Wednesday, May 17, 2017

Will auditors go the way of horses?

In late 2015, MIT Professors Erik Brynjolfsson and Andrew McAfee penned an article entitled "Will humans go the way of horse labour?"

The article explores how the mechanization of farm labour serves as a model for exploring the automation of knowledge work, citing the work of Nobel Prize-winning economist Wassily Leontief. They state:

"In 1983, the Nobel Prize-winning economist Wassily Leontief brought the debate into sharp relief through a clever comparison of humans and horses. For many decades, horse labor appeared impervious to technological change. Even as the telegraph supplanted the Pony Express and railroads replaced the stagecoach and the Conestoga wagon, the U.S. equine population grew seemingly without end, increasing sixfold between 1840 and 1900 to more than 21 million horses and mules. The animals were vital not only on farms but also in the country’s rapidly growing urban centers.

But then, with the introduction and spread of the internal combustion engine, the trend rapidly reversed. As engines found their way into automobiles in the city and tractors in the countryside, horses became largely irrelevant. By 1960, the U.S. counted just 3 million horses, a decline of nearly 88 percent in just over half a century. If there had been a debate in the early 1900s about the fate of the horse in the face of new industrial technologies, someone might have formulated a “lump of equine labor fallacy,” based on the animal’s resilience up till then. But the fallacy itself would soon be proved false: Once the right technology came along, most horses were doomed as labor."

The MIT Professors are not alone in sounding the alarm when it comes to how automation can impact labour. Others include Thomas Piketty, Douglas Rushkoff, Martin Ford and Nick Carr.

If the techno-dystopians are right, then there will need to be a fundamental alteration of the way the economic system is structured to address the unemployed masses. Such masses are not likely going to take such things lying down. For example, in response to the Great Depression there were mass demonstrations in Washington DC where thousands protested their plight. In January 1932, Cox's Army of 25,000 assembled in the capital to protest their poverty. Later that year, the Bonus Army of 43,000 marched on Washington in the summer to demand the US government pay the bonus promised early.



Alternatively, if the techno-utopians are right, such as Peter Diamandis and others at Singularity University, then such protests won't be necessary: the system will make changes proactively to ensure that the gains made from exponential technologies are made available to the majority.

The point is that either way actions must occur at the political level to make the changes necessary to address the deeply embedded economic architecture.

Consequently, working within the status quo leads to one actionable option: "Race with the Machine".

Prior to penning the article I cited above, MIT Professors Erik Brynjolfsson and Andrew McAfee proposed that the path forward requires "man and machine" to work together.



This is essentially how IBM's cognitive system, Watson, was positioned when it comes to doctors and medicine: doctors delegate the task of treatment research to Watson, while they determine what is the right treatment for their cancer patients. For example, doctors and Watson were able to work together and determine what the correct treatment was for a 60-year-old Japanese patient.

How can this be applied to financial audit? 


Firstly, the scope of the audit is driven by optimizing the cost-benefit curve. Consequently, there is a potential to get greater assurance for the same amount of resources allocated. Keep in mind that if auditors had to audit all transactions, the organization could go bankrupt just trying to pay the audit bill. Consequently, auditors only look at transactions on a test basis.

However, with the increased datafication of an organization's interactions with stakeholders, there is an opportunity - that didn't previously exist - to analyze these interactions for audit insights.

Take for example a Business to Consumer (B2C) company, like Dell, that interacts with its customers via social media. In 2005, there was an infamous spat between a CUNY journalism professor, Jeff Jarvis, and Dell computers (original post here). Jarvis was irate over the customer service and has been an Apple customer since. Such conversations can be mined for potential audit implications. In this particular instance, it could be a means to assess the adequacy of the sales returns allowance - developing a model based on how many other customers have complained via blogs, Twitter or other social media about the B2C company and then assessing whether the provision is adequate.

Previously, such an analysis would be cost prohibitive and it wouldn't make sense for the auditor to even consider such a thing. For example, the B2C company would need to record all conversations and then have the auditor listen to thousands of hours of conversations to see whether such an issue actually exists.

This is not to say that it is currently feasible to run such an analysis. Tools that aggregate, standardize and analyze such unstructured text could be argued to be in their infancy. However, datafication combined with further advances in social analytic tools (see video below for an example) is the first step to a world where such analysis could be feasible.



The second separate but related issue is the role of the regulators in opening or closing the gate on innovation.

Some may mistakenly believe that this is due to the regulated nature of audit. However, audit is not the only arena where innovation is shaped by the “regulator”. In fact, the success or failure of innovation depends on how the incumbents who govern the landscape make way for the new technology (or not).

Take for example the rise of the iPhone in the corporate environment. What allowed consumerization to take place (i.e. allowing users to connect their favourite smartphone devices to the network instead of the corporate devices) was that Microsoft took an open approach to licensing its Exchange ActiveSync. They could have created a walled garden that allowed only Windows Phone to connect to their email server; instead, they paved the way for iPhone and Android to connect their devices to the corporate email server. Microsoft, as the "regulator" of which mobile devices can connect to its mail server, enabled the iPhone and Android to displace our beloved BlackBerries from the corporate environment. Had Microsoft seen more profit in walling off the market for its own devices, the ability of Apple's iDevices to disrupt corporate IT would have been stifled, if not suffocated.

On the opposite side, David Sarnoff of RCA squashed FM radio in order to protect his AM Radio technology and pave the way for television. The inventor, Edwin Armstrong, who initially was Sarnoff's friend, had mistakenly shared his technological innovations with him only to be betrayed by him. FM Radio technology had the potential to share data, such as faxes, back in the 1930s. One can only imagine the state of the wireless technology had RCA allowed this technology to flourish. 

Similarly, in 1934, AT&T blocked the answering machine for fear that it would undermine their business because "ability to record voice would cause business people to shun the telephone for fear of having their conversations recorded". So although much innovation came out of AT&T's Bell Labs, the point is that it was effectively acting as the "regulator" which determined which innovations were permitted in the telecommunications industry and which ones were not.

Consequently, the regulators (e.g. SEC, PCAOB, AICPA, etc.) will have a significant role to play in how innovation will unfold within the arena of audit. It is ultimately they who are going to weigh and assess what reasonable assurance actually is.

Where are the regulators currently at? 

Well it seems that they are looking to technology to actually improve audit quality. In a May 2017 speech, PCAOB Board Member Jeanette M. Franzel noted in the section "Impact of Technology on Audit" that:

"If managed and implemented properly, these developments have the potential to enhance the value of the audit process and increase audit quality." [emphasis added]

To be sure, it's not all rainbows and unicorns. Board Member Franzel did see that "potentially disruptive changes will present challenges and threats across the auditing profession". However, at least there is an appetite to explore how such technologies can improve audit quality, expand what more can be done within audits and enable auditors to race with the machine.

Author: Malik Datardina, CPA, CA, CISA. Malik works at Auvenir as a GRC Strategist that is working to transform the way we do financial audits. The opinions expressed here do not necessarily represent UWCISA, UW, Auvenir, Deloitte's or anyone else. 

Monday, April 10, 2017

[Update] Do 2 non-CPA audits equal 1 CPA audit? Zcash gets non-audit firms to issue audit reports.

Last year, Zcash went live.

What is Zcash?

Zcash is a public blockchain similar to bitcoin. Zooko Wilcox, the founder of Zcash, explains what it is in the following video:



As he notes in the video, what distinguishes Zcash from bitcoin is that it offers greater privacy to users, as they don't have to disclose their private key (which is a pre-requisite for bitcoin). Because Zcash uses zero-knowledge proofs (see the amazingly easy-to-follow explanation below), there is no need for the private key to be revealed - thereby offering extra anonymity to the user.

However, what I thought was exceptionally noteworthy about Zcash is how it went about proving to the world that its code is sound. When Zcash went live, Coindesk reported the following:

"Notably, the development team released two audits conducted by NCC Group and Coinspect, respectively, ahead of the launch.

The reports sought to identify potentially harmful bugs in the cryptocurrency's code prior to launch. (The audits can be found here and here)."

The article referenced a blog post, which described the scope of the security audits as follows:

"Today we are publishing the final reports of each external security auditor we contracted this summer to review our code. We've triaged the issues found and addressed any we considered severe (e.g. could compromise user privacy, lose funds, break consensus, etc...).

NCC Group's conclusion was (also available here):

“NCC Group performed a two-part targeted review of the Zcash cryptocurrency implementation. The first part, performed by the Group's Cryptography Services practice, focused on validating that Zcash's implementation adhered to the Zcash Protocol Specification. An assessment looking for security errors within the cryptographic implementation was also performed. The second part was a C++ source code review for vulnerabilities using static and dynamic analysis and fuzz testing. The review also included a cursory assessment of dependent libraries and recommendations for improving software assurance practices at Zcash.

NCC Group identified an issue that would allow an adversary to tamper with the verification and proving keys used by the Zcash daemon as well as a number of C++ coding errors that could result in stack-based buffer overflows, data races, memory use-after-free issues, memory leaks, and other potentially exploitable runtime error conditions. Additionally, most, if not all, third-party open source library dependencies were identified as being out-of-date. In the end, NCC Group did not find any critical severity issues that would undermine the integrity of the Zcash blockchain or undermine the security of confidential transactions during the time that the review was conducted (from August 8 – September 2, 2016).”

As for Coinspect, they noted (also available here):

"Coinspect reviewed Zcash's innovations over the Bitcoin Core source code, focused on evaluating its resistance against specific threats to cryptocurrencies. Coinspect identified high-risk and moderate-risk issues during the assessment that affected the performance and availability of the Zcash p2p network. The security issues identified did not allow remote code execution nor allowed an attacker to steal funds or compromise the privacy of Zcash users. However we found exploitable 51% and isolation attacks with minimum resources.

It is an honor for Coinspect to contribute with our cryptocurrency security experience to the exceptional team behind this exciting project."

What I thought was interesting was a couple of things.

Firstly, these are purely tech experts, not CPAs. They are producing "audit reports" that users will rely on for privacy, ability for the protocol to generate consensus, and loss of funds.

Of course, these are all things that a CPA firm couldn't opine on because the liability would be too much for the firm to bear.

But I think that's the point: if things are so complex/risky that a CPA firm can't produce the audit report, it leaves the field wide open for competitors like Coinspect and NCC Group (who were likely paid $250,000).

And here is the twist: they retained 2 or 3 firms to do this. I think that's the really interesting part.

Audits completed by CPAs are governed by strict standards of independence to ensure that the auditors are independent. However, what Zcash is in effect saying is that such issues can be overcome by getting two "unlicensed" auditors to opine on the same thing. Implicitly, why would the two independent parties collude on a lie?

Initially Zcash as a cryptocurrency was not doing so well price-wise. When this post was originally written (on Dec 23rd) there were 188,905 transactions executed on this blockchain. Today, roughly 3 months later on April 10th, the transaction count has more than doubled to 463,560. Furthermore, it is now the 9th most popular by market capitalization.

The world of cryptocurrency is not as conservative as the world of financial statements. However, the approach that Zcash to gain trust essentially. Although we can have philosophical debates on whether this meets GAAS or not, the reality is someone has found a way to eat our lunch.

Author: Malik Datardina, CPA, CA, CISA. Malik works at Auvenir as a GRC Strategist that is working to transform the way we do financial audits. 

Saturday, April 1, 2017

Cafe X and Amazon Go: Auditing a robot-operated store?

By now you've probably heard of the robot-barista - Cafe X. If not, check out this video from Wired, where David Pierce walks us not only through how the robot will make your latte, but why he thinks it's better than the human alternative:



Amazing isn't it?

In a presentation I did last year on how these forces of automation could impact auditing & accounting, I noted it's easier to see how technology disrupts someone other than you.

And so it looks like baristas have met their match.

As Pierce notes in the video, the inconvenience of dealing with imperfect people is something that most people want to avoid in the rat-race we live in: who wants the barista to remake your coffee 11 times as he says? ;) 

The Wired article also notes that Cafe X is 'high-quality at a cheaper price': 

"Surprisingly delicious coffee, starting at $2.25—cheaper than you’d find at Sightglass or even Starbucks. Cafe X’s location in the corner of the Metreon may not entice you out of your daily routine."

Amazon Go: Walkthrough Technology

Amazon has also wowed the "techthusiasts" out there with their cashier-less store concept:



In the FAQ section, Amazon summarizes how this cashier-less store works:

"Our checkout-free shopping experience is made possible by the same types of technologies used in self-driving cars: computer vision, sensor fusion, and deep learning. Our Just Walk Out Technology automatically detects when products are taken from or returned to the shelves and keeps track of them in a virtual cart. When you’re done shopping, you can just leave the store. Shortly after, we’ll charge your Amazon account and send you a receipt."

Although this has the potential to revolutionize retail, Amazon has experienced some setbacks of late. The store can allegedly only handle 20 people at a time. So there may be some kinks to work out before this goes mainstream.

Obviously, this could have a massive impact on entry level jobs: most of us who were young a while ago relied on these McJobs for spending money and funding our college/university tuition. They also gave students some practical work experience to help land a career in the accounting profession ;)

But let's save this discussion for a future post.

How would you audit cashier-less stores, like Cafe X or Amazon Go?

The retail industry has been a manually intensive industry that requires cashiers, stock room personnel and the like. Such a process naturally requires policies and procedures (aka internal controls) that ensure that merchandise makes it from the shelf to the cash register and into the customer's possession. And there are those anti-theft mechanisms to prevent shoplifting as well. In the industry, "shrinkage", the amount of merchandise that is stolen, robbed, damaged, etc., is estimated by the National Retail Federation to be 1.38% of sales or $45.2 billion for 2015.

Cafe X and Amazon Go offer a glimpse into how automating traditional businesses can alter these fundamental risks that impact the way we go about conducting our financial audits.

With Cafe X, shrinkage is almost eliminated as there are no humans involved in the production process. Once the kiosk is loaded up with cups, coffee, syrup, sugar, milk, etc. the system is essentially fully automated - no manual intervention by baristas or customers.

Amazon Go, on the other hand, uses a whole lot of automation that is watching and analyzing every move of the customers (and employees) throughout the store. Consequently, this would not be the store to steal from! And let's not forget Amazon is experimenting with those drones and are we really sure that they are unarmed?


Given this level of automation of the actual business process and controls, could auditors stick to the tried, tested and true retail audit procedures? Or would this enable a more automated approach?

I was directly involved with the recent test-audit of the blockchain involving loyalty points. One of the realities of auditing such exponential technologies is that it makes controls testing a must. For example, for the financial auditor to rely on the digital signatures there needs to be some testing around the wallets to ensure that the signatures are reliable.

Consequently, testing such automated stores would require either a SOC2 or modified SOC report to meet the needs of such a store. For example, the SOC2 would need to have some way of providing comfort over how the stock and inventory gets loaded into the store. Likely the auditor would rely on the automated process which the store uses to replenish stock, but it's that hand-off with the delivery person (assuming it's still human) that would be the area where there is a risk of shrinkage. For example, how does legitimately damaged inventory get accounted for at that point? Whatever process and controls Amazon/Cafe X put in place would need to be tested from a controls perspective.

For the substantive component, I think that's where things get interesting: enter the "embedded audit module" (EAM). This concept has been around since at least 1989. The idea is that the auditor installs independent software onto the client's system, which then transmits data back to the auditor, who uses it as a basis for conducting the necessary audit procedures and tests. The core idea is that the auditor has full control over such a system and the client cannot tamper with the code.

What would be relatively straightforward would be the data-capture component: sales data, stock data, spoilage, etc. would be uploaded from the automated store right into the auditor's system. But this then requires the additional step of verifying the data to independent source documents (e.g. invoices, purchase orders, etc.). In other words, the audit procedure would still require manual intervention as the auditee would need to send this information back to the auditor to complete their audit.

Where I think the audit innovation would be is in exploring how video footage can act as a substitute for physical/direct observation by the auditor. That is, could the auditor install a video camera in the automated store as a part of the EAM that would then act as actual independent audit evidence of the actual sale or purchase? For example, in the Cafe X example, could the auditor actually use the footage and the visual software to count the cups sold that day and reconcile that to the sales data transmitted back from the EAM for the day?

One can argue, though, that such transactions are not material and therefore such procedures are overkill.

However, I think now is the right time to conduct experiments and test audits to see whether we can reinvent the classic audit to meet the technology of today. In a future post, we will explore what this means broadly for jobs and more specifically how this could impact the profession.

Author: Malik Datardina, CPA, CA, CISA. Malik works at Auvenir as a GRC Strategist that is working to transform the way we do financial audits. 

Thursday, January 12, 2017

Change Management: Norway's switch to Digital Radio

Norway is making the switch: moving from FM Radio to digital audio broadcasting (DAB).

As reported in The Local, an English-language Norwegian news site, Ole Jørgen Torvmark, the head of Digitalradio Norge (jointly owned by the private and public radio stations), said:

"The big difference and the main reason behind this big technological shift is that we want to offer a better radio service to the whole population."

The article also notes that FM can only support 5 national stations, whereas DAB can support 22 national stations and 20 smaller ones. Furthermore, they make the case it is:
  • Cheaper: Will cost an eighth of FM.
  • Better: Better coverage, ability to catch up on programs.
  • Faster: Easier to get Emergency messages out.

However, not all are happy. According to the WSJ, 2/3rds of people are actually against the move. The Local noted that people are not pleased about paying the extra money for getting the new radio to receive the signals - despite the advertised benefits.

For those interested in the technology behind AM and FM radio check out this:



But for more on the challenges of abandoning this decades-old technology check the following BBC report:

As any technology professional knows, one of the most difficult aspects of making change is the people aspect of the technology. For example, Norwegians would be collectively better off if they switched to DAB as the overall cost of operating radio would be much cheaper.

But is that good enough for people to pay the costs for getting a new radio?

It's important to recognize that people need more than cold facts to be positive towards change. Organizations that need to make such changes - technology or otherwise - need to also address the emotional nature of people by addressing the fear, uncertainty and doubt that comes along with such change. 

Monday, January 9, 2017

SEC and Whistleblowers: Can robots come to the rescue?

Saw the following news alert from AccountingToday:

"The Securities and Exchange Commission announced that it had awarded more than $5.5 million to a whistleblower. According to the SEC, the whistleblower directly reported critical information to the commission about an ongoing scheme at their workplace, and that led to a successful enforcement action..."

The article also gives some useful stats on the number of whistle-blowers coming out and the total number of payouts, so check it out.

This is good news in terms of promoting the idea of speaking truth to power. Without such assistance it can be quite difficult to encourage whistleblowing.

We often have a romantic notion of what it is like to tell the truth when there is a drive by all of those around us to commit fraud. Too many Hollywood blockbusters make us believe, falsely, that there is always a happy ending where the good guys win.

For a reality check, we should take a look at Alayne Fleischmann's ordeal in attempting to blow the whistle on the mortgage fraud at Jamie Dimon's JP Morgan Chase. As Rolling Stone's Matt Taibbi notes:

"Fleischmann...had to struggle to find work despite some striking skills and qualifications, a common symptom of a not-so-common condition called being a whistle-blower...Thanks to a confidentiality agreement, she's kept her mouth shut since then. "My closest family and friends don't know what I've been living with," she says. "Even my brother will only find out for the first time when he sees this interview."

As she notes in the video below, the reality of such environments is that there is subordination of the "compliance" functions to enable the fraud to go through (e.g. the Due Diligence manager got angry when people thought that the loans were bad), lack of effective segregation of duties (e.g. sales people were involved in the due diligence review), and other issues:



Can robots come to the rescue?

When looking at process automation more broadly, we see that one of the "side benefits" is compliance. For example, when a library loans out e-books, they are never returned late as the patron's access to the digital copy on the reading device is removed right on the due date. Similarly, autonomous vehicles never speed, fail to come to a full stop and the like.

Insurance companies have attempted to use what we can call "compliance tech" by offering drivers a discount for good driving if they are willing to install a monitoring device in their car. As noted in the CBC article, Desjardins Insurance has noted that 7000 people have signed up for this offer, which they call Ajusto. As can be seen in the video, Ajusto also leverages gamification and social to promote this program.

Although they have promised that such technology can't be used to penalize the driver, many skeptics are not sure that it will turn out that way. For example, Leonard Kunka, a motor vehicle litigation lawyer, notes:

"It's an invasive technology. It provides a lot more information than insurers currently have to set premiums, and I question whether it's any better than what the insurers use today to set premiums, which is a person's driving record and their history of collisions and accidents."

In other words, can we expect the insurance companies to maintain rates when they can "see" the driver constantly breaking speed limits? Conversely, can we expect them to lower rates when they see that people can drive safely above the speed limits?

Although I doubt it, the reality of such compliance-tech is that it is only used by people who are already compliant: the others who are not compliant would not sign up for such technology and even if they did would somehow subvert it - as we saw with the whole Volkswagen emission debacle:

"In the test mode, the cars are fully compliant with all federal emissions levels. But when driving normally, the computer switches to a separate mode—significantly changing the fuel pressure, injection timing, exhaust-gas recirculation, and, in models with AdBlue, the amount of urea fluid sprayed into the exhaust. While this mode likely delivers higher mileage and power, it also permits heavier nitrogen-oxide emissions (NOx)—a smog-forming pollutant linked to lung cancer—up to 40 times higher than the federal limit. That doesn’t mean every TDI is pumping 40 times as much NOx as it should. Some cars may emit just a few times over the limit, depending on driving style and load."

Ultimately, technology is only as good as the people that support it and so we can't abdicate such responsibility to technology. Instead, we need to continue to encourage people morally and financially to speak the truth when they see things go awry.

Monday, January 2, 2017

Millennials: Are we influencing them or are they influencing us?

Millennials. Most of us have heard something about them by now. A friend of mine, who is a millennial, shared this video with me via Facebook:


Given that it's been a few years since I uncovered this generation, I thought it was a good refresher on the topic. However, I think a couple of caveats are important to the phenomenon:

  • Millennials are middle class: Sinek notes that millennials have the entitlement notion. However, that can only develop if they've been insulated from the reality of life. That is, they've always had a "safe zone" to fall back on: namely the bank and couch of mom and dad. This is not a reality of people who live in poverty inside or outside of Canada/US/Europe/Australia.
  • Boys adrift phenomenon may be a confounding factor: Dr Leonard Sax wrote Boys Adrift, a phenomenal book that explores why boys - specifically - have "failed to launch". This includes video games, pornography, misguided education approaches and other factors. Definitely important to look at Sax's work when the individual you are trying to help or advise is male.

That being said, what I thought was interesting is: who is influencing who? Specifically, when Sinek spoke about smartphone addiction I thought "uh oh is he talking about me?"

I recently commented to a colleague about how I have a propensity to ensure that I clear all my notifications and maybe that's a good thing because that way I am up to date on all my emails, slacks, and texts. However, after watching this I realize that in my desire to remain constantly productive, I am favouring the virtual world over the physical world.

These devices are amazing in terms of helping us do more with our dead time (e.g. driving). That's how I "read" Dr. Sax's book - by listening to it on Audible while on the go. However, am I now at the point where I tend to prefer the screen of the smartphone? It is truly a strange thing for me. Early on in my career as a junior auditor I found the most effective way to deal with clients and colleagues was not by phone but actually going and discussing with the person live. In fact, when I returned to Deloitte in 2012 the new virtual mode of connection took a while for me to adjust to as we used Lync (now Skype for Business) to conduct meetings - no more physical presence.

So how can it be that I've become accustomed to the "millennial approach" to interaction?

Neuroplasticity.

Nicholas Carr, who wrote an article for the Atlantic, "Is Google Making Us Stupid?", which he later followed up with "The Shallows", actually talks about a similar phenomenon that he went through. He noticed how it was hard for him to get through books. What he discusses in his book is how, by being immersed in the era of tweets, blogposts, and YouTube clips, our brains are actually being reshaped by neuroplasticity to favour this type of engagement over reading.

Combine that with the dopamine bursts that Sinek talks about, it's no surprise that I have suddenly become millennialized.

However, there is hope. 

Carr discusses how by disconnecting and forcing himself to read he is able to restore his brain and once again consume long-form material. The key is to purposely retrain our habits to return to the world of physical interaction and put away the smartphones as Sinek suggests.

For more on the positive side of neuroplasticity see the work of Barbara Arrowsmith-Young who was able to rewire her brain. It's a truly inspirational story about how a woman was able to overcome her learning disabilities and help others as well.