Five Top Tech Takeaways: Google's $18B Anti-Trust Woes, Hidden AI Workers, AI Beats Going to Uni, AI Executive Order and Can AI Pass Accounting?

AI's CPA Exam Woes

The Hidden Workforce Behind AI's Training.

The booming artificial intelligence (AI) industry heavily relies on a vast, often overlooked workforce that labels data. Major companies, including tech giants such as Amazon and Facebook, outsource this data labeling to crowdsourced workers in regions with low labor costs. The global data collection and labeling market, which stood at $2.22 billion in 2022, is projected to escalate to $17.1 billion by 2030. However, beneath this growth lies a stark reality: many workers face long hours, unpredictable incomes, and minimal pay for their tasks. This exploitative trend is pervasive across developing nations, prompting concerns and discussions about ethical practices in the AI training landscape.

Key Takeaways:

• Major tech companies are heavily reliant on gig workers in economically challenged regions to train their AI models.
• The global data collection and labeling industry is rapidly growing, with a projected worth of $17.1 billion by 2030.
• Workers face uncertain incomes and long hours, leading some to label it as "digital slavery."

Source: WIRED

The New Gold Rush: Young Minds Ditch College for AI Ventures.

A growing number of teenagers and young adults are leaving their college education behind to capitalize on the surging AI industry. They are lured by the promising investment wave in AI, as evidenced by more than 25% of American startup investments going to AI firms this year. The emergence of technologies like ChatGPT and the increasing value of the generative-AI applications market have emboldened many young founders to leave their studies and focus on their AI ventures.

Key Takeaways:

• A surge in AI investments has led to a trend of students dropping out of college to focus on AI startups.
• Generative AI technologies, such as ChatGPT, have revolutionized the startup landscape, enabling entrepreneurs to create solutions without needing large teams.
• While some young founders achieve success, there's an understanding that not every venture will thrive, but returning to college remains an option for many.

(Source: The Wall Street Journal)

Experts evaluate if AI can pass as an accounting professional exam

A panel of accounting experts convened to evaluate the responses of the AI system BARD to questions in fields like auditing, tax, and forensic accounting. They wanted to test the claim that AI could become an expert in these areas. The panel used Bloom's Taxonomy, a framework for learning objectives, to assess if BARD could demonstrate higher-order thinking skills. Some panelists assigned the AI a letter grade. 

Key Takeaways:

• BARD provided factually incorrect answers and only demonstrated basic recall of information for internal auditing questions.
• For tax topics, BARD gave thorough responses but could not replace a CPA's expertise and experience.
• BARD struggled with comprehension of forensic accounting and GAAS standards, often oversimplifying complex professional guidelines.

(Source: CPA Journal)

Does Google Spend $18 Billion to Keep Safari in Check?

 

A significant development in the US v. Google trial highlights the multibillion-dollar deals between tech giants Google and Apple. Based on a recent report from The New York Times, Google pays a hefty sum, approximately $18 billion, annually to Apple to remain the default search engine for Safari across Apple devices such as Macs, iPads, and iPhones.

Three Major Takeaways:

• Google's payment to Apple not only secures its primary position on Apple devices but also historically discouraged Apple from creating its own search engine. Notably, Apple has explored avenues like acquiring Bing or crafting a unique search engine, but hesitations arise from potentially antagonizing Google and losing the lucrative deal.
• Microsoft's CEO, Satya Nadella, implied that Apple maintains its alliance with Google as it could face challenges if Google decided to leverage its widely-used applications, like Gmail and Maps, to push users toward Chrome and away from Safari.
• The US v. Google trial has spotlighted the implications of Apple's agreement with Google, arguing that it promotes an anticompetitive monopoly. The idea is that any search engine partnered with Apple's vast market share would instantly gain significant influence.

(Source: The Verge)

White House Releases AI Executive Order

The White House has unveiled an extensive executive order on artificial intelligence (AI). This directive encompasses nearly all federal agencies, aiming to regulate and guide the growth of AI to safeguard the public, economy, and national security. Given the limited power of President Biden's executive branch and the unlikelihood of Congress producing new AI-related laws soon, this order is set to be the most assertive piece of U.S. regulation on this rapidly expanding industry for the foreseeable future.

Key Takeaways:

• The executive order mandates developers of high-end AI systems to disclose their safety test outcomes to the U.S. government. It also establishes rigorous standards for testing to ensure AI product safety before public release.
• To combat AI-driven deep fakes and misinformation, the Department of Commerce will create guidelines for content authentication and watermarking. This will help label AI-generated content clearly.
• Addressing concerns about AI potentially displacing millions of jobs, the order instructs the administration to draft a report on AI's potential labor market effects. It will also explore ways to bolster federal support for workers impacted by AI-induced labor disruptions.

(Source: CNBC Television)

Author: Malik Datardina, CPA, CA, CISA. Malik works at Auvenir as a GRC Strategist who is working to transform the engagement experience for accounting firms and their clients. The opinions expressed here do not necessarily represent UWCISA, UW, Auvenir (or its affiliates), CPA Canada or anyone else. This post was written with the assistance of an AI language model. The model provided suggestions and completions to help me write, but the final content and opinions are my own.

Data Tsunami: How big is the Data Deluge? (Part 1)

Was invited last year to speak about the Data Tsunami at the AICPA Engage conference, but I didn't quite make it there! Instead, I presented virtually. 

So, will be breaking out some of the topics that I will be discussing over a few blog posts. 

How big is the data tsunami?

Probably, the first thing that comes to mind is social data. The Internet truly unleashed the first torrent of the data tsunami. Google's search index alone is 100,000,000 GB. In terms, of social data we are looking at the following:

• Twitter: 200 billion tweets per year (Twitter)
• Facebook: 4 petabytes of data per day (WEF)
• WhatsApp: 65 Billion Messages per day (WEF)
• YouTube: 250 million hours per day (Variety)
• Apple: 50 billion podcasts downloads (Fast Company

It's interesting how the data tsunami encompasses print, sight and sound. This is of course lends itself to analytics, but we will discuss that in a future post.

In terms of organizational data, Walmart generate 2.5 petabytes of data per hour. According to American Banker, 12 million petabytes (per year) of data flows through the financial industry. In terms of manufacturing, 6,000 fan blades manufactured by Rolls Royce generates 3 petabytes. It gives an idea of how much data is generated by the millions of parts that go into airplanes, trains and automobiles.

In terms of medical data, Stanford published the following: 

“The sheer volume of health care data is growing at an astronomical rate: 153 Exabyte…were produced in 2013 and an estimated 2,314 Exabyte will be produced in 2020, translating to an overall rate of increase at least 48 percent annually.”

This obviously has tremendous privacy concerns. 

How big will the data tsunami get? 

According to IDC, "the collective sum of the world’s data will grow from 33 zettabytes this year  [2018] to a 175ZB by 2025". 

A couple of key contributors to this 'tsunami of data', will likely be the Internet of Things (IoT). 

IDC predicts that 40+ billion IoT devices will generate 79.4 ZB of data by 2025. The other generation of 'digital exhaust' will likely be autonomous vehicles, which according to Intel produce about 4 terabytes of data per hour. 

But the big question is so what?  

We'll take a look at this question in the next post. 

Author: Malik Datardina, CPA, CA, CISA. Malik works at Auvenir as a GRC Strategist that is working to transform the engagement experience for accounting firms and their clients. The opinions expressed here do not necessarily represent UWCISA, UW, Auvenir (or its affiliates), CPA Canada or anyone else.

 

Audit, Audit, Audit harked Mark: Can CPAs come to Facebook's rescue?

In an investigation by the Guardian and the New York Times, the alleged misdeeds of Cambridge Analytica were revealed.

As noted in the Guardian article:

"Christopher Wylie, who worked with a Cambridge University academic to obtain the data, told the Observer: “We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on.”... Documents seen by the Observer, and confirmed by a Facebook statement, show that by late 2015 the company had found out that information had been harvested on an unprecedented scale. However, at the time it failed to alert users and took only limited steps to recover and secure the private information of more than 50 million individuals."

The following video from TheVerge sums up the issue:

Although such allegations have received attention (in my opinion due to the association with Trump's campaign), the reality is that these allegations against Facebook are actually not new and reported in both the Intercept in early 2017 and the Guardian way back in 2015. 

There was an ensuing backlash (as noted in the video above and here) that forced Facebook CEO, Mark Zuckerberg to respond. He both had a written response and gave the following interview on CNN:

During the CNN interview, he mentioned the word "audit" 3 times[emphasis added]:

• "So we're going to go now and investigate every app that has access to a large amount of information from before we locked down our platform. And if we detect any suspicious activity, we're going to do a full forensic audit"
• "And we're now not just going to take people's word for it when they give us a legal certification, but if we see anything suspicious, which I think there probably were signs in this case that we could have looked into, we're going to do a full forensic audit."
• "We know how much -- how many people were using those services, and we can look at the patterns of their data requests. And based on that, we think we'll have a pretty clear sense of whether anyone was doing anything abnormal, and we'll be able to do a full audit of anyone who is questionable."

Can CPAs come to Mark's rescue? 

Zuckerberg's repetitive use of the word audit should be read in conjunction with his "welcoming" of regulation:

"I actually am not sure we shouldn't be regulated. You know, I think in general, technology is an increasingly important trend in the world, and I actually think the question is more what is the right regulation rather than yes or no, should it be regulated?"

Zuckerberg would not be the first tech giant to opt for regulation as a business strategy.

In Tim Wu's Master Switch, Theodore Veil also advocated for the concept of a regulated monopoly in the arena of telephones:

"[Theodore] Vail died in 1920 at age 74, shortly after resigning as AT&T's president, but by that time, his life's work was done. The Bell system had uncontested domination of American telephony, and long-distance communication was unified according to his vision. The idea of an open, competitive system had lost out to AT&T's conception of an enlightened, licensed, and regulated monopoly. AT&T would remain in this form until the 1980s, and it would return in not so substantially different form in the 2000s. As historian Milton Mueller writes, Vail had completed the "political and ideological victory of the regulated monopoly paradigm, advanced under the banner of universal service."" [emphasis added]

As Tim points out in his book, the move enabled AT&T didn't always use their monopolistic powers for good. They charged high long distance rates and even stifled innovation suppressing the answering machine due to potential conflict with its main business.

Regardless, it shows that Facebook could be an early advocate for CPAs offering privacy related assurance services around its algorithms.

AlgoTrust: A new service offering for CPAs? 

The concept of AlgoTrust is something I have previously discussed in this post.

The idea actually has support from multiple angles not least of which of comes from information security expert, Bruce Schneier:

"...it is also worth noting that there are other experts who hold that algorithms - from a privacy perspective - need to be regulated. Bruce Schneier, a well-known information security expert who helped review the Snowden documents, in his latest book, Data and Goliath ... also calls for "auditing algorithms for fairness". He also notes that such audits don't need to make the algorithms public, which is it the same way financial statements of public companies are audited today. This keeps a balance between confidentiality and public confidence in the company's use of our data."

Big Data versus Privacy: The monetization paradox
Such an algo-audit could leverage the work done by AICPA and CPA Canada in the realm of privacy, specifically the Generally Accepted Privacy Principles. That being said, privacy audits have been a hard sell in the past. But what distinguishes the service here is that it would be auditing the algorithm for compliance with privacy "regulations".The reason regulations need to be put in quotes is that in substance privacy legislation is effectively eliminated if the consumer consents to use the service.  

The challenge, therefore, is balancing the drive to monetize big data with the privacy needs of the people who use the service. For example, people who identify with the "left" may not want Steve Bannon or Trump accessing their data. Similarly, people who identify with the "right" may not want Obama accessing their social media data. The end result is that no one can access meaningful data due to privacy restrictions - resulting in a standard so restrictive that it eliminates that ability of companies like Facebook to monetize the treasure trove of data that they have collected.

As noted in an earlier post, there is an inherent highlight the conflict between privacy and profiting from big data. The value of big data emerges from the secondary uses of big data. However, privacy policies require the user to consent to a specific use of data at the time they sign up for the service. This means future big data analytics are essentially limited by what uses the user agreed upon sign-up. However, corporations in their drive to maximize profits will ultimately make privacy policies so loose (i.e. to cover secondary uses) that the user essentially has to give up all their privacy in order to use the service.

There is a lot of potential in attempting to create an assurance service to address Facebook's predicament, but as they say, the devil is in the details. 

Author: Malik Datardina, CPA, CA, CISA. Malik works at Auvenir as a GRC Strategist that is working to transform the engagement experience for accounting firms and their clients. The opinions expressed here do not necessarily represent UWCISA, UW, Auvenir (or its affiliates), CPA Canada or anyone else

BNY Mellon Software Glitch: Time to make SysTrust mandatory?

As was widely reported in the business press, BNY Mellon experienced a technical glitch that affected its ability to price mutual funds accurately. Based on the press release from one of the affected funds, the problems started on Monday August 24th, where one of BNY Mellon's system "InvestOne" managed by SunGard was pricing about 800 mutual funds inaccurately.

So what was the cause of this fiasco?

According to CNN, "BNY Mellon outage occurred after a SunGard accounting system it uses became "corrupted" following an upgrade. A back-up also failed."

Normally, this type of thing will force the party experiencing the breach intense scrutiny over what went wrong. However, as I went through the timeline posted by the company, I found (reading between the lines) that they did a number of things right, such as:

• Incident Management Communication Plan: One of the aspects of incident management is communicating to the public and making them aware of the issue. As it can be seen, the company posted details on estimates as to when the system would be ready as well as what was the source of the delay when they didn't meet their estimated deadline. 
• Contingency planning: BNY Mellon was able to get the Net Asset Values (NAVs) "using a secondary and more manual process" to the clients without the production system. According to WSJ, this involved "mobilizing more than 100 accountants to manually calculate the values of thousands of fund securities". The secondary procedure was not perfect as small differences were noted between the fund and, as reported the WSJ, this could expose the bank to "potential liability from the resolution of trades that may have been made during the pricing fog".  
• Effective Service Level Agreement (SLA) with SunGard: Based on the close coordination with SunGard, it appears that they were able to get SunGard to eventually rebuild the system "from scratch". 

That being said, there is always room for improvement. When I was reflecting on this, I speculated that this was another case of inadequate testing of the system upgrade. However, according to SunGard, this was not the case. As they noted on their website:

"The issue appears to have been caused by an unforeseen complication resulting from an operating system change performed by SunGard on Saturday, August 22nd. This maintenance was successfully performed in a test environment, per our standard operating procedure, and then replicated in SunGard’s U.S. production environment for BNY Mellon. This change had also been previously implemented, without any issues, in other InvestOne environments. Unfortunately, in the process of applying this change to the SunGard production environment of InvestOne supporting BNY Mellon’s U.S. fund accounting clients, that environment became corrupted. Additionally, the back-up environment hosted by SunGard, supporting BNY Mellon’s U.S. fund accounting clients, was concurrently corrupted, thus impeding automatic failover. Because of the unusual nature of the event, we are confident this was an isolated incident due to the physical/logical system environment and not an application issue with InvestOne itself."

Given my background as a CA, CPA and CISA, I have always thought it is an odd contradiction that we expect infrastructure (road, dams, bridges, etc.) to be certified by engineers to be in working order (key word is expect, as John Oliver notes in the video below, this is not exactly up to snuff!), but do not have the same expectations for the technology that runs the Information Age.

And that's where I have always proposed that it is necessary to have a framework like SysTrust (now SOC2 and SOC3) in place that requires companies to ensure that their systems are reliable: secure, available, and able to process information without messing it up.

Based on the experience between SunGard and BNY Mellon, I think it actually proves the case. Although companies, like SunGard, likely have such controls in place it is beneficial to others to have a second set of eyes on those controls, ensuring that they are in place, are designed effectively and are operating effectively. The reason is that with such mandatory audits in place, it will allow for the circulation of best practices through such audits. This occurs in the financial auditing world through "management letter points".

One other area that we should explore is the total impact of this error, as it will give insights into the "total impact of failed IT controls". This will be the topic of the next blogpost.

Hey CPA: Should I get anti-virus for my home network?

Recently, I was having a conversation with my friend's 12 year old daughter. She's an avid e-book reader and her Kobo is a close companion. We were discussing the susceptibility of Kobo (in contrast to her computer) to viruses. I wasn't sure what OS was on the Kobo, but I did a quick check and realized that it was a Linux operating system. So I explained the economics of malware: most malware are designed for the Windows or MAC Operating System: criminals want to get the most bang for their buck. So the likelihood that hackers would target the Kobo tablets would be quite low.

Then it struck me: would a CPA be able to lead this sort of discussion?

The recent merger of the professional accounting bodies prompted the publication of a new competency map. The new competency map, however, greatly reduced the amount of technology competence required by a CPA.

Coincidentally, the WSJ published a review of the Bit Defender BOX around the same time I had this discussion. For what it is, see Amazon's Video Review.

As with the conversation with the 12 year-old, I wondered whether a CPA could keep pace with the issues brought up in the article, which include:

• If there's an OS, there's a risk of virus infection: The proliferation of "smart" devices is actually a proliferation of operating systems. As they point, no large scale infections to report yet. But the point is that there is a risk of infection and consumers need to figure out how to handle the virus.
• Network controls versus end-point controls: The solution for the virus can either be put on each device (e.g. mobile phone, tablet, smart thermostat, etc.) or at a network level. But which one is better? And that's the point: could a CPA discuss the advantages and disadvantages of each approach
• Evaluating intrusion detection systems (IDS): box is, in a sense, the IDS for the masses. As noted WSJ, the Box sent a number of "unhelpful alarms". In other words, the system generated "false positives" which means that users will initially check it alert diligently, but then ignore subsequent alerts assuming it's a false alarm. 
• Limitations of scanning devices: The article also notes how the device can't work on encrypted traffic.  More generally, it talks about the overall (lack of) reliability and 
• Best security practices: The article also notes several best practices to make home networking safer including, patching/updating router software + enabling auto-update, use of strong passwords, hardening systems (i.e. changing the default user ID & password on things like routers), use WPA2 standards (i.e. not WEP which can be easily cracked), and use of guest network instead of sharing passwords. 

But that's not all. WSJ also published this article detailing five key corporate security practices, including:

• Patching, i.e. installing software updates to plug security holes in the software,
• Limiting connectivity of devices on a "need to do basis",
• Encrypting data that is confidential or highly confidential (e.g. credit card data)
• Use of physical security devices instead of just passwords
• Independently assessing vendor compliance with security. 

The interesting thing about this article is that it omits the use of SOC audit reports (see Amazon's FAQ on the topic or the AICPA's site) with respect to verifying the level of security compliance with the latter point. 

But, again, does the current competency map train CPAs sufficiently to spot that? 

We should keep in mind a couple of things.

Firstly, the WSJ is a good litmus test of what the business press can expect a business professional to know about IT security, and technology related controls more generally. 

Although not explicitly mentioned in the first article, one of the key trends that has raised the level knowledge required for the average business professional is consumerization: individual have access to technology, such as tablets, smartphones, networks, etc. that were once the sole domain of corporate IT. Consequently, now the average business professional needs to increase their knowledge of IT and IT risks to avoid a virus or getting hacked. For example, I heard a couple of guys at the gym discussing the risks of downloading illegal movies: getting targeted by regulators and malware infection. 

Secondly, my friend's kid is 12 years old and understands the concept of viruses, OS and risk at very rudimentary level. 

Okay so we all know the kids are tech savvy. 

But we need a competency map that would be relevant to the future generation that will be entering the profession.  Furthermore, if the CPA profession wants to achieve its vision of being the  "globally respected business and accounting designation" it must not just meet the level of the business press but must go beyond. 

Should Algorithm Audits be mandated for HFT firms?

Was heading into work on train and came across WSJ's op-ed piece on the need for regulation around algorithms involved in trading. The article mentions how the regulators have not done much since the Flash Crash of 2010.

What is the Flash Crash of 2010?

As noted in the piece, "flash crash hit on the afternoon of May 6, 2010, as riots in Athens and a European debt crisis weighed on markets. In about eight minutes the Dow Jones Industrial Average fell 700 points before rebounding." 

The op-ed goes on to dismiss the "official" explanation (i.e. a large hedge placed by a US firm and financial shenanigans of UK based day trader) and states: "More important, they say, is the role of high-frequency firms, which use hard-to-monitor algorithms to trade large amounts of stock in fractions of seconds. If they trade erratically, the market can come unglued, as happened in the flash crash."

The article notes that the SEC has been exploring the mandating disclosure requirements and controls on firms that use algorithms. However, the article also quotes a number of regulators who say they don't have enough funds to keep pace with the firms. 

Before I go back down memory lane, it is also worth noting that there are other experts who hold that algorithms - from a privacy perspective - need to be regulated. Bruce Schneier, a well known information security expert who helped review the Snowden documents, in his latest book, Data and Goliath (see clip below for a summary), also calls for "auditing algorithms for fairness".  He also notes that such audits don't need to make the algorithms public, which is it the same way financial statements of public companies are audited today. This keeps a balance between confidentiality and public confidence in the company's use of our data.

So is it time for auditing algorithms through an "AlgoTrust" offering?

As I noted on my reflections on "Big Data: A Revolution That Will Transform How We Live, Work, and Think": 

"[H]ow would you go about auditing an algo? Although auditors lack the technical skills of algoritmists, it doesn't prevent them from auditing algorithms. The WebTrust for Certification Authorities (WebTrust for CAs) could be a model where assurance practitioners develop a standard in conjunction with algorithmists and enable audits to be performed against the standard. Why is WebTrust for CAs a model? WebTrust for CAs is a technical standard where an audit firm would "assess the adequacy and effectiveness of the controls employed by Certification Authorities (CAs)". That is, although the cryptographic key generation process is something that goes beyond the technical discipline of a regular CPA, it did not prevent the assurance firms from issuing an opinion."

I also noted:

"some of the ground work for such a service is already established. Fundamentally, an algorithm takes data inputs, processes it and then delivers a certain output or decision. Therefore, one aspect of such a service is to understand whether the algo has "processing integrity" (i.e. as the authors put it, to attest to the "accuracy or validity of big-data predictions"), which is something the profession established a while back through its SysTrust offering."

What I saw to be the challenge at the time I penned that blog post is market demand for this type of service. The answer appears to be that SEC could mandate such audits and leverage the CPA firms the same way they do for financial audits. However, instead of rendering opinion on the financials, such audit firms would render an AlgoTrust opinion on the algorithms to ensure that they are in-line with Generally Accepted Algorithmic Principles instead of Generally Accepted Accounting Principles (sorry I couldn't resist!).

Beyond WebTrust for Certification Authorities, companies are currently leveraging SysTrust which has been subsumed into the SOC 2 and SOC 3 audit reports. For example, Salesforce.com gets an audit opinion that provides reasonable assurance that its systems are secure, available and that it maintains confidentiality of the information they are provided with.

The AlgoTrust standard should address issues such as the ones raised in WSJ (i.e. as it relates to trading algos) as well ensuring the preservation of privacy. But it should not stop there. In the original post, Chris Steiner explains how algos are invading all parts of life, including things like robot pharmacists.

We have at least three experts from three different fields: finance, data, and information security that all see the value in auditing algorithms. If the CPAs don't take the lead on this, who will? As Bruce Schneier notes it won't be easy, but it is something that will eventually be tackled by either the CPA profession or someone else. 

Unauthorized Access to China? Value of IT Audits and Control Frameworks

Various media sites and blogs, including the BBC, picked up on the story reported by this blog about one enterprising individual who decided to apply what all the major manufacturing companies and service companies are doing: outsource work to cheap labour pools in China (and also India). According to the Verizon post, the individual would basically show his face to work and surf the Internet, while the developers in China were doing all the hard work. Although many have attacked him as being lazy and "scamming" the system, the reality is that many enterprises, such as Apple, depend on such strategies for their profitability. Regardless of this debate, it ultimately the individual violated his agreement with the company. (I am assuming that he had a standard terms of employment that required him to do the work assigned to him and not to provide his credentials to unauthorized users).

From Information Security Risk and Control perspective, this story is a good one for IT Audit and Security practitioners to highlight the importance of IT control framework, risk analysis and audits. The company that discovered the issue was reviewing the security logs. As Andrew Valentine notes in the original Verizon security blog post that noted the incident: "In early May 2012, after reading the 2012 DBIR, their IT security department decided that they should start actively monitoring logs being generated at the VPN concentrator. (As illustrated within our DBIR statistics, continual and pro-active log review happens basically never – only about 8% of breaches in 2011 were discovered by internal log review)." Effectively, the DBIR acted a control framework. It illustrated the importance of best practices to those that read it. And this is ultimately the role of IT Control Frameworks. COBIT, Trust Services and ISO 27001/2, all identify the need to log access and review such access.  COBIT 4.1, published by the Information Systems Audit and Control Association (ISACA), identifies the following control in their framework:


DS5.5 Security Testing, Surveillance and Monitoring
"Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed."

Trust Services, jointly published by AICPA and the CICA, requires the following (See the Security Principle, 3.2(g) on page 10):
 "The information security team, under the direction of the CIO, maintains access to firewall and other logs, as well as access to any storage media. Any access is logged and reviewed in accordance with the company’s IT policies."

ISO 27001/2 requires "Audit logging" under 10.10.1 See page 5 of this sales document from Splunk, a big data company that analyzes logs. ISO keeps this document confidential and so no direct link to the control could be provided.

The other important aspect of this story is that the individuals who read Verizon's DBIR understood how the control related to a specific risk (if you read the report the information security controls identified are linked to the risks they manage). Consequently, to get buy in, IS assurance professionals need to link the IT controls or  frameworks. Presenting controls in isolation fails to illustrate the importance of such controls. It would be interesting if ISACA could either team with Verizon to publish the next report or actually map the report to its framework.

Finally, Verizon's work illustrates the importance of IT audit. Organizations that want to keep on top of security threats and risks need to have competent security and risk professionals that can investigate and analyze risks when the are identified.