Friday, December 30, 2016

RPA and the Accountant: A path out of the mundane?

One of the latest hype technologies is Robotic Process Automation (RPA).

My first question when coming across this was: what is the difference between this and cognitive computing?

As can be seen in these videos, it's more about "dumb" automation than "smart" innovation: routine tasks are handled by the system instead of a person. This is in contrast to something like IBM's Watson, which attempts to understand language and offer probabilistic judgments as to what is the right answer to a question, as it did on Jeopardy!


The first video (produced by Deloitte UK) does a great job of actually showing us how RPA can automate the process of extracting information/documents from email and then generating invoices through the company's ERP:



The strength of this video (produced by EY) is showing us the business case for RPA:


The idea is that RPA can automate routine tasks, instead of offshoring them. In other words, it brings the world of automation once reserved for the assembly line to the back office.

This Deloitte publication positions RPA as the first step towards a cognitive enterprise - automate the task and then bring cognitive, AI, machine learning, etc., into the process to make it smarter.

To use a maturity model approach, RPA is the first level in bringing together the necessary data and processes to actually train the algorithm to make it smarter.

What does this mean for auditors and accountants?

For accountants, the back office is going to require fewer people to execute these mundane tasks.

However, this doesn't necessarily mean that jobs will be lost.

As with the advent of cloud computing, enterprises will have to determine whether such talent can be used more effectively to improve the quality of financial reporting and work on the backlog of finance projects that haven't been attended to because staff were working on these low-value tasks. That being said, the pressure of meeting quarterly targets to feed investors' insatiable desire for profits can't be ignored when discussing whether management will choose profits over better processes.

For auditors the story is a little different.

The reality of the profession is that it can't retain talent because people find the work unsustainable: it's hard to shut down your personal life for a third of the year or more to meet the needs of clients during busy season.

RPA and automation could make the profession more sustainable, as these mundane tasks could be handed to a system instead of a junior. This is similar to the "race with the machine" concept I mentioned in this post, when referring to how Watson is helping doctors treat cancer. Auditors could then focus on more value-added tasks, such as assessing aggregate risks, industry trends, etc. Such insights will improve audit quality and give clients a better understanding of business and audit risks, making the work more interesting for auditors and auditees alike.

Author: Malik Datardina, CPA, CA, CISA. Malik works at Auvenir as a GRC Strategist that is working to transform the engagement experience for accounting firms and their clients. The opinions expressed here do not necessarily represent UWCISA, UW, Auvenir (or its affiliates), CPA Canada or anyone else.

Thursday, December 29, 2016

Blogging for bitcoins? A look at the crypto-change alternative to paywalls

Another interesting talk at the American Banker conference discussed how cryptocurrency more broadly could address the issue of advertising, ad blockers and paywalls.

One of the presenters, Victoria Van Eyk, wrote a post on Medium that essentially summarizes the issues as follows:
  • Advertisers lose one-to-many media to the Internet: Although not explicitly mentioned in her post, our journey begins with the Internet displacing the incumbents - TV, print and radio - as the advertisers' destination of choice. It was the Internet that enabled the "attention merchants" (as Tim Wu puts it in his latest book) to better target us in terms of ads.
  • Targeted Ads, Privacy and the Invasion of our minds: The post does a good job of summarizing the creep factor of the ads - how technology has been developed to actually follow you around on the web to get you to buy something based on your habits. The other aspect is the whole idea of advertising itself or, as Tim Wu puts it, the "sale of attention". His talk at Google summarizes the history of how both public and private enterprises used the media and "sticky eyeballs" to attract attention; see the video below for a quick snippet of the type of things he discusses.


  • Ad Blockers - the remote control of the Internet: Of course technology is a double-edged sword. So like the remote control that enabled people to skip commercials (which Tim Wu explains was invented by the eccentric owner of Zenith, Eugene F. McDonald, as an electronic device that would literally zap the commercial), ad-blockers came to be our best friend in terms of protecting us from these unwanted ads.
  • Media companies strike back: Just when you think the consumer rebellion would succeed against the corporate empires, they strike back. Companies make you turn off the ad blocker to use their website. As they hold access to the material, they ultimately have the power to withhold the content unless we comply with their demands.
  • Enter crypto-currency based micro-payments: The solution to this tug-of-war? Micropayments. When I heard the panelist discuss this, I thought this made a lot of sense. Being someone who has given in to paywalls, I would most likely have a media budget set aside that would allow me to pay for articles - 10 cents here or 25 cents there - to consume content. This is much better than being on the hook for hundreds of dollars a month for subscriptions you may or may not use. In Victoria's post, she mentions a number of services that are working on this model, including Brave (which uses cryptocurrency) as well as Patreon (see video below).


As I mentioned in my last post, bitcoin represents the world of open, and this is one of the use cases that illustrates its potential. With bitcoin, micro-payments can potentially be a cheaper, frictionless way of making these types of payments, which were prohibitive in the credit-card-centric world that we currently inhabit. For example, Brave notes in their FAQ that they charge 5%. However, without bitcoin they would have to charge a 2.5% credit card fee on top of that for their business to be viable.

Although it would be nice for us to see this hit a critical mass, I think one of the challenges beyond the cost is the underlying psychology that prevents people from paying out: I think many would rather sell access to their mind to the attention merchants instead of paying out digital cash. 
  

Wednesday, December 28, 2016

Public versus Permissioned Blockchain: All of the above?

Earlier this year, I attended the American Banker's conference on Blockchain.

One of the sessions that attracted me to the conference was the session, "The Debate: Permissioned vs. Permissionless Blockchains".

This is one of those good old tech "religious" debates on whether the future is open or closed - similar to open source versus proprietary software debates of old.

Public blockchain here refers to Bitcoin or Ethereum.

As for permissioned or closed blockchains, I had written an earlier post where I explored Goldman's take on the "permissioned blockchain" where the participants are known to each other. I had noted in the post that the "consensus mechanism in the permissioned blockchain is quite different than its public counterpart, which relies on the proof of work (POW)... This is not the case for permissioned system which require the consortium who set-up the blockchain to determine how they will work with each other". Some main examples of permissioned blockchains are R3, Hyperledger, and NASDAQ's Linq. The following video gives a quick breakdown of Hyperledger and the key features of a permissioned ledger:


Before seeing the debate (more of a spirited discussion), my view was that permissioned was going to win out.

To be honest, what I see as the main obstacle of the public blockchain is the amount of energy it needs to sustain itself.  Linked to that is how much more energy it would require to hit the level of Visa or other credit card transaction processing to become mainstream.

It's not to say there aren't other issues, such as confidentiality and regulatory opposition to the technology, but I see this as one of the key challenges. So I thought we would at least see permissioned ledgers dominate at the outset.

However, what I realized after seeing the debate was that I wasn't approaching this from the right perspective.

What Siddharth Kalla (Chief Technology Officer, Acupay) noted in the debate was that you need to think about what the equivalent of Google is on the blockchain. What he was saying was to think of blockchain as the equivalent of the Internet: how could we have predicted that TCP/IP would have ushered in the technology giant we now know as Google?

That concept hit my mind like a bolt of lightning: think about all the things that Google has brought about: search, Gmail, Android, and cloud-based office productivity.

That's the power of open.

And what I realized is that I needed to think of bitcoin or Ethereum as the Internet of Value's first proof-of-concept (POC). There will be some way to overcome the limitations I noted above and make it viable. It's only a matter of time before the equivalent of Sergey Brin and Larry Page unleashes the power of open on the public blockchain.

So what about the permissioned blockchain? Will it die out?

Where I have landed is that this is not about one or the other. Rather, each solves a different problem. The public blockchain is about exchanging value with strangers. The permissioned blockchain is about exchanging value with private parties that an entity regularly deals with. In a gross oversimplification of the latter, it is a "secured-shared-spreadsheet" that replaces the routine exchange of spreadsheets by email. I like the term distributed ledger technology, as used by the World Economic Forum, to describe the latter.

Although the two are closely linked now in terms of community and development, eventually the two communities will separate based on what societal or business challenge they address. 

Monday, December 26, 2016

Virtual Personal Assistants: How far will they go? Part 2

In the last post, I spoke about the advent of Virtual Personal Assistants (VPAs) in terms of Gartner's predictions as to where they will go and how popular culture sees them coming to enable our lives.

For the second part of this post, I wanted to talk about my first work experience - ever - with a fully virtual assistant.

Let me set the context.

In the course of my work, I was dealing with a vendor who was trying to arrange a meeting with us through his personal assistant, Amy Ingram.

So we were going back and forth to fix a date and time for the conference call.

I responded to the initial request as follows:

"Hi Amy,

Actually out of town on Tuesday; Thursday is open though. Does that work with you?"

"Her" response was (using Billy as a pseudonym):

"Hi Malik,

I'm sorry, but that time doesn't work for "Billy".

How about Wednesday, Jun 22 at 11:30 AM EDT? "Billy" is also available Wednesday, Jun 22 at 3:00 PM EDT or Thursday, Jun 23 at 9:00 AM.

Amy
"


When I read Amy's response, I thought to myself something like: "I told her that Thursday is open, so why did she say that doesn't work for "Billy"?" But I thought something like "whatever" and just responded with:

"Thursday at 9 am works, thanks"

To which Amy responded:

"Hi Malik,

Thanks for letting me know.

I'll send out an invite once I've confirmed a time with "Jim".

Amy
"

[Jim is my colleague; true name hidden for confidentiality purposes]

Eventually, it dawned on me: I wasn't dealing with a person, but a robot!

And then it hit me: the future is here.

The one thing that I realized through my interaction is how forgiving I was about the error because I thought the thing on the other side was human: everyone makes mistakes and so it's no big deal that "she" didn't get that I was open on Thursday.

This has a deeper implication on how "knowledge work" gets automated.

When we gauge machines for the ability to perform cognitive tasks, such as booking meetings, we should be careful as to how good is good enough for us to work with machines instead of humans. As we can see based on my interaction, they don't need to be perfect - they just need to get the job done.

In my interaction above, we were able to schedule a meeting and the fact "she" didn't understand that I had told her Thursday was open had no real consequence on the overall role "she" was playing. The meeting eventually got booked and that was that.

Ironically, I realized that I had already come across Amy at the DLD Conference in NY that I had attended a few weeks earlier.

Dennis Mortensen (founder of x.ai) describes the challenge of setting up meetings and how this technology can solve the problem (profanity alert!):

His talk starts at 5m47s:


As Dennis mentions, it's a very basic problem but at the same time it's so complicated. Specifically, there is the challenge of dealing with politeness: it's hard for AI to parse through this and understand the substantive facts that pertain to setting up the meeting. If we take a look at my response, we can see the challenges firsthand:

  • When I said I was out of town, the AI had to understand that this meant I was not available.
  • I did not include Wednesday as a date that was possible, so that implies that I'm also not available that day.
  • When I stated I was open on Thursday, I meant I was available all day.

So what does this mean for jobs? Are accountants going to be replaced by Amy one day?

It actually shows the level of complexity involved in the most basic of human interactions and how much more complex it would be to train AI to do even the most basic of auditing procedures - at least for now.

Dennis actually made a good point about this in the Q&A portion of the discussion as it relates to jobs. The other presenter noted how he sees massive displacement as a result of AI, specifically in the truck driving industry. Dennis, on the other hand, was a bit more optimistic. He noted that what tools like his will do is essentially give assistants to people who don't have assistants. For example, the vendor we were dealing with likely wouldn't have hired an assistant to help book appointments.

And I think that's where auditors and accountants need to actually see how AI assistants, like Amy Ingram, can help with automating those mundane tasks that none of us likes to do.

Sunday, December 25, 2016

Virtual Personal Assistants: How far will they go? Part 1

Gartner in a recent press release gave some predictions around "virtual personal assistants".

What are virtual personal assistants or VPAs?

Currently, they are the not-so-perfect voice-activated software that accompanies our mobile devices - Apple has Siri, Microsoft has Cortana and Google has Google Now.

On the latest Google phone, Pixel, they have Google Assistant:


Although only available for limited release, the video is actually a good summary of the promise of VPAs: the software that will help us coordinate our lives through our ever-so-central-to-our-lives smartphones.

And that takes us back to how important these VPAs will become. According to Gartner, within two years 20% of all interactions with our smartphones will be through VPAs.

The press release from the research giant also noted some interesting stats on how frequently people are using Siri and Google Now.

In the UK/US, 54% of people surveyed used Siri in the last 3 months. With respect to Google Now, 41% have used it in the UK and 48% have used the service in the US (in the last 3 months). They also noted that they will move from simple tasks (e.g. setting alarms) to more complicated things such as executing transactions.

By 2020, Gartner predicts that VPAs combined with machine learning, IoT, biometrics and other technologies will enable 2 billion devices to operate without a touch interface.

How far can this go?

When I was thinking about writing this post, I thought about my first interaction with an artificially intelligent assistant. However, before going there I thought it would be interesting to first go back to the movie "Her".

I saw the movie on the plane on one of the business trips that I took.

The movie is about the ultimate stage of, well, virtual personal assistants.

As noted in the trailer below, the "OS" is something that exists on the mobile device but acts as a central management point that brings a person's data together. In the movie, the OS (voiced by Scarlett Johansson) has a real personality that in a sense accompanies the protagonist, played by Joaquin Phoenix, everywhere. The movie goes a bit crazy as they apparently start "dating".

On a side note, I thought the movie was interesting as it speaks to how technology has filled the void in the life of the atomized individual. The story shows how the protagonist has had a bad breakup and turns to this OS for substitute companionship.

Sure this is far-fetched.

But how many times have we left a real conversation with a real loved one only to get to the virtual world of our phones? Of course, it's not some fake person, but it's not difficult to see how we could switch to the artificial world of VPAs because we have become accustomed to interacting with these endless streams of notifications.

The other part of the movie that I found interesting was how the mobile device is so nondescript. For someone like myself, smartphones have always had this novelty. But in the movie it's not anything exciting to look at. In a sense, what's more important is the actual OS running the device. As Gartner predicts, what becomes more important is the "touch-free interaction" between the OS and Joaquin - and the device disappears into the background.

Only time will tell how far this technology will go. But I think it's fairly easy to see how such VPAs will become more entrenched in our lives the more "human" they become.


Friday, December 23, 2016

[Update] New Auditors on the Blockchain? Zcash gets non-audit firms to attest to its security

Earlier this year, Zcash went live.

What is Zcash?

Zcash is a public blockchain similar to bitcoin. Zooko Wilcox, the founder of Zcash, explains what it is in the following video:



As he notes in the video, what distinguishes Zcash from bitcoin is that it offers greater privacy to users, as they don't have to disclose their private key (which is a pre-requisite for bitcoin). Because Zcash uses zero-knowledge proofs (see the amazingly easy to follow explanation below), there is no need for the private key to be revealed - thereby offering extra anonymity to the user.


However, what I thought was exceptionally noteworthy about Zcash is how it went about proving to the world that its code is sound. When Zcash went live, Coindesk reported the following:

"Notably, the development team released two audits conducted by NCC Group and Coinspect, respectively, ahead of the launch.

The reports sought to identify potentially harmful bugs in the cryptocurrency's code prior to launch. (The audits can be found here and here)."

The article referenced a blog post, which described the scope of the security audits as follows:

"Today we are publishing the final reports of each external security auditor we contracted this summer to review our code. We've triaged the issues found and addressed any we considered severe (e.g. could compromise user privacy, lose funds, break consensus, etc...).

NCC Group's conclusion was (also available here):

“NCC Group performed a two-part targeted review of the Zcash cryptocurrency implementation. The first part, performed by the Group's Cryptography Services practice, focused on validating that Zcash's implementation adhered to the Zcash Protocol Specification. An assessment looking for security errors within the cryptographic implementation was also performed. The second part was a C++ source code review for vulnerabilities using static and dynamic analysis and fuzz testing. The review also included a cursory assessment of dependent libraries and recommendations for improving software assurance practices at Zcash.

NCC Group identified an issue that would allow an adversary to tamper with the verification and proving keys used by the Zcash daemon as well as a number of C++ coding errors that could result in stack-based buffer overflows, data races, memory use-after-free issues, memory leaks, and other potentially exploitable runtime error conditions. Additionally, most, if not all, third-party open source library dependencies were identified as being out-of-date. In the end, NCC Group did not find any critical severity issues that would undermine the integrity of the Zcash blockchain or undermine the security of confidential transactions during the time that the review was conducted (from August 8 – September 2, 2016).”

As for Coinspect, they noted (also available here):

"Coinspect reviewed Zcash's innovations over the Bitcoin Core source code, focused on evaluating its resistance against specific threats to cryptocurrencies. Coinspect identified high-risk and moderate-risk issues during the assessment that affected the performance and availability of the Zcash p2p network. The security issues identified did not allow remote code execution nor allowed an attacker to steal funds or compromise the privacy of Zcash users. However we found exploitable 51% and isolation attacks with minimum resources.

It is an honor for Coinspect to contribute with our cryptocurrency security experience to the exceptional team behind this exciting project."

I found a couple of things interesting.

Firstly, these are purely tech experts, not CPAs. They are producing "audit reports" that users will rely on for privacy, ability for the protocol to generate consensus, and loss of funds.

Of course, these are all things that a CPA firm couldn't opine on because the liability would be too much for the firm to bear.

But I think that's the point: if things are so complex/risky that a CPA firm can't produce the audit report, it leaves the field wide open for competitors like Coinspect and NCC Group (who were likely paid $250,000).

And here is the twist: they retained 2 or 3 firms to do this. I think that's the really interesting part.

Audits completed by CPAs are governed by strict standards of independence to ensure that the auditors are independent. However, what Zcash is in effect saying is that such issues can be overcome by getting two "unlicensed" auditors to opine on the same thing. Implicitly, why would the two independent parties collude on a lie?

Initially Zcash as a cryptocurrency was not doing so well price-wise. When this post was originally written (on Dec 23rd) there were 188,905 transactions executed on this blockchain. Today, roughly 3 months later on April 10th, the transaction count has more than doubled to 463,560. Furthermore, it is now the 9th most popular by market capitalization.

The world of cryptocurrency is not as conservative as the world of financial statements. However, the approach that Zcash to gain trust essentially. Although we can have philosophical debates on whether this meets GAAS or not, the reality is someone has found a way to eat our lunch.



Thursday, December 22, 2016

Rogue One: A Star Wars Story or A Backup Story?

I recently saw Rogue One, the latest installment of the Star Wars series of films.



I feel obligated to warn you that this is a spoiler alert.

However, if you have seen Episode IV: A New Hope, then you really know the outcome already. But read at your own peril.

As we know from Episode IV, the Death Star plans were obtained "at a high cost". And Rogue One is all about how the rebels get these plans. The protagonist, Jyn Erso, struggles to locate her father who is actually a fifth column within the Empire - purposely building a weakness into the Death Star. However, for his plan to succeed the rebels need to get their hands on - you guessed it - an offsite tape backup!

I kid you not!

Think about it: even in "a long time ago in a galaxy far, far away", those tape backups are the main way the Empire keeps a backup of their data.

The dramatic scene when they are trying to get the backup tape requires the heroes to use mechanical arms to pull the backup out of the tape library. Of course, the arms break down as the Storm Troopers overrun the building, requiring the heroes to get the data themselves.

Yes, they can travel at lightspeed but still have not managed to move away from tape backups onto the cloud or something else. Yikes.

To be fair the Star Wars movie makers had a tough balancing act: how do they remain true to the original but at the same time account for the fact that the original movie was made 2 decades before the Internet and 3 decades before the iPhone? 

In a way, the epic Battle of Scarif is in reality about how the rebels (the hacktivists, if you will) do their best to defeat the myriad information security controls that the Empire has in place to keep their backups secure.
  • Physical security: Definitely, the Empire has good physical security, a whole Armada of ships to protect Scarif - and a lightsaber-wielding Darth Vader to boot! This includes the impenetrable shield that is used to prevent unauthorized vehicles/starships from entering the facility. Kind of like a futurized version of a bollard.
  • Logical security: Really, Empire? Only passwords? Of course, entering the facility required Rogue One to give a valid "access code". Perhaps, if they had two-factor authentication or changed the access codes more frequently, their facilities would have remained secure.
  • Obscurity: Not sure if the Empire had encryption, but they ensured that to find the tapes you needed knowledge of how the backups were labeled and stored. To this point, perhaps the Empire could have used better training to ensure Erso's dad was instructed not to use names of family. 
  • Offsite backups: Talk about offsite backups! Not only was the tape not located on the Death Star or the facility where Erso's dad was engineering the Death Star, it was located light years away! 
  • Authorized communications: Part of the challenge the rebels had was that the file was too large and needed a special channel to communicate the plans to the rebels.

Probably not the full list of controls, but who would have thought a background in IT Audit would give you insights into a Star Wars Story :)