Tuesday, February 26, 2013

Technology and Audit: Rising tide of tech floats all boats

Norman Marks, evangelist at SAP, neatly summarizes  in this 5 minute video the implications of the how the recent technologies, such as cloud, analytics, and the like has implications on the auditing profession.

As he notes, "if it's good enough for our clients, it's good enough for us" (i.e. us being the auditing profession).  He mentions how individual analysts and other business professionals are using tablets and other devices to perform analytics. He also cautions that we should not make the same mistake as we did when analyzing the potential for desktop computing. In the video he narrates an amusing anecdote about the reaction of the accounting firm that he worked at to the nascent, desktop computer in the 70s.

Although I agree with his comments, I would say that this also extends beyond the corporate IT environment I have written in the past about cloud and mobile tech and what I see is that these technologies favour the small and medium sized business (SMBs) over the large ones. Basically, SMBs can now afford enterprise class technology and are probably using this technology within their personal spheres. Hence the term "consumerization of IT": advances in technology are focused in the consumer space not the corporate IT Department. As illustrated by the use of the iPhone within the corporate IT, consumers brought or demanded that IT let them use the iPhone instead of the standard  issue (e.g. BlackBerry) smartphone. Furthermore, widespread familiarity with these technologies allows SMBs access to employees who know how to use these technologies - without specialized training. The sum of it: it is much harder for auditors to justify being low-tech, when even the employee of the SMB has gone high tech.


Sunday, February 17, 2013

NYT vs Tesla: Sustainability, Electric Cars and Data Audits

On February 10th, the New York Times posted a negative review of the Tesla S Sports car. The article entitled, "Stalled Out on Tesla’s Electric Highway", painted a bleak picture of the ability of the Tesla to keep its charge and travel long distances. This is obviously a big concern for those that would purchase such a car.  The reporter who drove the car noted the following with respect to his experience during the test drive:
  • Charge was dropping faster than anticipated.
  • In order to extend the charge, the reporter reduced the temperature to the point where he was feeling uncomfortable.
  • The reporter barely made it to the next charging station, even though he should have been able to make it (easily) based on the amount of charge indicated at the outset of his journey.
  • Car did not retain its charge overnight after. When the reporter went to sleep it stated 79 miles was required, but in the morning it stated that 25 miles was remaining
  • On another leg of the trip the reporter never made it to the next charge station, even though the driver drove the car at a modest 45 miles per hour. Instead, the car shut down on the road, requiring the reporter to wait 45 minutes for the car to be put on the flat bed truck.

Billionaire Elon Musk, the co-founder and CEO of Tesla and founder of PayPal, was not going to take this review lying down. As it turns out, the Tesla S sports car had data logs recording the drivers actions. So, Elon reviewed the logs and fired back with the following post, disputing the claims of the NY Times article. He noted the following:

  • The temperature was not turned down, but instead turned up to 74 degrees.
  • Insufficient time was spent charging the car (47 minutes instead of 59 minutes).
  • On the last leg of the trip where the car died, the reporter actually missed the recharge station.
  • He drove between 61 and 81 mph, well beyond the 45 mph claimed.
The blog post also points a link to the following article, highlighting that the report had previously noted that electric cars were "dismal, the victim of hyped expectations, technological flops, high costs and a hostile political climate", pointing to the writer's bias against electric cars. 

Of course, the report was also not going to take this rebuttal lying down either. And so he fired back with the following "rebuttal of the rebuttal". (I am not going to summarize what he said, but you can read it there).

The point is who is correct? 

Although Tesla is stating that the reporter has an axe to grind, the same argument can be made against Tesla. That is, they want electric cars to be viewed favourably so that their company succeeds. 

And that's where the importance of data audits and system controls come in.

How do we know the logs that Tesla are using are not tampered with? What are the system controls that are in place to ensure that there is data integrity? 

The importance of this topic goes beyond a tussle between a media outlet and company. What's really being discussed is here is environmental sustainability. The tussle illustrates the increasing importance of data for society to make critical judgments on how to think about sustainability. And this goes to my next question: are assurance practitioners ready to tackle these types of third party reporting challenges? 

As I've mentioned in previous posts, auditing information is skill that goes beyond the actual information being audited. In terms of the Tesla car, audit procedures could be performed to see whether there were controls over the data logs exist to ensure they were not tampered with,  the sensors that report the data generated could also be tested for completeness, accuracy and validity, etc. For example, Musk claims that the car never ran out of energy, where as the reporter (in his rebuttal) claims it did. So is it the reporter right and the sensors wrong? Or the sensors right and the reporter are wrong? You can only know if someone independent of the NYT and Tesla tested the controls. 

As we know from the increased interest in big data (e.g. it was a big part of the last US federal election), these types of disagreements are going to become more common place. It illustrates the financial auditors need to become more proficient in technology and be able to port over their skills from one arena of financial information to sustainability, etc.

However, the world waits for no one. 

Non-accountants have already started to dabble in the world of assurance. Although not an audit per se, CloudAudit  is an attempt by members of the Cloud Security Alliance to allow potential cloud customers to view "audit artifacts" (which I would translate to source documents or audit evidence) maintained by a cloud service provider and gain some comfort over the state system controls at the cloud customer. Consequently, if audit professionals choose to stay on the sidelines and stick to the traditional financial audit, some other tech savvy professional group will be needed to fill this gap.  

Sunday, February 3, 2013

CNET, CES and Crowd-sourced audits: Independence does matter

In a previous post, I looked at how the editorial interference from CBS forced CNET to award the Best in Show category to another contestant because CBS was involved in litigation against the company who actually did win best in show. The perspective that I took was more of a "decision usefulness" perspective: could a reader actually figure out who the real winner is due to the use of disclaimers. 

Others were much more outraged over this lack of objectivity. 

Since my post, Greg Sandoval, a reporter at CNET, has resigned over the controversy (click here to see his tweet).  More importantly, the Consumer Electronics Association (CEA) itselft has taken a firm stand against this move by CBS. As noted in this press release, they have effectively overturned CNET's decision and have awarded the Best in Show to both the Hopper and Razor's Edge (effectively CNET's second choice). They have also are requesting a request for proposal for "a new partner to run the Best of CES awards program". 

Looking at the heart of the issue, the question is how does one maintain independence when reporting on a matter? 

We can take a look at what the Canadian Institute of Chartered Accountants (CICA) and the Canadian Public Accountability Board (CPAB) have written about independence in this publication. On page 7, they cite the International Ethics Standards Board for Accountants (IESBA) and breakdown independence in two categories: 
  • "Independence of mind: The state of mind that permits the expression of a conclusion without being affected by influences that compromise professional judgment, thereby allowing an individual to act with integrity and exercise objectivity and professional skepticism.
  • "Independence in appearance: The avoidance of facts and circumstances that are so significant that a reasonable and informed  third party would be likely to conclude, weighing all the specific facts and circumstances, that a firm’s, or a member of the audit team’s, integrity, objectivity or professional skepticism has been compromised."
The publication also a number of threats to independence. The two probably most relevant are the "self-interest threat" and the "intimidation threat", which I think are probably most relevant to the CNET-CES controversy. Effectively, CBS's objectivity of the reporters was put aside in favour of the self-interest emanating from their litigation against DISH (who makes the Hopper). 

But the more interesting one to explore is the "intimidation threat". And this is most felt by reporters and editors who are pressured to abandon their view in favour of what the parent company wanted. And it speaks to a fundamental flaw in journalism: the press depends on money from the companies and others that they need to write about. The biggest illustration of this is what went down between Fox News and Jane Akre and Steve Wilson when they were forced to stop reporting about the health effects of drinking milk from cows that had been given Monanto's Bovine Growth Hormone. The reporters were fired when they refused to give into the "intimidation threat". They initially won their case under Florida's whistle blower law, but when Fox appealed they lost. The reason? The media has no obligation to tell the truth.  

So the challenge remains as to how does one remain independent when they need to eat and pay their bills in a free market system? Greg took the principled stance as, Jane Akre and Steve Wilson did, but not everyone can afford to pay the prices. People have to pay rent and take care of their families. The reality is that if society really cares about have access to information that has integrity they need to pay for it.

Is it time to have audited standards for the media, similar to the one used for financial information generated by financial companies? 

Although not perfect by any stretch of the imagination - the accounting scandals, a la Enron, serve as an important reminder of the lack of perfection in the system - the way financial information is subjected to testing serves at least as a starting to point as way to understand what needs to be there to ensure the information has integrity. 

Another probably more plausible approach is to leverage crowd sourcing and organize it to enable people comment or blow the whistle on information that is produced in a manner that is inaccurate, incomplete or invalid. The Guardian actually did this for the MPs expenses: they built an app that allowed ordinary users to analyze MPs expenses (if interested check out the Google Docs Spreadsheet with this info). As noted in the article, there was another attempt to build such an app (see here for the alternative). This is both good and bad. It's good in the sense that no one organization has the ability to monopolize such initiatives. However, it is bad in the sense that the efforts of the crowd are effectively divided. Regardless, it does illustrate that the potential for "crowd sourced audits".