Wednesday, August 6, 2014

Worth mentioning: KPMG's take on the state of tech in the audit profession

In a recent post (as in just this week) on Forbes, KPMG's  James P. Liddy who is the Vice Chair, Audit and Regional Head of Audit, Americas put out a great post that summarizes the current state of analytics in financial audits.

He diplomatically summarizes the current state of the financial audit as "unchanged for more than 80 years since the advent of the classic audit" while stating "[a]dvances in technology and the massive proliferation of available information have created a new landscape for financial reporting. With investors now having access to a seemingly unlimited breadth and depth of information, the need has never been greater for the audit process to evolve by providing deeper and more relevant insights about an organization’s financial condition and performance –while maintaining and continually improving audit quality." [Emphasis added]

For those that have started off our careers in the world of financial audit as professional accountants and then moved to the world of audit analytics or IT risk management, we have always felt that technology could help us to get audits done more efficiently and effectively.

I was actually surprised that he stated that auditors "perform procedures over a relatively small sample of transactions – as few as 30 or 40 – and extrapolate conclusions across a much broader set of data". We usually don't see this kind of openness when it comes to discussing the inner-workings of the profession. However, I think that discussing such fundamentals is inevitable given those outside the profession are embracing big data analytics in "non-financial audits". For example, see this post where I discuss the New York City fire department's use of big data analytics to identify a better audit population when it comes to identifying illegal conversions that are a high risk and need to be evacuated.

For those that take comfort in the regulated nature of the profession as protection of disruption, we should take note of how the regulators are embracing big data analytics. Firstly, the SEC is using RoboCop to better target financial irregularities. Secondly, according to the Wall Street Journal, FINRA is eyeing an automated audit approach to monitoring to risk. The program is known as "Comprehensive Automated Risk Data System" (CARDS). As per FINRA:

"CARDS program will increase FINRA's ability to protect the investing public by utilizing automated analytics on brokerage data to identify problematic sales practice activity. FINRA plans to analyze CARDS data before examining firms on site, thereby identifying risks earlier and shifting work away from the on-site exam process". In the same post, Susan Axelrod, FINRA's Executive Vice President of Regulatory Operations, is quoted as saying "The information collected through CARDS will allow FINRA to run analytics that identify potential "red flags" of sales practice misconduct and help us identify potential business conduct problems with firms, branches and registered representatives".

As a result, I agree with Mr. Libby: sticking to the status quo is no longer a viable strategy for the profession.

Tuesday, August 5, 2014

Had the Red Coats monitored Paul Revere's Facebook, would America be independent today?

The Globe and Mail reported  that Canadian intelligence captures private data without a warrant in its fight against Chinese hackers. As one would expect, the article discusses how there is calculation performed to determine whether the harm of invading privacy of Canadians is outweighed by preserving national security.

The privacy debate ranges between two camps. One camp, such as EPIC, work to shed light on how organizations and governments encroach on individual privacy and see encroachment as a threat to the individual's ability to express ideas and the like. The other camp is the likes of Jeff Jarvis, a professor at CUNY and self-admitted-Google-fanboy-extraordinaire, who often defends Google's encroachment on the lives of people by slamming people's fear of Google by forcing his opponents to quantify "what's the harm". He especially takes issue with the emotional response of how of people feel that Google's knowledge of them is "creepy".

In a sense, I understand where Professor Jarvis is coming from: consumers want more customized services and they don't want to pay cash for them, so companies have to resort to advertising revenues to be paid. Google, Facebook, et al, are profit making companies and they want to be paid.

To me this is not the real cost in terms of privacy.

The real cost is how the government uses that data it gathers directly, or indirectly via Facebook (according to RT the mood study FB was performing was part of a gov't contract to deal with "civil unrest") , Google, et al,  to interact with the politically objectionable.

One way to look at the cost is being spied upon, deemed a threat to national security and then sent somewhere to be tortured. This is what happened to Maher Arar. He was allegedly fingered by 15-year old Omar Khadr to be a terrorist. Based on this information, the US sent him to Syria to be tortured. According to the Garvie Report, the RCMP gave sensitive information about Arar to the US government. Ultimately, Arar was exonerated and all charges were cleared. The Canadian government paid him 10.5 million + legal fees and apologized to him. But how do you put a price on torturing an innocent man?

And to be sure democratic government do actively monitor the political active within the countries. For example, this article in the New York Times goes to describe in great detail how the government captured this information. Ultimately, Occupy was defeated through by police actions resulting in 8,000 arrests as well as other means. If it hadn't, how would the government have used this information to interact with the protesters on a go-forward basis?

From another perspective, the harm is also political engagement. Although the Maher Arar case shows that the government can mishandle the data it gathers about people and put them in harms way, this happens to a few people (e.g. Ahmad El Maati, Muayyed Nureddin and Abdullah Almalki) and is not a commonly used approach with dealing with protesters. For example, it's not like the Occupy protesters were rounded in the 1,000s and sent to Syria.

But there is another cost. Such surveillance and the potential for being harmed, puts a chilling effect for those that want to speak out against the way things are running. Why protest when you will lose your job and can't pay the bills?  Think about the American War of Independence. If the British were able to spy on the "facebook" pages, email accounts and cell phones of  Sam Adams, Paul Revere and pro-separatist sympathizers in the colonial militias - would the British had been able to arrest these separatists in a timely manner? Or would have pre-colonial surveillance society taught the Founding Fathers to self-censor and tow the pro-British line?  It is pure speculation, but I think the Union Jack would still be flying in the land we now call America.