Friday, November 3, 2017

Big Data Auditing Revisited: Context is King

It has been a few years since I wrote about Big Data and the Audit. It was one of the more popular posts, with over 1,000 hits to date.

The post looks at Big Data: A Revolution That Will Transform How We Live, Work, and Think by Kenneth Cukier and Viktor Mayer-Schönberger. I enjoyed the book as it really broke down the business impact of big data without getting into the technical details of the underlying technology.

Why take a second look at big data auditing?

Big data and the accompanying analytical models are a key precursor to artificial intelligence. The machine learning algorithms that power AI bots require the users to analyse the problem and teach the underlying algorithm.

Part 1: Context is King

To make things a bit more digestible, I thought it would be good to divide the post into two parts. The first post is more palatable as I want to explore the second use case in a bit more detail and its relevance to today.  The second post will be a bit more controversial as I will take a look at the difficulty of applying fraud or cancer-fighting algorithms in the realm of (external) financial audit.

But let's look at the first issue: how can big data analytics give us better context? 

In the original post, I discussed the use case in Cukier and Mayer-Schönberger's work around Inrix. The book gives the example of how an investment firm is using traffic analysis, from Inrix, to determine the sales that a retailer will make and then buy or sell the stock of the retailer on that information. In a sense, the investment firm is using vehicular traffic as a proxy for sales. In an audit context, auditors can develop expectations of what sales should be based on the number of vehicles going around stores. For example, if sales are going up, but the number of vehicles is going down, then the auditor would need to take a closer look.

What I realized from this example is that big data can give auditors better context around things and help them assess the reasonability of things. That is, as more sensor data and other data become available to auditors to integrate into statistical models, the more they will be able to spot anomalies.

One of the issues with Barry Minkow's ZZZBest accounting fraud was the lack of context. For more on the fraud, check this video:

I actually studied this case in my auditing class at the University of Waterloo. One of the lessons we were to take away from this case was that the auditors didn't know how much a site restoration would cost on average (see the first bullet in this text on page 129). But how would an auditor be able to access such data? Even with the advent of the internet, it is not simply a matter of Googling for the information.

More recently, an accounting professor was found to have generated data fraudulently. The way he got caught was that a statistic he used didn't correspond to reality. Specifically:

"misrepresented the number of U.S.-based offices it had: not 150, as the paper maintained (and as a reader had noticed might be on the high side, triggering an inquiry from the journal)" [Emphasis added]

Again, the reader had the context to understand that what was presented was unreasonable, causing the study to unravel and exposing the academic fraud perpetrated by Hunton.

What will it take to make this a reality? 

What's missing is a data aggregation tool that can connect to the private, third party, and public data feeds that an auditor can leverage for statistical analysis. Furthermore, for this to be useful to clients and the business community at large, what is needed are visualized depictions that enable the auditor to tell the story in a better way rather than handing over complex spreadsheets.

Of course, for auditors to present such materials, they need deeper training in data wrangling, statistics and visualization tools and techniques.

In the next post, we will revisit the first use case that I presented in the original post, which explored how New York City was better able to audit illegal conversions through the use of big data analytical techniques. Originally, I had thought this would be a good model to apply in the world of audit. However, I am revisiting this idea.

Author: Malik Datardina, CPA, CA, CISA. Malik works at Auvenir as a GRC Strategist that is working to transform the way we do financial audits. The opinions expressed here do not necessarily represent UWCISA, UW, Auvenir, Deloitte's or anyone else.

Sunday, October 15, 2017

What's missing from this Top 5 uses of Blockchain list?

TechRepublic's Tom Merritt walks us through the "Top 5" uses of blockchain in the following video. The accompanying post lists the following 5 use cases:
  • Stocks
  • Shipping
  • Diamonds 
  • Livestock 
  • Law

What's missing? 

The stocks use case is actually limited to Initial Coin Offerings (ICOs). For an overview of ICOs, check this article. However, the post excluded Linq's blockchain that allows for the settlement of private securities.

But on a broader note, the post excluded the financial industry altogether in terms of being a forerunner for the use of blockchain. Following the hype-cycle, one of the early areas of interest for the use of the permissioned blockchain was financial institutions. It seemed like every week a company was joining the R3 Consortium.

However, since that initial fervor, a number of players, such as Goldman Sachs, Santander, Morgan Stanley and the National Australian Bank, have left the consortium.


The problem lies in understanding the actual business case for the permissioned blockchain (for the differences between public and private/permissioned, see this post). The permissioned blockchain helps parties to have a common view of transactions that they have transacted with each other via a shared ledger database. With the use of digital signatures, it incorporates authorization into this as well, so in addition to sharing information, it also enables the ability to "sign-off" on that information.

The banks could decide that they would use such a framework to make it easier to settle payments; however, how do they keep things such as pricing and other data private? This is something that needs to be sorted out, but it points to a bigger question as to what the strategic advantage of blockchain is for FIs. That is, this exponential technology doesn't lead to cost savings like robotic process automation or strategic insights like big data analysis.

And that's why I think something like shipping, or supply chain more broadly, is a much better beachhead for blockchain. With multiple partners involved in the supply chain, having a shared database enables the partners to see where things are at between the wholesaler, shipper, and retailer, enabling each partner to get better insights into the movement of goods and other business information. Such a system would allow for creative ways to settle payments or even enhance the ability of retailers to design consignment contracts with wholesalers. For example, BestBuy has a marketplace (e.g. Brainydeal is one such retailer) within its retail front requiring such coordination. The one caveat, however, is to ensure that (cheaper) existing technology doesn't actually do this already. After all, shared databases are not a novel concept.

I would contend that legal would be a great place for the blockchain to expedite paperwork - more so than supply chain. However, such technology would be fought tooth and nail by lawyers. And they have unlimited resources to fight such technology in the courts. Also, politicians have little incentive to look into such advances as most of them are lawyers, depend on lawyers or have friends who are.


Tuesday, October 3, 2017

Should drone inventors have thought about this risk?

I came across this article in the Wall Street Journal about how wedge-tailed eagles have turned out to be the drone's worst nightmare. Here are some videos that illustrate the problem:

As someone who works on innovation as the GRC Strategist, risk is something that I think about daily. Of course, you need to be prudent and make sure that you've documented all the known risks and have a plan on how to mitigate them. For example, you should patch your software when the vendor tells you there is an issue.

But how could drone inventors possibly think through the risk formula, the impact and likelihood, of eagles tearing up your drone?

It's a good illustration of how innovation requires taking risks that you will only encounter when actually deploying the innovation into the real world. There are just some things that literally will fall out of the sky that you didn't think of, and a workaround will need to be designed after the fact.


Monday, October 2, 2017

What can driving algorithms tell us about robo-auditors?

On a recent trip to the US, I decided to opt for a vehicle with sat-nav as I was going to need directions and wanted to save on the roaming charges. I normally rely on Google Maps for guiding me around traffic jams but thought that the sat-nav would be a good substitute.

Unfortunately, it took me on a wild goose chase more than once – to avoid the traffic. I had blindly followed the algorithm's suggestions assuming it would save me time. I ended up being stuck at traffic lights waiting to make a left turn for what seemed like forever.

Then I realized that what I was missing was that feature in Google Maps that tells you how much time you will save by taking the path less traveled. If it only saves me a few minutes, I normally stick to the highway as there are no traffic lights and things may clear up. Effectively, what Google does is give you a way to supervise its algorithmic decision-making process.

How does this help with understanding the future of robot auditors?

Algorithms, and AI robots more broadly, need to give sufficient data to judge whether the algorithm is driving in the right direction. Professional auditing standards currently require supervision of junior staff – but the analogy can be applied to AI-powered audit-bots. For example, let’s say there is an AI auditor assessing the effectiveness of access controls and it’s suggesting to not rely on the control. The supervisory data needs to give enough context to assess the consequences of taking such a decision and of the alternative. This could include:

  • Were controls relied on in previous years? This would give some context as to whether this recommendation is in-line with prior experience.
  • What are the results of other security controls? This would give an understanding whether this is actually an anomaly or part of the same pattern of an overall bad control environment.
  • How close is it between the reliance and non-reliance decision? Perhaps this is more relevant in the opposite situation where the system is saying to rely on controls when it has found weaknesses. However, either way the auditor should understand how close the system was to making the opposite judgment.
  • What is the impact on substantive test procedures? If access controls are not relied on, the impact on substantive procedures needs to be understood.
  • What alternative procedures can be relied on? Although in this scenario the algo is telling us the control is reliable, in a scenario where it would recommend not relying on such a control.

What UI does the auditor need to run an algorithmic audit?

On a broader note, what is the user interface (UI) to capture this judgment and enable such supervision?

Visualization (e.g. the vehicle moving on the map), mobile technology, satellite navigation and other technologies are assembled to guide the driver. Similarly, auditors need a way to pull together not just the data necessary to answer the questions above but also a way to understand what risks within the audit require greater attention. This will help the auditor understand where the audit resources need to be allocated from a nature, extent and timing perspective.

We all feel a sense of panic when reading the latest study that predicts the pending robot-apocalypse in the job market. The reality is that even driving algos need supervision and cannot wholly be trusted on their own. Consequently, when it comes to applying algorithms and AI to audits, it’s going to take some serious effort to define the map that enables such automation, let alone to build that automation itself.


Saturday, September 30, 2017

CPAOne: AI, Analytics and Beyond

I attended the CPA One Conference almost two weeks ago in Ottawa, Ontario. Given that my space is in audit innovation, I attended the more techno-oriented presentations. Here's a summary of the sessions that I attended:

"Big data: Realizing benefits in the age of machine learning and artificial intelligence": The session was kicked off by Oracle's Maria Pollieri. The session delved deep into the detail of machine learning and would have been beneficial to those who were trying to wrap their heads around things more from a technical side. She was followed by Rogers' Jane Skoblo. She mentioned a fact that really grabbed my attention: when a business can increase its accessibility to data by just 10%, it can result in up to a $65 million increase in benefits.

The next day started with Pete's and Neeraj's session on audit automation, "Why nobody loves the audit". They went over a survey of auditors and clients on the key pain points of the external audit. It turns out that these challenges are actually shared by both. For example, clients lack context on "the why" things are being collected, while auditors found it difficult to work with clients who lacked such context. On the data side, clients have a hard time gathering docs and data, while the auditors spent too much time gathering this information. From a solutions perspective, the presenters discussed how Auvenir puts a process around gathering the data and enables better communication. This will be explored in future posts when we look at process standardization as a key pre-requisite to getting AI into the audit.

The keynote on this day was delivered by Deloitte Digital's Shawn Kanungo, "The 0 to 100 effect". The session was well-received as he discussed the different aspects of exponential change and its impact on the profession (which was discussed previously here). One of the key takeaways I had from his presentation was how a lot of innovation is recombining ideas that already exist. Check this video he posted that highlights some of the points from his talk:

I also checked out the presentation by Kevin Kolliniatis from KPMG and Chris Dulny from PwC, "AI and the evolution of the audit". Chris did a good job breaking down AI and made it digestible for the crowd. Kevin highlighted in his presentation that AI is key for identifying unusual patterns.

That being said, the continuing challenge is how we get data out of the systems in a manner that's reliable (e.g. it's the right data, for the right period, etc.) and is understood (e.g. we don't have to go back and forth with the client to understand what they sent).

Last but not least was "Future of finance in a digital world" with Grant Abrams and Tahanie Thabet from Deloitte. They broke down how digital technologies are reshaping the finance department. As I've expressed here, one of the keys is to appreciate the difference between AI and Robotic Process Automation (RPA). So I thought it was really beneficial that they actually showed how such automation can assist with moving data from invoices into the system (the demo was slightly different than the one that can be seen below, but illustrates the potential of RPA). They didn't get into a lot of detail on blockchain but mentioned it is relevant to the space (apparently they have someone in the group that specifically tackles these types of conversations).

Kudos to CPA Canada for tackling these leading-edge topics! Most of these sessions were well attended and people asked questions wanting to know more. It's through these types of open forums that CPAs can learn to embrace the change that we all know is coming.


Monday, September 25, 2017

Will the iPhone's blue ocean strategy work?

Apple unveiled its much-anticipated iPhone upgrade - the iPhone X - earlier this month.

The following video is a splashy summary of what the phone offers:

The following video has Jony Ive's voice-over and gives a bit more about the actual technology behind everyone's favourite iDevice:

The most interesting feature for me was the augmented reality piece. With the success of Pokemon Go, the business opportunity is just waiting to be exploited. However, there seems to be more work that needs to be done before it is ready for mass consumption.

Perhaps, the following Funny or Die "review" of the release summarizes the sentiment out there:

But is it fair?

It's definitely not the wow of the first iPhone or iPad release. It feels incremental. However, the Wall Street Journal has a different theory: Apple is targeting the Chinese "elite" who would want such a phone because of the status it affords:

"The iPhone X design has raised hopes that it can reverse Apple’s fortunes in China, Apple’s most important market outside the U.S., where sales have fallen six straight quarters.

“The high-end Chinese phone market is super competitive and customers are very discerning but also enthusiastic,” said Benedict Evans, a partner at Andreessen Horowitz, a venture-capital firm. “If Apple can get something that rings the bell [with them], then this will work.”"

This could be a blue ocean strategy at work (see the video below for more).

The idea of a blue ocean strategy is that instead of competing in the blood-soaked waters of intense competition, companies migrate to the blue ocean where there is no competition or where the existing competition doesn't matter.

Let's face it.

Either we're guilty of lining up for one of those iDevices - or know someone who did/does. But at the same time, there are no big line-ups for Microsoft or Samsung computing devices. This uniquely positions Apple to capitalize on its brand - while others are left fighting in the red oceans on product features and price.


Wednesday, September 13, 2017

Bitcoin clampdown: Towards a corporate-cryptocurrency?

WSJ reported that the Chinese government was working to shut down Bitcoin exchanges:

"China’s central bank together with other regulators has drafted instructions banning Chinese platforms from providing virtual-currency trading services, according to people familiar with the matter...regulators told at least one of the exchanges that the decision to shutter them has been made, one of the people said. Another said the order may take several months to implement."
China, however, is not the only country that has such issues with cryptocurrency. The US has also limited the use of Bitcoin by taxing it as a capital gain:

"Capital-gains tax rules could make using bitcoin as a currency a logistical nightmare. It meant that when U.S. citizens filed taxes, they had to account for every single bitcoin acquired, sold, or used for purchases, and the prices and dates at which those transactions happened. If you purchased 0.5 bitcoins at $360 in April 2014 and sold them for $645 on June 9, you’d have to declare that gain as a taxable event in 2015. Fair enough. But did you have to account for swings in the value if you used your bitcoin to purchase a vacation on Expedia or to order a pizza? The IRS’s move seemed to undermine bitcoin’s potential for use as a currency." Vigna, Paul. The Age of Cryptocurrency: How Bitcoin and Digital Money Are Challenging the Global Economic Order (p. 260). St. Martin's Press. Kindle Edition. 

However, the key regulatory action against Bitcoin came from the FDIC and DOJ:

"bitcoiners would report that agents from the Federal Deposit Insurance Corporation, the body charged with cleaning up failed banks so that insured depositors can be kept whole, were pressuring bank compliance officers not to work with bitcoiners. It’s hard to verify this claim. The FDIC had long communicated its concerns to bankers over supposedly high-risk categories of merchants, and bitcoin businesses were told by bank compliance officers they were included in those groups...

The U.S. Department of Justice, too, sent banks messages that contradicted FinCEN’s accommodating message. In 2013, the DOJ launched an initiative known as Operation Choke Point, in which it investigated banks dealing with merchants in businesses that weren’t necessarily illegal but were considered high fraud risks. Miami-based lawyer Andrew Ittleman, who has become something of an accidental expert on the subject, told us that Operation Choke Point now occupied most of his time and that primarily his clients were legal providers of bitcoin services and medical marijuana, along with a few pornographers and gun dealers. The law was having a chilling effect: banks might not be breaking the law by servicing such businesses, but the risk of an audit from the DOJ was enough to dissuade them from doing so. Ittleman fought hard for his clients, who were denied a vital instrument of financial access, but it was an uphill battle. The matter, he said, should be taken up to the Supreme Court by civil rights activists such as the American Civil Liberties Union." (ibid p. 258-259)

Why are governments so worried about Bitcoin?

The WSJ article cited above gives a clue:

"Beijing’s crackdown on bitcoin is part of a broader effort to root out risks to the country’s financial system. Officials earlier this year circulated a draft of anti-money-laundering rules for bitcoin exchanges, a powerful warning, even though the regulations were never formalized, according to people familiar with the matter...Virtual currencies in theory allow holders to bypass China’s traditional banking system to move money outside its capital-controlled borders. That could make it more difficult for Chinese regulators to maintain a tight grip on the yuan." [Emphasis added]

Cryptocurrency has its roots among anarchist activists and others who saw Bitcoin as a way to challenge the power of the banking sector. Given that Bitcoin had its debut during the Financial Crisis, it may have been reasonable to believe that there would be a sufficient groundswell for the cryptocurrency to gain popularity.

However, popularity in the realm of currency and capital is not sufficient to change the institutional realities of societies.

The reality of societies today is that financial institutions, and corporations more broadly, represent institutions that keep the society together. Since they hold the keys of the society, ultimately they will control the change that will proliferate through society. And something that undermines the ability of today's societies to control capital flows is pretty much a national security issue - and one can expect a response that reflects that reality. In other words, it was reasonable to expect the Empire to Strike Back as they did.

Can we ever expect a corporate-sponsored cryptocurrency? 

Given the way power works, the only ones that can really challenge the banks' hegemony are other corporations. For example, Walmart teams up with generic drug makers (in competition with expensive brand-name alternatives) to reduce the healthcare benefits they pay to their employees.

One requirement would be to have direct access to customers so they can actually convert their cash into that digital currency. For example, online retailers are dependent on banks and their electronic payment networks to essentially get cash into the system.

So likely a retailer alliance could be something that poses a challenge to banks and their networks. 

Amazon already has Amazon Coin, but I think that if they teamed up with Walmart you would have something that basically has wide acceptance. And that's when the games will begin.

Retailers also have an incentive to cut out the banks and save those credit card fees. However, for this to have user acceptance, the retailers would need to give their consumers a cut.

But would this be a true cryptocurrency? 

Such a currency would likely take a permissioned or private blockchain route. Essentially, there will be a need for 'independent verifiers' (instead of miners) that will ensure that the transactions are properly accounted for. This is likely cheaper than using miners, which are costly in terms of the energy costs that have to be paid.

Although I think external auditors could play the role of the independent verifier, these systems can be highly automated and an assurance model can be developed where you have real-time assurance as the source documents would be digital. This is assuming that the cryptographic keys can be relied on for such a purpose and auditors are able to get "effortless" access to such evidence and systems. So it may lead to a renaissance in the audit but may help auditors realize their potential within the field of audit data analytics and more broadly as data scientists. 

This speaks to one of the key aspects of automated audits that I raised in this post. As promised, my plan is to delve deeper into this topic, where we can look at how blockchain can facilitate AI or automated audits.

Ultimately, banks play a critical role in extending credit which essentially makes them gatekeepers of the consumer economy. However, other companies, largely the tech sector, are hoarding cash:

Courtesy of Business Insider

So the question is whether these non-banks could move into bank territory. For example, Rogers Wireless (cell phone provider) is also a bank. That being said, it likely won't be a revolution but could be something that evolves over time that steadily erodes bank power. However, that would mean that the banks would take this lying down and I don't think that the Empire will go out without a fight.


Monday, September 11, 2017

Serendipity: Beyond the reach of Robot Professionals?

I came across a story about how Dr. Behfar Ehdaie at Memorial Sloan Kettering Cancer Center was figuring out how to deal with the emotions that come with a discovery of prostate cancer. His novel solution may give us some insights into the limits of robots in the professional world.

What he found was that his patients opted for radical treatments, such as surgery or chemotherapy, that resulted in side-effects that actually ended up being more harmful. To use a cliche, the cure was worse than the cancer.

For such patients, "the medical consensus is that active surveillance often is the appropriate treatment for small early tumors". Of course, such an approach is not risk-free, but the problem is that "despite the data showing that this approach is safe, about 50% of eligible men don’t get it either because they turn it down or their physicians don’t embrace it. Medical experts say many men have been overtreated, as their cancers probably posed little immediate danger."

What was his solution?

Negotiate with patients.

As noted in the WSJ article referenced above, he contacted Harvard professor Deepak Malhotra, who had authored an article on the topic, to develop strategies on negotiating with the patient. The idea, leveraging lessons from behavioral economics, was to make monitoring the anchor instead of surgery or chemo. Dr. Ehdaie and professor Malhotra devised a lecture that was delivered to doctors to help them learn from Dr. Ehdaie's successes with this approach.

But what does this have to do with limits of robot-professionals or robopros?

When it comes to cancer treatment and robots, one can't complete the conversation without mentioning IBM's Watson "Oncology Edition". In fact, IBM has a partnership with the same Memorial Sloan Kettering Cancer Center that Dr. Ehdaie works at. Here is a promo-video that speaks to the promise of Watson:

The key to understanding the limits to robot-professionals is the backstory on how Dr. Ehdaie first decided to explore negotiations as a way to deal with the issue.

This is where serendipity comes into play.

He was exposed to such concepts through discussions with his wife, who is an MBA. Meaning that he went beyond the cancer treatment journals and then discovered a non-standard approach to dealing with a problem. Robots are not good at this. Machine learning and AI are only as good as what you teach them. Even "simple" tasks require thousands of man-hours to train such algos. Perhaps this can be overcome, but currently, it is a real limitation of AI.

Does this make humans indispensable?
It really depends on the objectives that govern the profession and the organizations that hire them.

If it's about cost-cutting and making the process efficient and streamlined, robots are perfect, creating a fossilized bureaucracy that is resistant to change. Think about how financial institutions have yet to overhaul their ancient banking systems coded in COBOL:

"In the United States, the financial sector, major corporations, and parts of the federal government still largely rely on it because it underpins powerful systems that were built in the 70s or 80s and never fully replaced."

Similarly, if Dr. Watson replaces a large component of the diagnostic process it would become hard to dislodge it from the cancer treatment process.

On the other hand, if organizations recognize the value of human beings in being important to overall objectives of the profession - patient care, audit quality, etc. - then human judgment must be hardwired into the organization's DNA to avoid the development of such an inflexible system.


Saturday, September 9, 2017

AI and the Audit: What does a robot need to audit your numbers?

In the previous post, we examined the value propositions that Appzen's AI brings to auditing expense reports.

In this post, we analyze what insights we can extract from Appzen when it comes more broadly to applying AI to the external financial audit.

The following gives a refresher on how the Appzen AI audit works:

Based on this we look at a number of factors that exist in this process to develop

Standardized process:
The expense report process has been fairly standardized for over a decade: employees submit a digitized report of what they spent, expense codes, commentary and all the supporting documentation (e.g. receipts, invoices, etc.). This is similar to how factories needed an assembly line before they could be automated.

Standardized capture and presentation of audit evidence:
I think this is a key piece: the actual audit evidence (i.e. receipts) must also be included in what's submitted to the auditor. Because the evidence is provided in a standardized format, machines can analyze these digitized source documents, run the necessary correlative models to produce the risk scores, and automate the analysis.

Audit evidence retains its chain of custody through the digitization process:
The auditor does not need to expend additional resources verifying that the evidence actually relates to the item being audited, nor do they have to expend additional resources ensuring that the independence of the evidence wasn't lost through the digitization process. For example, when receiving a bank confirmation the auditor needs to ensure that it is received directly from the bank and not the client.

Evidence provider identity is verified and contractually obligated to follow-up with the auditor:
The party submitting the audit evidence, the employee, has been verified in the system through the employee onboarding process. The implication of this is that the auditor doesn't have to expend audit resources confirming the identity of the evidence provider. Secondly, and perhaps more importantly, the auditor doesn't have to expend significant resources following up with the evidence provider. For example, not all customers will respond to accounts receivable confirms, and then the auditor will have to perform alternate procedures.

Evidence provider has incentives to produce the proper evidence: 
The previous point is closely related to the issue of incentives: if the employee fails to provide evidence then they will not be reimbursed. This puts a strong incentive on the employee to provide the evidence in a timely manner.

Provider of the evidence is trained on providing evidence:
The employee has been trained to provide complete, accurate and valid evidence. They also have access to help if they have issues with submitting expense receipts or understanding whether that evidence will be accepted.

Violations can be clearly defined and examples of violations can be taught to the system:
For fraud or errors to be flagged there need to be rules that can be fed into the system to identify whether the item submitted needs further review or audit. For example, if the amount on the receipt doesn't match, this would be flagged as having a high likelihood of error. But more importantly, the examples of violations identified can be fed into the system to teach the system (via machine learning) what to look for.

In a future post, we will use these factors to look at how easily (or not) AI can automate financial audits.


Tuesday, September 5, 2017

AI and the Audit: Why hire a Robot as your Auditor?

On this blog, we've covered the topic of exponential change and how audit/accounting is prone to such forces.

Despite this, I am tempted to say financial auditing is different. It's not like factory work or more controversially like the pharmacist profession where AI claims to offer a safer alternative to dispensing medication.

But does that make me just one of the people who think that their profession is unique because they are in the midst of seismic change but refuse to see the writing on the wall?

At the same time, I don't want to come across as an alarmist claiming that the world is going to end when it really isn't.

It's the challenge of nuance.

While trying to figure out how to tackle this challenge, I came across AppZen, an app that uses artificial intelligence to audit expense reports. It was identified in this post as being one of the game-changers in the fintech scene and was also featured in Accounting Today.

According to the company's website, the application "combines computer vision, deep learning, and natural language processing to understand the full context of expenses, not just amounts, dates, and merchant names. ReceiptIQ detects unauthorized charges in real-time from receipt images, boarding passes, travel documents, cell phone bills and any other expense documentation. Cross-checks expenses in real-time against thousands of external and social sources to determine if they are legitimate and accurate... Real-time identification of unauthorized upgrades in airlines, hotels and car rentals as well as out of policy claims for hotel laundry, alcohol purchases, cell phone charges and more."

Reviewing the company's video, I was able to extract the following value propositions:
  • "100% Testing":  I put it in quotes on purpose because the idea is that the whole population is analyzed but only the high-risk ones are further analyzed. That is, this is still "examining on a test basis" but uses a risk based approach to identify what reports should be further examined. This is in contrast to the manual approach of sampling.  
  • Automated exception analysis: Closely connected to the previous point, but to emphasize that there is an automated review of the population.
  • Real-time analysis: Reports can be analyzed instantaneously. Although not explicitly identified in the video, this could have real world savings. Faster reviews - leading to faster reimbursement to employees - could reduce the overall amount owing on corporate credit cards thereby offering more favourable position with the credit card companies. 
  • Seamless integration into existing processes: Add-on to an existing process is a much easier sell than an app that requires replacing the existing app you may have just bought.  
  • Use of external data: The app uses 100s of external data sources to develop. It seems that this assists in building an expectation of whether the expense needs further analysis. 
  • Limited false positives: Not explicitly stated, but it is strongly implied that the number of reports that need to be reviewed is few - meaning it's not flagging reports that are valid.   
  • Reduction of audit costs and fraud: Finally, the app promises greater efficiency in the use of audit resources deployed and greater effectiveness in catching fraud.

These benefits of AI-enabled automation are based on certain assumptions that may exist in the expense report realm but not in the external audit realm. For example, accounting records at a company are not normally accompanied by a digitized copy of the source document (e.g. invoice, receipt, etc.) that provides evidence of the validity, accuracy, etc. of that accounting entry.

So which of these assumptions applies in the world of external financial audits? 

This will be the topic of the next post where I will develop a list of factors that enabled expense reports to be automated by AI and see if they apply to our world.


Tuesday, August 22, 2017

Did artificial intelligence kill the BlackBerry? It did for me.

Recently, Globe and Mail noted in their political briefing newsletter that Samsung's Knox software is deemed to be as secure as the traditional BlackBerry:

"Shared Services Canada, the department in charge of overseeing IT for the federal government, is set to offer alternatives to bureaucrats over the next 18 months as part of “a new approach to mobile service to better serve its clients, use new technology and adapt to changes in the marketplace.” Samsung and its line of Android-powered smartphones was the first to be approved by Shared Services, but only after two years and several tests showed that Samsung’s phones passed military-grade requirements."

In this blog, we've covered Blackberry's steady fall into oblivion. For me, BlackBerry was my first smartphone. I even got excited about the Torch, thinking it was the perfect compromise between the touch screen and the classic keyboard. However, that feeling faded quite quickly after using the device. It was so underpowered and underwhelming compared to the competition.

When looking at the Porter 5 forces that surrounded this once mighty Canadian tech giant, we could say that both Apple's iOS and Android offer better substitutes: better devices, more power, better apps, etc. Essentially, these devices have evolved so much that they bring the power of the PC into the palm of one's hand (Samsung's Note 8 is expected to have 6GB of RAM!). This alone doesn't explain why BlackBerry was ultimately displaced from corporate IT - well before Samsung's Knox became equal-to-BlackBerry in terms of security.

I think there were two key developments that enabled BlackBerry's decline.

The more well known one is the "consumerization of IT" phenomenon: users wanted to use their latest iPhone or Android device instead of the BlackBerry in the corporate environment. Going back to Porter 5 forces this speaks to "bargaining power of buyers": the people no longer wanted to be limited to the "one trick pony" of email and BB Messenger. And they were willing to lobby their corporate IT departments to bring on the Android and Apple devices.

This leads to the second less well known factor.

What allowed consumerization to take place was that Microsoft took an open approach to licensing its Exchange ActiveSync. This move paved the way for iPhone and Android to connect their devices to the corporate email server. Microsoft's open attitude essentially transferred the power from BlackBerry to the consumer.

But for me it was a little different. Of course I like the apps and GPS that my Android and iPhone bring to me: the ability to read the Kindle, listen to audio books and podcasts without having to carry multiple devices is definitely a productivity boost. But really it was one particular app that made me able to switch: SwiftKey.

And that's where we get to the artificial intelligence.

I was a big fan of the Blackberry,  primarily because I thought I couldn't live without the physical QWERTY keyboard. But friends who were encouraging me to switch mentioned that Android sported the SwiftKey keyboard which is powered by artificial intelligence. This keyboard is much better for me in terms of learning the words I use when I type than the predictive text feature in its iOS counterpart (which I use for work).

A little while ago, I tried a colleague's BlackBerry and the irony is that my hands hurt. And that's probably because I type a lot less, specifically because of the AI approach taken by SwiftKey. As per the native analytics tracker (see graphic below) in my app, I have saved myself over 350,000 taps and am 28% more efficient.

Today, over a quarter billion people use SwiftKey on their mobile devices. Although a little hidden from the view of analysts and academics, advances in artificial intelligence enabled SwiftKey (now owned by Microsoft) to offer a substitute for the once dominant BlackBerry physical keyboard. And for me personally it was this little piece of exponential technology (along with the relatively giant landscape of the Samsung Note 1) that convinced me it was time to switch.

And like I said, I can never go back.


Sunday, June 18, 2017

"Bitcoin process flow": Accountant's guide to risk & controls around the blockchain

For the past year, I have been following blockchain to assess how this exponential technology will impact financial auditing.

Unlike artificial intelligence, quantum computing, or virtual reality, this technology addresses the heart of the accounting profession: it is an innovation in the process of recording and accounting for transactions. Furthermore, it captures "proof of interaction" by leveraging digital signatures as the basis for executing exchanges. Both these features speak to the core of what we do as accountants and auditors.

But before we get ahead of ourselves, it is important to look at blockchain in a nuanced way. On the one hand, technologists should be careful about how the blockchain will impact the audit. However, at the same time, the audit profession can't afford to ignore it. To do so would invite the profession to repeat the mistakes of Kodak who, despite inventing the digital camera in 1975, were ultimately disrupted by that very same technology.

Part of the problem was assuming that digital technology was changing at a linear pace instead of an exponential pace. In this post, Peter Diamandis talks about how "30 linear steps" compares to "30 exponential steps" (and talks more broadly about linear vs exponential thinking). Ray Kurzweil, the infamous Googler, talks about the infamous story of how the inventor of chess requested an exponential amount of rice (and is rumored to have lost his head).

Going back to looking at this as an auditor, I think a useful starting point to understand the topic of blockchain is one of "professional skepticism". Specifically:

Why would people trust this?

It's been quite the task in trying to understand how the public blockchain, specifically bitcoin, works in disintermediating centralized authorities, such as banks, to settle transactions between two parties that don't know each other. In a sense, a retailer, like, only needs to receive a string of digits, such as: and be satisfied that the purchaser has bitcoins required to buy the merchandise and hasn't already spent them. That is, they have "assurance" from the above string of digits and characters that the sender has not already spent the bitcoin or has simultaneously sent the bitcoins to someone else.

Part 1: Background on the process flow

Before going through the walk through, it is important to watch these videos first to get some background on how Bitcoin works.

The following video illustrates the peer-to-peer nature of the ledger:

This video gives a good 5-minute summary delving more into the technical details of bitcoin. If you need more, check out this 22-minute video by the same author.

The following video by Andreas Antonopoulos is especially helpful in understanding how the blockchain works at a deeper level. I encourage watching the whole video, but if you want to get to the meat of how the Proof of Work and the SHA hash function work, skip to this point in the video.

As noted in these videos, when you send or receive bitcoins there's no exchange of actual digital code. Rather, the transfer is merely an update to the ledgers across the bitcoin network. It's quite ironic for us accountants - bitcoin holdings are really just the sum of the person's bitcoin transactions.

Part 2: Walk-through of a Bitcoin Transaction

I originally mapped out this "walk-through" of a bitcoin transaction in PowerPoint. The transaction is largely based on the book, Mastering Bitcoin, by Andreas Antonopoulos (same individual in the video above). He has been nice enough to make a number of the chapters available online, including chapters 2, 5 and 8 that I used to develop this flow.

The bitcoin transaction that I used to perform the walk-through is the same one used in the book and it belongs to block #277298. As per the book, Alice sends 0.015 bitcoins to Bob's cafe to buy a coffee.

Step 1: Get a bitcoin wallet and some bitcoin.

Those bold enough to transact in bitcoin need to set up a bitcoin wallet on their computer or mobile phone. Most important of all, this needs to be secured as it holds your private key that is used to sign the transactions and send them over to others. If this key is compromised, lost, etc. - you will lose all your bitcoins! And unlike credit cards, there is no central authority to complain to if this happens.

If you live in Toronto, you can actually buy the bitcoins at Deloitte at Bay and Adelaide (but you will need to set up your digital wallet before doing this).

It cannot be overstated enough that this is where the bulk of security issues occur and makes bitcoin prone to hacking. As noted in this article, the August 2016 hack of Bitfinex had to do with the way that the actual wallets are secured using multi-signature wallets where multiple parties (user, Bitfinex, and Bitgo) held the keys. It should be clear, however, that it's not the actual ledger that is being hacked or more accurately being modified. Instead, it's the encryption keys that are being stolen by the attackers.

How did the thieves access the funds given that the ledger is reporting all transactions publicly?

This article from the Verge gives some insights on how bitcoins can be effectively laundered out of the blockchain.

Step 2: Send bitcoins to the recipient.

Process: In this example, Alice is sending the bitcoins to Bob's public key "1Cdid9KFAaatwczBwBttQcwXYCpvK8h7FK", which is also known as his bitcoin address.

If you want to wade into the details as to how the transaction is set up and transmitted check out these two posts (here and here) by Google engineer, Ken Shirriff.

Risks:  Unauthorized recipient is sent the bitcoin. Unauthorized user modifies the payments.

Controls: Public key-cryptography: As noted in the process, Alice must send the bitcoin to Bob's bitcoin address or his public key. As long as she is 100% sure that it is actually Bob's address then only Bob will be able to access those bitcoins. In this scenario, Alice will likely scan Bob's QR since she is buying the coffee from him. However, if this were an online transaction then she would need to use an alternative method to verify that she is sending her bitcoins to the right address. PKI also ensures that the message can't be altered.

Step 3: Generate the transaction ID

Process: After the bitcoins are sent to the recipient a transaction identification number is generated, which in this case is “7957a35fe64f80d234d76d83a2a8f1a0d8149a41d81de548f0a65a8a999f6f18”.

Risks: Transaction will not be properly identified.

Control: Each bitcoin transaction is uniquely identified by transaction identification.

Step 4: Perform checks at the node

Process: Transaction is captured by the initial node. Risk: Transaction will be invalid, incomplete, incorrectly formatted, or violate other rules within the bitcoin protocol. See below for how these controls would be classified as “input edit controls” or data validation routine.

Risks: Inaccurate, invalid or incomplete transaction or transaction details will be posted to the blockchain.

Controls: The following list of controls is taken verbatim from chapter 8 of Antonopoulos's book mentioned earlier (or click here to see "Independent Verification of Transactions" in chapter 8).

Validity checks. The real genius of bitcoin is that it ensures that the person sending you the bitcoin already has them. In other words, it provides comfort on the existence assertion to the potential vendor or other person who will receive those bitcoins. With respect to data validations, it provides the following checks:
  • None of the inputs have hash=0, N=–1 (coinbase transactions should not be relayed).
  • A matching transaction in the pool, or in a block in the main branch, must exist.
  • For each input, if the referenced output exists in any other transaction in the pool, the transaction must be rejected.
  • For each input, look in the main branch and the transaction pool to find the referenced output transaction. If the output transaction is missing for any input, this will be an orphan transaction. Add to the orphan transactions pool, if a matching transaction is not already in the pool.
  • For each input, if the referenced output transaction is a coinbase output, it must have at least COINBASE_MATURITY (100) confirmations.
  • For each input, the referenced output must exist and cannot already be spent.
  • Reject if transaction fee would be too low to get into an empty block.
  • The unlocking scripts for each input must validate against the corresponding output locking scripts.

System-based validation. The following is a general data validation that ensures that the transaction is formatted per the bitcoin rules. As per Ken Shirriff’s post, noted in step 2, Bitcoin is very unforgiving when it comes to processing transactions: any inconsistencies with the protocol will result in the transaction being rejected.
  • The transaction’s syntax and data structure must be correct.

Completeness check. The following data validation ensures that the transaction is complete:
  • Neither lists of inputs or outputs are empty.

Limit checks. The following data validation rules ensure that transactions submitted for processing do not exceed the limits set by the Bitcoin protocol:
  • The transaction size in bytes is less than MAX_BLOCK_SIZE.
  • The transaction size in bytes is greater than or equal to 100.
  • The number of signature operations contained in the transaction is less than the signature operation limit.

Logical relationship checks. The following data validation routines ensure that values match. The second one is similar to the idea that underpins accounting, where the debits equal the credits.
  • The unlocking script (scriptSig) can only push numbers on the stack, and the locking script (scriptPubkey) must match isStandard forms (this rejects "nonstandard" transactions).
  • Reject if the sum of input values is less than sum of output values.

Range checks. The following controls ensure that the values submitted are within an acceptable range. The last one is what prohibits the mining of coins beyond the 21 million limit set by the protocol:
  • nLockTime is less than or equal to INT_MAX.
  • Each output value, as well as the total, must be within the allowed range of values (less than 21m coins, more than 0).
  • Using the referenced output transactions to get input values, check that each input value, as well as the sum, are in the allowed range of values (less than 21m coins, more than 0).
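To make these input edit controls concrete, here is an added sketch (not code from the post, the book, or any Bitcoin client) that applies the completeness, range, validity and logical relationship checks to a simplified transaction. The `Tx`/`TxIn` types, the `validate` function and the funding transaction ID are constructed for illustration; scripts, signatures and size limits are left out.

```python
from dataclasses import dataclass

SATOSHI_PER_BTC = 100_000_000
MAX_MONEY = 21_000_000 * SATOSHI_PER_BTC   # the 21m coin cap, in satoshis


@dataclass(frozen=True)
class TxIn:
    prev_txid: str    # transaction that created the output being spent
    prev_index: int   # which output of that transaction


@dataclass(frozen=True)
class Tx:
    inputs: tuple     # tuple of TxIn
    outputs: tuple    # output values in satoshis


def validate(tx, utxo, pool_spent):
    """Return the list of rule violations; an empty list means 'accept'.

    utxo:       {(txid, index): value} of unspent outputs on the main branch
    pool_spent: set of (txid, index) already claimed by pooled transactions
    """
    errors = []
    # Completeness check: neither list may be empty.
    if not tx.inputs or not tx.outputs:
        return ["empty inputs or outputs"]
    # Range check, as worded in the list above: more than 0, less than 21m coins.
    total_out = sum(tx.outputs)
    if any(not 0 < v < MAX_MONEY for v in tx.outputs) or total_out >= MAX_MONEY:
        errors.append("output value out of range")
    # Validity checks: every input must reference an existing, unspent output.
    total_in = 0
    seen = set()
    for txin in tx.inputs:
        ref = (txin.prev_txid, txin.prev_index)
        label = f"{ref[0][:8]}:{ref[1]}"
        if ref in pool_spent or ref in seen:
            errors.append(f"double spend of {label}")
        elif ref not in utxo:
            errors.append(f"missing or spent output {label}")
        else:
            total_in += utxo[ref]
        seen.add(ref)
    # Logical relationship check: inputs must cover outputs (the rest is the fee).
    if not errors and total_in < total_out:
        errors.append("sum of inputs is less than sum of outputs")
    return errors


# Constructed sample data: Alice owns one 0.1 BTC output and pays 0.015 BTC to Bob.
FUNDING_TXID = "aa" * 32                       # placeholder, not a real transaction
UTXO = {(FUNDING_TXID, 0): 10_000_000}
ALICE_TX = Tx(inputs=(TxIn(FUNDING_TXID, 0),),
              outputs=(1_500_000, 8_450_000))  # payment + change; 50,000 left as fee

if __name__ == "__main__":
    print("honest payment :", validate(ALICE_TX, UTXO, set()))
    print("second spend   :", validate(ALICE_TX, UTXO, {(FUNDING_TXID, 0)}))
    overspend = Tx(ALICE_TX.inputs, (1_500_000, 9_000_000))
    print("overspend      :", validate(overspend, UTXO, set()))
```

From an audit perspective, the double-spend and missing-output branches are the existence assertion being tested automatically on every transaction, before it ever reaches a miner.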

Step 5: Accept or reject the transaction 

Process: If the transaction meets the criteria then it is passed on to the miners to be mined in a block. Otherwise the transaction is rejected.

Risk/Control: this is a flow through from the previous step.

Step 6: Send transaction to be mined

Process: The transaction is then sent to a pool to be mined. The protocol looks to have the transaction mined within 10 minutes. When the sender submits the transaction to the recipient, they can add fees to be paid to the miners. However, those who do not pay fees are given lower priority than the people who are actually paying to have their transactions processed. Right now this is not critical as the main reward is getting awarded 12.5 bitcoins for mining (i.e. guessing the correct nonce which is discussed below). When bitcoins run out in 2040, however, it is these transaction fees that will become the main “remuneration” for the miners.

Risk: Miners incentives will not be aligned with verifying transactions. 

Control: The economic incentives give the miners a reason not to counterfeit. It is less work to actually mine the coin than to try to counterfeit the coin by amassing the necessary computer power. Also, the problem for profit-seeking criminals is that once they counterfeit the coins (e.g. through the 51% attack) the community would lose faith in bitcoin, making it worthless. However, this does not stop non-profit seeking parties who are looking for a challenge or to destroy the bitcoin platform.

Step 7: Pool the transaction with other transactions to be mined.

Process: As you can see from this list of transactions, transaction ID "7957a35fe64f80d..." is just one of the many transactions that are pooled together to be mined (i.e. checked) and then added to the blockchain ledger. You can try to find the transaction by going to the link, hitting ctrl-F and pasting in the first few digits of the transaction.

Risk and Controls: NA

Step 8: Protocol uses Merkle tree structure to hash transactions

Process: What I found challenging was to understand how the header hash (i.e. this) links to the actual transaction (i.e. this). And that’s where my journey took me to Merkle Tree structures. What Merkle trees allow you to do is recursive hashing that combines transactions recursively into the root hash as follows:

(Taken from: here)

Risk: Any node can verify the integrity of the blockchain by downloading the full blockchain ledger and ensuring that one block is linked to the previous block. However, to do this you need about 100 GB and a few days to download the blockchain. Consequently, there is a potential risk that mobile devices - which are used by most to execute bitcoin transactions - are unable to do this verification because they lack the storage capacity and processing power to verify the blockchain.

Control: The use of Merkle roots enables the verification of bitcoin transactions on small devices such as smartphones. Unlike a computer that has sufficient storage, these devices can simply use Merkle paths to verify the transactions instead. Using Simplified Payment Verification, the bitcoin protocol enables you to verify that the transaction is part of this root in order to get comfort that it is part of the block that has been checked and added to the blockchain. This structure also protects the pseudonymity of the other transactions as it doesn't require decrypting the other transactions in the tree structure. This control, however, ultimately relies on the overall blockchain being verified by the network and does not stand alone.
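The Merkle path check described above, as an added example (not code from the post or from Mastering Bitcoin). It uses Bitcoin's double SHA-256 and its rule of pairing an odd last hash with itself; the sample transactions are constructed byte strings, and real transaction serialization and byte ordering are not reproduced.

```python
import hashlib


def sha256d(data: bytes) -> bytes:
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_levels(leaves):
    """Return every level of the tree, from the leaf hashes up to [root]."""
    if not leaves:
        raise ValueError("a block has at least one transaction")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        level = levels[-1]
        if len(level) % 2:                 # odd count: pair the last hash with itself
            level = level + [level[-1]]
        levels.append([sha256d(level[i] + level[i + 1])
                       for i in range(0, len(level), 2)])
    return levels


def merkle_root(leaves):
    return merkle_levels(leaves)[-1][0]


def merkle_path(leaves, index):
    """Sibling hashes needed to climb from leaves[index] to the root.

    Each step is (sibling_hash, sibling_is_on_the_right).
    """
    path = []
    for level in merkle_levels(leaves)[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1                # the other member of the pair
        path.append((level[sibling], sibling > index))
        index //= 2
    return path


def verify_path(leaf, path, root):
    """What a lightweight (SPV) client does: rebuild the root from one leaf."""
    node = leaf
    for sibling, on_right in path:
        node = sha256d(node + sibling) if on_right else sha256d(sibling + node)
    return node == root


# Constructed sample block of five transactions.
SAMPLE_TXS = [f"constructed tx {i}".encode() for i in range(5)]

if __name__ == "__main__":
    leaves = [sha256d(tx) for tx in SAMPLE_TXS]
    root = merkle_root(leaves)
    path = merkle_path(leaves, 2)
    print("root           :", root.hex())
    print("hashes in path :", len(path), "instead of", len(leaves), "transactions")
    print("tx 2 in block  :", verify_path(leaves[2], path, root))
    print("altered tx 2   :", verify_path(sha256d(b"altered tx"), path, root))
```

The path grows with the logarithm of the number of transactions, which is why a phone can check inclusion in a block of thousands of transactions with only a dozen or so hashes.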

Step 9: Combining the hash transactions with previous block

Process: Miners need to generate the header of the blockhash, which consists of the previous hash, the Merkle root of the current set of transactions, as well as the nonce (see steps 10 and 11).

Risk: Transactions will be modified in an unauthorized manner.

Control: This is what effectively puts the "chain" in blockchain. It’s ultimately this structure that prevents transactions that have been added to the ledger from being modified. So let’s say you want to alter transactions that were added 1 hour ago (remember: it takes 10 minutes to add a block of transactions) you have to change the following:
- Merkle root of the hash of that transaction that was added 60 minutes ago.
- The header hash of the transaction of the block that was added 50 minutes ago.
- The header hash of the transaction of the block that was added 40 minutes ago.
- The header hash of the transaction of the block that was added 30 minutes ago.
- The header hash of the transaction of the block that was added 20 minutes ago.
- The header hash of the transaction of the block that was added 10 minutes ago.


This is because each hash is based on the hash of that transaction that was added an hour ago: any modification of that hash alters each of the 5 blocks that come after it. The data structure of each of those 5 blocks depends on the hash value of the transaction you want to modify.

Step 10: Setting the Difficulty/Target to identify the nonce

Process: The difficulty is actually set by the peer-to-peer system itself, which reviews whether the average time for the last 2016 blocks was 10 minutes. If not, then the difficulty will be adjusted up or down to get to the 10 minute average.

Risk: Transactions will be mined in an untimely manner; i.e. more or less than 10 minutes.

Control: The difficulty/target effectively acts as a throttle to ensure that mining a block takes 10 minutes regardless of the number of miners or computers involved (which will continually fluctuate). What the target determines is the level of guessing that the miners have to do to find the "nonce" (see next step). The lower the target, the more difficult it is to guess that number because there are fewer possibilities of the answer being correct.

Antonopoulos, in Mastering Bitcoin, gives the following analogy:

"To give a simple analogy, imagine a game where players throw a pair of dice repeatedly, trying to throw less than a specified target. In the first round, the target is 12. Unless you throw double-six, you win. In the next round the target is 11. Players must throw 10 or less to win, again an easy task. Let’s say a few rounds later the target is down to 5. Now, more than half the dice throws will add up to more than 5 and therefore be invalid. It takes exponentially more dice throws to win, the lower the target gets. Eventually, when the target is 2 (the minimum possible), only one throw out of every 36, or 2% of them, will produce a winning result."

Step 11: Produce the header hash, i.e. the proof of work

Process: The miners "brute force" (rapidly guess) what the right value of the nonce is to get the hash. The miners keep iterating the nonce, producing the hash, and checking if it matches the desired header hash. The series of flows above is meant to illustrate the iterative process the miner goes through. If the miner guesses the right hash, they will be awarded the Block Award of 12.5 bitcoins. This reward halves every 4 years and there will only be 21 million bitcoins issued. The last bitcoin will be mined in 2140.

Risks:
  1. Malicious actor controlling 51% of the network could authorize fraudulent transactions.
  2. People will not sign up to be miners without sufficient reward for their effort.
  3. Infinite supply of bitcoins would expose the currency to inflation risks, i.e. if bitcoins are mined endlessly the existing bitcoins would decrease in value.

Mitigating Risk 1: As noted in the process above, the miners have to brute-force the nonce and therefore expend energy. In fact, "electricity makes up between 90 and 95 percent of bitcoin mining costs". That means miners have to invest capital, effort and energy to actually mine the bitcoin. As noted earlier, this investment ties the miner to the success of bitcoin. That is, they won't want to hack bitcoin as it would drive the value down. On the capital side, miners buy specialized equipment called "rigs" to mine bitcoin:

Mitigating Risks 2 & 3: The bitcoin reward provides the incentives to the miners to create the header hash that has the necessary elements. Meanwhile, the 21 million cap on bitcoins actually makes the currency deflationary. As bitcoins get deleted or become inaccessible because someone can't remember the password to their digital wallet - those bitcoins are gone forever. Consequently, the total amount of bitcoin in circulation will be less than 21 million.
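Steps 9 to 11 together, as an added sketch (not code from the post or the book): each header commits to the previous header hash, a nonce is brute-forced until the hash falls below a target, and altering the oldest of six blocks forces all six to be re-mined. The header layout, the very easy `TARGET`, the `tx_digest` stand-in for the Merkle root and the sample transactions are all constructed simplifications.

```python
import hashlib
import struct

TARGET = 1 << 244        # constructed, very easy target: about 1 hash in 4,096 qualifies
GENESIS_PREV = bytes(32)


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def tx_digest(txs):
    # Stand-in for the Merkle root: one hash over all of the block's transactions.
    return sha256d(b"".join(sha256d(t) for t in txs))


def header_hash(prev_hash, digest, timestamp, nonce):
    # Simplified header: previous hash + transaction digest + timestamp + nonce.
    return sha256d(prev_hash + digest + struct.pack("<II", timestamp, nonce))


def mine(prev_hash, txs, timestamp, target=TARGET):
    """Brute-force the nonce until the header hash is below the target."""
    digest = tx_digest(txs)
    for nonce in range(2 ** 32):
        h = header_hash(prev_hash, digest, timestamp, nonce)
        if int.from_bytes(h, "big") < target:
            return {"prev": prev_hash, "txs": list(txs), "time": timestamp,
                    "nonce": nonce, "hash": h}
    raise RuntimeError("nonce space exhausted")


def build_chain(tx_batches, start_time=1_500_000_000):
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(tx_batches):
        block = mine(prev, txs, start_time + 600 * i)   # one block per 10 minutes
        chain.append(block)
        prev = block["hash"]
    return chain


def first_invalid(chain, target=TARGET):
    """Re-check every block as a receiving node would.

    Returns the index of the first block that fails, or None if all pass.
    """
    prev = GENESIS_PREV
    for i, b in enumerate(chain):
        h = header_hash(b["prev"], tx_digest(b["txs"]), b["time"], b["nonce"])
        if b["prev"] != prev or h != b["hash"] or int.from_bytes(h, "big") >= target:
            return i
        prev = b["hash"]
    return None


def rewrite_history(chain, index, new_txs):
    """Swap in new transactions at `index`, then re-mine until the chain verifies.

    Returns how many blocks had to be re-mined.
    """
    chain[index]["txs"] = list(new_txs)
    remined = 0
    bad = first_invalid(chain)
    while bad is not None:
        prev = chain[bad - 1]["hash"] if bad else GENESIS_PREV
        chain[bad] = mine(prev, chain[bad]["txs"], chain[bad]["time"])
        remined += 1
        bad = first_invalid(chain)
    return remined


# Constructed sample: six blocks of three transactions, i.e. one hour of history.
SAMPLE_BATCHES = [[f"constructed tx {b}-{i}".encode() for i in range(3)]
                  for b in range(6)]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_BATCHES)
    print("nonces found       :", [b["nonce"] for b in chain])
    print("chain verifies     :", first_invalid(chain) is None)
    chain[0]["txs"][0] = b"constructed tx 0-0 (altered)"
    print("first bad block    :", first_invalid(chain))
    print("blocks to re-mine  :", rewrite_history(chain, 0, chain[0]["txs"]))
```

With this toy target each re-mine takes milliseconds; at the network's real target, the same six re-mines have to outpace every honest miner extending the chain at the same time.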

Step 12: The block is time stamped 

Process: Timestamps are embedded in every calculation involved in generating the block. This makes the blockchain “immutable” as malicious actors can’t change previous blocks, especially after 6 blocks have been added to that block (which is why online retailers wait 60 minutes before accepting payment).

Risk & Control: As noted in Step 9, the blockchain concept of linking one block to another in a sequence is one of the key controls to ensure that transactions will not be modified in an unauthorized manner. Such a control is dependent on the timestamp as noted in the process section.

Step 13: Block is propagated across the network.

Process: Other nodes check the hash by running it through the SHA-256 hash function and confirm that the miner has properly checked the transaction. If more than 51% agree, then it is accepted as valid and added to the shared blockchain ledger and it will become part of the immutable record.

Risk: If miners added the block to themselves, they would have both access to gaining the asset (i.e. the bitcoin) and access to the ledger itself. 

Control: The bitcoin network effectively segregates incompatible functions by requiring 51% of the network to agree that the work performed was valid. That is, a block cannot become part of the blockchain ledger until the majority of the network reviews the work performed by the miners. 

Hopefully, this has clarified some of the nagging questions you've had about how the bitcoin blockchain enables trust through a decentralized peer-to-peer network.  That being said, the above flowchart has been quite the labour of love for the past few months. So there will be quite a few gaps! Special thanks to Andreas Antonopoulos, who although I have never met, has made this journey a lot easier by making his work available online.

Please email me at  malik [at] if you have any comments, questions, or notice any gaps.
