
Friday, August 7, 2020

CPAs to the Future: Why Data Governance?

In 2018, CPA Canada held the Foresight Sessions, where they consulted CPAs and others on how the profession should move forward. CPA Canada took a broad view of the topic and brought a diverse crowd of people to look at how things could unfold. There were a number of facilitated sessions that looked at a number of possible scenarios and how the profession could thrive in each of those scenarios. What I liked about the sessions was the diversity of thought. The environment was so open that attendees were even willing to talk about things like wealth inequality and its potential impact on the profession.

So where did things end up? 

A report was published and the two key areas that became the focus were Value Creation and Data Governance.

Before looking at where we are now, it is good to take a step back and look at the underlying need to re-examine the profession. The CPA profession was born in a book-based world where knowledge went through a manufacturing process of sorts. Regardless of whether it is the accounting standards themselves or the actual financial statements, the idea was there was a sense of finality to the process. The Internet, and more specifically the hyperlink, changed that. Data, information and knowledge are now networked.

It's not to say that the profession was unaware of this. 

As a CPA, I got my start in the world of Audit Data Analytics back in 2000 (yes, 20 years ago, when this type of work was known as computer-assisted audit techniques). Back then, IT-focused CPAs like myself used tools like Audit Command Language or IDEA (sometimes referred to as 'generalized audit software'). This required the analysis of data largely for audit support.

CPA Canada also published the Information Integrity Control Guidelines (authored by Efrim Boritz and myself), which looked at how controls and "enablers" would create information integrity. The project was designed to take a fresh look at the traditional dichotomy between "general computer controls" and "application controls". For example, the publication also looked at controls specifically around content.

Why Data Governance? 

The challenge I have found is how to succinctly articulate how CPAs can play on the divide between business and technology. Data governance probably is a good place to start. Even when you consider something more technical like a 'data scientist', a key component is to have business domain knowledge. Hence, to capture the future it makes sense to look at something that is beyond technology but rather data and information. After all, accountants have experience with data, but not configuring routers. Furthermore, as pointed out in this CPA Canada article, "there is already a need for foundational standards of practice around all aspects of data governance and the data value chain".

Why are CPAs suited for data governance? 

I have always felt that CPAs have a solid foundation in understanding information. Through the FASB framework, we realize the trade-offs between relevance and reliability, as well as understanding the reality of what is needed to audit something. When looking at the work Efrim and I have done around information integrity, this was a key resource because it is unique in understanding the parameters of information. 


When teaching a class at Waterloo, I linked how this framework is now even relevant to social media companies. Google/YouTube, Facebook, and Twitter have all been "auditing" posts on their respective sites due to misinformation about COVID-19 or other matters. When covering this in class, the concern I raised was around the "slippery slope". For example, does that mean all the other posts are "materially correct"? Such things illustrate how CPAs can add value when it comes to data governance.

Author: Malik Datardina, CPA, CA, CISA. Malik works at Auvenir as a GRC Strategist that is working to transform the engagement experience for accounting firms and their clients. The opinions expressed here do not necessarily represent UWCISA, UW, Auvenir (or its affiliates), CPA Canada or anyone else.
 

Monday, December 3, 2012

The other DDoS: Denial of Service by DMCA

In information security, the common definition of DDoS is Distributed Denial of Service attack. However, there is a legally sanctioned form of DDoS: DMCA Denial of Service, where a user acting in good faith is 'denied service' because of an alleged infringement of the DMCA. The DMCA (i.e. the Digital Millennium Copyright Act) provides a means to enforce copyright protections online and was ultimately responsible for killing Napster (which enabled peer-to-peer sharing of music and other files). Although the Napster case was cut & dry to some (like the Recording Industry), there are cases where users are actually acting in good faith, but are taken down through enforcement of such an Act.

The case that illustrates this issue is the takedown of 1.45 million education blogs in October. James Farmer, CEO of EduBlogs, noted that "ServerBeach, to whom we pay $6,954.37 every month to host Edublogs, turned off our webservers, without notice, less than 12 hours after issuing us with a DMCA email." He went on to explain what the actual infringement was: "one of our teachers, in 2007, had shared a copy of Beck’s Hopelessness Scale with his class, a 20 question list, totalling some 279 words, published in 1974, that Pearson would like you to pay $120 for." Reading the blog further, it turns out that EduBlogs did actually comply with the DMCA request that they received. However, the issue that Pearson had was that (a) it was accessible via Google's cache and (b) it was accessible via EduBlogs' Varnish cache. In other words, James Farmer got legally DDoSed: 1.45 million blogs were made unavailable due to ServerBeach's rush to comply with the DMCA instead of "calling any of the 3 numbers for us [ServerBeach] have on file".

Edublogs, however, is not the only company to be DDoSed in this manner. Small companies that publish news reports on YouTube or other content sharing sites also face this danger. Take for example Leo Laporte's This Week in Tech (TWIT) new media network, which publishes tech-related podcasts and videocasts. The business model of this network rests on him being able to make the video available soon after its airing. Failure to do so will result in the company losing out on ad revenue because the "eyeballs never made it" to the particular show. Consequently, when one of their episodes gets pulled down by Google's robots, or at the request of the copyright holder (as noted here), it jeopardizes the TWIT business model, making him another DDoS victim.

From a risk perspective, the risk of such an event should be evaluated, especially for businesses that rely on revenues via the distribution of online content. Specifically, the agreement with the third parties that host their content should include provisions that enable them to at least demonstrate compliance prior to being taken down. However, both James Farmer and Leo Laporte have attempted to work with their respective providers to prevent this type of risk. Farmer complied with the request, while Laporte has attempted to contact Google and explain that he is a news organization. So this is easier said than done. Laporte hosts the videos on his own servers; however, the popularity of YouTube limits the effectiveness of this "backup strategy" (i.e. users won't go to the site to watch the video instead of YouTube). In the end, it may just be an unavoidable cost of relying on such providers.

From a longer-term perspective, it illustrates the clash between legacy laws and the capability of the Internet to "network knowledge". This concept is taken from David Weinberger's "Too Big to Know", which identified how the ability to share, link and debate information on the Internet transforms knowledge into a more fluid state in contrast to the static nature of books. He explains this concept in the following video:

James Farmer implicitly argued this point in his rant against Pearson when he said: "Here’s another idea Pearson, maybe one that you could take from Edublogs, howabout you let this tiny useful list be freely available, and then you sell your study materials / textbooks and other material around that… maybe use Creative Commons Non Commercial Attribution license or similar to make sure you get some links and business." In other words, Pearson has failed to understand this new world of networked knowledge, where a link to the "offending" list would link to other resources that Pearson has, enriching both Pearson and those using its publications.