Friday, November 3, 2017

Big Data Auditing Revisited: Context is King

It has been a few years since I wrote up on Big Data and the Audit.  It was one of the more popular posts with over a 1,000 hits to date.

The post looks at Big Data: A Revolution That Will Transform How We Live, Work, and Think by Kenneth Cukier and Viktor Mayer-Schönberger. I enjoyed the book as it really broke down the business impact of big data without getting in technical details of the underlying technology.

Why take a second look at big data auditing?

Big data and the accompanying analytical models are key a precursor to artificial intelligence. Machine learning algorithms that power the AI bots requires the users to analyse the problem and teach the underlying algorithm.

Part 1: Context is King

To make things a bit more digestible, I thought it would be good to divide the post into two parts. The first post is more palatable as I want to explore the second use case in a bit more detail and its relevance to today.  The second post will be a bit more controversial as I will take a look at the difficulty of applying fraud or cancer-fighting algorithms in the realm of (external) financial audit.

But let's look at the first issue: how can big data analytics give us better context? 

In the original post, I spoke discussed the use case used in Cukier and Mayer-Schönberger's work around Inrix. The book gives the example of how an investment firm is using traffic analysis, from Inrix, to determine the sales that a retailer will make and then buy or sell the stock of the retailer on that information. In a sense, the investment is using vehicular traffic as a proxy for sales. In an audit context, auditors can develop expectations of what sales should be based on the number of vehicles going around stores. For example, if sales are going up, but the number of vehicles are going down then the auditor would need to take a closer look.

What I realized from this example is that what big data can give auditors better context around things and assess reasonability of things. That is as more sensor data and other data are available to auditors to integrate into statistical models, the more they will be able to spot anomalies. 

One of the issues with Barry Minkow's ZZZBest accounting fraud was the lack of context. For more on the fraud, check this video:

I actually studied this case in my auditing class at the University of Waterloo. One of the lessons we were take away from this case was that the auditors didn't know how much a site restoration would cost on average (see the first bullet in this text on page 129). But how would an auditor be able to access such data? Even with the advent of the internet, it is not simply a matter of Googling for the information.

More recently, an accounting professor was found to have generated data fraudulently. The way he got caught was that a statistic he used didn't correspond to reality. Specifically:

"misrepresented the number of U.S.-based offices it had: not 150, as the paper maintained (and as a reader had noticed might be on the high side, triggering an inquiry from the journal)" [Emphasis added]

Again, the reader had the context to understand what was presented was unreasonable causing the study to unravel and exposing the academic fraud perpetrated by Hunton. 

What will it take to make this a reality? 

What's missing is a data aggregation tool that can connect to the private, third party, and public data feeds that an auditor can leverage for statistical analysis. Furthermore, for this to be useful to clients and the business community large are visualized depictions that enable the auditor to tell the story in a better way rather than handing over complex spreadsheets.

Of course for auditors to present such materials requires them to have deeper training in data wrangling, statistics and visualization tools and techniques. 

In the next post, we will revisit the first use case that I presented in the original post that explored how the New York City was better able to audit illegal conversions through the use of big data analytical techniques. Originally, I had thought this would be a good model to apply in the world of audit. However, I am revisiting this idea. 

Author: Malik Datardina, CPA, CA, CISA. Malik works at Auvenir as a GRC Strategist that is working to transform the way we do financial audits. The opinions expressed here do not necessarily represent UWCISA, UW, Auvenir, Deloitte's or anyone else.

Sunday, October 15, 2017

What's missing from this Top 5 uses of Blockchain list?

TechRepublic's Tom Merritt  walks us through the "Top 5" uses of blockchain in the following video. The accompanying post lists the following 5 use cases:
  • Stocks
  • Shipping
  • Diamonds 
  • Livestock 
  • Law

What's missing? 

Stocks use case is actually limited to Initial Coin Offerings (ICOs). For more on an overview of ICOs, check this article. However, the post excluded Linq's blockchain that allows for the settlement of private securities.

But on a broader note, the post excluded the financial industry altogether in terms of being a forerunner for the use of blockchain. Following the hype-cycle, one of the early areas of interest for the use of the permissioned blockchain were financial institutions. It seemed like every week that a company joining the R3 Consortium.

However, since that initial fervor, a number of players, such as Goldman Sachs, Santander, Morgan Stanley and the National Australian Bank, have left the consortium.


The problem lies in understanding the actual business case for the permissioned blockchain (for the differences between public and private/permissioned, see this post). The permissioned blockchain helps parties to have a common view of transactions that they have transacted with each other via a shared ledger database. With the use of digital signatures, it incorporates authorization into this as well, so in addition to sharing information, it also enables the ability to "sign-off" on that information.

The banks could decide that they would use such a framework to make it easier to settle payments, however, how do they keep things private such as pricing and other data? This is something that needs to be sorted out but points to a bigger question as to what is the strategic advantage of blockchain for FIs. That is, this exponential technology doesn't lead to cost savings like robotic process automation or strategic insights like big data analysis.

And that's why I think something like shipping or supply chain more broadly is a much better beachhead for blockchain. With multiple partners involved in supply chain, have a shared database enables the partners to see where things are at between the wholesaler, shipper, and retailer, enabling each partner to get better insights into movement of goods and other business information. Such a system would allow for creative ways to settle payments or even enhance the ability of retailers to design consignment contracts with wholesalers. For example, BestBuy is marketplace (e.g. Brainydeal is one such retailer) within its retail front requiring such coordination. The one caveat, however, is to ensure that (cheaper) existing technology doesn't actually do this already. After all, shared databases are not a novel concept.

I would contend that legal would be a great place for the blockchain to expedite paperwork - more so than supply chain. However, such technology would be fought tooth and nail by lawyers. And they have unlimited resources to fight such technology in the courts. Also, politicians have little incentive to look into such advances as most of them are lawyers, depend on lawyers or have friends who are.

Author: Malik Datardina, CPA, CA, CISA. Malik works at Auvenir as a GRC Strategist that is working to transform the way we do financial audits. The opinions expressed here do not necessarily represent UWCISA, UW, Auvenir, Deloitte's or anyone else.

Tuesday, October 3, 2017

Should drone inventors have thought about this risk?

Came across this article on Wall Street Journal about how the wedge-tailed eagles have turned out to be the drones worst nightmare. Here are some videos that illustrate the problem:

Being someone who works on innovation as the GRC Strategist - risk is something that I think about daily. Of course, you need need to be prudent and make sure that you've documented. All the known risks and have a plan and how to mitigate them.  For example, you should patch your software when the vendor tells you there is an issue.

But how could drone inventors possibly think about the risk formula about the impact and likelihood of eagles tearing up your drone?

It's a good illustration of how innovation requires taking risks of which you will only encounter when actually deploying innovation into the real world. They're just some things that literally will fall out of the sky that you didn't think of and a workaround will need to be designed after the fact.

Author: Malik Datardina, CPA, CA, CISA. Malik works at Auvenir as a GRC Strategist that is working to transform the way we do financial audits. The opinions expressed here do not necessarily represent UWCISA, UW, Auvenir, Deloitte's or anyone else.

Monday, October 2, 2017

What can driving algorithms tell us about robo-auditors?

On a recent trip to the US, decided to opt for a vehicle with the sat-nav as I was going to need directions and wanted to save on the roaming charges. I normally rely on Google Maps for guiding me around traffic jams but thought that the sat-nav would be a good substitute.

Unfortunately, it took me on a wild goose chase more than once – to avoid the traffic. I had blindly followed the algorithm's suggestions assuming it would save me time. I ended up being stuck at traffic lights waiting to a left-turn for what seemed like forever.

Then I realized that I was missing was that feature in Google Maps that tells you how much time you will save by taking the path less traveled. If it only saves me a few minutes, I normally stick to the highway as there are no traffic lights and things may clear-up. Effectively, what Google does is that it gives a way to supervise it’s algorithmic decision-making process.

How does this help with understanding the future of robot auditors?

Algorithms, and AI robots more broadly, need to give sufficient data to judge whether the algorithm is driving in the right direction. Professional auditing standards currently require supervision of junior staff – but the analogy can be applied to AI-powered audit-bots. For example, let’s say there is an AI auditor assessing the effectiveness of access controls and it’s suggesting to not rely on the control. The supervisory data needs to give enough context to assess what the consequences of taking such a decision and the alternative. This could include:

  • Were controls relied on in previous years? This would give some context as to whether this recommendation is in-line with prior experience.
  • What are the results of other security controls? This would give an understanding whether this is actually an anomaly or part of the same pattern of an overall bad control environment.
  • How close is it between the reliance and non-reliance decision? Perhaps this is more relevant in the opposite situation where the system is saying to rely on controls when it has found weaknesses. However, either way the auditor should understand how close it is to make the opposite judgment.
  • What is the impact on substantive test procedures? If access controls are not relied on, the impact on substantive procedures needs to be understood.
  • What alternative procedures that can be relied on? Although in this scenario the algo is telling us the control is reliable, in a scenario where it would recommend not relying on such a control.

What UI does the auditor need to run algorithmic audit?

On a broader note, what is the user interface (UI) to capture this judgment and enable such supervision?

Visualization (e.g. the vehicle moving on the map), mobile technology, satellite navigation and other technologies are assembled to guide the driver. Similarly, auditors need a way to pull together the not just the data necessary to answer the questions above but also a way to understand what risks within the audit require greater attention. This will help the auditor understand where the audit resources need to be allocated from nature, extent and timing perspective.

We all feel a sense of panic when reading the latest study that predict the pending robot-apocalypse in the job market. The reality is that even driving algos need supervision and cannot wholly be trusted on their own. Consequently, when it comes to applying algorithms and AI to audits, it’s going to take some serious effort to define the map that enables such automation let alone building that automation itself.

Author: Malik Datardina, CPA, CA, CISA. Malik works at Auvenir as a GRC Strategist that is working to transform the way we do financial audits. The opinions expressed here do not necessarily represent UWCISA, UW, Auvenir, Deloitte's or anyone else.

Saturday, September 30, 2017

CPAOne: AI, Analytics and Beyond

Attended the CPA One Conference almost two weeks ago in Ottawa, Ontario. Given that my space is in audit innovation, I attended the more techno-oriented presentations. Here's a summary of the sessions that I attended:

"Big data: Realizing benefits in the age of machine learning and artificial intelligence": The session was kicked off by Oracle's Maria Pollieri. The session delved deep in the detail of machine learning and would have been beneficial to those who were trying to wrap things around thing more from a technical side. She was followed up by Roger's Jane Skoblo. She mentioned a fact that really grabbed my attention: when a business can just increase its accessibility to data by 10%; it can result in up to $65 million increase in benefits.

The next day started with Pete's and Neeraj's session on audit automation, "Why nobody loves the audit". They want over a survey of auditors and clients on the key pain points of the external audit. It turns out that these challenges are actually shared by both. For example, clients lack context on "the why" things are being collected, while auditors found it difficult to work with clients who lacked such context. On the data side, clients have hard time gathering docs and data, while the auditors spent too much time gathering this information. From a solutions perspective, the presenters discussed how Auvenir puts a process around gathering the data and enables better communication. This will be explored in future posts when we look at process standardization as a key pre-requisite to getting AI into the audit. 

The keynote on this day was delivered by Deloitte Digital's Shawn Kanungo, "The 0 to 100 effect". The session was well-received as he discussed the different aspects of exponential change and its impact on the profession (which was discussed previously here). One of the key takeaways I had from his presentation was how a lot of innovation is recombining ideas that already exist. Check this video he posted that highlights some of the points from his talk:

Also, checked out the presentation by Kevin Kolliniatis from KPMG and Chris Dulny from PwC, "AI and the evolution of the audit". Chris did a good job breaking down AI and made it digestible for the crowd. Kevin highlighted in his presentation noting the link that AI is key for identifying unusual patterns.

That being said, the continuing challenge is how do we get data out of the systems in manner that's reliable (e.g. it's the right data, for the right period, etc.) and is understood (e.g. we don't have to go back and forth with the client to understand what they sent).

Last but not least was "Future of finance in a digital world" with Grant Abrams and Tahanie Thabet from Deloitte. They broke down how digital technologies are reshaping the way the finance department. As I've expressed here, one of the keys is to appreciate the difference between AI and Robotic Process Automation (RPA). So I thought it was really beneficial that they actually showed how such automation can assist with moving data from invoices into the system (the demo was slightly different than the one that can be seen below, but illustrates the potential of RPA). They didn't get into a lot of detail on blockchain but mentioned it is relevant to the space (apparently they have someone in the group that specifically tackles these types of conversations).

Kudos to CPA Canada for tackling these leading-edge topics! Most of these sessions were well attended and people asked questions wanting to know more. It's through these types of open forums that CPAs can learn to embrace the change that we all know is coming.

Author: Malik Datardina, CPA, CA, CISA. Malik works at Auvenir as a GRC Strategist that is working to transform the way we do financial audits. The opinions expressed here do not necessarily represent UWCISA, UW, Auvenir, Deloitte's or anyone else.

Monday, September 25, 2017

Will the iPhone's blue ocean strategy work?

Apple unveiled its much-anticipated iPhone upgrade - the iPhone X - earlier this month.

The following video is a splashy summary of what the phone offers:

The following video has Jony Ive's voice-over and gives a bit more about the actual technology behind everyone's favourite iDevice:

The most interesting feature for me was the augmented reality piece. With the success of Pokemon Go, the business opportunity is just waiting to be exploited. However, there seems to be more work that needs to be done for it is ready for mass consumption.

Perhaps, the following Funny or Die "review" of the release summarizes the sentiment out there:

But is it fair?

It's definitely not the wow of the first iPhone or iPad release. It feels incremental. However, Wall Street Journal has a different theory: Apple is targeting the Chinese "elite" who would want such a phone because of the status it affords:

"The iPhone X design has raised hopes that it can reverse Apple’s fortunes in China, Apple’s most important market outside the U.S., where sales have fallen six straight quarters.

“The high-end Chinese phone market is super competitive and customers are very discerning but also enthusiastic,” said Benedict Evans, a partner at Andreessen Horowitz, a venture-capital firm. “If Apple can get something that rings the bell [with them], then this will work.”"

This could be a blue ocean strategy at work (see the video below for more).

The idea of a blue ocean strategy is that instead of competing in the blood-soaked waters of intense competition companies migrate to the blue ocean where there is no competition or where the existing competition doesn't matter. 

Let's face it.

Either we're guilty of lining up for one of those iDevices - or know someone who did/does. But at the same time, there are no big line-ups for Microsoft or Samsung computing devices. This uniquely positions Apple is to capitalize on its brand - while others are left fighting in the red oceans on product features and price.

Author: Malik Datardina, CPA, CA, CISA. Malik works at Auvenir as a GRC Strategist that is working to transform the way we do financial audits. The opinions expressed here do not necessarily represent UWCISA, UW, Auvenir, Deloitte's or anyone else.

Wednesday, September 13, 2017

Bitcoin clampdown: Towards a corporate-cryptocurrency?

WSJ reported that the Chinese government was working to shut down Bitcoin exchanges:

"China’s central bank together with other regulators has drafted instructions banning Chinese platforms from providing virtual-currency trading services, according to people familiar with the matter...regulators told at least one of the exchanges that the decision to shutter them has been made, one of the people said. Another said the order may take several months to implement."
China, however, is not the only has such issues with crypto currency. The US also has limited the use of Bitcoin by taxing it as a capital gain:

"Capital-gains tax rules could make using bitcoin as a currency a logistical nightmare. It meant that when U.S. citizens filed taxes, they had to account for every single bitcoin acquired, sold, or used for purchases, and the prices and dates at which those transactions happened. If you purchased 0.5 bitcoins at $360 in April 2014 and sold them for $645 on June 9, you’d have to declare that gain as a taxable event in 2015. Fair enough. But did you have to account for swings in the value if you used your bitcoin to purchase a vacation on Expedia or to order a pizza? The IRS’s move seemed to undermine bitcoin’s potential for use as a currency." Vigna, Paul. The Age of Cryptocurrency: How Bitcoin and Digital Money Are Challenging the Global Economic Order (p. 260). St. Martin's Press. Kindle Edition. 

However, the key regulatory action against Bitcoin came from the FDIC and DOJ:

"bitcoiners would report that agents from the Federal Deposit Insurance Corporation, the body charged with cleaning up failed banks so that insured depositors can be kept whole, were pressuring bank compliance officers not to work with bitcoiners. It’s hard to verify this claim. The FDIC had long communicated its concerns to bankers over supposedly high-risk categories of merchants, and bitcoin businesses were told by bank compliance officers they were included in those groups...

The U.S. Department of Justice, too, sent banks messages that contradicted FinCEN’s accommodating message. In 2013, the DOJ launched an initiative known as Operation Choke Point, in which it investigated banks dealing with merchants in businesses that weren’t necessarily illegal but were considered high fraud risks. Miami-based lawyer Andrew Ittleman, who has become something of an accidental expert on the subject, told us that Operation Choke Point now occupied most of his time and that primarily his clients were legal providers of bitcoin services and medical marijuana, along with a few pornographers and gun dealers. The law was having a chilling effect: banks might not be breaking the law by servicing such businesses, but the risk of an audit from the DOJ was enough to dissuade them from doing so. Ittleman fought hard for his clients, who were denied a vital instrument of financial access, but it was an uphill battle. The matter, he said, should be taken up to the Supreme Court by civil rights activists such as the American Civil Liberties Union." (ibid p. 258-259)

Why are governments so worried about Bitcoin?

The WSJ article cited above gives a clue:

"Beijing’s crackdown on bitcoin is part of a broader effort to root out risks to the country’s financial system. Officials earlier this year circulated a draft of anti-money-laundering rules for bitcoin exchanges, a powerful warning, even though the regulations were never formalized, according to people familiar with the matter...Virtual currencies in theory allow holders to bypass China’s traditional banking system to move money outside its capital-controlled borders. That could make it more difficult for Chinese regulators to maintain a tight grip on the yuan." [Emphasis added]

Cryptocurrency has its roots in the anarchist activists and others who saw Bitcoin as a way to challenge the power of banking sector. Given that Bitcoin had its debut during the Financial Crisis, it may have been reasonable to believe that there would be sufficient groundswell to believe that the cryptocurrency would gain popularity.

However, popularity in the realm of currency and capital is not sufficient to change institutional realities of societies. 

The reality of societies today is that financial institutions, and corporations more broadly, represent institutions that keep the society together. Since they hold the keys of the society, ultimately they will control the change that will proliferate through society. And something that undermines the ability of the society's today to control capital flows is pretty much a national security issue - and can expect a response that reflects that reality. In other words, it was reasonable to expect the Empire to Strike Back as they did. 

Can we ever expect a corporate-sponsored cryptocurrency? 

Given the way power works, the only one that can really challenge banks hegemony are other corporations. For example, Walmart teams up with generic drug makers (in competition with expensive brand-name alternatives) to reduce the healthcare benefits they pay to their employees.

On requirement would be to have direct access to customers so they can actually convert their cash into that digital currency. For example, online realtors are dependent on banks and their electronic payment networks to essentially get cash into the system. 

So likely a retailer alliance could be something that poses a challenge to banks and their networks. 

Amazon already has Amazon Coin, but I think that if they teamed up with Walmart you would have something that basically has wide acceptance. And that's when the games will begin.

Retailers also have an incentive to cut-out the banks and save those credit card fees. However, for this to have user acceptance the retailers would need to give their consumers a cut. 

But would this be a true cryptocurrency? 

Such a currency would likely take a permissioned or private blockchain route. Essentially, there will be a need for 'independent verifiers' (instead of miners) that will ensure that the transactions are properly accounted for. This is likely cheaper than using miners which are costly in terms of the energy costs that have to be paid

Although I think external auditors could play the role of the independent verifier, these systems can be highly automated and an assurance model can be developed where you have real-time assurance as the source documents would be digital. This is assuming that the cryptographic keys can be relied on for such a purpose and auditors are able to get "effortless" access to such evidence and systems. So it may lead to a renaissance in the audit but may help auditors realize their potential within the field of audit data analytics and more broadly as data scientists. 

This speaks to one of the key aspects of automated audits that I raised on this post. As promised, my plan is to delve deeper on this topic, where we can look at how blockchain can facilitate AI or automated audits. 

Ultimately, banks play a critical role in extending credit which essentially makes them gatekeepers of the consumer economy. However, other companies, largely the tech sector, are hoarding cash:

Courtesy of Business Insider

So the question is whether these non-banks could move into bank territory. For example, Rogers Wireless (cell phone provider) is also a bank. That being said, it likely won't be a revolution but could be something that evolves over time that steadily erodes bank power. However, that would mean that the banks would take this lying down and I don't think that the Empire will go out without a fight.

Author: Malik Datardina, CPA, CA, CISA. Malik works at Auvenir as a GRC Strategist that is working to transform the way we do financial audits. The opinions expressed here do not necessarily represent UWCISA, UW, Auvenir, Deloitte's or anyone else.