Showing posts with label infosec. Show all posts

Thursday, December 22, 2016

Rogue One: A Star Wars Story or A Backup Story?

I recently saw Rogue One, the latest installment in the Star Wars series of films.



I feel obligated to warn you that this is a spoiler alert.

However, if you have seen Episode IV: A New Hope, then you already know the outcome. But read on at your own peril.

As we know from Episode IV, the Death Star plans were obtained "at a high cost". And Rogue One is all about how the rebels get these plans. The protagonist, Jyn Erso, struggles to locate her father who is actually a fifth column within the Empire - purposely building a weakness into the Death Star. However, for his plan to succeed the rebels need to get their hands on - you guessed it - an offsite tape backup!

I kid you not!

Think about it: even in "a long time ago in a galaxy far, far away", those tape backups are the main way the Empire keeps a backup of their data.

The dramatic scene in which they are trying to get the backup tape requires the heroes to use mechanical arms to pull the backup out of the tape library. Of course, the arms break down just as the stormtroopers overrun the building, forcing the heroes to retrieve the data themselves.

Yes, they can travel at lightspeed, but they still have not managed to move away from tape backups to the cloud or something else. Yikes.

To be fair the Star Wars movie makers had a tough balancing act: how do they remain true to the original but at the same time account for the fact that the original movie was made 2 decades before the Internet and 3 decades before the iPhone? 

In a way, the epic Battle of Scarif is really the story of how the rebels (the hacktivists, if you will) do their best to defeat the myriad information security controls the Empire has in place to keep its backups secure. 
  • Physical security: The Empire definitely has good physical security: a whole armada of ships to protect Scarif, and a lightsabre-wielding Darth Vader to boot! This includes the impenetrable shield used to prevent unauthorized vehicles/starships from entering the facility. Kind of like a futurized version of a bollard.
  • Logical security: Really, Empire? Only passwords? Of course, entering the facility required the Rogue One crew to present a valid "access code". Perhaps if they had used two-factor authentication or changed the access codes more frequently, their facilities would have remained secure.  
  • Obscurity: Not sure whether the Empire had encryption, but they did ensure that to find the tapes you needed to know how the backups were labeled and stored. On this point, perhaps the Empire could have used better training to ensure Erso's dad was instructed not to use the names of family members. 
  • Offsite backups: Talk about offsite backups! Not only was the tape not located on the Death Star or at the facility where Erso's dad was engineering the Death Star, it was located light years away! 
  • Authorized communications: Part of the challenge the rebels faced was that the file was too large and needed a special channel to transmit the plans to the rebels.
Probably not the full list of controls, but who would have thought a background in IT Audit would give you insights into a Star Wars Story :)

Monday, May 16, 2016

CATS2016: Exponential Tech & the CPA

Today, I presented at the Canadian Accounting Technology Show and discussed exponential technologies and their potential impact on the profession.

During the presentation, I promised a blogpost for the attendees who wanted to dig deeper in the presentation. So here it is!

IBM Watson's Victory over Ken Jennings
During the talk I refer to Ken Jennings and Brad Rutter's defeat at the hands of IBM's Watson. (See Engadget's video for more on this "exponential event".)
This post gives some background on the new "space race" between the tech-giants for the killer AI app and also gives a link to Ken's talk.

For additional information on Watson and the medical profession check out this video.

Exponential versus Linear Technological Change
Kodak, which invented the digital camera in 1975, was ultimately disrupted by that very same technology. In fact, one of its employees applied Moore's Law to pixels per dollar in digital cameras.

Why?

The problem illustrates that Kodak (as well as Polaroid) had linear thinking and didn't realize how quickly digital technology would become the norm and the preferred way of consuming photography. In this post, Peter Diamandis talks about how 30 linear steps contrast with 30 exponential steps (and talks more broadly about linear vs exponential thinking), and Ray Kurzweil talks about the infamous story of how the inventor of chess requested an exponential amount of rice (and is rumoured to have lost his head).

Predictions on the Automation of White Collar Work:
These stats are what actually prompted me to propose to CPA Canada that we should have a talk discussing this phenomenon. The variety of sources that have chimed in on the topic, combined with an understanding of exponential change, highlights the importance of looking deeper into the trend instead of dismissing it as just fear, uncertainty and doubt (FUD). This of course is not limited to the accounting profession, but impacts all white-collar workers (check out IBM Watson's latest application to automate aspects of the legal profession).
  • "Job destruction will happen at a faster pace, with machine-driven job elimination overwhelming the market's ability to create valuable new ones." (Gartner)
  • "…knowledge work automation tools and systems could take on tasks that would be equal to the output of 110 million to 140 million full-time equivalents (FTEs)." (McKinsey)
  • "94% probability accounting/auditing will be automated" (Oxford Study)
  • The Finance Department has seen a decrease from an average of 119 people (2004) to 71 people (2014), a reduction of 40% (Hackett Group; as taken from this WSJ article, "The New Bookkeeper Is a Robot")
Exponential Technologies
As noted during the presentation, these are the key exponential technologies that are likely to enable this automation.

Artificial Intelligence: "Science of making computers do things that require intelligence when done by humans." During the presentation, I mention this pharmacist robot being able to dramatically reduce medication errors, which according to the FDA are responsible for 1.3 million injuries.

For other information check out this Deloitte publication on AI and Cognitive.

Internet of Things: "Billions of interconnected sensors and devices will soon exchange data; effectively the physical flow of goods, people, and things will now leave a “digital trail”." RFID inventory does provide some insights in how this digital exhaust left by physical goods can improve inventory management and responsiveness to customers (see this RFID Journal article for more details).

For more on IoT, check out the Deloitte TMT Prediction regarding the technology.

Blockchain: "The blockchain dis-intermediates the need for a centralized trusted authority to administer an exchange of value between parties." As I note in the presentation, I feel the blockchain needs a lot of nuance when discussing how the technology has the potential to disrupt the profession. The technology (as implemented in the exchange of the cryptocurrency Bitcoin) itself won't replace the audit because its controls are designed for the purposes of giving comfort to a retailer, such as Overstock.com, that the buyer has not spent the currency somewhere else. However, if a retailer was then to tell an auditor that they sold goods to these public addresses, the auditor would need to verify that the retailer was not selling the goods to itself (i.e. they would need to verify that the addresses that the retailer sold to are not controlled by the retailer). In other words a sale for the purposes of Bitcoin is not a sale for accounting purposes.

That being said, auditors can’t ignore blockchain as it is the first decentralized approach to exchange value that eliminates the need for a trusted intermediary.

To understand the blockchain better, check out the following videos:
  • Blockchain technology will drastically change our lives: This video gives a good overview of the implications of bitcoin and illustrates the role of the network in maintaining the ledger.
  • How Bitcoin works under the hood: There is a 5-minute non-technical video, a 5-minute technical video and a 22-minute video, all of which do a good job of using animation to explain how bitcoin is tamper-proof.
  • Khan Academy: The videos are about 90 minutes in total, but it is comprehensive. 

Crowdsourcing: "Process of obtaining needed services, ideas, or content by soliciting contributions from a large group of people, and especially from an online community, rather than from traditional employees or suppliers."

For more on crowdsourcing, I wrote a post on its potential impact. The post gives a good background exploring the use cases brought up by Jeff Howe (who coined the term crowdsourcing).

Near the end of the post, I noted that:

"Can accountants/auditors be crowdsourced like the way professional photographers were? It seems where crowdsourcing works best is an arena where you find hobbyists who do such things out of passion instead of obligation."

Since writing that post I found Gigwalk which illustrates how non-expert tasks within accounting or auditing can be done by the crowd (see this post near the bottom). Also, during the CATS conference it was noted that 50% of practitioners will be retiring over the next 5 to 10 years. Such retirees could form a huge pool of people who want to work casually in their retirement thereby enabling the audit to be crowdsourced.

Concluding thoughts
To meet the challenge of the exponential change, I feel that we need to do the following:

  • Hands-on Approach to Technology: University courses on programming, data analytics and data science should become a standard part of the accounting student's education. Although tools change over time, I think accounting students who know an open-source statistical package like R would have more options in terms of employment. With respect to data science, (audit) sampling belongs to an era of small data. Consequently, for auditing theory to keep pace with the way big data is transforming how organizations deal with their data, auditors need to be able to traverse both data science and auditing theory. 
  • Bring in the "hackers": An extension of the above recommendation is to get the people who think outside the box and disrupt the way we do things.
  • Greater focus on cyber security: According to Alec Ross, cyber security is currently a 400 billion dollar problem and is expected to be a $175 billion industry by 2020. Security is a natural extension for CPAs, who already need to understand internal controls, governance and concepts of risk (impact, likelihood, threats, etc.). With IoT, the security risks can only be expected to grow exponentially, as now even the IoT-enabled fridge can be hacked (and the FTC thinks so as well).
  • Smart Contracts + AutoRepos of Smart Cars = Flash Crash10: As I have written previously about AlgoTrust (second post and first post), this is another area that CPAs can focus on: auditing algorithms. Just imagine how these algorithms could feed into blockchain-enabled smart contracts that trigger a massive repossession of smart cars, leaving a city in chaos as people try to figure out how to get home. In other words, CPAs can act as independent monitors of algorithms to ensure such risks are safeguarded against. 
  • CPAs-as-a-Crowd: CPAs should leverage the combined power of social and cognitive technologies to get smarter by sharing knowledge and using "smart rooms" that employ machine learning and other AI technologies. 
Bringing such change to the profession will not be the work of one entity alone. Firms, educators, professional bodies and companies need to work together to ensure that the CPA profession will thrive in the world of exponential change that is just around the corner. 


Author: Malik Datardina, CPA, CA, CISA. Malik works at Auvenir as a GRC Strategist that is working to transform the engagement experience for accounting firms and their clients. The opinions expressed here do not necessarily represent UWCISA, UW, Auvenir (or its affiliates), CPA Canada or anyone else.



Thursday, September 10, 2015

BNY Mellon Software Glitch: Cost of IT Control Failure

In the previous post on the BNY Mellon's technology woes, we explored what the company did right as well as the overall need for independent evaluation of the technology that runs the Information Age. In this post, we explore the costs and consequences of the breach.

One of the challenges in putting in controls around information integrity is that it is a hard sell: what's really the value of accurate information? Contrast this with something like information security, where it is also a hard sell, but a much easier one. The reason? When an information security breach occurs, it is largely to access something of value that can be monetized. The Ponemon Institute puts this cost at approximately $174 per record.

Consequently, it is easier for someone to go to the CEO/CFO and explain how tightening controls around information security will protect the company's bottom line. Furthermore, information security breaches are something that has entered the mass consciousness within the business community: SunGard was quick to reassure everyone that the issue affecting BNY Mellon's accounting software was NOT attributable to "any external or unauthorised systems access".

When making the business case for controls over information, it can be challenging to show how the control will lead to savings in terms of "decision failure", i.e. the cost of making the wrong decision due to unreliable information. Let's face it: most companies are willing to take big risks with their information by continuing to rely on spreadsheets that have an error rate of 88%. Furthermore, as highlighted by this Protiviti study, internal auditors understand the information integrity challenges but are not getting the funding to tackle them.

So the incident at BNY Mellon is a rare occurrence where something that is mis-priced can actually be shown to lead to costs. As noted in the Wall Street Journal:

"A software glitch this week at fund administrator Bank of New York Mellon Corp. caused difficulties in pricing many mutual funds and exchange-traded funds, prompting some fund sponsors to publish lists of funds whose stated asset values were erroneous.

What can you do if one of your funds is on the list, meaning you may have overpaid for shares?

Reach out to your fund company and ask for a refund. They don’t have to give you one but firms may do so because of their often long-term relationships—ones they want to keep—with investors, analysts said."

The other costs include:

Of course, we won't know the full cost until the regulatory probe finishes and the regulators publish their findings, or until the cost proves material and shows up in the financial statements. Regardless, organizations should be proactive in ensuring that sufficient technology controls are in place and that these types of risk are controlled. 

Monday, May 11, 2015

Hey CPA: Should I get anti-virus for my home network?

Recently, I was having a conversation with my friend's 12-year-old daughter. She's an avid e-book reader and her Kobo is a close companion. We were discussing the susceptibility of the Kobo (in contrast to her computer) to viruses. I wasn't sure what OS was on the Kobo, but I did a quick check and realized that it was a Linux operating system. So I explained the economics of malware: most malware is designed for the Windows or Mac operating system, because criminals want to get the most bang for their buck. So the likelihood that hackers would target Kobo tablets would be quite low.

Then it struck me: would a CPA be able to lead this sort of discussion?

The recent merger of the professional accounting bodies prompted the publication of a new competency map. The new competency map, however, greatly reduced the amount of technology competence required by a CPA.

Coincidentally, the WSJ published a review of the Bit Defender BOX around the same time I had this discussion. For what it is, see Amazon's Video Review.


As with the conversation with the 12-year-old, I wondered whether a CPA could keep pace with the issues brought up in the article, which include:
  • If there's an OS, there's a risk of virus infection: The proliferation of "smart" devices is actually a proliferation of operating systems. As they point out, there are no large-scale infections to report yet. But the point is that there is a risk of infection and consumers need to figure out how to handle it.
  • Network controls versus end-point controls: The protection against viruses can be put either on each device (e.g. mobile phone, tablet, smart thermostat, etc.) or at the network level. But which one is better? And that's the point: could a CPA discuss the advantages and disadvantages of each approach?
  • Evaluating intrusion detection systems (IDS): The Box is, in a sense, the IDS for the masses. As noted by the WSJ, the Box sent a number of "unhelpful alarms". In other words, the system generated "false positives", which means that users will initially check each alert diligently, but then ignore subsequent alerts assuming they are false alarms. 
  • Limitations of scanning devices: The article also notes that the device can't inspect encrypted traffic. More generally, it talks about the overall (lack of) reliability and 
  • Best security practices: The article also notes several best practices to make home networking safer, including patching/updating router software and enabling auto-update, use of strong passwords, hardening systems (i.e. changing the default user ID and password on things like routers), use of WPA2 (i.e. not WEP, which can be easily cracked), and use of a guest network instead of sharing passwords. 
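The home-networking practices listed above can be turned into a simple checklist that a router's settings are scored against. The following is an added example and not code from the original post or from the WSJ article; the configuration dictionary, its field names and the list of default credentials are constructed for illustration (real routers expose these settings through their own admin UI or API, not in this form).

```python
"""Audit a home router's settings against basic hardening practices.

Added example, not from the original post. The configuration format, the
field names and the sample credential list below are assumptions made for
illustration only.
"""

# Constructed sample of factory-default admin credentials to flag.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
}

MIN_PASSWORD_LENGTH = 12  # assumed threshold for a "strong" admin password
ACCEPTABLE_WIFI = {"WPA2", "WPA3"}  # WEP and original WPA are flagged


def audit_router(cfg):
    """Return a list of findings (empty list means every check passed)."""
    findings = []

    # Patching: firmware updates should be applied automatically.
    if not cfg.get("auto_update", False):
        findings.append("auto-update disabled: firmware patches will not be applied automatically")

    # Hardening: the admin interface must not keep its factory credentials.
    user = cfg.get("admin_user", "")
    password = cfg.get("admin_password", "")
    if (user, password) in DEFAULT_CREDENTIALS:
        findings.append("admin interface still uses default credentials")

    # Strong passwords: a short admin password is a finding on its own.
    if len(password) < MIN_PASSWORD_LENGTH:
        findings.append(f"admin password shorter than {MIN_PASSWORD_LENGTH} characters")

    # Wi-Fi encryption: WEP is easily cracked; WPA2 or later is expected.
    encryption = cfg.get("wifi_encryption", "").upper()
    if encryption not in ACCEPTABLE_WIFI:
        findings.append(f"Wi-Fi uses {encryption or 'no'} encryption; use WPA2 or later")

    # Guest network: visitors should not receive the main Wi-Fi password.
    if not cfg.get("guest_network", False):
        findings.append("no guest network: visitors would share the main Wi-Fi password")

    return findings


# Constructed sample configurations: one as shipped, one hardened.
WEAK_CONFIG = {
    "auto_update": False,
    "admin_user": "admin",
    "admin_password": "admin",
    "wifi_encryption": "WEP",
    "guest_network": False,
}

HARDENED_CONFIG = {
    "auto_update": True,
    "admin_user": "homeowner",
    "admin_password": "correct-horse-battery-staple-42",
    "wifi_encryption": "WPA2",
    "guest_network": True,
}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_router(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Running the block prints five findings for the as-shipped configuration and none for the hardened one; each finding maps to one of the practices in the list above, so the output doubles as a to-do list for the router's owner.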
But that's not all. The WSJ also published this article detailing five key corporate security practices, including:
  • Patching, i.e. installing software updates to plug security holes in the software,
  • Limiting connectivity of devices on a "need to do basis",
  • Encrypting data that is confidential or highly confidential (e.g. credit card data)
  • Use of physical security devices instead of just passwords
  • Independently assessing vendor compliance with security. 
The interesting thing about this article is that it omits the use of SOC audit reports (see Amazon's FAQ on the topic or the AICPA's site) with respect to verifying the level of security compliance with the latter point. 

But, again, does the current competency map train CPAs sufficiently to spot that? 

We should keep in mind a couple of things.

Firstly, the WSJ is a good litmus test of what the business press can expect a business professional to know about IT security, and technology related controls more generally. 

Although not explicitly mentioned in the first article, one of the key trends that has raised the level of knowledge required of the average business professional is consumerization: individuals have access to technology, such as tablets, smartphones, networks, etc., that was once the sole domain of corporate IT. Consequently, the average business professional now needs to increase their knowledge of IT and IT risks to avoid a virus or getting hacked. For example, I heard a couple of guys at the gym discussing the risks of downloading illegal movies: getting targeted by regulators and malware infection. 

Secondly, my friend's kid is 12 years old and understands the concepts of viruses, operating systems and risk at a very rudimentary level. 

Okay so we all know the kids are tech savvy. 

But we need a competency map that will be relevant to the future generation entering the profession. Furthermore, if the CPA profession wants to achieve its vision of being the "globally respected business and accounting designation", it must not just meet the level of the business press but go beyond it.