Sunday, September 27, 2015

It's been 17 years since Google went live!?

Can you believe it's been 17 years since Google has been around?! 

Google's Doodle for today takes us back down memory lane to an era prior to Google. It's especially memorable for those of us who were in university in the late 90s because we had access to high speed internet on campus unlike the painfully slow dial-up at home. 

I remember my first job as a coop student at the UW Federation of Students (I can't believe this quote is still hanging around from that time!) when a co-worker was explaining to me how OpenText was the best search engine (of course using my NetScape Browser). Of course back then there was a number of search engines including, Yahoo, Lyco, Alta Vista, etc. However, I stuck to OpenText for a while then eventually switched, along with everyone else, to Google. 

Back then Google was a struggling start up. Of course now its tech behemoth facing the regulatory scrutiny that was once reserved for Microsoft (again from the late 90s). 

Well Lycos, OpenText (as a search engine) and AltaVista may be long gone, but it looks like plaid is back!

Wednesday, September 23, 2015

Google Glass: Where is it at?

Ever wondered what happened to Google Glass?

Well wonder no longer!

According to recode, Google glass has been re-branded as project Aura. As noted in this Fortune article, the company decided to focus on the business potential of the project as the consumer oriented device had lackluster demand. According to Fortune, Google glass is being used by industries such as healthcare, energy and manufacturing.


What does this mean?

It yet again gives credence to the trend that IT is being repatriated to the enterprise, as predicted Deloitte's 2015 TMT predictions. On a previous post, I had noted that the Intel's growth area was in support of data centres instead of consumer products - giving kudos to Duncan Stewart and team. But this serves as another evidence of their prediction being right.

Interestingly, Google has been able to procure the services of employees used to work on Amazon's Kindle tablets. Will this breathe in the consumer savvy that Amazon has been bringing to US customers?

Although the sources cited earlier say that this will be hitting the consumers some time in the near future, I still think that the privacy concerns I raised on a previous post on Glass still exist. Specifically:

"The issue, however, with Google Glass is that it is integrated into one's person's physical body and, unlike a smartphone, video camera or that ancient camera with smoke and all,  it inherently lacks the social mechanism to communicate that the interaction is being recorded. Even with social media, it is well understood that the communication is occurring in a medium that can be easily shared, so those that engage in such a communication understand there is a possibility that their conversation is not private and may not be kept confidential. In other words, precisely because Google Glass is integrated into the moment, it inherently lacks the ability to gather:
  • "Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed."
  • "Choice and consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information."
(This was taken from AICPA-CICA Generally Accepted Privacy Principles, see page 7)"

Author: Malik Datardina, CPA, CA, CISA. Malik works at Auvenir as a GRC Strategist that is working to transform the engagement experience for accounting firms and their clients. The opinions expressed here do not necessarily represent UWCISA, UW, Auvenir (or its affiliates), CPA Canada or anyone else.

Thursday, September 10, 2015

12.9 inch iPadPro: Too pricey or a step towards "2-in-1 Domination"?

Yesterday, Apple launched its latest line of mobile devices. However, it's the "off year" where the "S-ify" their existing line up, so mostly incremental improvements around their successful line of smartphones and tablets. Perhaps the most interesting announcement with respect to the phone line up was the new payment plans you can get. As reported by the Verge, "You can either pay for the 6S in installments of $27 per month, or lease an iPhone for $32 per month, which lets you trade in your phone for a new one every year". Note: this is a US only program.

The other big announcement was the 12.9 inch iPad Pro, which seems odd at first glance as they decided for a bigger form factor. The following video gives a good overview of the features that this new "mega-tablet" offers:



This very much seems to address the woes in the tablet market that we discussed recently. As I noted in a recent blogpost:

"Things don't look as rosy for the iPad. Fortune reported that "the iPad is the current leader in the tablet market, accounting for 24.5% of all tablet sales, its market share has consistently decreased by about 18% over the last few years". 

Nick Statt of CNET posted a great article that discusses some possible reasons as to the declining fortunes of the tablet. Once seen as a PC killer, now is in a state of normalization. One could argue that the tablet is entering into the "trough of disillusionment" after slide down the "peak of inflated expectations"...When it comes to the larger tablet form factors, Nick points out that tablet owners are favouring to keep their iPads for a longer period of time and now are opting for the 2-in-1s (like Lenovo's Yoga line of laptops), which enable more productivity than the tablet counterparts." [emphasis added]

As they have highlighted in the video, they have designed the tablet to work with the Logitech "Create" magnetic clip on keyboard. The keyboard interfaces via the magnetic clips instead of Bluetooth, thus saving battery life. They also unveiled the $99 Apple Pencil, featured in the following video:

Apple has been the vendor of choice for the creative, so it's no surprise that they decided to focus on the stylus instead of the keyboard.

The biggest proof, however, that they are going for the 2-in-1 market is that they invited Microsoft to demo how the Microsoft Office leverages the Apple pencil to work with Excel, Word and PowerPoint. As the Verge notes in this article, the pencil can draw shapes that converts to actual shapes. The video also highlights how you can use the multi-window feature to move content between the Office Apps. Microsoft gives more details on these features on post the put up yesterday.

Although I thought the size of the mega-tablet would throw people off, the price may be a bigger factor that could be an obstacle to consumers. The tablet starts at $799 coming with 64 GB of storage, the keyboard runs about $169, and the pencil is another $99. That puts the starting price at $1,067. In contrast a 2-in-1 Yoga starts at $829.

Will Apple be able to turn its tablet fortunes around?

I think that this move will enable them to compete effectively in the 2-in-1 market place as well as the traditional tablet marketplace: those who are in the market for a new laptop or new tablet will give this a serious look. However, I don't think it will change the overall market demand for the tablet. Tablets are no longer a novelty device: they are largely consumption devices where you can get some work done, but the heavy lifting is best left to a good old laptop.   




BNY Mellon Software Glitch: Cost of IT Control Failure

In the previous post on the BNY Mellon's technology woes, we explored what the company did right as well as the overall need for independent evaluation of the technology that runs the Information Age. In this post, we explore the costs and consequences of the breach.

One of the challenges for putting in controls around information integrity is that it is a hard sell: what's really the value of accurate information? This is in contrast to something like information security where it is also hard sell, but much easier. The reason? When an information security breach occurs, it is largely to access something of value that can be monetized. The Poneman Institute puts this cost at approximately $174 per record.

Consequently, it is easier for someone to go to the CEO/CFO and explain how tightening controls around information security will protect the company's bottom line. Furthermore, information security breaches are something that has entered the mass consciousness within the business community: SunGard was quick to reassure everyone that the issue affecting BNY Mellon's accounting software was NOT attributable to "any external or unauthorised systems access".

When making the business case for controls over information, it can be challenging to show how the control will lead to savings in terms of "decision failure", i.e. the cost of making the wrong decision due to unreliable information. Let's face it: most companies are willing take big risks on their information by continuing to rely on spreadsheets that have an error rate of 88%. Furthermore, as highlighted by this Protiviti study, internal auditors understand the information integrity challenges but are not getting the funding to tackle them.

So the incident at BNY Mellon is rare occurrence where something that is mis-priced can actually lead to costs. As noted in the Wall Street Journal:

"A software glitch this week at fund administrator Bank of New York Mellon Corp. caused difficulties in pricing many mutual funds and exchange-traded funds, prompting some fund sponsors to publish lists of funds whose stated asset values were erroneous.

What can you do if one of your funds is on the list, meaning you may have overpaid for shares?

Reach out to your fund company and ask for a refund. They don’t have to give you one but firms may do so because of their often long-term relationships—ones they want to keep—with investors, analysts said."

The other costs include:

Of course we won't know the full cost until, the regulatory probe finishes and the publish their findings or the cost was material and this shows up in the financial statements. Regardless, organizations should be proactive in ensuring that sufficient technology controls are in place and that these types of risk are controlled. 









Monday, September 7, 2015

BNY Mellon Software Glitch: Time to make SysTrust mandatory?

As was widely reported in the business press, BNY Mellon experienced a technical glitch that affected its ability to price mutual funds accurately. Based on the press release from one of the affected funds, the problems started on Monday August 24th, where one of BNY Mellon's system "InvestOne" managed by SunGard was pricing about 800 mutual funds inaccurately.

So what was the cause of this fiasco?

According to CNN, "BNY Mellon outage occurred after a SunGard accounting system it uses became "corrupted" following an upgrade. A back-up also failed."

Normally, this type of thing will force the party experiencing the breach intense scrutiny over what went wrong. However, as I went through the timeline posted by the company, I found (reading between the lines) that they did a number of things right, such as:
That being said, there is always room for improvement. When I was reflecting on this, I speculated that this was another case of inadequate testing of the system upgrade. However, according to SunGard, this was not the case. As they noted on their website:

"The issue appears to have been caused by an unforeseen complication resulting from an operating system change performed by SunGard on Saturday, August 22nd. This maintenance was successfully performed in a test environment, per our standard operating procedure, and then replicated in SunGard’s U.S. production environment for BNY Mellon. This change had also been previously implemented, without any issues, in other InvestOne environments. Unfortunately, in the process of applying this change to the SunGard production environment of InvestOne supporting BNY Mellon’s U.S. fund accounting clients, that environment became corrupted. Additionally, the back-up environment hosted by SunGard, supporting BNY Mellon’s U.S. fund accounting clients, was concurrently corrupted, thus impeding automatic failover. Because of the unusual nature of the event, we are confident this was an isolated incident due to the physical/logical system environment and not an application issue with InvestOne itself."

Given my background as a CA, CPA and CISA, I have always thought it is an odd contradiction that we expect infrastructure (road, dams, bridges, etc.) to be certified by engineers to be in working order (key word is expect, as John Oliver notes in the video below, this is not exactly up to snuff!), but do not have the same expectations for the technology that runs the Information Age.

And that's where I have always proposed that it is necessary to have a framework like SysTrust (now SOC2 and SOC3) in place that requires companies to ensure that their systems are reliable: secure, available, and able to process information without messing it up.

Based on the experience between SunGard and BNY Mellon, I think it actually proves the case. Although companies, like SunGard, likely have such controls in place it is beneficial to others to have a second set of eyes on those controls, ensuring that they are in place, are designed effectively and are operating effectively. The reason is that with such mandatory audits in place, it will allow for the circulation of best practices through such audits. This occurs in the financial auditing world through "management letter points".

One other area that we should explore is the total impact of this error, as it will give insights into the "total impact of failed IT controls". This will be the topic of the next blogpost.



Saturday, September 5, 2015

Monitoring the FIs: Auditors to the rescue?

Wall Street Journal had an interesting article earlier this week on the inner workings of out-of-court settlement deals with FIs. It noted how Western Union had to use a "monitor" to independently oversee the implementation of policies and procedures to remediate it's business practices that were found to be illegal by the Arizona's attorney-general. Specifically, the company had to pay $94 million (this was mentioned in the AG's website, not the WSJ article) for facilitating "blood wires" on behalf of "organized criminal cartels that seek to profit from Arizona’s porous border".

Activists, such as Matt Taibbi, have criticized such out of court of settlements as examples of a two-tiered justice system. He specifically cites how HSBC paid $1.9 billion for laundering drug money, but no jail time for the CEOs. In contrast, Cameron Douglas, son of the famous Michael Douglas, got 5 years for drug crimes (including possession and dealing).

Regardless of such a critique, it does give insights into how the audit profession can play an effective role in balancing the needs of businesses and oversight. The WSJ article goes into some detail as to how monitors are chosen by law enforcement officials (and the companies themselves) to ensure that the corporate governance and controls are implemented to ensure that the particular indiscretion does not occur again.

The article focused on the relationship between one of the monitors, Ted Greenberg (who according to the WSJ was a prosecutor) and his work with Western Union. However, Greenburg and Western Union had a fallout over the aggressive nature of his recommendations. The Arizona AG agreed and fired Greenburg.

And that's what I find interesting. Often the concept of "reasonable assurance" is something that non-auditors find hard to digest. And it seems that this could have played a role in the overbearing recommendations provided by Greenburg - who is a prosecutor not an auditor. And as it turns out, the Arizona AG seems to have the same line of thinking: they ended up replacing Greengburg with BDO.