Showing posts with label Cloud. Show all posts

Tuesday, June 30, 2020

Are we ready? COVID-19 Reopening woes and the new realities it brings

Ontario is cautiously moving ahead with plans to reopen the economy. 

Certainly, there have been snags along the way. Patrons of a park in Toronto were not social distancing, and a nail salon in the city of Kingston caused a spike in cases. But despite these issues, one can look to the neighbour to the south and realize that things can be much more challenging. 

According to CNBC:

"Governors in Washington, California, Florida and Texas are walking back some of their reopening plans as coronavirus cases rise in more than 30 states across the U.S., according to a CNBC analysis of data compiled by Johns Hopkins University"

This is not surprising given the rise in COVID-19 cases, with CNBC reporting an increase of "5% over the previous week in 37 states across the country". 

With that in mind, there are some lessons we can learn when considering the challenges of re-opening as the pandemic continues to spread in society (without a vaccine or cure). Specifically, the Wall Street Journal reported on how the re-openings, albeit semi-temporary, unfolded in Texas. Based on this article, they noted the following:
  • Pandemic screening: Entering and exiting office buildings will not be as easy as it used to be. There will be some measures implemented to ensure that sick people don't make it into the office. For example, buildings will check people's temperature as they enter the building. 
  • Best laid plans can go awry: Companies are using all types of means to determine whether people should go back to the office. Dell, for example, has "built its own digital tool to analyze more than a dozen data points, such as local cases and hospitalizations, to guide its decision". However, the pandemic, like many business continuity risks, exposes the things in the process we take for granted. Consequently, caution is best when trying to go back to "semi-normal". For example, some offices were shut down two weeks after re-opening because someone had contracted COVID-19. 
  • Waiting for an elevator is a non-trivial dilemma: Who would have thought that elevators would pose a dilemma during a pandemic? Getting into a closed space is a problem. But forcing people to wait for an elevator is also a problem. Will workers "socially distance" while waiting, or will they fill the time waiting with impromptu meetings with colleagues? 
  • Public transport or carpooling is now a high-risk activity: The article points out that a company had sufficient parking spots for only a third of its employees. That is, they assumed others were not going to drive. But parking is not the only issue. Many of us who use public transit use that time on the train to catch up on emails or get that deliverable out the door. Consequently, being stuck behind the steering wheel is not only stressful but also lost productivity.
What does this mean? 

Working from home is the new normal, and companies have made it work. For example, Aniket Sanyal, an engineer at Halliburton, was able to drill oil wells around the world from the comfort of his own home. What did he need? In his own words: “I just needed a good internet connection”. Other jobs, whether it's balancing a trial balance or sending documents to the client, are a lot less complex. They can be easily accommodated in the world of cloud and conference calls. 

According to Jennifer Davis, senior vice president of global communications at Dell: “We are predicting within our company and, frankly, more broadly, that the future of work looks different and that more people will stay home permanently". The article also notes that "only 50% of its workers will ever go back to an office, even when the crisis passes". In other words, working from home is now the new normal. Think about it: would anyone risk getting COVID-19 waiting for an elevator when they could avoid such a risk by working from home? 

Consequently, the pandemic and the risks it brings make us re-evaluate whether we need to be onsite or whether we just need a good internet connection.  

Author: Malik Datardina, CPA, CA, CISA. Malik works at Auvenir as a GRC Strategist that is working to transform the engagement experience for accounting firms and their clients. The opinions expressed here do not necessarily represent UWCISA, UW, Auvenir (or its affiliates), CPA Canada or anyone else.

Thursday, April 30, 2020

COVID-19 & Accounting firms: Will only the agile survive?

COVID-19 is affecting everyone, including accountants. As discussed in the last post, the crisis has made video calling normal to the point that people are experiencing fatigue. It speaks to one of the adjustments people have had to make due to the "new normal".

But what is the wider impact on the profession? How are firms handling the COVID-19 Crisis?

Accounting Today published a survey, "The accounting profession and the coronavirus: The crisis in number", that gives some data on where accounting firms stand.

Economic Impacts: Bad News and the Good News
Not surprisingly, nearly three-quarters of the firms surveyed felt that the pandemic was going to reduce their revenues. In terms of magnitude, 37% of those surveyed are predicting a 10%+ loss in earnings. The good news, however, is that most had not let staff go: only 7% had laid off staff, while 4% were planning to do so.

The other interesting finding is that the most popular service to come about due to this crisis was CARES Act consulting, with 73% offering this service. The next closest was business continuity consulting at 36%. 

There were also some interesting findings on the tech front. 
  • Working Remote: Over 60% of firms had challenges with closing their offices, with nearly half of those having some challenges with the "online approach". The survey found that only 10% had no remote capabilities. See the graphic below for more details
  • Closing offices: Closely related to the previous result, only 13% fully shut down their office. The survey did not reveal why this was the case.  But if you can't work remotely, what other choice do you have? 
  • Communications: Although more than half used traditional means of communication, 33% were looking at new forms of communication. 
CPA firms provide COVID-19 services free of charge
Many small businesses have been drastically impacted by the coronavirus shutdown. As reported by the Wall Street Journal, "about 20% of them had enough cash saved to operate normally for only two months if their revenue were to dry up. Among less financially secure companies, only 10% could operate normally on savings alone for two months". The survey found that one-third of CPA firms are stepping up to help by not charging for COVID-19 related services. 

Agility in time of uncertainty
Virtual firms, like Live.ca, seem to have been well prepared for this pandemic. With no offices to speak of, the firm was online from day one. The firm was featured on this CPA Canada promotional video:



Being agile in times of adversity is key to success. Understandably, tech can be daunting for small firms. However, it is also daunting for small businesses. Consequently, the tech-savvy CPA firms are able to offer consulting services like business continuity planning. But before getting there, firms need to ensure that they have the underlying capabilities to be agile. For example, if the firm has limited capability to service clients remotely it not only reduces the ability to service clients but also prevents the firm from being viewed as adaptive by current and prospective clients.

That being said, it's a matter of will. The fact that nearly three-quarters of the firms are already offering CARES Act consulting shows how agile firms can be when the mindset is there.

Author: Malik Datardina, CPA, CA, CISA. Malik works at Auvenir as a GRC Strategist that is working to transform the engagement experience for accounting firms and their clients. The opinions expressed here do not necessarily represent UWCISA, UW, Auvenir (or its affiliates), CPA Canada or anyone else.

Tuesday, June 28, 2016

GoldmanSachs on Blockchain: Insights into Audit & Accounting Automation

As noted in this Business Insider article, Goldman Sachs (GS) published a report on blockchain that identifies a number of scenarios where the technology can save billions. The BI article extracted the following use cases from the 88 page report:
  • Better authentication of individuals partaking in the sharing economy: Leveraging the "smart identity" functionality of the blockchain, peer-to-peer sharing sites (e.g. Airbnb) can give both the customer (e.g. the renter) and the supplier (e.g. the home owner) greater assurance that the customer is really who they say they are. The GS report also links the identity to smart contracts that facilitate automated performance-based payments. 
  • Accounting system for renewable energy power generation: Where individual homeowners are generating wind or solar power, the blockchain can be the natural accounting system to manage the "debits and credits" transferred back and forth between the energy producer and the network. It also enables payment transfers. 
  • Reducing back-end administration for title insurance: The GS report notes how the bulk of the cost associated with title insurance can be reduced by about 30% by using blockchain to manage the underlying property records. Another interesting note is that they attribute part of the decline to improved actuarial risk calculations due to "greater historical transparency". 
  • Improving accuracy and timeliness of trading various securities: The financial services industry's usage of the blockchain is quite straightforward: replace the chaotic world of spreadsheet accounting with the streamlined world of blockchain (it is a database technology, after all). NASDAQ's use of Linq was featured in this DUPress article and can also be found here. The GS report goes into much more granular detail on the different scenarios in which the back-end system can be improved, resulting in fewer verification issues and faster trading times.  
  • Better authentication of customers aka KYC (Know-Your-Customer): As noted in the BI article, "Like with the Airbnb example, Goldman envisions identity data stored on a blockchain that could help finance firms easily and quickly check new customers as part of "know your customer" regulation — a bit like a digital passport."
I went through the long report and extracted the following accounting automation insights:
  • Blockchains can reduce spreadsheet funk. Sharing spreadsheets has become the norm in the financial world for being a flexible way to send quantitative information along with context and some formulas here and there; it's how we auditors often get data from the client when asking for a breakdown of an account we are looking into as a part of the audit. It's also error prone. Blockchain, in a sense, is a "napster-esque" way of sharing financial information that ensures a common data structure between the sender and the receiver thereby eliminating the manual verification/handling of spreadsheets (see pages 3 and 10).
  • Blockchain can enhance "assurance" where it's not feasible for auditors to do so. On page 16 the report discusses the role of smart identities in assisting the sharing economy. It talks about how requiring digitally signed user reviews gives them greater data integrity, as it reduces the risk of self-inflated reviews. Although people rely on such reviews to buy books, book hotels, etc., there is a risk of fraud where the seller inflates reviews or pays people to do so. However, with a blockchain-enabled smart identity there is a higher level of assurance that the end-user can place on the reviews, as it is harder for the site owner to fake reviews when each one is digitally signed by an identifiable reviewer. (A signature proves who wrote a review, not that it is honest, so this deters fabricated reviewers more than paid ones.) Of course no audit firm would have audited such reviews. But I think that's the point: the blockchain technology fills an assurance need that auditors couldn't, simply because the delivery of such a service wouldn't be profitable. 
  • Blockchain automation will reduce the need for back-end clerical staff (aka accountants): Looking at the application of blockchain to the title insurance industry (see pages 33-39), the report notes how 75% of the industry's premiums relate to headcount costs. GS puts the reduction in clerical staff at 30%, and the reduction in variable expenses (e.g. commissions, marketing, etc.) at 20%. Blockchain, without AI enhancements, will automate accounting work as part of the automating-knowledge-work trend. These are of course mostly clerical tasks, but blockchain will likely result in less headcount within the finance department. 
  • Role for third party assurance reports in a permissioned blockchain: The consensus mechanism in a permissioned blockchain is quite different from its public counterpart, which relies on proof of work (POW). (See the Khan Academy video below for POW and the blockchain section in this post.) A permissioned system instead requires the consortium that sets up the blockchain to determine how its members will validate transactions with each other. This could require auditors to provide assurance over the implementation of the blockchain, similar to what a SOC report does for cloud computing companies. The report discusses (see page 29) how "Smart Grid Blockchains" could essentially act as the record keeping and payment system for the energy exchanged between a household with windmills or solar panels and the power grid. But how do we ensure that this is being calculated properly? That's where the Processing Integrity principle of the SOC 3 assurance report comes in. It could provide assurance that the blockchain accounting and payment system is processing the data in a complete, accurate and timely manner.  
  • Greater visibility means greater opportunity for audit analytics. One area of cost savings associated with a blockchain-enabled title insurance industry is that actuaries will be better able to assess risk because of "greater historical transparency and immutability into the property registration system" (see page 38). Consequently, where a material amount of transactions are on a blockchain, auditors will (1) have easier access to the data (not a trivial matter by any means!), (2) be able to run better analytics to identify irregular transactions and (3) have better ways to assess estimates. 
  • Value versus hourly billing: In a number of the use cases identified (e.g. title insurance, settling equities, KYC; see pages 38, 51, 75), the report noted how the gains (read: headcount reduction) from blockchain-enabled automation are expected to be passed on to the customer. Why is this relevant to audit? Audit firms could be expected to hand over automation windfalls to the client and further reduce fees. On the one hand, the more automated the audit, the less fee the audit will potentially capture. On the other hand, regulators may want the auditors to do more with the budget that has been freed up. So the revenue and profitability of highly automated audits will depend on how the regulators re-draw scope in light of such advances. 
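To make the difference between the two validation rules concrete, here is an added example in Python; it is not code from the GS report or from any production blockchain. It builds a small chain of the kind of smart-grid readings described on page 29, validates it first under a public proof-of-work rule and then under a permissioned rule that demands a quorum of endorsements from named consortium members, and shows that inflating a past credit fails both rules. The member names, their keys and the readings are constructed; HMAC with a shared secret stands in for the per-member digital signature a real consortium would use.

```python
"""Toy ledger contrasting public proof-of-work validation with a
permissioned consortium rule. Added illustration, not code from the GS
report or any real blockchain; member keys and readings are constructed."""
import hashlib
import hmac
import json

POW_DIFFICULTY = 3   # leading hex zeros a public block must show
QUORUM = 2           # endorsements a permissioned block needs
GENESIS = "0" * 64

# Hypothetical consortium members. HMAC with a shared secret stands in for
# the per-member digital signature a real deployment would use.
MEMBER_KEYS = {
    "grid-operator": b"grid-operator-secret",
    "retailer": b"retailer-secret",
    "auditor": b"auditor-secret",
}

def block_hash(index, prev_hash, payload, nonce):
    """Canonical SHA-256 over the header; sort_keys keeps the encoding stable."""
    header = json.dumps({"index": index, "prev": prev_hash, "payload": payload,
                         "nonce": nonce}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(header.encode()).hexdigest()

def mine_block(index, prev_hash, payload):
    """Public rule: search for a nonce whose hash meets the difficulty target."""
    nonce = 0
    while True:
        h = block_hash(index, prev_hash, payload, nonce)
        if h.startswith("0" * POW_DIFFICULTY):
            return {"index": index, "prev": prev_hash, "payload": payload,
                    "nonce": nonce, "hash": h, "endorsements": {}}
        nonce += 1

def endorse_block(block, member):
    """Permissioned rule: a known member endorses the block hash."""
    tag = hmac.new(MEMBER_KEYS[member], block["hash"].encode(), "sha256").hexdigest()
    block["endorsements"][member] = tag

def links_intact(chain):
    """Each block's hash recomputes from its contents and points at its parent."""
    for i, b in enumerate(chain):
        prev = GENESIS if i == 0 else chain[i - 1]["hash"]
        if b["index"] != i or b["prev"] != prev:
            return False
        if block_hash(i, prev, b["payload"], b["nonce"]) != b["hash"]:
            return False
    return True

def verify_pow_chain(chain):
    """Public chain: links intact and every hash meets the difficulty target."""
    return links_intact(chain) and all(
        b["hash"].startswith("0" * POW_DIFFICULTY) for b in chain)

def verify_permissioned_chain(chain):
    """Consortium chain: links intact and QUORUM valid endorsements per block
    from known members. This is the rule an assurance engagement would test."""
    if not links_intact(chain):
        return False
    for b in chain:
        valid = 0
        for member, tag in b["endorsements"].items():
            key = MEMBER_KEYS.get(member)
            if key is None:
                continue  # an unknown signer never counts toward quorum
            expected = hmac.new(key, b["hash"].encode(), "sha256").hexdigest()
            valid += hmac.compare_digest(expected, tag)
        if valid < QUORUM:
            return False
    return True

# Constructed smart-grid readings: kWh a household exported to the grid.
SAMPLE_READINGS = [
    {"meter": "H-001", "kwh_exported": 12.4, "rate_cents": 9},
    {"meter": "H-001", "kwh_exported": 8.1, "rate_cents": 9},
    {"meter": "H-001", "kwh_exported": 15.0, "rate_cents": 9},
]

def build_chain(readings, endorsers=("grid-operator", "retailer")):
    """Mine one block per reading and collect the configured endorsements."""
    chain, prev = [], GENESIS
    for i, reading in enumerate(readings):
        block = mine_block(i, prev, dict(reading))   # copy: leave the sample data alone
        for member in endorsers:
            endorse_block(block, member)
        chain.append(block)
        prev = block["hash"]
    return chain

def tamper_demo():
    """Inflate a credit after the fact; both rules must then reject the chain."""
    chain = build_chain(SAMPLE_READINGS)
    before = verify_pow_chain(chain) and verify_permissioned_chain(chain)
    chain[1]["payload"]["kwh_exported"] = 80.1
    return before, verify_pow_chain(chain), verify_permissioned_chain(chain)

if __name__ == "__main__":
    print(tamper_demo())
```

The permissioned rule is the one an assurance report would have to test: who the authorized members are, how many endorsements a block needs, and whether an unknown endorser ever counts. Note that a hash chain makes tampering detectable, not impossible; a consortium that controls a quorum of keys can still rewrite history together, which is why the controls around key custody matter as much as the chain itself.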
Despite GS having a reputation as the great vampire squid, the report is quite useful for those working in the blockchain space in identifying the potential of this exponential technology.


Author: Malik Datardina, CPA, CA, CISA. Malik works at Auvenir as a GRC Strategist that is working to transform the engagement experience for accounting firms and their clients. The opinions expressed here do not necessarily represent UWCISA, UW, Auvenir (or its affiliates), CPA Canada or anyone else.

Friday, April 22, 2016

Cloud vs corporate IT: Insights into how the share-economy will play out?

When thinking about disruption we often attempt to look to the past for how it will affect our future. However, we can also explore how disruptive tech is impacting our world today.

Consider a recent WSJ article that gave us insights into how cloud and mobile are disrupting "classic tech":
  • EMC, Intel and IBM are being disrupted. The move to cloud and mobile is impacting the ability of these companies to meet earnings expectations. For example, EMC's sales of storage products declined by 10%, while Intel has seen an overall decline in PC Market sales.
  • Companies are slashing their workforce in response to such trends. The shift to cloud and mobile has resulted in the loss of 12,000 jobs, or 11% of the workforce, at Intel alone. 
  • Overall decline in revenues/profits despite strategic shifts in product mix. IBM's cloud computing business grew 34%, while Intel's data centre business, which serves cloud providers, grew 9% (for more on this "corporatification trend" see here). However, IBM's total revenue fell almost 5%. Intel had a tough time keeping up with rivals like ARM, which posted revenue gains of 22% compared with Intel's 7%, a chunk of which the WSJ attributes to an acquisition Intel made. 
Reflecting on these trends, is it fair to think of cloud as the original use case for the share economy? 

When we think of Uber, Airbnb, etc., we see how users can use these platforms to monetize their excess or underutilized asset by renting it to others.

However, isn't that also the story of the cloud?

Amazon, Intuit, and other cloud computing companies decided to "share" their excess computing capacity with others. In a sense, we are talking about servers instead of houses, but the concept is really the same.

And this goes to my initial point. We are living through the disruptive impacts of cloud and mobile on legacy-tech and we can quantify, analyze and understand its impact.

Given this premise, what does the above tell us about the share-economy?

Firstly, better utilization of assets leads to fewer asset sales. This should be expected: more efficient use of assets (servers, cars, houses, etc.) shrinks the market as long as demand remains constant. As I noted in a post a few months ago, the Uberization of the taxicab industry would ultimately lead to a fleet of cars owned by a company like Google, leading to a net reduction in the cars used by society. GM probably understands this concept, as it has invested $500 million in Lyft, a competitor to Uber.

Secondly, it illustrates how the share-economy is subject to concentration of wealth: the cloud computing landscape is dominated by large players, including Amazon, Google and Microsoft. As noted by Douglas Rushkoff in the following video, since these innovations emerge out of the "operating system of capitalism", they inevitably result in a handful of platforms that dominate the industry and capture the lion's share of the profits.


(Also check out his book that discusses this in more depth)

Thirdly, it's difficult for behemoths to adjust to these types of shifts. Despite Intel and IBM investing in the disruptive technologies, it is hard for them to adjust to the dynamics of the new economy. This illustrates how much more challenging it will be for those disrupted by such platforms to re-tool and compete in the new landscape.

For accountants and auditors, one such platform to watch out for is Gigwalk. As per their website, their value proposition is that by leveraging the 350,000 “professional services” workers (see graphic below) the manufacturer or other upstream supplier can get visibility into the actual retail outlet. For example, Whirlpool wanted to “Audit the presence of its Swash product on showroom floors, communicating back to corporate compliance gaps in real-time”.

And the "starter Store Audit Package" begins at $10.

Creative destruction is not inevitable, but we should learn from the lessons of these tech giants and plan prudently to meet such challenges head on.


Wednesday, January 21, 2015

Amazon to Canadian Customers: These features are for US Only

Over the break, I decided to abandon my Samsung S4 and move to the Note 4. I made the mistake of buying the first cell at an independent cell shop thinking that I would get ahead on contracts. But it had chronic issues with getting the IMEI to work and then the speaker didn't work either. Never had these problems before when buying on contract. So back on contract I go.

Device is beautiful:


I had the first iteration of the device, the Note 1. This is much better, and the pen seems to be much improved in terms of being able to write by hand. Much crisper screen as well. Anyways, I digress.

Given the decent size of the device, I figured this would be the perfect opportunity to try out the immersion reading feature. Immersion reading enables you to hear and read the book at the same time, giving you the benefits of both the audio learning and the visualizing the text.

Much to my dismay I figured out after hours of trying to make this work that it didn't. Why? Because I am in Canada.

However, it was only after confirming my suspicions with this post that I realized the truth: Canadians are locked out of yet another one of Amazon's services. Now the real issue is why doesn't Amazon openly say this on the amazon.ca website? In fact, I even corresponded with the help desk and assumed that they would warn me that this feature does not work. As you can read in the posts, I was not the only one frustrated by this state of things.

The incident reveals a couple of things. Firstly, Amazon is a US-focused company; it does not serve Canada well. For example, its Prime Video service is only available in the US. This is just another example. I wonder why Chapters has not exploited this?

Secondly, it exposes the weakness of the mass-service model used by Amazon as well as by cloud computing companies: it can serve the masses but not the unique needs of a particular clientele.



Tuesday, December 9, 2014

Europe vs Google et al: Long term ramifications of the Snowden Revelations?

Wall Street Journal had an interesting piece today where they discuss how the "clash that pits [European] governments against the new tech titans, established industries against upstart challengers, and freewheeling American business culture against a more regulated European framework". For example, "[t]he European Parliament in late October called on Internet companies operating in the region to “unbundle” its search engines from its other commercial properties". The obvious company that would be impacted by this is Google (and the WSJ article notes that Microsoft is aiding and abetting such calls to help boost its own profile).

However, the WSJ article notes: "And perhaps most fundamentally, it is about control of the Internet, the world’s common connection and crucial economic engine that is viewed as being under the sway of the U.S. This exploded following the revelations by Edward Snowden of widespread U.S. government surveillance of Americans and Europeans—sometimes via U.S. company data and telecommunications networks."

This would not be the first article to note that the Snowden revelations have put a chill on the move to the (US) cloud. However, it does highlight how far the revelations have gone to force the hand of European regulators to at least act in public like they are trying to do something to protect the data of their companies.

What the article did not go into in much detail is the likely reason that the Europeans are concerned. Although it may be presented as an issue of privacy or anti-surveillance, the likely real reason is industrial espionage. As per the Snowden revelations, government spy agencies are not just interested in obtaining information on matters relating to national security, but are also interested in obtaining data related to international trade or other business dealings. As noted by the CBC, “NSA does not limit its espionage to issues of national security and he cited German engineering firm, Siemens as one target”. It is unfair to single out the US for such actions, as other governments do it as well. For example, Canada’s CSEC is also alleged to be involved in similar activity, with the Globe & Mail reporting that “Communications Security Establishment Canada (CSEC) has spied on computers and smartphones affiliated with Brazil’s mining and energy ministry in a bid to gain economic intelligence.” Former Carleton University Professor Martin Rudner explains (in the same G&M article) that the objective of such surveillance is to give the Canadian government a leg up during negotiations, such as NAFTA. 

Although most have forgotten the commercial rivalries (see the quote from then US president Woodrow Wilson about the roots of international conflict) that exist between the G8 nations, it is important to understand the implications this has for data security in the cloud. Anything that is sensitive and relevant to business dealings should never be put in the cloud. Of course, what constitutes "sensitive" is a matter of judgment, but the criteria can effectively be "reverse engineered" from what was revealed.

Monday, September 30, 2013

Porter's Outage: Dealing with an outsourcer's system failure

A couple of weeks ago, I got caught in the Porter Airlines network outage. I was heading back from a meeting in Ottawa and we had managed to get to the airport on time, only to find that we could not get our flight because the "system was down". Although I was scrambling to figure out how to get back to Toronto, my colleague had it much worse as she had a connecting flight back to Windsor! For me it was one of those "check out" moments. You know when you are at the grocery store and the guy ahead of you is haggling with the attendant, and you think to yourself: "Should I wait for this situation to resolve itself or move to the next line?" As the Porter folks informed us that they would give us a refund, I decided to book the next Air Canada flight back to Pearson (instead of Billy Bishop airport, where I had parked). Although I was supposed to fly out at 9:20 PM, they managed to put me on the 7:30 flight. A number of us at the back were "refugees" from the Porter flight. It is tempting to get exasperated and complain in these situations, but one of my fellow refugees pointed out how this is essentially a "first world problem": we only ended up waiting about an hour and we had all the amenities (food, water, shelter, etc.) waiting for us when we got back to Toronto!  
As reported in the Toronto Star, the source of the outage was a failure at Navitaire, the provider of the "reservation and flight planning system" that Porter outsourced to. It turns out that other airlines, such as AirTran, were also affected by the outage.

Surprisingly, this is not the first time that Navitaire has experienced an outage: the company also had an outage in 2010 that affected Virgin Blue airlines. As would be expected, Virgin sued Navitaire. The case was settled out of court. As noted by the Register (who commented on the 2010 outage):

"It is becoming more and more obvious that Navitaire's business continuance and disaster recovery provisions failed completely in this outage. There should have been standby systems ready to take on the load of any failed system or system component, but there weren't any. That is a blunder of the first magnitude by whoever designed, implemented and ran the system."

Well, it seems that the "blunder of the first magnitude" has repeated itself only 3 years later.

As you know from my previous posts, I have written about the cloud from a CPA perspective, so the logical question is: where is the SysTrust or other third party review of their IT controls to ensure that this type of thing doesn't happen?

Well, I could not find it. The brochure for the services offered by Navitaire does not mention a third party audit report. However, it is possible (although unlikely due to the cost) that Navitaire allows its customers to send in their own auditors.

Regardless, the incident illustrates the need for customers who outsource their operations to third parties to get an assurance report (e.g. Trust Services) that ensures that such controls (e.g. disaster recovery) are in place.

To Porter's credit they gave me a refund and they also gave a free flight to anywhere they fly. So from their end they did their best to make amends due to the fiasco.


Tuesday, February 26, 2013

Technology and Audit: Rising tide of tech floats all boats

Norman Marks, evangelist at SAP, neatly summarizes in this 5 minute video the implications that recent technologies, such as cloud, analytics and the like, have for the auditing profession.

As he notes, "if it's good enough for our clients, it's good enough for us" (i.e. us being the auditing profession).  He mentions how individual analysts and other business professionals are using tablets and other devices to perform analytics. He also cautions that we should not make the same mistake as we did when analyzing the potential for desktop computing. In the video he narrates an amusing anecdote about the reaction of the accounting firm that he worked at to the nascent, desktop computer in the 70s.

Although I agree with his comments, I would say that this also extends beyond the corporate IT environment. I have written in the past about cloud and mobile tech, and what I see is that these technologies favour small and medium sized businesses (SMBs) over large ones. Basically, SMBs can now afford enterprise-class technology and are probably already using it within their personal spheres. Hence the term "consumerization of IT": advances in technology are focused on the consumer space, not the corporate IT department. As illustrated by the use of the iPhone within corporate IT, consumers brought in or demanded that IT let them use the iPhone instead of the standard-issue (e.g. BlackBerry) smartphone. Furthermore, widespread familiarity with these technologies gives SMBs access to employees who know how to use them without specialized training. The sum of it: it is much harder for auditors to justify being low-tech when even the employees of SMBs have gone high-tech.


Sunday, February 17, 2013

NYT vs Tesla: Sustainability, Electric Cars and Data Audits

On February 10th, the New York Times posted a negative review of the Tesla Model S. The article, entitled "Stalled Out on Tesla’s Electric Highway", painted a bleak picture of the car's ability to keep its charge and travel long distances. This is obviously a big concern for those who would purchase such a car. The reporter who drove the car noted the following about his experience during the test drive:
  • Charge was dropping faster than anticipated.
  • In order to extend the charge, the reporter reduced the temperature to the point where he was feeling uncomfortable.
  • The reporter barely made it to the next charging station, even though he should have been able to make it (easily) based on the amount of charge indicated at the outset of his journey.
  • Car did not retain its charge overnight. When the reporter went to sleep it showed 79 miles, but in the morning it showed 25 miles remaining.
  • On another leg of the trip the reporter never made it to the next charging station, even though he drove the car at a modest 45 miles per hour. Instead, the car shut down on the road, and the reporter had to wait 45 minutes for it to be put on a flatbed truck.

Billionaire Elon Musk, the co-founder and CEO of Tesla and a co-founder of PayPal, was not going to take this review lying down. As it turns out, the Model S had data logs recording the driver's actions. So Musk reviewed the logs and fired back with the following post disputing the claims of the NY Times article. He noted the following:

  • The temperature was not turned down, but instead turned up to 74 degrees.
  • Insufficient time was spent charging the car (47 minutes instead of 59 minutes).
  • On the last leg of the trip where the car died, the reporter actually missed the recharge station.
  • He drove between 61 and 81 mph, well beyond the 45 mph claimed.
The blog post also links to the following article, highlighting that the reporter had previously described electric cars as "dismal, the victim of hyped expectations, technological flops, high costs and a hostile political climate", as evidence of the writer's bias against electric cars. 

Of course, the reporter was not going to take this rebuttal lying down either, and so he fired back with the following "rebuttal of the rebuttal". (I am not going to summarize what he said, but you can read it there.)

The point is: who is correct? 

Although Tesla is stating that the reporter has an axe to grind, the same argument can be made against Tesla: they want electric cars to be viewed favourably so that their company succeeds. 

And that's where the importance of data audits and system controls comes in.

How do we know the logs that Tesla is using have not been tampered with? What system controls are in place to ensure data integrity? 

The importance of this topic goes beyond a tussle between a media outlet and a company. What's really being discussed here is environmental sustainability. The tussle illustrates the increasing importance of data in the critical judgments society makes about sustainability. And this leads to my next question: are assurance practitioners ready to tackle these types of third-party reporting challenges? 

As I've mentioned in previous posts, auditing information is a skill that goes beyond the particular information being audited. In terms of the Tesla car, audit procedures could be performed to see whether controls exist over the data logs to ensure they were not tampered with; the sensors that generate the data could also be tested for completeness, accuracy and validity, etc. For example, Musk claims that the car never ran out of energy, whereas the reporter (in his rebuttal) claims it did. So is the reporter right and the sensors wrong? Or the sensors right and the reporter wrong? You can only know if someone independent of the NYT and Tesla tested the controls. 
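Making "have the logs been tampered with?" a testable question rather than a matter of trust is a design problem as much as an audit one. One standard approach is to chain each telemetry record to the one before it with a keyed hash, so that altering, inserting or deleting a record breaks every check from that point on. The following Python is an added example written for this post, not Tesla's logging code; the telemetry records, field names and key are constructed for illustration:

```python
import copy
import hashlib
import hmac
import json

# Constructed sample telemetry, loosely modelled on the fields disputed in the
# Tesla/NYT exchange (speed, cabin temperature setpoint, state of charge).
# None of these values are real log data.
SAMPLE_RECORDS = [
    {"t": "2013-01-23T09:00:00Z", "speed_mph": 0, "cabin_f": 72, "soc_pct": 90},
    {"t": "2013-01-23T09:10:00Z", "speed_mph": 65, "cabin_f": 74, "soc_pct": 84},
    {"t": "2013-01-23T09:20:00Z", "speed_mph": 71, "cabin_f": 74, "soc_pct": 77},
    {"t": "2013-01-23T09:30:00Z", "speed_mph": 58, "cabin_f": 74, "soc_pct": 70},
]

# Hypothetical per-vehicle logging key. In practice the key (or the resulting
# tags) must be held by a party independent of whoever operates the logger,
# otherwise the chain proves nothing to an outside auditor.
KEY = b"example-vehicle-logging-key-not-real"

GENESIS = b"\x00" * 32  # the tag "before" the first record


def _canonical(record):
    # Canonical JSON so that the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def chain_records(records, key):
    """Return tamper-evident log entries: each tag covers the record and the
    previous tag, so the tags form a chain back to GENESIS."""
    prev = GENESIS
    entries = []
    for rec in records:
        tag = hmac.new(key, prev + _canonical(rec), hashlib.sha256).digest()
        entries.append({"record": rec, "tag": tag.hex()})
        prev = tag
    return entries


def verify_chain(entries, key, expected_count=None):
    """Return -1 if the chain is intact, otherwise the index of the first entry
    whose tag does not match. A chain cannot by itself detect truncation of its
    tail, so a caller who knows how many entries were written passes
    expected_count and gets len(entries) back when the tail is missing."""
    if expected_count is not None and len(entries) != expected_count:
        return len(entries)
    prev = GENESIS
    for i, entry in enumerate(entries):
        expected = hmac.new(key, prev + _canonical(entry["record"]), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(entry["tag"])):
            return i
        prev = expected
    return -1


def tampered_copy(entries, index, field, value):
    """Copy of the log with one field of one record changed (the 'edit the
    speed down to 45 mph' scenario)."""
    edited = copy.deepcopy(entries)
    edited[index]["record"][field] = value
    return edited


if __name__ == "__main__":
    log = chain_records(SAMPLE_RECORDS, KEY)
    print("intact log       :", verify_chain(log, KEY))
    print("edited speed     :", verify_chain(tampered_copy(log, 2, "speed_mph", 45), KEY))
    print("deleted record 1 :", verify_chain(log[:1] + log[2:], KEY))
    print("truncated tail   :", verify_chain(log[:3], KEY, expected_count=len(log)))
```

Two caveats a practitioner would raise. First, the chain only proves that nobody without the key rewrote history; if the logger's operator holds the key, the chain proves nothing to an outside party, which is why the tags (or a periodic root tag) would have to be deposited with someone independent at recording time, the role the post wants an auditor to play. Second, a chain cannot see that its own tail was cut off, hence the separate expected_count check.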

As we know from the increased interest in big data (e.g. it was a big part of the last US federal election), these types of disagreements are going to become more commonplace. It illustrates that financial auditors need to become more proficient in technology and be able to port their skills from the arena of financial information to sustainability and other kinds of reporting.

However, the world waits for no one. 

Non-accountants have already started to dabble in the world of assurance. Although not an audit per se, CloudAudit is an attempt by members of the Cloud Security Alliance to allow potential cloud customers to view "audit artifacts" (which I would translate to source documents or audit evidence) maintained by a cloud service provider and gain some comfort over the state of system controls at that provider. Consequently, if audit professionals choose to stay on the sidelines and stick to the traditional financial audit, some other tech-savvy professional group will fill this gap.  

Monday, November 19, 2012

Hurricane Sandy and Disaster Recovery: Cloud to the rescue?

When looking at the aftermath of Hurricane Sandy, the most important aspect of the event is the toll it has taken on people. The Atlantic puts the total impact at $60 billion, with the death toll at 123 people. However, those who survived face the challenges brought about by the flooding and by living without power for weeks. For example, 4 million remained without power for an extended period of time. This of course challenged individuals to keep their frozen food cold and to live without technology for that period. As for companies, their disaster recovery plans were put to the test. Perhaps the most poignant example was the New York University Langone Medical Center, which had to evacuate patients because its backup generators were located in the basement, which flooded. Hospital officials defended their preparedness, but critics pointed out that the backup power generators "are not state-of-the-art".

Samara Lynn of PC Magazine published an article on how Sandy taught organizations valuable lessons from a Disaster Recovery (DR) perspective (she previously painstakingly put together a four-part series on DR planning for small and medium sized businesses; see here, here, here, and here). Before I read the article, I was expecting a bulleted list of dos and don'ts when it comes to DR planning. What I was surprised to find instead is that companies relied on cloud computing service providers to make up for the unavailability of local processing. Examples include:
  • A New York architectural firm, Diller Scofidio + Renfro, used Amazon Web Services (AWS) to relocate the company's core applications, enabling users with the proper license configuration to access these applications right from their laptops. The IT Manager, Chris Donnell, also used AWS as a remote desktop during the disaster. (I encourage you to read the whole article, as it details how Chris was in the middle of an email migration from Outlook to Gmail when Sandy hit; poor guy!) The company also used Panzura to store data temporarily in the cloud.
  • RingCentral, a cloud-based PBX hosting service (they sponsor TWIET and other podcasts on the TWIT network), was able to relocate its operations away from the storm. More importantly, it offers near-instant recovery of phone support: by plugging in a piece of hardware it can "bring in a live extension under 10 minutes". Naturally, there is increased interest in RingCentral from those who were dissatisfied with the lengthy recovery times of their own providers. 
The article also discusses how a service provider made DR part of its IT outsourcing service, and how the key to DR is backup power. 

Although not directly related to cloud, one of the most amazing stories that I've heard is how Squarespace (SQS) kept its platform up and running. Like the hospital, SQS had its backup generator in the basement, and that got flooded. It published this blog post to inform customers of what was happening. However, the really interesting story is the lengths the team went to in order to keep the site up and running: the team physically carried fuel from the basement to the generator on the roof, going up 17 flights of stairs.

Even more amazing was that the founder and CEO, Anthony Casalena, personally helped in this effort. Talk about tone at the top!

Saturday, November 3, 2012

Can we live in the cloud? Prof Jeff Jarvis intends to find out

On This Week in Google (TWIG) episode 169, Jeff Jarvis, professor of journalism at CUNY, announced that he will be attempting to live only in the cloud, abandoning the comforts of the offline desktop. He recently moved to the Android ecosystem (i.e. for his mobile device and tablet), which he credits to Google's wide range of services, from Maps to Google Docs. Taking it to a "whole nother level", Jeff is planning to live only in the cloud once he gets his hands on Samsung's ultra-cheap Chromebook, which is expected to retail for $249. The Chromebook (as its name suggests) is based on Google's Chrome OS, where the OS is basically the Chrome browser. Here's the ad in case you missed it:


As illustrated in the ad, the concept is that the Chromebook is something that anyone and everyone can use. The premise is: if you do most things in the browser, then you really don't need a full laptop. A few years ago, as Leo Laporte pointed out in the episode, this experiment, by way of netbooks, failed. Does Jeff have a fighting chance, or will Leo tell Jeff "I told you so" after Jeff's experiment ends? I think Jeff does have a fighting chance. Firstly, cloud computing has matured significantly since netbooks hit the scene. Secondly, people are now accustomed to using tablets and smartphones to get things done.

In a way the Chromebook represents an intersection between the trend of cloud computing and thin-client devices and a return to the early years of computing, where users had to "dial in" from "dumb terminals" to powerful mainframes. Except that now the Chromebook, smartphones and tablets replace the dumb terminals, while cloud computing service providers replace the mainframe.

Why should information security & privacy professionals care about this?

It is really about the price point. If Jeff Jarvis can successfully move to the cloud with this device, it means that the economics of the consumerization of IT have arrived. Think of a 10-person small business that is starting up. It really just needs email and office productivity apps to serve its clients. The IT cost would be about $2,500 for the hardware (ten Chromebooks at $249) and then a recurring cost of about $500 a year for Google Apps. The traditional Dell laptop plus MS Office licence would cost about $6,480 upfront, plus the cost of an email server, plus the IT resources and effort to maintain and patch the laptops and the server.

In terms of data redundancy, one could argue that since all the data is in the cloud it is actually safer. In theory, if the owner loses their Chromebook, they can just change their password and the Chromebook becomes a "dumb" piece of hardware with no data (provided the password change also revokes the sessions already signed in on the device; see the question on lost Chromebooks below). And as illustrated by these stats, this is no small benefit. Of course, cloud computing does have its risks, as mentioned in a previous blog post and in this publication (which I co-authored for the CICA). It's not that the risks in the cloud are insurmountable, but they are different than the ones we are accustomed to dealing with.

From a usability and information risk perspective, I would ask Jeff Jarvis these questions about his experiment:

  • Printing: What are the hiccups in terms of producing and printing formatted documents? What I am thinking about are the mundane things like resumes, reports and the like. 
  • Working with Luddites: How do you work with others who are not in the cloud? Sometimes, when working with a colleague, the most efficient way to transfer a number of documents is via USB, especially when the other party does not have Internet access (e.g. think of locked-down company laptops). 
  • Handling sensitive data: What is the sensitivity of the data being put in the cloud? For example, we keep private things like tax files that contain SSNs, SINs, income, etc. offline. So how would one keep such things private, or is it a matter of just living in public? For readers unfamiliar with Jeff Jarvis, he takes a "what's the harm?" approach and has written two books (click here and here) on the topic of being more open and social with one's information. But I hope he can appreciate that not everyone uses his "privacy settings" :)
  • Trusting cloud providers: What due diligence does someone do before trusting a cloud provider? I suppose this is a "leading question". Accounting associations in Canada (i.e. the CICA) and the US (AICPA) have established Service Organization Control (SOC) reports. These reports replaced the SAS 70 Type II reports in the US and Section 5970 reports in Canada. So do you need this type of assurance before dealing with these companies? Going back to the tax return example, one solution would be to use cloud-based tax services. But how do you establish trust that this information is appropriately protected? One may attribute my repetitive use of the tax return example to the fact that I am an accountant. However, to be fair, Gina Trapani on a previous episode of TWIG did point out that an accountant should not be putting tax info in the cloud unless it was encrypted. 
  • Securing data on the lost Chromebook: If the Chromebook is lost, what precautionary measures does the person have to take? In other words, this is where theory meets reality. 
  • Making local backups: Currently, we back up from offline to the cloud, but how does this work in reverse? The reason this is important is illustrated by Mat Honan's Apple iCloud account getting hacked and him watching helplessly as his data got deleted.
  • Working without internet access: How often does the lack of internet access, due to being in a subway or a non-WiFi area, become an obstacle to being productive?
  • Working through cloud outages: What happens if there is a disruption at the cloud provider or in the underlying infrastructure? Jeff lives in NY (and judging by his tweets, he's doing okay), so he does have some experience dealing with such a scenario given the disaster brought to his area by Hurricane Sandy. 

Assuming Jeff actually does get his Samsung Chromebook and goes through with this experiment, I will post an update to this post.

Wednesday, October 24, 2012

Did the SC Supreme Court legalize industrial espionage on the cloud?

As reported in Ars Technica, the South Carolina (SC) Supreme Court ruled that gaining access to someone else's email does not violate the Stored Communications Act. In the case, Jennings v. Jennings, the husband (M. Lee Jennings) was suing Holly Broome, the daughter-in-law (from a previous marriage) of his ex-wife Gail M. Jennings, for unauthorized access to his personal email account. Holly had guessed the correct answers to his secret questions and gained access to his email account. She had been asked by her mother-in-law to look at M. Lee Jennings's email because he had admitted to having an affair and to exchanging email correspondence with this woman. Holly printed the emails and provided them to Gail and her legal team, who used them against M. Lee Jennings during the divorce trial.

The Supreme Court found that the hacking was not in violation of the Stored Communications Act (SCA) because cloud-based email does not meet the "definition of "electronic storage" within the SCA [which] requires that it must be both temporary and intermediate storage incident to transmission of the communication and storage for the purposes of backup protection". It should be noted, as pointed out by William Shapiro on this episode of This Week in Enterprise Tech (it's the first segment, so you don't have to listen to the whole episode), that this judgment is limited to South Carolina.

Wow. In these few sentences, the SC Supreme Court has, in effect, removed the SCA's protection from anything stored in the cloud. In the last few posts on the UWCISA blog, I have commented on industrial espionage and on Microsoft's move of Office to the cloud. In my entry on cloud I noted that the cloud pretty much gives access to law enforcement:
"In terms of privacy, the way the privacy rules work is that if the provider tells you in the ToS that they will hand over things to law enforcement then they are covered from a privacy compliance perspective. (See the Privacy Commissioner's handling of the complaints against CIBC). Furthermore, as noted in this article both American and Canadian law enforcement and other agencies can access what you put on Office 365 and they don't need to tell you about it. "

On my entry on industrial espionage, I highlighted that, in addition to the risks highlighted by US government officials on using Chinese hardware manufacturers, "it is important to recognize that other factors are at play on the specific issue of ZTE and Huawei and that the risk of Chinese hacks should not be overstated. After all, non-Chinese companies do conduct industrial espionage against one another. For example, SAP had to pay $120 million to Oracle for such activity, which occurred in 2007. But if you raised the threat of German firms hacking to get into American companies, people would think you are not well. So although this threat is real, it is not new and it's not just coming from the Chinese."

Furthermore, I have been immersed for the last few weeks in Kevin Mitnick's (wiki, his site) Ghost in the Wires, which details how he hacked into Motorola, Sun, and other major companies. Once you read his story, you will quickly realize how this ruling by the SC Supreme Court makes it open season on any corporation that uses the cloud as a means to outsource processing. If an average person like Holly Broome can access confidential email, imagine what a determined hacker like Mitnick could do! For example, if you use Google Docs or the soon-to-be-released consumer version of Microsoft Office 365, then a competitor could gain access without violating the SCA and use that information. Will this judgment spur hackers to relocate to South Carolina and access all types of confidential information stored in the cloud? Of course they still can't take patented or copyrighted information, but what about companies whose information is not patented, trademarked, etc., or protected by other laws (e.g. privacy legislation, laws against theft of credit cards, etc.)?

It's interesting how vulnerable cloud, and technology in general, is to the inability of lawmakers and judges to see into the future. Common sense would dictate that a person who buys or uses a service and keeps it secret via a password expects the information to be confidential to them. But I am not a lawyer, just an accountant in tech. That being said, it is unlikely that Google, Microsoft, Amazon, and the other tech giants will take this ruling lying down. One can expect that they will use their dollars and influence to reassure customers that their services are safe from "legal industrial espionage".

Sunday, September 30, 2012

MS Office goes Cloud: Quick overview of benefits and things to watch out for

Earlier this month, CNET's Mary Jo Foley reported on Microsoft's move to Office 2013. As noted in a previous blog post, this is a huge year for Microsoft as it moves to the tablet-centric Windows 8 operating system. Well, they seem to be doubling down on dramatic shifts as they launch a SaaS offering of their ubiquitous Office productivity suite: Office 365. Mary Jo reports that Microsoft will be giving customers a choice between purchasing Office 2013 as "normal" or as a subscription to the cloud version of the software. To sweeten the offer, Microsoft is offering the following extras (credits: Mary Jo and Paul Thurrott): 
  • Ability to log in on 5 different PCs or Macs 
  • Access to Word, Excel, PowerPoint and OneNote, as well as Access, Publisher and Outlook
  • 60 Skype World Minutes a month
  • 20 GB of SkyDrive storage
  • Security and other patches
  • Access to new functions throughout the subscription period (i.e. you don't need to wait for the next version)
In contrast, the standard PC-installed version of Office 2013 can only be installed on one machine. Also, to get access to Access, Publisher and Outlook you need the Professional version (Mary Jo has a great table here that explains the different options). 

Office 365 Home Premium is $99.99/year, which covers an "entire household" (i.e., as Paul Thurrott explains, it is not tied to a single individual but can be used by any person at that address). Assuming the price is the same in Canada, this amounts to $9.42/month (including HST), which is cheaper than two venti lattes at Starbucks. Compare this to Office 2013 Professional, which retails for $399.99 + HST (and $139.99 + HST for the Home & Student version, which includes Word, Excel, PowerPoint, and OneNote). 

However, the big story here is that Microsoft is getting the average user - to the cloud! (Oh yes, it was Microsoft that came up with those terrific ads, wasn't it?) Some may say this is yesterday's news because Google Docs has already brought office productivity to the cloud. Although that may be true, if you ask my students, they use Google Docs to collaborate but still rely on MS Office to print a report or assignment. And of course when they go on their work terms, the firms are still using MS Office (so they need to know how it works and be able to use it well).   

In other words: is the world ready to move its recipes, financial budgets, and other personal documents to the cloud? 

For those who want the full lowdown on cloud, download this whitepaper from the CICA, which I wrote with Yvon Audette of KPMG. Alternatively, here is a short list of things you can discuss with friends, or anyone else, who are wondering what happens if they decide to go with Office 365 or another cloud-based app.

Pay for what you use: In terms of benefits, MS has really sweetened the pot with the extras noted above. The other implicit benefit is that you are not paying for a static piece of software upfront. Furthermore, if you change your mind later on, you will be out only $100 instead of $400. To buy Office Professional you have to fork over $400 on the spot, whereas with Office 365 you pay as you go (i.e. $100 per year). So if you decide a year from now that you don't use all the extras that Office 365 comes with (let's say you are not using Publisher, Access, Skype, etc.), you can buy the Starter version or switch to an open source alternative. 


The cloud can go down, but so can your laptop: There have been cases of cloud outages, as I noted in my last post. Consequently, you should create a local backup of your files from Office 365, so that they are accessible off the cloud (I am hoping Microsoft will make this easy) and won't be lost or corrupted if there is a problem at Microsoft. However, let's be honest: what's more likely to go down, Microsoft or your own laptop? The advantage of Office 365 is that if your laptop goes down, you can always access your files from another laptop. In other words, your data is no longer tied to your machine.
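This item, and the "Making local backups" question in the Chromebook post above, come down to the same practical check: a local copy of cloud data only protects you if you can tell, before you need it, that the copy is complete and unmodified. The Python below is an added example for this page, not a Microsoft or Google tool; it hashes every file in an exported tree into a manifest and later compares the tree against that manifest. The sample documents and the simulated damage are constructed for illustration.

```python
import hashlib
import pathlib
import tempfile

# Constructed sample "cloud export": the kind of personal documents the post
# talks about. Contents are placeholder bytes, not real files.
SAMPLE_FILES = {
    "budget.xlsx": b"household budget 2012 (placeholder bytes)",
    "recipes/chocolate-cake.docx": b"2 cups flour, 1 cup sugar ... (placeholder)",
    "tax/2011-return.pdf": b"T1 General 2011 (placeholder)",
}


def write_tree(root, files):
    """Write a dict of relative-path -> bytes under root. Used here to build the
    constructed sample; a real run would point at a downloaded export instead."""
    root = pathlib.Path(root)
    for rel, data in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def sha256_file(path):
    # Stream in chunks so large spreadsheets or PDFs do not have to fit in memory.
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    root = pathlib.Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root, manifest):
    """Compare a backup tree against the manifest recorded when it was made.
    Returns sorted lists of files that are missing, modified, or extra."""
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    extra = sorted(set(current) - set(manifest))
    modified = sorted(
        rel for rel in set(manifest) & set(current) if manifest[rel] != current[rel]
    )
    return {"missing": missing, "modified": modified, "extra": extra}


def demo():
    """Build a local copy of the sample export, record a manifest, then damage
    the copy the way a bad sync or an account wipe would, and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        local = pathlib.Path(tmp) / "local-backup"
        write_tree(local, SAMPLE_FILES)
        manifest = build_manifest(local)  # in real use, store this away from the files

        # Simulated damage: silent corruption, a deletion, and a stray file.
        (local / "budget.xlsx").write_bytes(b"household budget 2012 (corrupted!)")
        (local / "tax/2011-return.pdf").unlink()
        (local / "notes.txt").write_bytes(b"not in the manifest")

        return verify_backup(local, manifest)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:9}: {files}")
```

Keep the manifest somewhere other than alongside the files it covers (a sync that wipes the folder would otherwise take the manifest with it), and run the comparison on a schedule rather than on the day of the outage; a backup whose integrity was last confirmed at restore time is the scenario the Mat Honan story warns about.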


You have less control, but you've handed it over to Microsoft (who should know a little bit about good computing practices): It should be clear that you are handing over your files to Microsoft to manage for you. But this may be a good thing, as they may do a better job than you. For example, if you don't do local backups (as you should), Microsoft likely does. According to this link, they undergo an ISO 27001 audit (click here to see what that covers) as well as meeting HIPAA, FISMA, and EU Model Clause requirements. The attestation that is absent is the new SOC 2 (see here for the difference between SOC 2 and SOC 1; SOC 1 replaced the SAS 70 Type II reports, which outsourcers previously used and abused).


Terms of service (ToS), assume nothing: In general, cloud service providers have an army of lawyers to indemnify them from pretty much everything. So you should assume that if anything goes wrong, it's tough luck for you. Also, beware of what they say about who owns the data (ZDNet did an analysis last year for online storage; I hope they update it for the new Office 365). According to this post, Microsoft refunds money for downtime on the Office 365 it offers to businesses, but it is unclear whether it would do the same for consumers. 


Is a hacker also using Office 365? Amazon's cloud service, EC2, was used by hackers to launch the infamous attack on Sony's PSN. Security researchers were also able to spy on fellow "tenants". So what do these two facts add up to? Hackers will look for vulnerabilities in Office 365 that they can exploit to get at other users' data. That being said, hackers are mostly after credit card data, and it may be more trouble than it's worth to mine terabytes of cake recipes and essays on Shakespeare to find what they are looking for (though 'big data' tools do make this easier). 


Privacy: accidental disclosures and the reality of law enforcement. In addition to nefarious individuals lurking on the internet, there is a risk that something will go wrong and the wrong user will get access to your documents. For example, Microsoft's precursor to Office 365 (known, excitingly, as BPOS) experienced precisely this kind of breach (to be fair, here is MS's defense). In terms of privacy, the way the privacy rules work is that if the provider tells you in the ToS that they will hand over things to law enforcement, then they are covered from a privacy compliance perspective. (See the Privacy Commissioner's handling of the complaints against CIBC.) Furthermore, as noted in this article, both American and Canadian law enforcement and other agencies can access what you put on Office 365, and they don't need to tell you about it. 


With Microsoft's push to the cloud, it will be interesting to see how "consumer outsourcing" works out. For example, how will the masses react to an outage? Will grade school teachers accept the excuse that "the cloud ate my homework"? Or will we be surprised at how adept people are at adapting to the new realities of the cloud? For example, people nowadays hold camera-free parties to manage the risk of the 24/7 surveillance world we live in thanks to social networks. Practically, consumers can use free open source alternatives to keep their personal documents offline and use Office 365 for things they don't consider sensitive, or to meet the demands of employers and customers, and some of these providers are keenly working to make their offerings interact with Office 365. However, the problem is that if people are used to using Excel offline to keep their budgets, are they really going to switch to an open source alternative? I guess we will wait and see what happens. 





Sunday, July 8, 2012

Electrical and cloud outages: Is it time to bring both on premise?

Amazon experienced an outage that affected a number of companies that rely on its cloud service. The company informed its users that the service went down due to a power outage, stating: 


"On June 29, 2012 at about 8:33 PM PDT, one of the Availability Zones (AZ) in our US-EAST-1 Region experienced a power issue. While we were able to restore access to a vast majority of RDS DB Instances that were impacted by this event, some Single-AZ DB Instances in the affected AZ experienced storage inconsistency issues and access could not be restored despite our recovery efforts. These affected DB Instances have been moved into the “failed” state."


This notice was actually taken from CodeGuard (a start-up that takes snapshots of websites, enabling owners to undo unwanted changes), which was one of the companies affected by the outage. 


As can be expected, many will use this as an opportunity to illustrate the danger of moving from on-premise to the cloud. A parallel argument would be to highlight the dangers of drawing electricity from the central grid. One could argue that we are more reliant on power than on computing, so why not bring electricity "back" on premise? This is an absurd argument, but that is exactly the point. Companies, as pointed out by Nicholas Carr in The Big Switch, used to produce their own electricity but eventually moved to rely on the grid for power. Today hardly anyone produces their own power, but they have backup generators in place should the grid go down. And that's the right question to ask: why was there inadequate backup power at Amazon? In other words, society has decided to live with the fact that electricity is delivered centrally, but has built in controls to manage the issues that may arise. 


Instead of viewing this as a black mark against cloud computing, it is important to view the discussion in the context of risk. Charles Babcock of InformationWeek published a good article on the reaction to the outage. He noted that some are leaving AWS in reaction to it. Specifically, Whatsyourprice.com (an online dating service) is moving to a hosted solution, away from the cloud. However, he also mentions Okta (an identity management service), which was unaffected by the outage because it designed its application to be fault tolerant.  

In other words, companies need to focus on whether the benefits of cloud computing outweigh its risks. The cloud provides pay-as-you-go computing, giving companies with uneven workloads the ability to buy compute resources when they need them. It also gives start-ups, like CodeGuard, a chance to get their offerings into the market. Here, here and here are the follow-up posts to their outage: they were able to get back online and they are sticking with Amazon. And this should not be a surprise to anyone. Technology start-ups can leverage the pay-as-you-go model of cloud computing to conserve their capital and instead focus on getting their offering out. For example, the founder of Animoto points out that they went from 50 to 80 instances to 3,500 instances over three days (they were signing up 25,000 new users per hour at the peak) when their app went viral. So companies will hopefully use the cloud outage to highlight the need for good design and appropriate controls, instead of as an excuse to stick to the status quo of on-premise computing. 
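The notice quoted above makes the distinction that matters: it was Single-AZ DB instances that were lost. The Python below is an added example for this post, not AWS or Okta code; it models in-process what "designed to be fault tolerant" means in practice: a store that writes to every zone, needs a majority of acknowledgements, and reads from whichever zone answers, next to a single-zone store that has nowhere else to go. The zone names and session data are placeholders, not a description of the real us-east-1 layout.

```python
class ZoneUnavailable(Exception):
    """Raised when a zone cannot serve a request (here: simulated power loss)."""


class Zone:
    """A toy key-value store standing in for one Availability Zone."""

    def __init__(self, name):
        self.name = name
        self.up = True
        self._data = {}

    def put(self, key, value):
        if not self.up:
            raise ZoneUnavailable(self.name)
        self._data[key] = value

    def get(self, key):
        if not self.up:
            raise ZoneUnavailable(self.name)
        return self._data[key]


class SingleZoneStore:
    """The Single-AZ deployment from the AWS notice: one zone, no fallback."""

    def __init__(self, zone):
        self.zone = zone

    def put(self, key, value):
        self.zone.put(key, value)

    def get(self, key):
        return self.zone.get(key)


class MultiZoneStore:
    """Writes go to every reachable zone and must be acknowledged by a majority;
    reads try zones in order and return the first answer. Losing a minority of
    zones costs nothing; losing a majority stops writes but reads still come
    from whatever remains."""

    def __init__(self, zones):
        self.zones = list(zones)
        self.quorum = len(self.zones) // 2 + 1

    def put(self, key, value):
        acked = []
        for zone in self.zones:
            try:
                zone.put(key, value)
                acked.append(zone.name)
            except ZoneUnavailable:
                continue
        if len(acked) < self.quorum:
            raise ZoneUnavailable(f"only {len(acked)} of {len(self.zones)} zones acknowledged")
        return acked

    def get(self, key):
        last_error = None
        for zone in self.zones:
            try:
                return zone.get(key)
            except ZoneUnavailable as err:
                last_error = err
        raise ZoneUnavailable("no zone reachable") from last_error


def outage_scenario():
    """Replay the shape of the 2012 event: one zone loses power after data was
    written, then a second one. Returns what each deployment could still do."""
    zones = [Zone("us-east-1a"), Zone("us-east-1b"), Zone("us-east-1c")]  # placeholder names
    single = SingleZoneStore(zones[0])
    multi = MultiZoneStore(zones)
    single.put("session:42", "alice")
    multi.put("session:42", "alice")

    zones[0].up = False  # the power issue hits the zone the single-AZ store lives in
    result = {}
    try:
        result["single_read"] = single.get("session:42")
    except ZoneUnavailable:
        result["single_read"] = None
    result["multi_read"] = multi.get("session:42")
    result["multi_write_acks"] = multi.put("session:43", "bob")  # 2 of 3 is still a quorum

    zones[1].up = False  # a second zone goes: reads still work, writes lose quorum
    result["multi_read_after_two_losses"] = multi.get("session:42")
    try:
        multi.put("session:44", "carol")
        result["multi_write_after_two_losses"] = True
    except ZoneUnavailable:
        result["multi_write_after_two_losses"] = False
    return result


if __name__ == "__main__":
    for name, value in outage_scenario().items():
        print(f"{name:30}: {value}")
```

What the model leaves out is the hard part of the real event: the "storage inconsistency" that remains when a zone comes back with data that diverged from the others. Reconciling that is the work a properly replicated database does for you, and it is the reason the post argues for design and controls rather than for abandoning the cloud.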



Sunday, April 29, 2012

Cloud Computing and Unbilled Deferred Revenue: On the way to another bubble?

I was reading this report on the outlook for cloud computing from GigaOm and came across an interesting accounting term: "unbilled deferred revenue". When I googled the term, I came across the following explanation from Salesforce.com: "Unbilled deferred revenue, represent[s] business that is contracted but unbilled and off balance sheet". In other words, it is revenue that can't be recognized because it is not yet earned, and it is off-balance sheet because it has not even been billed or collected yet! Will such funky accounting terms be used to fuel a bubble vis-à-vis the cloud? It appears I am not the only one who saw the need to look into this a little deeper. This article actually analyzes the term and gives some rationalization for the concept: "[Subscription economy is] one way to make sense of cloud computing and the many new and very different ways of doing business on the Internet. We're most familiar with Software as a Service and how different it is from conventional licenses; so familiar, in fact, that I don't need to describe it for you here." 


One of the key factors in bubbles (based on a paper that Efrim and I wrote a few years ago) was "speculative valuation models". So the next step is for some physicist to figure out how "unbilled deferred revenue" can be put into a Black-Scholes-type finance model, and voila! We are on our way to the next tech bubble. 


Of course there are other factors (see the paper for the list) that are necessary to inflate a bubble. The one to pay particular attention to is whether credit is flowing freely. With the debt woes of Europe and people still stinging from the sub-prime crisis, this factor may inhibit the inflation of such a bubble. However, this assumes banks and traditional lenders will be the primary source of capital. The reality is that tech companies are awash in cash and, as evidenced by Facebook's acquisition of Instagram for a cool billion, they appear ready to step in and make the deals that could fuel another tech bubble.  

Thursday, April 26, 2012

Google Drive: Cost, Security and Other Issues

Earlier this week, Google released its much anticipated Google Drive (even the official blog referred to it as the "Loch Ness monster", since Google was supposed to release it years ago). For those interested in how Google Drive stacks up against other cloud-based storage services, see Dana Wollman's post on Engadget. Included in her post is a side-by-side comparison of Google's offering against Dropbox, Microsoft SkyDrive and iCloud. In terms of security issues, this CIO article points out that it will be hard for system administrators to block Google Drive, because it will be hard to distinguish from the other Google services (e.g. Gmail, YouTube, etc.) that many organizations allow users to access. 

As with any other cloud service, users need to be aware of the terms of service (ToS, or "click-wrap" agreement), which bind users to all sorts of conditions (this ZDNet article gives a good analysis of how Google is imitating Dropbox a little too much). This article claims that users' concerns that shared content would be owned by Google "are probably unfounded". Their evidence: Google's ToS are the same as Microsoft's ToS for its cloud drive offering. However, the following ZDNet article extracted the ownership clauses, and it seems that Microsoft is much clearer in stating that the content belongs to the user and not Microsoft (but you can see for yourself and decide). 


Although Google may capitulate to public pressure and alter the terms of service, the incident highlights one of the key trade-offs with the cloud: the convenience of the cloud comes at the cost of control. For example, most, if not all, cloud service providers (CSPs) will hand over data to law enforcement without the consent of the data owner. However, if the same law enforcement agencies wanted data hosted at your business or house, they would have to come to you first, with your consent or a warrant served on you, because you are in control and not the CSP. 


Beyond the privacy issues, if CSPs are free to write their own terms of service, customers, especially small and medium sized businesses (SMBs), will be at the mercy of these large players, who have an army of lawyers at their disposal to write the ToS in a way that protects the CSP, leaving SMBs vulnerable. That is, until there's some cataclysmic breakdown in the cloud forcing regulators to act to protect users from such agreements, similar to what we saw with SOX, or even the birth of the SEC itself after the Depression.