourage whistleblowing.

We often have a romantic notion of what it is like to tell the truth when there is a drive by all of those around us to commit fraud. Too many Hollywood blockbusters make us believe, falsely, that there is always a happy ending where the good guys win.

For a reality check, we should take a look at Alayne Fleischmann's ordeal in attempting to blow the whistle on the mortgage fraud at Jamie Dimon's JP Morgan Chase. As Rolling Stone's Matt Taibbi notes:

"Fleischmann...had to struggle to find work despite some striking skills and qualifications, a common symptom of a not-so-common condition called being a whistle-blower...Thanks to a confidentiality agreement, she's kept her mouth shut since then. "My closest family and friends don't know what I've been living with," she says. "Even my brother will only find out for the first time when he sees this interview."

As she notes in the video below, the reality of such environments is that there is subordination of the "compliance" functions to enable the fraud to go through (e.g. the Due Diligence manager got angry when people thought that the loans were bad), lack of effective segregation of duties (e.g. sales people were involved in the due diligence review), and other issues:



Can robots come to the rescue?

When looking at process automation more broadly, we see that one of the "side benefits" is compliance. For example, when a library loans out e-books they are never returned late, as the patron's access to the digital copy on the reading device is removed right on the due date. Similarly, autonomous vehicles never speed, never fail to come to a full stop, and the like.

Insurance companies have attempted to use what we can call "compliance tech" by offering drivers a discount for good driving if they are willing to install a monitoring device in their car. As noted in the CBC article, Desjardins Insurance has noted that 7000 people have signed up for this offer, which they call Ajusto. As can be seen in the video, Ajusto also leverages gamification and social features to promote this program.


Although they have promised that such technology can't be used to penalize the driver, many skeptics are not sure that it will turn out that way. For example, Leonard Kunka, a motor vehicle litigation lawyer, notes:

"It's an invasive technology. It provides a lot more information than insurers currently have to set premiums, and I question whether it's any better than what the insurers use today to set premiums, which is a person's driving record and their history of collisions and accidents."

In other words, can we expect the insurance companies to maintain rates when they can "see" the driver constantly breaking speed limits? Conversely, can we expect them to lower rates when they see that people can drive safely above the speed limits?

Although I doubt it, the reality of such compliance-tech is that it is only used by people who are already compliant: the others who are not compliant would not sign up for such technology and, even if they did, would somehow subvert it - as we saw with the whole Volkswagen emissions debacle:

"In the test mode, the cars are fully compliant with all federal emissions levels. But when driving normally, the computer switches to a separate mode—significantly changing the fuel pressure, injection timing, exhaust-gas recirculation, and, in models with AdBlue, the amount of urea fluid sprayed into the exhaust. While this mode likely delivers higher mileage and power, it also permits heavier nitrogen-oxide emissions (NOx)—a smog-forming pollutant linked to lung cancer—up to 40 times higher than the federal limit. That doesn’t mean every TDI is pumping 40 times as much NOx as it should. Some cars may emit just a few times over the limit, depending on driving style and load."

Ultimately, technology is only as good as the people that support it, and so we can't abdicate such responsibility to technology. Instead, we need to continue to encourage people morally and financially to speak the truth when they see things go awry.

Monday, January 2, 2017

Millennials: Are we influencing them or are they influencing us?

Millennials. Most of us have heard something about them by now. A friend of mine, who is a millennial, shared this video with me via Facebook:


Given that it's been a few years since I uncovered this generation, I thought it was a good refresher on the topic. However, I think a couple of caveats are important to note about the phenomenon:

  • Millennials are middle class: As Sinek notes, millennials have a notion of entitlement. However, that can only develop if they've been insulated from the reality of life. That is, they've always had a "safe zone" to fall back on: namely the bank and couch of mom and dad. This is not the reality of people who live in poverty inside or outside of Canada/US/Europe/Australia.
  • The "boys adrift" phenomenon may be a confounding factor: Dr Leonard Sax wrote Boys Adrift, a phenomenal book that explores why boys - specifically - have "failed to launch". This includes video games, pornography, misguided education approaches and other factors. It is definitely important to look at Sax's work when the individual you are trying to help or advise is male.

That being said, what I thought was interesting is: who is influencing whom? Specifically, when Sinek spoke about smartphone addiction I thought "uh oh, is he talking about me?"

I recently commented to a colleague about how I have a propensity to ensure that I clear all my notifications, and maybe that's a good thing because that way I am up to date on all my emails, Slacks, and texts. However, after watching this I realize that in my desire to remain constantly productive, I am favouring the virtual world over the physical world.

These devices are amazing in terms of helping us do more with our dead time (e.g. driving); that's how I "read" Dr. Sax's book - by listening to it on Audible while on the go. However, am I now at the point where I tend to prefer the screen of the smartphone? It is truly a strange thing for me. Early on in my career as a junior auditor I found the most effective way to deal with clients and colleagues was not by phone but actually going and discussing with the person live. In fact, when I returned to Deloitte in 2012 the new virtual mode of connection took a while for me to adjust to, as we used Lync (now Skype for Business) to conduct meetings - no more physical presence.

So how can it be that I've become accustomed to the "millennial approach" to interaction?

Neuroplasticity.

Nicholas Carr, who wrote the Atlantic article "Is Google Making Us Stupid?" and later followed it up with "The Shallows", actually talks about a similar phenomenon that he went through. He noticed how hard it had become for him to get through books. What he discusses in his book is how, by being immersed in the era of tweets, blogposts, and YouTube clips, our brains are actually being reshaped by neuroplasticity to favour this type of engagement over reading.

Combine that with the dopamine bursts that Sinek talks about, and it's no surprise that I have suddenly become millennialized.

However, there is hope. 

Carr discusses how, by disconnecting and forcing himself to read, he is able to restore his brain and once again consume long-form material. The key is to purposely retrain our habits to return to the world of physical interaction and put away the smartphones, as Sinek suggests.

For more on the positive side of neuroplasticity see the work of Barbara Arrowsmith-Young who was able to rewire her brain. It's a truly inspirational story about how a woman was able to overcome her learning disabilities and help others as well.

Friday, December 30, 2016

RPA and the Accountant: A path out of the mundane?

One of the latest hype technologies is Robotic Process Automation (RPA).

My first question when coming across this is: what is the difference between this and cognitive computing?

As can be seen in these videos, it's more about "dumb" automation instead of "smart" innovation: routine tasks are handled by the system instead of a person. This is in contrast to something like IBM's Watson, which attempts to understand language and offer probabilistic judgments as to what is the right answer to a question, like it did on Jeopardy!


The first video (produced by Deloitte UK) does a great job of actually showing us how RPA can automate the process of extracting information/documents from email and then generating invoices through the company's ERP:



The strength of this video (produced by EY) is showing us the business case for RPA:


The idea is that RPA can automate routine tasks, instead of offshoring them. In other words, it brings the world of automation once reserved for the assembly line to the back office.

As described in this Deloitte publication, RPA is the first step towards a cognitive enterprise: automate the task and then bring cognitive computing, AI, machine learning, etc., into the process to make it smarter.

To use a maturity model approach, RPA is the first level in bringing together the necessary data and processes to actually train the algorithm to make it smarter.

What does this mean for auditors and accountants?

For accountants, the back office is going to require fewer people to execute these mundane tasks.

However, this doesn't necessarily mean that jobs will be lost.

As with the advent of cloud computing, enterprises will have to determine whether such talent can be used more effectively to improve the quality of financial reporting and work on the backlog of finance projects that haven't been attended to because staff were working on these low-value tasks. That being said, the problem of meeting quarterly targets to feed investors' insatiable desire for profits is something that can't be ignored when discussing whether management will choose profits over better processes.

For auditors the story is a little different.

The reality of the profession is that it can't retain talent because people find the work unsustainable: it's hard to shut down your personal life for a third of the year or more to meet the needs of clients during busy season.

RPA and automation could make the profession more sustainable, as these mundane tasks could be handed to a system instead of a junior. This is similar to the "race with the machine" concept I mentioned in this post, when referring to how Watson is helping doctors treat cancer. Auditors could then focus on more value-added tasks, such as assessing aggregate risks, industry trends, etc. Such insights will improve audit quality and give clients a better understanding of business and audit risks, making the work more interesting for both auditors and auditees alike.

Thursday, December 29, 2016

Blogging for bitcoins? A look at the crypto-change alternative to paywalls

Another interesting talk at the American Banker conference discussed how cryptocurrency more broadly could address the issue of advertising, ad blockers and paywalls.

One of the presenters, Victoria Van Eyk, wrote a post on Medium that essentially summarizes the issues as follows:

  • Advertisers lose the one-to-many medium to the Internet: Although not explicitly mentioned in her post, our journey begins with the Internet displacing the incumbents - TV, print and radio - as the advertisers' destination of choice. It was the Internet that enabled the "attention merchants" (as Tim Wu puts it in his latest book) to better target us with ads.
  • Targeted ads, privacy and the invasion of our minds: The post does a good job of summarizing the creep factor of the ads - in terms of how technology has been developed to actually follow you around on the web to get you to buy something based on your habits. The other aspect is the whole idea of advertising itself or, as Tim Wu puts it, the "sale of attention". His talk at Google summarizes the history of how both public and private enterprises used the media and "sticky eyeballs" to attract attention; see the video below for a quick snippet of the type of things he discusses.


  • Ad blockers - the remote control of the Internet: Of course technology is a double-edged sword. So like the remote control that enabled people to skip commercials (which Tim Wu explains was invented by the eccentric owner of Zenith, Eugene F. McDonald, as an electronic device that would literally zap the commercial), ad-blockers came to be our best friend in terms of protecting us from these unwanted ads.
  • Media companies strike back: Just when you think the consumer rebellion would succeed against the corporate empires, they strike back. Companies make you turn off the ad blocker to use their website. As they hold access to the material, they ultimately have the power to withhold the content unless we comply with their demands.
  • Enter cryptocurrency-based micro-payments: The solution to this tug-of-war? Micropayments. When I heard the panelist discuss this, I thought this made a lot of sense. Being someone who has given in to paywalls, I would most likely have a media budget set aside that would allow me to pay for articles - 10 cents here or 25 cents there - to consume content. This is much better than being on the hook for hundreds of dollars a month for subscriptions you may or may not use. In Victoria's post, she mentions a number of services that are working on this model, including Brave (which uses cryptocurrency) as well as Patreon (see video below).


As I mentioned in my last post, bitcoin represents the world of open, and this is one of the use cases that illustrates its potential. With bitcoin, micro-payments can potentially be a cheaper, friction-less way of making these types of payments, which were prohibitive in the credit-card-centric world that we currently inhabit. For example, Brave notes in their FAQ that they charge 5%. However, without bitcoin they would have to charge a 2.5% credit card fee on top of that for their business to be viable.

Although it would be nice to see this hit a critical mass, I think one of the challenges beyond the cost is the underlying psychology that prevents people from paying out: I think many would rather sell access to their mind to the attention merchants instead of paying out digital cash.