
Thursday, January 9, 2025

AI at the Crossroads: Technology, Competition, and Society in 2025

1. AI Agents at Work: How Companies Are Automating the Future

Businesses are leveraging autonomous AI agents to streamline operations and boost efficiency. Companies like Johnson & Johnson use AI to optimize drug development, while eBay automates marketing and seller support. At Deutsche Telekom, AI agents handle employee queries and administrative tasks. These tools promise to cut costs and improve productivity, though cybersecurity and bias concerns remain. By 2028, 15% of business decisions could be made autonomously, highlighting the transformative potential of these technologies.

(Source: The Wall Street Journal)

  • Key Takeaway: AI agents are being applied across industries for diverse tasks like customer service and drug discovery.
  • Key Takeaway: They improve productivity by automating complex workflows.
  • Key Takeaway: Security and accuracy remain challenges as adoption grows.

2. China’s AI Leap: How Restrictions Are Failing to Slow Progress

Despite U.S. export controls on advanced semiconductors, China is closing the gap in AI development. Companies like DeepSeek and Tencent have unveiled AI models that rival U.S. benchmarks, fueled by innovation, talent, and resourceful use of less powerful hardware. As AI becomes a global power tool, the competition raises questions about the long-term efficacy of U.S. policies and their implications for global influence and security.

(Source: TIME)

  • Key Takeaway: China's AI progress has defied export restrictions, demonstrating adaptability and innovation.
  • Key Takeaway: The global AI race influences economic, technological, and military strategies.
  • Key Takeaway: U.S. policies may require adjustments to maintain a competitive edge.

3. AI in 2025: Key Trends Shaping the Future

From generative virtual worlds to reasoning models and scientific discovery, AI's impact in 2025 is poised to be transformative. Nvidia’s Cosmos model hints at smarter robotics and wearables, while reasoning AIs from OpenAI and DeepMind promise better problem-solving. Meanwhile, AI tools continue to aid research in biology and materials science, highlighting AI’s growing role in innovation.

(Source: MIT Technology Review)

  • Key Takeaway: AI is advancing gaming, robotics, and research through immersive virtual worlds.
  • Key Takeaway: Reasoning models are reshaping problem-solving across disciplines.
  • Key Takeaway: AI's role in scientific discovery and defense highlights its expanding influence.

4. The Rise of AI-Powered Smart Glasses: Nvidia's Vision for the Future

At CES 2025, Nvidia showcased its Cosmos AI model, designed to enhance devices' understanding of physical environments. Smart glasses like Meta’s Ray-Ban spectacles are emerging as promising platforms for AI assistants, capable of processing visual and audio inputs for complex tasks. Nvidia’s advancements could drive the evolution of AI-powered wearables, aligning with industry moves to create mixed-reality ecosystems.

(Source: CNET)

  • Key Takeaway: Nvidia's AI model enables smarter, more interactive wearable technologies.
  • Key Takeaway: Smart glasses are gaining traction as AI assistants, merging innovation with practicality.
  • Key Takeaway: The industry is converging on mixed-reality platforms, paving the way for wearable AI growth.

5. AI and the Workforce: A Double-Edged Sword by 2030



AI is projected to transform the labor market, with 41% of employers planning to downsize as tasks become automated. Roles such as clerks and graphic designers face decline, but 77% of employers are committed to reskilling their workforce for collaboration with AI. While job losses are evident, generative AI also augments human skills, creating opportunities for growth in other areas.

(Source: CNN)

  • Key Takeaway: Automation is reducing demand for traditional roles but increasing the need for AI-related skills.
  • Key Takeaway: Companies are investing in reskilling workers for AI collaboration.
  • Key Takeaway: AI presents both challenges and opportunities for the future workforce.

Author: Malik Datardina, CPA, CA, CISA. Malik works at Auvenir as a GRC Strategist who is working to transform the engagement experience for accounting firms and their clients. The opinions expressed here do not necessarily represent UWCISA, UW, Auvenir (or its affiliates), CPA Canada or anyone else. This post was written with the assistance of an AI language model. The model provided suggestions and completions to help me write, but the final content and opinions are my own.

Monday, June 3, 2024

Five Top Tech Takeaways: Microsoft Unveils AI PCs, Google's $125B Cloud Glitch, Battle of the Bots, Glue Pizza, and GPT-4 Outshines in Financial Forecasting


Battle of the Bots: WSJ's Comprehensive GenAI Evaluation 

A comprehensive test by the Wall Street Journal compared five top AI chatbots—OpenAI's ChatGPT, Microsoft's Copilot, Google's Gemini, Perplexity, and Anthropic's Claude—on everyday skills. The tests included tasks in health, finance, cooking, work writing, creative writing, summarization, current events, coding, and speed. Perplexity emerged as the overall winner, excelling in summarization and current events, while ChatGPT performed best in health advice and speed. Each chatbot demonstrated unique strengths and weaknesses, highlighting the rapid evolution and diverse capabilities of AI technology.

Key Takeaways:
  • Perplexity outperformed other AI chatbots in summarization and current events tasks.
  • Claude excelled at work and creative writing.
  • ChatGPT had the fastest response time.

Author's note: 

The Wall Street Journal's exercise is a valuable reminder that organizations must conduct a thorough and rigorous analysis of Generative AI (GenAI) vendors, just as they would with any other software procurement. The article provides a solid foundation for testing and evaluating these tools. However, it is crucial to note that effective testing can only be carried out once the potential business benefits have been clearly identified.

To ensure a comprehensive evaluation, organizations should first determine which specific functions will utilize the AI-powered chatbots and establish clear guidelines on how they will be used and managed within the company. This groundwork will enable the development of targeted test prompts, allowing for a more accurate assessment of which chatbot is best suited to meet the organization's unique needs and requirements. By aligning the testing process with the identified business objectives, companies can make informed decisions when selecting the most appropriate GenAI vendor for their specific use cases.

Microsoft Unveils AI-Powered Copilot+ PCs


Microsoft introduced the Copilot+ PCs, a new category of AI-enhanced Windows PCs with advanced silicon offering up to 40+ TOPS, extended battery life, and innovative AI features. These PCs feature Recall for memory-like data retrieval, Cocreator for real-time AI image creation, and live audio translation from 40+ languages. Starting at $999, they will be available from June 18 and include models from Microsoft Surface and other major brands.

Key Takeaways
  • Microsoft launched Copilot+ PCs, integrating advanced AI capabilities and powerful silicon.
  • Features include Recall for data retrieval, Cocreator for AI-driven image creation, and live translation.
  • The devices, starting at $999, will be available from June 18 from multiple major brands.
(Source: Microsoft)

From Glue on Pizza to Eating Rocks: Google's AI Under Fire

Google's new AI-generated search overviews have been widely mocked for providing bizarre and incorrect responses to user queries. Examples include recommending eating rocks based on a humor website, suggesting glue for pizza cheese, and sharing incorrect and offensive information about former President Obama. These errors highlight significant limitations and "hallucinations" in AI technology, prompting criticism and calls for better safeguards and accuracy in AI-generated content.

Key Takeaways
  • Google's AI search overviews have produced absurd and incorrect answers, causing social media backlash.
  • Errors included recommending glue for pizza and sharing false information about former President Obama.
  • Google's AI issues underline broader challenges in AI technology, especially regarding accuracy and reliability.

GPT-4 Outshines Humans in Financial Forecasting

A study by the Booth School of Business at the University of Chicago found that OpenAI's GPT-4 outperforms human financial analysts in predicting earnings changes from financial statements. Using "chain-of-thought" prompts, GPT-4 achieved a 60% accuracy rate compared to the low 50% range of human analysts. Additionally, trading strategies based on GPT-4's forecasts yielded more profitable results than traditional stock market approaches, suggesting significant potential for AI in financial decision-making.

Key Takeaways
  • GPT-4 surpasses human analysts in financial earnings predictions.
  • The AI model achieved a 60% accuracy rate, higher than human analysts.
  • GPT-4-based trading strategies generated higher profits than the stock market.
(Source: Business Insider)

Google's Cloud Glitch: UniSuper's $125 Billion Account Erased

Google inadvertently deleted the Google Cloud account of UniSuper, an Australian pension fund managing $125 billion. This incident left over half a million fund members without account access for about a week. UniSuper restored service via a backup account with another cloud provider. Google Cloud CEO Thomas Kurian and UniSuper CEO Peter Chun acknowledged the severity of the situation and assured measures have been taken to prevent future occurrences.

Key Takeaways:
  • Google accidentally erased a $125 billion pension fund's Google Cloud account, affecting over half a million users.
  • The issue was resolved using a backup account with another cloud provider.
  • Google and UniSuper CEOs stated measures are in place to prevent similar incidents.
(Source: Yahoo)

Author: Malik Datardina, CPA, CA, CISA. Malik works at Auvenir as a GRC Strategist who is working to transform the engagement experience for accounting firms and their clients. The opinions expressed here do not necessarily represent UWCISA, UW, Auvenir (or its affiliates), CPA Canada or anyone else. This post was written with the assistance of an AI language model. The model provided suggestions and completions to help me write, but the final content and opinions are my own.

Monday, September 11, 2017

Serendipity: Beyond the reach of Robot Professionals?

Came across a story about how Dr. Behfar Ehdaie at Memorial Sloan Kettering Cancer Center was figuring out how to deal with the emotions that come with a discovery of prostate cancer. His novel solution may give us some insights into the limits of robots in the professional world.

What he found was that his patients opted for radical treatments, such as surgery or chemotherapy, that resulted in side-effects that actually ended up being more harmful. To use a cliche, the cure was worse than the cancer.

For such patients, "the medical consensus is that active surveillance often is the appropriate treatment for small early tumors". Of course, such an approach is not risk-free, but the problem is that "despite the data showing that this approach is safe, about 50% of eligible men don’t get it either because they turn it down or their physicians don’t embrace it. Medical experts say many men have been overtreated, as their cancers probably posed little immediate danger."

What was his solution?

Negotiate with patients.

As noted in the WSJ article referenced above, he contacted Harvard professor Deepak Malhotra, who had authored an article on the topic, to develop strategies for negotiating with the patient. The idea, leveraging lessons from behavioral economics, was to make monitoring the anchor instead of surgery or chemo. Dr. Ehdaie and professor Malhotra devised a lecture that was delivered to doctors to help them learn from Dr. Ehdaie's successes with this approach.

But what does this have to do with limits of robot-professionals or robopros?

When it comes to cancer treatment and robots, one can't complete the conversation without mentioning IBM's Watson "Oncology Edition". In fact, IBM has a partnership with the same Memorial Sloan Kettering Cancer Center that Dr. Ehdaie works at. Here is a promo-video that speaks to the promise of Watson:



The key to understanding the limits to robot-professionals is the backstory on how Dr. Ehdaie first decided to explore negotiations as a way to deal with the issue.

This is where serendipity comes to play.

He was exposed to such concepts through discussions with his wife, who is an MBA. Meaning that he went beyond the cancer treatment journals and then discovered a non-standard approach to dealing with a problem. Robots are not good at this. Machine learning and AI are only as good as what you teach them. Even "simple" tasks require thousands of man-hours to train such algos. Perhaps this can be overcome, but currently, it is a real limitation of AI.

Does this make humans indispensable?
Really depends on the objectives that govern the profession and the organizations that hire them.

If it's about cost-cutting and making the process efficient and streamlined, robots are perfect, creating a fossilized bureaucracy that is resistant to change. Think about how financial institutions have yet to overhaul their ancient banking systems coded in COBOL:

"In the United States, the financial sector, major corporations, and parts of the federal government still largely rely on it because it underpins powerful systems that were built in the 70s or 80s and never fully replaced."

Similarly, if Dr. Watson replaces a large component of the diagnostic process it would become hard to dislodge it from the cancer treatment process.

On the other hand, if organizations recognize the value of human beings in being important to overall objectives of the profession - patient care, audit quality, etc. - then human judgment must be hardwired into the organization's DNA to avoid the development of such an inflexible system.

Author: Malik Datardina, CPA, CA, CISA. Malik works at Auvenir as a GRC Strategist that is working to transform the engagement experience for accounting firms and their clients. The opinions expressed here do not necessarily represent UWCISA, UW, Auvenir (or its affiliates), CPA Canada or anyone else

Wednesday, July 20, 2016

Passwords: How's that still a thing?

Passwords.

How is this topic still a thing? 

In two words: Mark Zuckerberg. 

In June 2016, Mark Zuckerberg got hacked and his secret password was revealed for all to see. Did it meet all those wonderful rules we learn in information security school? Was it ISO27001/2 compliant? 

Well his password was "dadada" - so I'll let you decide. 

The Wall Street Journal's Nathan Olivarez-Giles had a great article on hacking/passwords. 



The article refers to a site where you can check to see if you've been hacked https://haveibeenpwned.com/ - definitely worth checking out. 

Of course the next step is to then change the password on the 7 million devices you own, but who says hackers make your life boring? 

Passwords are the best illustration of the trade-off between convenience and security: you don't want the bad guys getting in, but at the same time you want to make it easy to use your email and the other services that you use.

One possible antidote to this unending saga of dealing with hackings - managing the convenience versus security divide - is the use of password manager services.

WSJ's Geoffrey Fowler had an article which reviewed "1Password, Dashlane, LastPass and PasswordBox"; giving the win to Dashlane.

Of course two-factor authentication, as Olivarez-Giles points out, is a key control that we all need to implement in our lives - especially since many popular services are making it easier to use such a feature.

The fact that passwords continue to be an issue reminds us that the most challenging aspect of a system is not the technology, but the people who use it.





Thursday, June 30, 2016

Algorithms stayed the chaos during Brexit storm: Can they help with auditor judgment?

The recent Brexit crisis hit the markets hard with the various stock indices plummeting and investors fleeing for the safe haven of gold, which went up "by $59.30, or 4.7 percent".

Amid this chaos, some investment strategies fared well - thanks to the use of robots.

According to the WSJ article, "Who Made Money in the Brexit Chaos? Machines, Not Humans", machines were immune to the fear, uncertainty and doubt that plagued markets (italics, highlight mine):

"This fund category, sometimes called commodity trading advisors, or CTAs, uses customized trading algorithms to spot market trends and place bets on futures and other derivatives. Most of the models didn’t factor in British election polls, bookmakers’ odds or the political-tea leaf reading that swayed other investors looking for an edge. In the weeks leading up to the Brexit vote, the trading models at many of these firms adopted a defensive pose. They favored high-quality government bonds, gold and safer currencies like the yen, while mostly avoiding riskier bets like oil and emerging markets.

That positioning paid off after Brexit caused the pound and more volatile assets to plunge as Thursday’s results came in. Société Générale’s CTA Index gained 1.5% on Friday. AQR Capital Management LLC, Fort and Welton Investments Partners LLC were among the big gainers... A key to CTAs’ success, their managers say, is that their models can tune out noise around market moving events—like an election or crucial economic data—that are important to investors but can be difficult to accurately forecast."

The article also quoted Lara Magnusen, portfolio strategist for Altegris’s main fund, who said (bold mine):

"Our models aren’t going to be affected by the same sentiments a human would be"

I thought that this was interesting as it illustrates how the machines can be seen as a way to provide an anchor when people are getting caught up in an emotional frenzy. Think of the implications for the world of audit and assurance, where professional judgements are made to determine what accounts, transactions, etc. are risky and should be tested. Imagine an audit algorithm that can act as an independent monitor that vets judgments of the audit professional - in a "race with a machine" scenario (for more on this idea see the Ted Talk below with MIT professor Eric Brynjolfsson). This could potentially improve auditor judgment, stakeholder confidence and audit quality.


Initially, I think this would be a way for audit firms to reduce the level of uncertainty associated with reviews from the PCAOB, CPAB and their equivalents in other jurisdictions. This would especially be the case if such audit oversight bodies would "bless" such algorithms and be able to ensure that the firms applied such judgment consistently, e.g. by having access to the "audit logs" produced by such programs.

The next - and more controversial - step would be to argue that independence rules can be relaxed in light of such automated oversight. To be honest I think there's a low likelihood of such an idea gaining traction with regulators in the near future, given that Europe has sought to require mandatory rotations of auditing firms. But it is something that should at least be contemplated, especially when automation becomes commonplace and attitudes may change towards how algorithms can play nicely with humans.

Wednesday, November 4, 2015

Did WSJ go too far in exposing Apple employee home purchasing habits?

The WSJ published an article discussing the cost of houses in the Bay Area. As per the title of the article, "Apple Paychecks—One Reason for High Home Prices", the key culprit they highlight is the significant salaries that the Apple employees are allegedly paid.

The data for the findings were based on work that Zillow completed "at the request of The Wall Street Journal"; Zillow "used census data to track down where workers in the census tract that is dominated by Apple’s Cupertino, Calif., headquarters live—primarily neighborhoods in the San Jose and San Francisco metropolitan areas". It's not clear if they relied on their own data to complete this analysis. As per the graph below, Zillow tied the rising house prices to iPhone sales.



To be fair, and to abide by full disclosure principles, the article does also note that "[z]oning laws and regulatory red tape are key factors as well". However, would it be the WSJ if it didn't lay such a charge?

Where to begin? The article raises a lot of issues in terms of the role of publicly available data - regardless if it is only the census data, data gathered by aggregators such as Zillow or social media sites.

As I had written a couple of years ago, the article actually is the promise of social media to "return us to the village". In the village privacy was limited because people knew each other and any deeds or misdeeds made by the individual were quickly found out by the community. A good example of how social media accomplishes this was the role of the public in identifying the rioters involved in the post-Stanley Cup "celebrations". If such a riot had happened in the village, the rioters would have been held accountable in a similar manner.

The Zillow-WSJ effort is really along similar lines: if employees of a company or members of a particular guild were buying up houses and driving up prices in a particular area, wouldn't people in the village know?

Furthermore, it actually is village business. We need to understand how we will live with one another and how we are going to make the most of living together in this shared space called community, which requires an understanding of how the actions of one group within the community will impact others, especially when it relates to a basic need like housing.

That being said, it opens up the issue of big data and its ramifications on privacy. Although the above rationale translates well into issues relating to communal benefit, it doesn't translate well into issues relating to how private entities can handle the information they were given for a specific purpose. This of course refers to the concept of "consent" well-established within privacy parlance.

The authors of Big Data: A Revolution That Will Transform How We Live, Work, and Think raised this issue in their book. As I had noted in a previous post:

"The authors, however, raise a much more interesting point when discussing privacy in the era of big data. They highlight the conflict between privacy and profiting from big data. They note how the value of big data emerges from the secondary uses of big data. However, privacy policies require the user to consent to a specific use of data at the time they sign up ahead. This would prohibit companies from big data. However, corporations in their drive to maximize profits will ultimately make privacy policies so loose (i.e. to cover secondary uses) that the user essentially has to give up all their privacy in order to use the service. What the authors propose is an accountability framework. Similar to how stock issuing companies are accountable to the security regulators, the idea is that organizations would be accountable to a privacy body of sorts that reviews the use of the big data and ensures that companies are accountable for the negative consequences of the data.

For those of us that have been involved in privacy compliance, such an approach would make it real for companies to deal with the privacy issues in a proactive manner. We saw how companies' attitudes towards controls over financial reporting shifted from mild interest (or indifference) to active concern with the passage of Sarbanes-Oxley. In contrast, no similar fervour could be found in the business landscape when addressing privacy issues. Although the solution is not obvious, the reality is that companies will make their privacy notices meaningless in order to reap the ROI from investments made in big data."












Monday, October 26, 2015

Hey CPA: What's this machine learning all about?

Harvard Business Review online published a great article summarizing how machine learning and analytics work in a business context. It uses an illustrative set of decision trees to show how this works in a cable business scenario (something we can all relate to) and then ends with the following graphic on how a hypothetical algorithm would determine whether a customer would continue with the cable subscription or join the cord cutter crowd.





It's a great illustration of how HBR breaks down these "glob" words like machine learning, algorithm, etc., and transforms them into digestible concepts. Furthermore, and I would say more importantly, it illustrates a rising level of expectation of technology knowledge for client-facing business professionals, like accountants and consultants.

In a previous post, I had noted the following with respect to a couple of WSJ articles on information security and malware:
"WSJ is a good litmus test of what the business press can expect a business professional to know about IT security, and technology related controls more generally.

Although not explicitly mentioned in the first article, one of the key trends that has raised the level of knowledge required for the average business professional is consumerization: individuals have access to technology, such as tablets, smartphones, networks, etc. that were once the sole domain of corporate IT. Consequently, now the average business professional needs to increase their knowledge of IT and IT risks to avoid a virus or getting hacked. For example, I heard a couple of guys at the gym discussing the risks of downloading illegal movies: getting targeted by regulators and malware infection."

We could also apply this to the HBR article: it too is a good litmus test of the level of competence that a Canadian CPA should have in leading edge topics such as machine learning and its relationship with analytics.

We should recognize that the technology and security concepts discussed in these articles represent the minimum standard of what is expected from an accountant. If we as a profession want to achieve the vision of being the "globally respected business and accounting designation" [emphasis mine], then we must go above and beyond this minimum and surpass expectations of our clients, employers and business community at large.

Saturday, September 5, 2015

Monitoring the FIs: Auditors to the rescue?

The Wall Street Journal had an interesting article earlier this week on the inner workings of out-of-court settlement deals with FIs. It noted how Western Union had to use a "monitor" to independently oversee the implementation of policies and procedures to remediate its business practices that were found to be illegal by Arizona's attorney-general. Specifically, the company had to pay $94 million (this was mentioned in the AG's website, not the WSJ article) for facilitating "blood wires" on behalf of "organized criminal cartels that seek to profit from Arizona’s porous border".

Activists, such as Matt Taibbi, have criticized such out-of-court settlements as examples of a two-tiered justice system. He specifically cites how HSBC paid $1.9 billion for laundering drug money, but no jail time for the CEOs. In contrast, Cameron Douglas, son of the famous Michael Douglas, got 5 years for drug crimes (including possession and dealing).

Regardless of such a critique, it does give insights into how the audit profession can play an effective role in balancing the needs of businesses and oversight. The WSJ article goes into some detail as to how monitors are chosen by law enforcement officials (and the companies themselves) to ensure that the corporate governance and controls are implemented to ensure that the particular indiscretion does not occur again.

The article focused on the relationship between one of the monitors, Ted Greenberg (who according to the WSJ was a prosecutor) and his work with Western Union. However, Greenberg and Western Union had a falling out over the aggressive nature of his recommendations. The Arizona AG agreed and fired Greenberg.

And that's what I find interesting. Often the concept of "reasonable assurance" is something that non-auditors find hard to digest. And it seems that this could have played a role in the overbearing recommendations provided by Greenberg - who is a prosecutor, not an auditor. And as it turns out, the Arizona AG seems to have the same line of thinking: they ended up replacing Greenberg with BDO.



Wednesday, August 26, 2015

PCs: "The news of my death has been greatly exaggerated!"

With Apple's iPad storming the scene, some felt that the PC was dead, giving away ground to the tablet form factor. What I felt that Apple achieved with the iPad was the "toasterfication of IT": turning a relatively complex device into something that is as easy to operate as a toaster. This lent it to be something that would be a fan favourite with the elderly and kids.

Things don't look as rosy for the iPad. Fortune reported that "the iPad is the current leader in the tablet market, accounting for 24.5% of all tablet sales, its market share has consistently decreased by about 18% over the last few years".

Nick Statt of CNET posted a great article that discusses some possible reasons for the declining fortunes of the tablet. Once seen as a PC killer, the tablet is now in a state of normalization. One could argue that the tablet is entering into the "trough of disillusionment" after sliding down the "peak of inflated expectations". Nick explains in his article that mini-tablets have lost market share to the phablet (as I have noted in previous posts, I strongly dislike this term. But phonelet isn't much better!). Quoting IDC analyst, Jean Philippe Bouchard, "When your phone is only an inch or two shy, what's the point".

I find his analysis dead on: when I migrated from the Blackberry, I went straight to the Samsung Note to get a larger screen that would be easier to type because I was so used to the physical keyboard. However, when I was contemplating getting the Nexus 7 from Google, I thought exactly that: why bother with the tablet when my Note is already a "pocket tablet"? 

When it comes to the larger tablet form factors, Nick points out that tablet owners are keeping their iPads for a longer period of time and are now opting for the 2-in-1s (like Lenovo's Yoga line of laptops), which enable more productivity than their tablet counterparts.

Why is this the case?

It seems to me that people have realized that tablets are more of a consumption device rather than a productivity device: they are great for reading, listening to podcasts or watching videos. However, if you want to churn out a blogpost, document or even email - you need that physical keyboard.

The Wall Street Journal also had an interesting op-ed pointing to the continued usefulness of the PC. Geoffrey Fowler attempts to convince us that the next computer should actually be - wait for this - a desktop! Mr. Fowler, not without humour, mentioned how a friend asked him whether he still drove a horse and buggy!

Jokes aside, I think he does a pretty good job in pointing out that when you are able to connect remotely via multiple devices to cloud based software to get your work done, desktops make a lot of sense. In the article, he included the following link that points to the improved productivity (17% more to be exact) of using a full keyboard and mouse. The article includes a number of suggestions, including the HP Pavilion mini, which looks quite tempting (see the CNET preview below). Definitely agree with the tip about using the keyboard and mouse: I actually lug around my ergonomic Microsoft mouse and keyboard, connecting to my work issued 2-in-1 Lenovo Yoga to save my wrists and neck.



The revived interest in the PC and the retreat in sales of the iPad highlight the importance of being on top of tech trends and avoiding the "bleeding edge": executives should be sure of the business value of the technology before jumping on the bandwagon.


Wednesday, June 17, 2015

Can Inadequate Disaster Recovery Planning be worse than locusts?

Why are US farmers facing a disaster?

Is it due to locusts? No.

It's due to inadequate IT disaster recovery planning.

As reported in the Wall Street Journal, the US Immigration Department is unable to issue visas to temporary workers due to a system failure. Specifically:

"“The system that helps perform necessary security checks has suffered hardware failure,” said Niles Cole, a State Department spokesman. “Until it is repaired, no visas can be issued.” He said technicians are working around the clock to resolve the issue but couldn’t offer a timeline for when the system would be back in action.

Specifically, a central database isn't receiving biometric information from U.S. consulates world-wide, he said. Biometric data, including fingerprints, are used for security screening of applicants."

And the losses are mounting daily. Over 200 workers are sitting at the Mexican-US border waiting to be processed by the system so they can get into the US and help harvest the crops. The article reported that farmers are losing between $500,000 and $1,000,000 per day because the fruits are spoiling.

Reading this article, I had the following questions:

Why isn't there a hot site? 
Given the importance of the technology, why don't they have the ability to swap to a new piece of hardware instantaneously?

Was the security information backed up and why is there no manual workaround?
If it's digital information, why isn't there a manual workaround to transmit the information and circumvent the faulty hardware? The data could be manually uploaded to the central database.

Was a proper risk assessment done?
When a disaster recovery plan (DRP) is created for a system, the organization must determine the Recovery Time Objective (RTO), which determines how quickly a system will be restored after failure. Google, for example, has an RTO of zero. To determine what the RTO is, there needs to be an assessment of the impact of such a failure. In this case, when setting the RTO, did the risk management professional include the fact that this system was critical in supporting the H-2A visa program for temporary farm workers? It should be noted that the US farmers association had paid into this program and now they are suffering losses of over $500,000. This will also reduce the number of tourist visas issued, potentially resulting in lost tourist dollars to the US.

The lesson we can learn from this is to ensure that we understand what business processes a system supports and understand the impact to those business processes should the system go down.

Monday, May 11, 2015

Hey CPA: Should I get anti-virus for my home network?

Recently, I was having a conversation with my friend's 12-year-old daughter. She's an avid e-book reader and her Kobo is a close companion. We were discussing the susceptibility of the Kobo (in contrast to her computer) to viruses. I wasn't sure what OS was on the Kobo, but I did a quick check and realized that it was a Linux operating system. So I explained the economics of malware: most malware is designed for the Windows or Mac operating systems, because criminals want to get the most bang for their buck. So the likelihood that hackers would target the Kobo tablets would be quite low.

Then it struck me: would a CPA be able to lead this sort of discussion?

The recent merger of the professional accounting bodies prompted the publication of a new competency map. The new competency map, however, greatly reduced the amount of technology competence required by a CPA.

Coincidentally, the WSJ published a review of the Bitdefender BOX around the same time I had this discussion. For what it is, see Amazon's Video Review.


As with the conversation with the 12-year-old, I wondered whether a CPA could keep pace with the issues brought up in the article, which include:
  • If there's an OS, there's a risk of virus infection: The proliferation of "smart" devices is actually a proliferation of operating systems. As they point out, there are no large-scale infections to report yet. But the point is that there is a risk of infection and consumers need to figure out how to handle the virus.
  • Network controls versus end-point controls: The solution for the virus can either be put on each device (e.g. mobile phone, tablet, smart thermostat, etc.) or at the network level. But which one is better? And that's the point: could a CPA discuss the advantages and disadvantages of each approach?
  • Evaluating intrusion detection systems (IDS): The BOX is, in a sense, the IDS for the masses. As noted by the WSJ, the BOX sent a number of "unhelpful alarms". In other words, the system generated "false positives", which means that users will initially check each alert diligently, but then ignore subsequent alerts, assuming they are false alarms.
  • Limitations of scanning devices: The article also notes how the device can't work on encrypted traffic. More generally, it talks about the overall (lack of) reliability and 
  • Best security practices: The article also notes several best practices to make home networking safer, including patching/updating router software and enabling auto-update, using strong passwords, hardening systems (i.e. changing the default user ID and password on things like routers), using the WPA2 standard (i.e. not WEP, which can be easily cracked), and using a guest network instead of sharing passwords.
But that's not all. WSJ also published this article detailing five key corporate security practices, including:
  • Patching, i.e. installing software updates to plug security holes in the software,
  • Limiting connectivity of devices on a "need to do basis",
  • Encrypting data that is confidential or highly confidential (e.g. credit card data)
  • Use of physical security devices instead of just passwords
  • Independently assessing vendor compliance with security. 
The interesting thing about this article is that, on the last point of verifying a vendor's level of security compliance, it omits the use of SOC audit reports (see Amazon's FAQ on the topic or the AICPA's site).

But, again, does the current competency map train CPAs sufficiently to spot that? 

We should keep in mind a couple of things.

Firstly, the WSJ is a good litmus test of what the business press can expect a business professional to know about IT security, and technology related controls more generally. 

Although not explicitly mentioned in the first article, one of the key trends that has raised the level of knowledge required of the average business professional is consumerization: individuals have access to technology, such as tablets, smartphones, networks, etc., that was once the sole domain of corporate IT. Consequently, the average business professional now needs to increase their knowledge of IT and IT risks to avoid a virus or getting hacked. For example, I heard a couple of guys at the gym discussing the risks of downloading illegal movies: getting targeted by regulators and malware infection.

Secondly, my friend's kid is 12 years old and understands the concept of viruses, OS and risk at a very rudimentary level.

Okay so we all know the kids are tech savvy. 

But we need a competency map that would be relevant to the future generation that will be entering the profession. Furthermore, if the CPA profession wants to achieve its vision of being the "globally respected business and accounting designation", it must not just meet the level of the business press but must go beyond.



Tuesday, May 5, 2015

Should Algorithm Audits be mandated for HFT firms?

I was heading into work on the train and came across the WSJ's op-ed piece on the need for regulation around algorithms involved in trading. The article mentions how the regulators have not done much since the Flash Crash of 2010.

What is the Flash Crash of 2010?

As noted in the piece, "flash crash hit on the afternoon of May 6, 2010, as riots in Athens and a European debt crisis weighed on markets. In about eight minutes the Dow Jones Industrial Average fell 700 points before rebounding." 

The op-ed goes on to dismiss the "official" explanation (i.e. a large hedge placed by a US firm and the financial shenanigans of a UK-based day trader) and states: "More important, they say, is the role of high-frequency firms, which use hard-to-monitor algorithms to trade large amounts of stock in fractions of seconds. If they trade erratically, the market can come unglued, as happened in the flash crash."

The article notes that the SEC has been exploring mandating disclosure requirements and controls on firms that use algorithms. However, the article also quotes a number of regulators who say they don't have enough funds to keep pace with the firms.

Before I go back down memory lane, it is also worth noting that there are other experts who hold that algorithms, from a privacy perspective, need to be regulated. Bruce Schneier, a well-known information security expert who helped review the Snowden documents, also calls for "auditing algorithms for fairness" in his latest book, Data and Goliath (see clip below for a summary). He also notes that such audits don't need to make the algorithms public, which is the same way financial statements of public companies are audited today. This keeps a balance between confidentiality and public confidence in the company's use of our data.


So is it time for auditing algorithms through an "AlgoTrust" offering?

As I noted in my reflections on "Big Data: A Revolution That Will Transform How We Live, Work, and Think":

"[H]ow would you go about auditing an algo? Although auditors lack the technical skills of algorithmists, it doesn't prevent them from auditing algorithms. The WebTrust for Certification Authorities (WebTrust for CAs) could be a model where assurance practitioners develop a standard in conjunction with algorithmists and enable audits to be performed against the standard. Why is WebTrust for CAs a model? WebTrust for CAs is a technical standard where an audit firm would "assess the adequacy and effectiveness of the controls employed by Certification Authorities (CAs)". That is, although the cryptographic key generation process is something that goes beyond the technical discipline of a regular CPA, it did not prevent the assurance firms from issuing an opinion."

I also noted:

"some of the ground work for such a service is already established. Fundamentally, an algorithm takes data inputs, processes it and then delivers a certain output or decision. Therefore, one aspect of such a service is to understand whether the algo has "processing integrity" (i.e. as the authors put it, to attest to the "accuracy or validity of big-data predictions"), which is something the profession established a while back through its SysTrust offering."

What I saw to be the challenge at the time I penned that blog post is market demand for this type of service. The answer appears to be that the SEC could mandate such audits and leverage the CPA firms the same way they do for financial audits. However, instead of rendering an opinion on the financials, such audit firms would render an AlgoTrust opinion on the algorithms to ensure that they are in line with Generally Accepted Algorithmic Principles instead of Generally Accepted Accounting Principles (sorry I couldn't resist!).

Beyond WebTrust for Certification Authorities, companies are currently leveraging SysTrust, which has been subsumed into the SOC 2 and SOC 3 audit reports. For example, Salesforce.com gets an audit opinion that provides reasonable assurance that its systems are secure and available, and that it maintains the confidentiality of the information it is provided with.

The AlgoTrust standard should address issues such as the ones raised in the WSJ (i.e. as it relates to trading algos) as well as ensuring the preservation of privacy. But it should not stop there. In the original post, Chris Steiner explains how algos are invading all parts of life, including things like robot pharmacists.

We have at least three experts from three different fields: finance, data, and information security that all see the value in auditing algorithms. If the CPAs don't take the lead on this, who will? As Bruce Schneier notes it won't be easy, but it is something that will eventually be tackled by either the CPA profession or someone else.