In the epic battle of man versus machine, the chess champion Garry Kasparov threw the match, allegedly because he thought that the AI-powered system had made a well-calculated move. In reality, it was just a random move that the system threw out because it had experienced a technical glitch.
One up-and-coming AI-enabled service to watch is GPT-3 from an organization called OpenAI. OpenAI was started by Elon Musk. It’s in beta right now and in a really raw state but the capabilities that have surfaced are pretty amazing.
One capability it has (as noted in the video) is summarizing long reads. However, there are serious flaws that need to be worked out. For example, it advised a fake patient suffering from depression to kill themselves. So it's not going to be rolled out at a hospital any time soon, but it is definitely something to watch.
AI and CPAs: Competitors or Collaborators?
AI could make the profession more sustainable, as these mundane tasks could be handed to a system. MIT’s Erik Brynjolfsson describes this concept as "race with the machine". The idea is that doctors, accountants and lawyers can work better together with technology. It’s almost like a second set of eyes or someone that can help you assess whether the professional judgement on an issue is correct.
However, this is not something that is currently on the horizon.
What’s more realistic is understanding where the economics of automation will apply for more basic things like having a more timely close. McKinsey put out a study in August 2020 that found automating and increasing the accuracy of forecasts helped management make better decisions. One case study they highlighted was a manufacturer that was able to reduce inventories and product obsolescence by 20 to 40 percent.
Change is coming faster than we expect
We should be aware of the concept of exponential change. Technology, like AI, improves at an exponential rate and not a linear rate. Consequently, monitoring the space is key for CPAs and others to ensure that they see change coming and adapt accordingly.
Author: Malik Datardina, CPA, CA, CISA. Malik works at Auvenir as a GRC Strategist that is working to transform the engagement experience for accounting firms and their clients. The opinions expressed here do not necessarily represent UWCISA, UW, Auvenir (or its affiliates), CPA Canada or anyone else
In 2018, CPA Canada held the Foresight Sessions where they consulted CPAs and others on how the profession should move forward. CPA Canada took a broad view of the topic and brought a diverse crowd of people to look at how things could unfold. There were a number of facilitated sessions that looked at a number of possible scenarios and how the profession could thrive in each of those scenarios. What I liked about the sessions was the diversity of thought. The environment was so open that attendees were even willing to talk about things like wealth inequality and its potential impact on the profession.
Before looking at where we are now, it is good to take a step back and look at the underlying need to re-examine the profession. The CPA profession was born in a book-based world where knowledge went through a manufacturing process of sorts. Regardless of whether it is the accounting standards themselves or the actual financial statements, the idea was there was a sense of finality to the process. The Internet, and more specifically the hyperlink, changed that. Data, information and knowledge are now networked.
It's not to say that the profession was unaware of this.
I am a CPA who got his start in the world of Audit Data Analytics back in 2000 (yes, 20 years ago, when this type of work was known as computer-assisted audit techniques). Back then, IT-focused CPAs like myself used tools like Audit Command Language or IDEA (sometimes referred to as 'generalized audit software'). This required the analysis of data largely for audit support.
CPA Canada also published the Information Integrity Control Guidelines (authored by Efrim Boritz and myself), which looked at how controls and "enablers" would create information integrity. The project was designed to take a fresh look at the traditional dichotomy between "general computer controls" and "application controls". For example, the publication also looked at controls specifically around content.
Why Data Governance?
The challenge I have found is how to succinctly articulate how CPAs can play on the divide between business and technology. Data governance probably is a good place to start. Even when you consider something more technical like a 'data scientist', a key component is to have business domain knowledge. Hence, to capture the future it makes sense to look at something that is beyond technology but rather data and information. After all, accountants have experience with data, but not configuring routers. Furthermore, as pointed out in this CPA Canada article, "there is already a need for foundational standards of practice around all aspects of data governance and the data value chain".
Why are CPAs suited for data governance?
I have always felt that CPAs have a solid foundation in understanding information. Through the FASB framework, we realize the trade-offs between relevance and reliability, as well as understanding the reality of what is needed to audit something. When looking at the work Efrim and I have done around information integrity, this was a key resource because it is unique in understanding the parameters of information.
When teaching a class at Waterloo, I linked how this framework is now even relevant to social media companies. Google/YouTube, Facebook, and Twitter have all been "auditing" posts on their respective sites due to misinformation about COVID-19 or other matters. When covering this in class, the concern I raised was around the "slippery slope". For example, does that mean all the other posts are "materially correct"? Such things illustrate how CPAs can add value when it comes to data governance.
COVID-19 is impacting everyone, including accountants. As discussed in the last post, the crisis has made video calling normal to the point that people are experiencing fatigue. It speaks to one of the adjustments people have had to make due to the "new normal".
But what is the wider impact on the profession? How are firms handling the COVID-19 Crisis?
Not surprisingly, nearly three-quarters of the firms surveyed felt that the pandemic was going to reduce their revenues. In terms of magnitude, 37% of those surveyed are predicting a 10%+ loss in earnings. The good news, however, is that most had not let staff go. Only 7% had laid off staff, while 4% were planning to do so.
The other interesting find is that the most popular service to come about due to this crisis was CARES Act Consulting, with 73% offering this service. The next closest was business continuity consulting at 36%.
There were also some interesting finds around the tech front.
Working Remote: Over 60% of firms had challenges with closing their offices, with nearly half of those having some challenges with the "online approach". The survey found that only 10% had no remote capabilities. See the graphic below for more details
Closing offices: Closely related to the previous result, only 13% fully shut down their office. The survey did not reveal why this was the case. But if you can't work remotely, what other choice do you have?
Communications: Although more than half used traditional means of communication, 33% were looking at new forms of communication.
Virtual firms, like Live.ca, seem to have been well prepared for this pandemic. With no offices to speak of, the firm was online from day one. The firm was featured on this CPA Canada promotional video:
Being agile in times of adversity is key to success. Understandably, tech can be daunting for small firms. However, it is also daunting for small businesses. Consequently, the tech-savvy CPA firms are able to offer consulting services like business continuity planning. But before getting there, firms need to ensure that they have the underlying capabilities to be agile. For example, if the firm has limited capability to service clients remotely it not only reduces the ability to service clients but also prevents the firm from being viewed as adaptive by current and prospective clients.
That being said, it's a matter of will. That nearly three-quarters of the firms are already offering CARES Consulting just shows how agile firms can be when the mindset is there.
"Libra, which will let you buy things or send money to people with nearly zero fees. You’ll pseudonymously buy or cash out your Libra online or at local exchange points like grocery stores, and spend it using interoperable third-party wallet apps or Facebook’s own Calibra wallet that will be built into WhatsApp, Messenger and its own app."
The head of Libra, David Marcus, went on CNBC to discuss this initiative as well.
The move represents the growing power of Facebook and other IT companies that are increasingly dominating the economy.
In fact, this reality was one that was discussed at the CPA Foresight Initiative that was recently held. In my breakout group, dubbed "Tech Titans", I proposed that there is actually nothing stopping one of these companies from becoming a bank. Circulating this picture to the wider group:
It is quite clear that these tech giants are well capitalized. What stops them from being blessed by the grand wizards of Capitalism to become a bank? For example, Rogers has been issued a bank license in Canada to "issue credit cards and other financial products". Although the charter seems limited in scope, if they have enough capital reserves what's to stop the next step of them issuing loans through the magic of fractional reserve banking?
And so here you have it. Facebook is the first of the Tech Titans, also known as Facebook, Apple, Amazon, Netflix and Google (FAANG), to embark down the path of financialization. What separates Libra from Bitcoin is that it is a "stable coin", where the value does not fluctuate. Bitcoin, in contrast, is not an actual currency as it is not backed by anything. Hence the fluctuating value prohibits it from being something that consumers and retailers can keep in their wallets to buy things. As the Libra whitepaper notes:
"Libra is designed to be a stable digital cryptocurrency that will be fully backed by a reserve of real assets — the Libra Reserve — and supported by a competitive network of exchanges buying and selling Libra. That means anyone with Libra has a high degree of assurance they can convert their digital currency into local fiat currency based on an exchange rate, just like exchanging one currency for another when traveling. This approach is similar to how other currencies were introduced in the past: to help instill trust in a new currency and gain widespread adoption during its infancy, it was guaranteed that a country’s notes could be traded in for real assets, such as gold. Instead of backing Libra with gold, though, it will be backed by a collection of low-volatility assets, such as bank deposits and short-term government securities in currencies from stable and reputable central banks."
Arguably, Apple was the first of the FAANG to go down this road with their shiny new credit card, but this was largely incremental innovation as they are leveraging Goldman Sachs and MasterCard for the underlying infrastructure. And it’s a credit card, which is obviously a legacy payment technology.
Facebook, on the other hand, is charting new territory by wrapping its foray into financialization in blockchain technology. However, they too have assembled a coalition of the willing as well:
Although Calibra (Facebook's digital wallet to hold Libra) will not be connected to people's Facebook account, there is a treasure trove of data that would come from linking a person's personal data to the audit trail that would come from their Calibra wallet. And given Facebook's track record on privacy, it's not difficult to see why people would be suspicious about Facebook trying to monetize this data. That being said, David Marcus (head of Facebook's Calibra division) noted in an interview on CNBC that there is a significant effort to get the cryptocurrency up and running.
My bet was on Amazon
As I noted in a previous post, I thought it would be Amazon that would be first to the market with a "stable-coin". My prediction was based on the idea that Amazon would have the most to gain by cutting out the credit card companies. The trick, though, was how would Amazon get people to load up cash directly into their systems? Amazon would have to make a deal with a retailer, like Starbucks or Walmart, who could not only provide such access to Amazon but could also then get to use that cryptocurrency.
What did I miss?
The FAANG are not as powerful as the banking sector. Both Apple and Facebook have included major financial players in their respective entrances into the world of financialization. Perhaps that will change over time but for now, it seems they are content to partner with major players within the industry.
Why financialization?
Apple and Facebook may occupy the headlines when it comes to their respective financial plays, but they are not the first in tech to realize there are pots of money to be made from the rentier economy.
Perhaps the biggest illustration of this is how Sony makes 63% of its operating profits from finance with “[l]ife insurance has been its biggest moneymaker over the last decade, earning the company 933 billion yen ($9.07 billion)”. So even Sony - the inventor of the Walkman - is not focused on the production of goods or services but on such rent-seeking activity.
What about regulation?
How on earth is Facebook going to get away with this without being regulated?
Facebook appears to have bought themselves time by establishing this initiative in Switzerland. The other reality is that it's highly unlikely that this initiative was overlooked by the legal departments at Visa, MasterCard, PayPal, etc. That being said, could regulation be the worst thing for Facebook? I think that they may benefit from it. As I noted in this post, regulation can be a monopolist's best friend:
"In Tim Wu's Master Switch, Theodore Vail also advocated for the concept of a regulated monopoly in the arena of telephones:
"[Theodore] Vail died in 1920 at age 74, shortly after resigning as AT&T's president, but by that time, his life's work was done. The Bell system had uncontested domination of American telephony, and long-distance communication was unified according to his vision. The idea of an open, competitive system had lost out to AT&T's conception of an enlightened, licensed, and regulated monopoly. AT&T would remain in this form until the 1980s, and it would return in not so substantially different form in the 2000s. As historian Milton Mueller writes, Vail had completed the "political and ideological victory of the regulated monopoly paradigm, advanced under the banner of universal service."" [emphasis added]
We all know, including Facebook, that the world of finance is heavily regulated. Consequently, they likely know that the day they will have to comply with numerous regulations is inevitable.
However, could it be that the US Regulators are turning a blind-eye on purpose?
"Things really get interesting when the U.S. government issues a digital dollar. The dollar is already the world’s primary reserve and commercial currency, but this would give it an even bigger edge. That’s because people in countries whose currencies aren’t trusted or who are barred or restricted from buying foreign currencies—think China, Argentina, Russia—could now easily obtain the one currency that has long symbolized international stability. Whereas the international movement of paper dollars can be (somewhat) controlled with physical checks at border crossings and regulation of bank transfers, digital dollars would be far more footloose. They would invade other jurisdictions’ currency zones. If citizens of other countries can easily acquire dollars—by far the most sought-after currency in the world—and use them to buy almost anything, why would they need renminbi or pesos or rubles? In this scenario, other currencies become less sought after, the dollar more powerful. It is the ultimate expression of U.S. hegemony, and, for other governments, undermines their nation-state sovereignty."
That is, Facebook's deployment of the cryptocurrency gives the US government plausible deniability that the US is working to undermine the Chinese from a currency perspective. As I noted in this post, I cited the Wall Street Journal in explaining China's concern regarding cryptocurrency.
"Virtual currencies in theory allow holders to bypass China’s traditional banking system to move money outside its capital-controlled borders. That could make it more difficult for Chinese regulators to maintain a tight grip on the yuan."
(I also noted that the US had similar concerns around bitcoin and used DoJ operation Chokepoint as well as IRS rules to curtail the use of bitcoin and other cryptocurrencies. It's not realistic to think that a country will let down its guard when it comes to capital controls.)
Although the foreign policy aspect may be important, there are real risks for the consumers here. How do the consumers know that their money is safe at Facebook? For example, the FDIC insures deposits of actual banking institutions. Unlike Bitcoin, Facebook can be forced to undergo audits and other compliance activities. Without such oversight, it's impossible to know whether Facebook is actually keeping enough reserves to back Libra. Take for example Tether, a stablecoin that was allegedly backed by the US Dollar. They initially had to break things off with their auditor. And it seems that they have retained lawyers to provide the necessary assurance over their reserves. However, this article on Forbes traces how Tether seems to be changing its wording around whether Tether is actually fully backed by US fiat currency.
So, we shouldn't be surprised to see the FDIC or some other financial regulator's seal as part of its updated infographic in the near future.
In future post(s), we will look at how bitcoiners are reacting to this as well as what potential opportunities Libra could bring to the audit.
In an investigation by the Guardian and the New York Times, the alleged misdeeds of Cambridge Analytica were revealed.
As noted in the Guardian article:
"Christopher Wylie, who worked with a Cambridge University academic to obtain the data, told the Observer: “We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on.”... Documents seen by the Observer, and confirmed by a Facebook statement, show that by late 2015 the company had found out that information had been harvested on an unprecedented scale. However, at the time it failed to alert users and took only limited steps to recover and secure the private information of more than 50 million individuals."
The following video from TheVerge sums up the issue:
Although such allegations have received attention (in my opinion due to the association with Trump's campaign), the reality is that these allegations against Facebook are actually not new and were reported in both the Intercept in early 2017 and the Guardian way back in 2015.
There was an ensuing backlash (as noted in the video above and here) that forced Facebook CEO Mark Zuckerberg to respond. He both had a written response and gave the following interview on CNN:
During the CNN interview, he mentioned the word "audit" 3 times [emphasis added]:
"So we're going to go now and investigate every app that has access to a large amount of information from before we locked down our platform. And if we detect any suspicious activity, we're going to do a full forensic audit"
"And we're now not just going to take people's word for it when they give us a legal certification, but if we see anything suspicious, which I think there probably were signs in this case that we could have looked into, we're going to do a full forensic audit."
"We know how much -- how many people were using those services, and we can look at the patterns of their data requests. And based on that, we think we'll have a pretty clear sense of whether anyone was doing anything abnormal, and we'll be able to do a full audit of anyone who is questionable."
Can CPAs come to Mark's rescue?
Zuckerberg's repetitive use of the word audit should be read in conjunction with his "welcoming" of regulation:
"I actually am not sure we shouldn't be regulated. You know, I think in general, technology is an increasingly important trend in the world, and I actually think the question is more what is the right regulation rather than yes or no, should it be regulated?"
Zuckerberg would not be the first tech giant to opt for regulation as a business strategy.
In Tim Wu's Master Switch, Theodore Vail also advocated for the concept of a regulated monopoly in the arena of telephones:
"[Theodore] Vail died in 1920 at age 74, shortly after resigning as AT&T's president, but by that time, his life's work was done. The Bell system had uncontested domination of American telephony, and long-distance communication was unified according to his vision. The idea of an open, competitive system had lost out to AT&T's conception of an enlightened, licensed, and regulated monopoly. AT&T would remain in this form until the 1980s, and it would return in not so substantially different form in the 2000s. As historian Milton Mueller writes, Vail had completed the "political and ideological victory of the regulated monopoly paradigm, advanced under the banner of universal service."" [emphasis added]
As Tim points out in his book, AT&T didn't always use the monopolistic powers this move enabled for good. They charged high long-distance rates and even stifled innovation, suppressing the answering machine due to potential conflict with its main business.
Regardless, it shows that Facebook could be an early advocate for CPAs offering privacy related assurance services around its algorithms.
AlgoTrust: A new service offering for CPAs?
The concept of AlgoTrust is something I have previously discussed in this post.
The idea actually has support from multiple angles, not least of which comes from information security expert Bruce Schneier:
"...it is also worth noting that there are other experts who hold that algorithms - from a privacy perspective - need to be regulated. Bruce Schneier, a well-known information security expert who helped review the Snowden documents, in his latest book, Data and Goliath ... also calls for "auditing algorithms for fairness". He also notes that such audits don't need to make the algorithms public, which is the same way financial statements of public companies are audited today. This keeps a balance between confidentiality and public confidence in the company's use of our data."
Big Data versus Privacy: The monetization paradox
Such an algo-audit could leverage the work done by AICPA and CPA Canada in the realm of privacy, specifically the Generally Accepted Privacy Principles. That being said, privacy audits have been a hard sell in the past. But what distinguishes the service here is that it would be auditing the algorithm for compliance with privacy "regulations". The reason regulations need to be put in quotes is that in substance privacy legislation is effectively eliminated if the consumer consents to use the service.
The challenge, therefore, is balancing the drive to monetize big data with the privacy needs of the people who use the service. For example, people who identify with the "left" may not want Steve Bannon or Trump accessing their data. Similarly, people who identify with the "right" may not want Obama accessing their social media data. The end result is that no one can access meaningful data due to privacy restrictions - resulting in a standard so restrictive that it eliminates the ability of companies like Facebook to monetize the treasure trove of data that they have collected.
As noted in an earlier post, there is an inherent conflict between privacy and profiting from big data. The value of big data emerges from the secondary uses of big data. However, privacy policies require the user to consent to a specific use of data at the time they sign up for the service. This means future big data analytics are essentially limited by what uses the user agreed to upon sign-up. However, corporations in their drive to maximize profits will ultimately make privacy policies so loose (i.e. to cover secondary uses) that the user essentially has to give up all their privacy in order to use the service.
There is a lot of potential in attempting to create an assurance service to address Facebook's predicament, but as they say, the devil is in the details.
Attended the CPA One Conference almost two weeks ago in Ottawa, Ontario. Given that my space is in audit innovation, I attended the more techno-oriented presentations. Here's a summary of the sessions that I attended:
"Big data: Realizing benefits in the age of machine learning and artificial intelligence": The session was kicked off by Oracle's Maria Pollieri. The session delved deep into the detail of machine learning and would have been beneficial to those who were trying to wrap their heads around things more from a technical side. She was followed up by Rogers' Jane Skoblo. She mentioned a fact that really grabbed my attention: when a business can just increase its accessibility to data by 10%, it can result in up to $65 million increase in benefits.
The next day started with Pete's and Neeraj's session on audit automation, "Why nobody loves the audit". They went over a survey of auditors and clients on the key pain points of the external audit. It turns out that these challenges are actually shared by both. For example, clients lack context on "the why" things are being collected, while auditors found it difficult to work with clients who lacked such context. On the data side, clients have a hard time gathering docs and data, while the auditors spent too much time gathering this information. From a solutions perspective, the presenters discussed how Auvenir puts a process around gathering the data and enables better communication. This will be explored in future posts when we look at process standardization as a key pre-requisite to getting AI into the audit.
The keynote on this day was delivered by Deloitte Digital's Shawn Kanungo, "The 0 to 100 effect". The session was well-received as he discussed the different aspects of exponential change and its impact on the profession (which was discussed previously here). One of the key takeaways I had from his presentation was how a lot of innovation is recombining ideas that already exist. Check this video he posted that highlights some of the points from his talk:
Also, checked out the presentation by Kevin Kolliniatis from KPMG and Chris Dulny from PwC, "AI and the evolution of the audit". Chris did a good job breaking down AI and made it digestible for the crowd. Kevin highlighted Mindbridge.ai in his presentation, noting that AI is key for identifying unusual patterns.
That being said, the continuing challenge is how do we get data out of the systems in a manner that's reliable (e.g. it's the right data, for the right period, etc.) and is understood (e.g. we don't have to go back and forth with the client to understand what they sent).
Last but not least was "Future of finance in a digital world" with Grant Abrams and Tahanie Thabet from Deloitte. They broke down how digital technologies are reshaping the way the finance department works. As I've expressed here, one of the keys is to appreciate the difference between AI and Robotic Process Automation (RPA). So I thought it was really beneficial that they actually showed how such automation can assist with moving data from invoices into the system (the demo was slightly different than the one that can be seen below, but illustrates the potential of RPA). They didn't get into a lot of detail on blockchain but mentioned it is relevant to the space (apparently they have someone in the group that specifically tackles these types of conversations).
Kudos to CPA Canada for tackling these leading-edge topics! Most of these sessions were well attended and people asked questions wanting to know more. It's through these types of open forums that CPAs can learn to embrace the change that we all know is coming.
Today, I presented at the Canadian Accounting Technology Show and discussed exponential technologies and their potential impact on the profession.
During the presentation, I promised a blogpost for the attendees who wanted to dig deeper in the presentation. So here it is!
IBM Watson's Victory over Ken Jennings
During the talk I refer to Ken Jennings and Brad Rutter's defeat at the hands of IBM's Watson. (See Engadget's video for more on this "exponential event".)
This post gives some background on the new "space race" between the tech-giants for the killer AI app and also gives a link to Ken's talk.
For additional information on Watson and the medical profession check out this video.
Exponential versus Linear Technological Change
Kodak - who invented the digital camera in 1975 - was ultimately disrupted by that very same technology. In fact, one of their employees applied Moore's Law to pixels per dollar in digital cameras.
Why?
The problem illustrates that Kodak (as well as Polaroid) had linear thinking and didn't realize how quickly digital technology would become the norm and preferred way of consuming photography. In this post, Peter Diamandis talks about how 30 linear steps contrast with 30 exponential steps (and talks more broadly about linear vs exponential thinking) and Ray Kurzweil talks about the infamous story of how the inventor of chess requested an exponential amount of rice (and is rumoured to have lost his head).
Predictions on the Automation of White Collar Work:
These stats are what actually prompted me to propose to CPA Canada that we should have a talk that would discuss this phenomenon. The variety of sources that have chimed in on the topic - combined with the understanding of exponential change - highlights the importance of looking deeper into the trend instead of dismissing it as just fear, uncertainty and doubt (FUD). This of course is not just limited to the accounting profession, but impacts all white collar worker (check out IBM's Watson latest application to automate aspects of the legal profession
"Job destruction will happen at a faster pace, with machine-driven job elimination overwhelming the market's ability to create valuable new ones." (Gartner)
"…knowledge work automation tools and systems could take on tasks that would be equal to the output of 110 million to 140 million full-time equivalents (FTEs)." (McKinsey)
‘94% probability accounting/auditing will be automated’ (Oxford Study)
Finance Department has seen a decrease from an average of 119 people (2004) to 71 people (2014); a reduction by 40% (Hackett Group; as taken from this WSJ article "The New Bookkeeper Is a Robot")
Exponential Technologies
As noted during the presentation, the following are the key exponential technologies that are likely to enable the automation.
Artificial Intelligence: "Science of making computers do things that require intelligence when done by humans." During the presentation, I mention this pharmacist robot being able to dramatically reduce medication errors, which according to the FDA are responsible for 1.3 million injuries.
For other information check out this Deloitte publication on AI and Cognitive.
Internet of Things: "Billions of interconnected sensors and devices will soon exchange data; effectively the physical flow of goods, people, and things will now leave a “digital trail”." RFID inventory does provide some insights into how this digital exhaust left by physical goods can improve inventory management and responsiveness to customers (see this RFID Journal article for more details).
Blockchain: "The blockchain dis-intermediates the need for a centralized trusted authority to administer an exchange of value between parties." As I note in the presentation, I feel the blockchain needs a lot of nuance when discussing how the technology has the potential to disrupt the profession. The technology (as implemented in the exchange of the cryptocurrency Bitcoin) itself won't replace the audit because its controls are designed for the purposes of giving comfort to a retailer, such as Overstock.com, that the buyer has not spent the currency somewhere else. However, if a retailer were then to tell an auditor that they sold goods to these public addresses, the auditor would need to verify that the retailer was not selling the goods to itself (i.e. they would need to verify that the addresses that the retailer sold to are not controlled by the retailer). In other words, a sale for the purposes of Bitcoin is not a sale for accounting purposes.
That being said, auditors can’t ignore blockchain as it is the first decentralized approach to exchange value that eliminates the need for a trusted intermediary.
To understand the blockchain better, check out the following videos:
Blockchain technology will drastically change our lives: This video gives a good overview of the implications of bitcoin and illustrates the role of the network in maintaining the ledger.
Khan Academy: The videos are about 90 minutes in total, but they are comprehensive.
Crowdsourcing: "Process of obtaining needed services, ideas, or content by soliciting contributions from a large group of people, and especially from an online community, rather than from traditional employees or suppliers."
For more on crowdsourcing, I wrote a post on the potential impact of crowdsourcing. The post gives a good background exploring the use-cases brought up by Jeff Howe (who coined the term crowdsourcing).
Near the end of the post, I noted that:
"Can accountants/auditors be crowdsourced like the way professional photographers were? It seems where crowdsourcing works best is an arena where you find hobbyists who do such things out of passion instead of obligation."
Since writing that post, I found Gigwalk, which illustrates how non-expert tasks within accounting or auditing can be done by the crowd (see this post near the bottom). Also, during the CATS conference it was noted that 50% of practitioners will be retiring over the next 5 to 10 years. Such retirees could form a huge pool of people who want to work casually in their retirement, thereby enabling the audit to be crowdsourced.
Concluding thoughts
To meet the challenge of the exponential change, I feel that we need to do the following:
Hands-on Approach to Technology: University courses on programming, data analytics and data sciences should become a standard part of the accounting student's education. Although tools change over time, I think accounting students who know an open-source statistical package like R would have more options in terms of employment. With respect to data science, (audit) sampling belongs to an era of small data. Consequently, for auditing theory to keep pace with the way big data is transforming how organizations deal with their data, auditors need to be able to traverse data science and auditing theory.
Bring in the "hackers": An extension of the above recommendation is to get the people who think outside the box and disrupt the way we do things.
Greater focus on cyber security: According to Alec Ross, cyber security is currently a 400 billion dollar problem and is expected to be a $175 billion industry by 2020. Security is a natural extension for CPAs who already need to understand internal controls, governance and concepts of risk (impact, likelihood, threats, etc.). With IoT, the security risks can only be expected to grow exponentially as now even the IoT-enabled fridge can be hacked (and the FTC thinks so as well).
Smart Contracts+AutoRepos of Smart Cars = Flash Crash10: As I have written previously about AlgoTrust (second post and first post), I noted that this was another area that CPAs can focus on - auditing algorithms. Just imagine how these algorithms can feed into blockchain enabled smart contracts that could trigger a massive repossession of smart cars - leaving a city in chaos as people try to figure out how to get home. In other words, CPAs can act as independent monitors of algorithms to ensure such risks are safeguarded against.
CPAs-as-a-Crowd: CPAs should leverage the combined power of social and cognitive to get smarter by sharing knowledge and using "smart rooms" that use machine learning and other AI technologies.
To bring such change to the profession will not be the work of one entity alone. Firms, educators, professional bodies and companies need to work together to ensure that the CPA profession will thrive in the world of exponential change that is just around the corner.
Author: Malik Datardina, CPA, CA, CISA. Malik works at Auvenir as a GRC Strategist that is working to transform the engagement experience for accounting firms and their clients. The opinions expressed here do not necessarily represent UWCISA, UW, Auvenir (or its affiliates), CPA Canada or anyone else.
Harvard Business Review online published a great article summarizing how machine learning and analytics work in a business context. It uses an illustrative set of decision trees in a cable business scenario (something we can all relate to) and then ends with the following graphic on how a hypothetical algorithm would determine whether a customer would continue with the cable subscription or join the cord cutter crowd.
It's a great illustration of how HBR breaks down these "glob" words like machine learning, algorithm, etc., and transforms them into digestible concepts. Furthermore, and I would say more importantly, it illustrates a rising level of expectation of technology knowledge for client facing business professionals, like accountants and consultants.
In a previous post, I had noted the following with respect to a couple of WSJ articles on information security and malware:
"WSJ is a good litmus test of what the business press can expect a business professional to know about IT security, and technology related controls more generally.
Although not explicitly mentioned in the first article, one of the key trends that has raised the level of knowledge required for the average business professional is consumerization: individuals have access to technology, such as tablets, smartphones, networks, etc. that were once the sole domain of corporate IT. Consequently, now the average business professional needs to increase their knowledge of IT and IT risks to avoid a virus or getting hacked. For example, I heard a couple of guys at the gym discussing the risks of downloading illegal movies: getting targeted by regulators and malware infection."
We could also apply this to the HBR article: it too is a good litmus test of the level of competence that a Canadian CPA should have in leading edge topics such as machine learning and its relationship with analytics.
We should recognize that the technology and security concepts discussed in these articles represent the minimum standard of what is expected from an accountant. If we as a profession want to achieve the vision of being the "globally respected business and accounting designation" [emphasis mine], then we must go above and beyond this minimum and surpass expectations of our clients, employers and business community at large.
As was widely reported in the business press, BNY Mellon experienced a technical glitch that affected its ability to price mutual funds accurately. Based on the press release from one of the affected funds, the problems started on Monday August 24th, when one of BNY Mellon's systems, "InvestOne", managed by SunGard, was pricing about 800 mutual funds inaccurately.
Normally, this type of thing will subject the party experiencing the breach to intense scrutiny over what went wrong. However, as I went through the timeline posted by the company, I found (reading between the lines) that they did a number of things right, such as:
Incident Management Communication Plan: One of the aspects of incident management is communicating to the public and making them aware of the issue. As can be seen, the company posted details on estimates as to when the system would be ready as well as what was the source of the delay when they didn't meet their estimated deadline.
That being said, there is always room for improvement. When I was reflecting on this, I speculated that this was another case of inadequate testing of the system upgrade. However, according to SunGard, this was not the case. As they noted on their website:
"The issue appears to have been caused by an unforeseen complication resulting from an operating system change performed by SunGard on Saturday, August 22nd. This maintenance was successfully performed in a test environment, per our standard operating procedure, and then replicated in SunGard’s U.S. production environment for BNY Mellon. This change had also been previously implemented, without any issues, in other InvestOne environments. Unfortunately, in the process of applying this change to the SunGard production environment of InvestOne supporting BNY Mellon’s U.S. fund accounting clients, that environment became corrupted. Additionally, the back-up environment hosted by SunGard, supporting BNY Mellon’s U.S. fund accounting clients, was concurrently corrupted, thus impeding automatic failover. Because of the unusual nature of the event, we are confident this was an isolated incident due to the physical/logical system environment and not an application issue with InvestOne itself."
Given my background as a CA, CPA and CISA, I have always thought it is an odd contradiction that we expect infrastructure (roads, dams, bridges, etc.) to be certified by engineers to be in working order (key word is expect; as John Oliver notes in the video below, this is not exactly up to snuff!), but do not have the same expectations for the technology that runs the Information Age.
And that's where I have always proposed that it is necessary to have a framework like SysTrust (now SOC2 and SOC3) in place that requires companies to ensure that their systems are reliable: secure, available, and able to process information without messing it up.
Based on the experience between SunGard and BNY Mellon, I think it actually proves the case. Although companies, like SunGard, likely have such controls in place it is beneficial to others to have a second set of eyes on those controls, ensuring that they are in place, are designed effectively and are operating effectively. The reason is that with such mandatory audits in place, it will allow for the circulation of best practices through such audits. This occurs in the financial auditing world through "management letter points".
One other area that we should explore is the total impact of this error, as it will give insights into the "total impact of failed IT controls". This will be the topic of the next blogpost.
Recently, I was having a conversation with my friend's 12 year old daughter. She's an avid e-book reader and her Kobo is a close companion. We were discussing the susceptibility of Kobo (in contrast to her computer) to viruses. I wasn't sure what OS was on the Kobo, but I did a quick check and realized that it was a Linux operating system. So I explained the economics of malware: most malware is designed for the Windows or Mac operating systems because criminals want to get the most bang for their buck. So the likelihood that hackers would target the Kobo tablets would be quite low.
Then it struck me: would a CPA be able to lead this sort of discussion?
The recent merger of the professional accounting bodies prompted the publication of a new competency map. The new competency map, however, greatly reduced the amount of technology competence required by a CPA.
As with the conversation with the 12 year-old, I wondered whether a CPA could keep pace with the issues brought up in the article, which include:
If there's an OS, there's a risk of virus infection: The proliferation of "smart" devices is actually a proliferation of operating systems. As they point out, there are no large scale infections to report yet. But the point is that there is a risk of infection and consumers need to figure out how to handle the virus.
Network controls versus end-point controls: The solution for the virus can either be put on each device (e.g. mobile phone, tablet, smart thermostat, etc.) or at a network level. But which one is better? And that's the point: could a CPA discuss the advantages and disadvantages of each approach?
Evaluating intrusion detection systems (IDS): The Box is, in a sense, the IDS for the masses. As noted by the WSJ, the Box sent a number of "unhelpful alarms". In other words, the system generated "false positives", which means that users will initially check each alert diligently, but then ignore subsequent alerts assuming they are false alarms.
Limitations of scanning devices: The article also notes how the device can't work on encrypted traffic. More generally, it talks about the overall (lack of) reliability and
Best security practices: The article also notes several best practices to make home networking safer including, patching/updating router software + enabling auto-update, use of strong passwords, hardening systems (i.e. changing the default user ID & password on things like routers), use WPA2 standards (i.e. not WEP which can be easily cracked), and use of guest network instead of sharing passwords.
Patching, i.e. installing software updates to plug security holes in the software,
Limiting connectivity of devices on a "need to do basis",
Encrypting data that is confidential or highly confidential (e.g. credit card data)
Use of physical security devices instead of just passwords
Independently assessing vendor compliance with security.
The interesting thing about this article is that it omits the use of SOC audit reports (see Amazon's FAQ on the topic or the AICPA's site) with respect to verifying the level of security compliance with the latter point.
But, again, does the current competency map train CPAs sufficiently to spot that?
We should keep in mind a couple of things.
Firstly, the WSJ is a good litmus test of what the business press can expect a business professional to know about IT security, and technology related controls more generally.
Although not explicitly mentioned in the first article, one of the key trends that has raised the level of knowledge required for the average business professional is consumerization: individuals have access to technology, such as tablets, smartphones, networks, etc. that were once the sole domain of corporate IT. Consequently, now the average business professional needs to increase their knowledge of IT and IT risks to avoid a virus or getting hacked. For example, I heard a couple of guys at the gym discussing the risks of downloading illegal movies: getting targeted by regulators and malware infection.
Secondly, my friend's kid is 12 years old and understands the concept of viruses, OS and risk at a very rudimentary level.
Okay so we all know the kids are tech savvy.
But we need a competency map that would be relevant to the future generation that will be entering the profession. Furthermore, if the CPA profession wants to achieve its vision of being the "globally respected business and accounting designation" it must not just meet the level of the business press but must go beyond.
As noted in the piece, "flash crash hit on the afternoon of May 6, 2010, as riots in Athens and a European debt crisis weighed on markets. In about eight minutes the Dow Jones Industrial Average fell 700 points before rebounding."
The op-ed goes on to dismiss the "official" explanation (i.e. a large hedge placed by a US firm and financial shenanigans of UK based day trader) and states: "More important, they say, is the role of high-frequency firms, which use hard-to-monitor algorithms to trade large amounts of stock in fractions of seconds. If they trade erratically, the market can come unglued, as happened in the flash crash."
The article notes that the SEC has been exploring mandating disclosure requirements and controls on firms that use algorithms. However, the article also quotes a number of regulators who say they don't have enough funds to keep pace with the firms.
Before I go back down memory lane, it is also worth noting that there are other experts who hold that algorithms - from a privacy perspective - need to be regulated. Bruce Schneier, a well known information security expert who helped review the Snowden documents, in his latest book, Data and Goliath (see clip below for a summary), also calls for "auditing algorithms for fairness". He also notes that such audits don't need to make the algorithms public, which is the same way financial statements of public companies are audited today. This keeps a balance between confidentiality and public confidence in the company's use of our data.
So is it time for auditing algorithms through an "AlgoTrust" offering?
"[H]ow would you go about auditing an algo? Although auditors lack the technical skills of algorithmists, it doesn't prevent them from auditing algorithms. The WebTrust for Certification Authorities (WebTrust for CAs) could be a model where assurance practitioners develop a standard in conjunction with algorithmists and enable audits to be performed against the standard. Why is WebTrust for CAs a model? WebTrust for CAs is a technical standard where an audit firm would "assess the adequacy and effectiveness of the controls employed by Certification Authorities (CAs)". That is, although the cryptographic key generation process is something that goes beyond the technical discipline of a regular CPA, it did not prevent the assurance firms from issuing an opinion."
I also noted:
"some of the ground work for such a service is already established. Fundamentally, an algorithm takes data inputs, processes it and then delivers a certain output or decision. Therefore, one aspect of such a service is to understand whether the algo has "processing integrity" (i.e. as the authors put it, to attest to the "accuracy or validity of big-data predictions"), which is something the profession established a while back through its SysTrust offering."
What I saw to be the challenge at the time I penned that blog post is market demand for this type of service. The answer appears to be that the SEC could mandate such audits and leverage the CPA firms the same way they do for financial audits. However, instead of rendering an opinion on the financials, such audit firms would render an AlgoTrust opinion on the algorithms to ensure that they are in-line with Generally Accepted Algorithmic Principles instead of Generally Accepted Accounting Principles (sorry I couldn't resist!).
Beyond WebTrust for Certification Authorities, companies are currently leveraging SysTrust which has been subsumed into the SOC 2 and SOC 3 audit reports. For example, Salesforce.com gets an audit opinion that provides reasonable assurance that its systems are secure, available and that it maintains confidentiality of the information they are provided with.
The AlgoTrust standard should address issues such as the ones raised in WSJ (i.e. as it relates to trading algos) as well as ensuring the preservation of privacy. But it should not stop there. In the original post, Chris Steiner explains how algos are invading all parts of life, including things like robot pharmacists.
We have at least three experts from three different fields: finance, data, and information security that all see the value in auditing algorithms. If the CPAs don't take the lead on this, who will? As Bruce Schneier notes it won't be easy, but it is something that will eventually be tackled by either the CPA profession or someone else.
For the past 10 years or so, I have been teaching what has been considered the IT prep course for the major exam students write in Canada to get their CA designation. Now with the merger of the accounting designations in Canada, the revised CPA Competency Map has altered the focus on IT and reduced it. However, the upside of this is that the course I teach can now be more about what's useful from a practical perspective. In the past I taught security as a list of controls:
Security Architecture/Boundary
Policies and Standards
Asset Classification & Management
Risk Assessment
Personnel Qualification & Trustworthiness
Responsibility & Accountability
Security Awareness
User Access Management
Physical Access Controls
Network Access and Communication Control
Logical Access Controls
Intrusion Detection & Response
Eliciting Compliance
Monitoring & Learning
But I thought: how do you think about security conceptually? So I thought about using the SysTrust definition of a system as the way to group the key InfoSec controls. Here's what I came up with:
What do you think?
Below are some notes from the deck that elaborate on the above.
Risk Assessment
Key components of risk analysis? Risk = Impact X Likelihood
Governance
Governance, responsibilities & accountabilities
Develop security function
“tone at the top”: CEO has ultimate responsibility
CISO versus no CISO:
Would you trust a bank without a CISO? How about a hotel?
Board & Management
Security integral part of IT governance
Funding security function
Average 6 to 7% of the IT Budget
Manage security risk that emanates from relationships with third parties
Policies & standards
Policies and standards:
Serious about security: take steps needed
Consult ISO 27001/2, etc.
Have a methodology, define risk appetite, etc.
Manufacturing versus cloud computing provider
Other
Define security roles
Define security responsibilities for everybody
Role for internal audit
People
Background Checks
Human resource procedures to verify background work history of new hires.
Check qualifications
Employees first line and last line of defense
E.g. Insider threat
Incentives: fire bottom 20% = problem?
Acceptable Use Policy
Acceptable Use Policy
Provides limits as to how computing facilities can be used, e.g. LAN, laptops, PDAs, etc
Level of personal use
Controls:
Awareness/Orientation training/Sign statement
Block sites (hotmail, gmail, facebook, etc)
Monitor usage
Security Awareness & Training
New employee training
Need to communicate policies and standards to employees, customers (e.g. online banking), suppliers, service providers (e.g. SLA), etc
Marketing Security: Remind employees regularly
Provide easy access to policies
Policies need to be properly worded (should vs must)
Workshops/Tutorials on security: e.g. encrypting USB
Awareness posters, screensavers
Automate security
Termination
Terminate all access upon letting an employee go
Must make part of HR processes
Data
Asset Classification
Data Classification
Sensitivity: impact of unauthorized disclosure; privacy, confidentiality
“Filters” traffic from inside to outside & outside to in
Permits traffic based on configuration
Protected against tampering
Packet filter
Intrusion Detection/Prevention
Intrusion Detection System (IDS)
Firewall: Permit/Blocks, IDS Analyzes activity
Analyzes user activity: threat score
Sends alerts to security admin: problem with false positives - may dismiss actual threat
IPS can log off users
IDS: Can it detect encrypted attacks?
Link to SDLC?
Physical access controls
Safeguard against physical abuse, damage and destruction.
Isolation and restriction - use locks, effective key management, video, sensing devices
Tailgating: Man-trap, awareness
Locations of Systems: away from fire and water sources (e.g. kitchen)
Hardening
Physical Access Control Considerations
Cost
Number of Type I (False negative) and Type II (False positive)
Average response time
Ability to manage multiple users
Satisfy ergonomic issues (E.g. retinal scan is quite invasive)
Virtual Private Network (VPN)
Virtual Private Network
Encrypted/authenticated access to the network,
Modem lines create problems
Callback modems: modem will call back a pre-specified number
Software
Access management
What are the trade offs?
Access management
Privilege management
Log and review this type of access
Enables Segregation of duties
Separate user and information system roles, separate within information system group
Development and data entry
Separate within user role as to incompatible functions
initiation and authorization of transactions, recording of transactions, custody of assets, and reconciliation
Logical Access Controls
User ID:
Linked to name, mdatardina@deloitte.ca
Based on job: Accountspayable@xyz.com
No association: User12@xyz.com Problem?
Logical Access Controls
Authentication - user is who he/she says he/she is
Passwords:
Random vs user generated
Rule based: What are the rules?
Phrases: "Cat jumped over the lazy dog in Sarnia" becomes Cjotldis1
Plastic magnetic-strip cards
Example?
Smart cards
Example?
Biometric devices - fingerprints, hand geometry, eye retina patterns; consider Type I/Type II
Access control software- allows controlled access - locks out illegitimate users, e.g. Active Directory for Windows
Increased use of single-sign-on: authenticate once across multiple platforms
Pro: ease-of-access
Con: break one password, can break into multiple systems
Could also use profile management
Allocate standard access privileges to users based on their group, rather than individual basis, e.g. AP clerk can access AP, network, office suite, etc
Reduces admin costs and allows easier access and rule setting
Anti-Virus Controls
Anti-virus software
Installed and configured properly
Update regularly
Won’t help against zero day
Ensure automated scans are scheduled.
Scan network
Scan desktop
Run at sign-on
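The segregation-of-duties and profile-management notes above (separate development from data entry; separate initiation, authorization, recording, custody and reconciliation; grant privileges by group) can be turned into an access review check. This is an added example, not part of the original deck: the entitlement names, groups and users are constructed, and treating initiation and authorization as two separate duties is an assumption.

```python
"""Segregation-of-duties (SoD) review over group-based access profiles."""
from itertools import combinations

# Duties the notes list as incompatible within the user role. Treating
# initiation and authorization as two separate duties is an assumption.
USER_DUTIES = {"initiate", "authorize", "record", "custody", "reconcile"}
# Information-systems duty that must stay apart from every user duty
# (the "development and data entry" split in the notes).
IS_DUTY = "develop"

# Constructed sample data: entitlement names, groups and users are hypothetical.
ENTITLEMENT_DUTY = {
    "ap.invoice.create": "initiate",
    "ap.invoice.approve": "authorize",
    "gl.journal.post": "record",
    "treasury.payment.release": "custody",
    "bank.recon.signoff": "reconcile",
    "erp.code.deploy": "develop",
}
GROUP_ENTITLEMENTS = {
    "ap_clerk": {"ap.invoice.create"},
    "ap_supervisor": {"ap.invoice.approve"},
    "gl_accountant": {"gl.journal.post", "bank.recon.signoff"},
    "treasury": {"treasury.payment.release"},
    "erp_dev": {"erp.code.deploy"},
}
USERS = {
    "alice": {"groups": {"ap_clerk"}, "direct": set()},
    "bob": {"groups": {"ap_clerk", "ap_supervisor"}, "direct": set()},
    "carol": {"groups": {"gl_accountant"}, "direct": set()},
    "dave": {"groups": {"erp_dev"}, "direct": {"gl.journal.post"}},
    "erin": {"groups": {"treasury"}, "direct": {"legacy.report.view"}},
}


def effective_entitlements(user):
    """Union of directly granted entitlements and those inherited from groups."""
    granted = set(user["direct"])
    for group in user["groups"]:
        granted |= GROUP_ENTITLEMENTS.get(group, set())
    return granted


def duties_held(user):
    """Map each duty to the entitlements that grant it; collect unmapped ones."""
    held, unmapped = {}, set()
    for entitlement in effective_entitlements(user):
        duty = ENTITLEMENT_DUTY.get(entitlement)
        if duty is None:
            unmapped.add(entitlement)  # cannot be assessed until classified
        else:
            held.setdefault(duty, set()).add(entitlement)
    return held, unmapped


def sod_conflicts(held):
    """Return pairs of incompatible duties held by one person."""
    user_side = sorted(d for d in held if d in USER_DUTIES)
    pairs = list(combinations(user_side, 2))
    if IS_DUTY in held:
        pairs += [(IS_DUTY, duty) for duty in user_side]
    return pairs


def review(users):
    """Produce a per-user finding list for an access review."""
    report = {}
    for name in sorted(users):
        held, unmapped = duties_held(users[name])
        report[name] = {
            "conflicts": sod_conflicts(held),
            "unmapped": sorted(unmapped),
        }
    return report


if __name__ == "__main__":
    for name, finding in review(USERS).items():
        status = "CONFLICT" if finding["conflicts"] else "ok"
        print(f"{name:6} {status:9} {finding['conflicts']} "
              f"unmapped={finding['unmapped']}")
```

In the sample data, dave's conflict comes from a direct grant layered on top of a clean group profile, which a review of group definitions alone would not catch.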