In this interview, Bill shares some insights about unstructured data and how unstructured data is linked to IT general controls for most organizations in light of the new COSO framework.
Bill is COO and Managing Director of Consulting at TechLaw Solutions in Washington, DC. He is a C-level executive with over 20 years' experience in professional services management, consulting and support services. He has extensive experience in information technology, corporate compliance and electronic discovery. He has performed technology, compliance and e-discovery consulting for Intel, KPMG, Nestlé, Microsoft, Philips Electronics and Pfizer.
Hi! I'm Sonia Luna, CEO and founder of Aviva Spectrum, an internal audit and compliance consulting firm headquartered in Los Angeles, California. I am also a well-known speaker on topics like the new COSO 2013 framework, SOX 404, quality assessment reviews, internal auditing and related topics. Today's interview is with Bill Schiefelbein; hopefully I said that right, though.
That was good enough (laughs).
Alright. Bill is the COO and managing director of consulting at TechLaw Solutions in Washington, DC. He is a C-level executive with over 20 years of experience in professional services management, consulting and support services. He has extensive experience in information technology, corporate compliance and electronic discovery, also known as e-discovery. He has performed technology, compliance and e-discovery consulting for companies that you may have heard of, like Intel, KPMG, Nestlé, Microsoft, Philips Electronics and Pfizer. So, I became aware of Bill's work after reading a great article on unstructured data in the Journal of Accountancy, and we are lucky to have him here as our guest today. Welcome, Bill!
Thank you very much Sonia. It's great to be here.
Yeah. We were really excited to schedule this interview because I personally was very intrigued by your article on unstructured data, and for our listeners, could you share with us what was your inspiration, first and foremost, for even writing this article?
Yeah. You know, it was a confluence of really three different kinds of threads, let's say. You know, the first is, my co-author and I -- Chris Beach is a forensic accountant of about 40 years, and I have been in litigation myself, as a practicing attorney and then from a technical consulting standpoint, for over, you know, a good 25 years. And one of the things we noticed is that when some kind of internal control breakdown or risk, you know, emerges into an investigation or litigation, the first thing the attorneys and the regulators reach for is the email. You know, it's in the email or in the other unstructured data, PowerPoint and so on, where they get the story: how this happened, you know, how this came about. And of course later on they argue about "Oh, you should have known this was coming" -- "Oh, how could I have known this was coming?" You know, all of that is happening out in unstructured data. It does not happen in the, you know, the accounting system, so to speak. Then another thing -- this is all kind of, you know, that whole area of litigation has been really developing, and one of the reasons, and this is the second thread, is just an incredible increase, especially since the internet, you know, came alive in 1996, an incredible increase in the volume and then the proliferation of the forms of communication that people participate in. All happening at the same time that corporations are becoming less centralized -- you know, corporate organizations are becoming less centralized, less able to kind of assert top-down controls.
So all that is happening, and then the third thing, really, from the standards and regulators side of things: you know, we noticed there is a lot of -- more pressure coming from COSO, you know, for example, to expand beyond internal controls into larger risk management and risk mitigation policies, procedures and so on, and we see the same thing, you know, in the legal market, coming from regulators and statutes. You know, just the conference where they are talking about the FCPA, you know, the Foreign Corrupt Practices Act, and how corporations used to have sort of an excuse: "Yeah, we did our diligence, we just didn't know that this employee of ours was bribing a Chinese official." What is happening is the government is getting less and less forgiving of that sort of thing: "We don't care what your excuses were, we're going to hold you liable, and in some cases criminally liable, for not having caught that type of problem," you know, and also the sorts of problems we see out in email, you know, for example. So those sorts of things made us really focus on the fact that there is a lot of risk happening at a greater pace within corporate organizations, and kind of the standard models of internal controls do not touch it, or do not catch it fast enough, or catch it after the fact, rather than how do we catch it on the front end while it is still emerging. And so we wrote that article really to talk about mining and monitoring email, social media and so on in order to identify emerging risks before they turn into a controls problem or litigation.
Yeah. It's kind of like companies do not know what they do not know, but the problem with this unknown element is that there is a lack of a risk-based approach to that monitoring of unstructured data. That part struck me the most because, like you stated earlier, I mean the technology -- first of all, the communication style, for example Twitter, right?
140 characters (laughs) you know.
There is data out there, okay. So, some of it is going to be keyword issues, and like you said, emails -- you know, it's not just only the content of the email but who it is going to, and then the timing of it, what attachments, like an emerging PowerPoint. So, companies are making a very broad assumption that everybody is doing the right thing. Right. There is --
That, that the due diligence process is, well, I have got a sub-certification from that subsidiary I have in Hong Kong that is responsible for doing all the financial reporting for all my Asia -- right?
Entities, and they just submit the document saying everything, all the controls, are fine, and therefore I am good to go. But like you stated earlier, regulators are starting to put the pressure on, saying your due diligence really was not good enough, you know, that --
You know, this bribery issue, etc., it could have been caught; it's your responsibility to have a more sophisticated monitoring process for these items, and boom! Here comes the penalty. And I think that's what's causing people -- it's catching them by surprise, because before, you know, it was not the same major trend, but now, like I mentioned, the Foreign Corrupt Practices Act is becoming a bigger and bigger issue, which tentatively means to...
And that's exactly right, and one of the issues is just the speed at which risks can emerge into a problem and go viral is just so -- you know, even compared to 10 years ago, when we had corporate email and there was some internet email going on, but now things can really blow up. Serious problems for corporations can really blow up in a matter of a 24-hour period, so all of the post facto reporting or investigations or whatever are often too late. And in some sense -- I mean, this is really one of the things that we toyed with, with the Journal of Accountancy editors, you know, kind of what angle to take on this. As we were finishing up this article, you know, the whole issue where the NSA was obviously monitoring, you know, telephone metadata and emails and so on kind of blew up, and we felt "well, we may take that angle," and we thought that's a rather negative angle, but it points out the fact that the government has the same sort of problem with regard to terrorist organizations worldwide: how do you -- how do you mine the information out there in order to get advance warning of problems, rather than waiting until, you know, the Twin Towers blow up and then saying afterwards "Oh, who did this?" and going to Afghanistan. So, it's really the same sort of problem, but corporations have their own serious problems, and how do you deal with it? One of the things that we noticed in the literature, and then I will be done -- one of the things that we noticed in the literature around risk management and internal controls was everybody was noting the problem __08:19__ and some of the, you know, bigger players in the industry, and they would get to the point where the question is, what do I do about this, and then you sort of get -- I am going to say somewhat weak answers, what I call people-process answers -- you know, we need to form a committee focusing on risks, training people -- and these are good things, but the people-process answers need to be supplemented.
We thought, by going right at the data, which you can do with volume and you can do it with machines, and, you know, the technology of course is there today, which was not 10 years ago, to really zip through things and look for serious problems.
Yeah. And talking about zipping through things and looking at serious problems, so the CEO of Mozilla -- I saw this in the paper yesterday that there were certain people, a group of, well, it's a group about marriage proposals, etc., and long story short, the CEO had made a very minor contribution on something that was, for this one group, a very hot topic.
They went online to an online forum called OkCupid and they were blasting the CEO of Mozilla. Okay, this is the guy who actually started Mozilla; it's a web browser.
Very powerful -- you know, Firefox, it's an open-source kind of thing. Well, the board sent a press release, an email blast too, saying "We are so sorry that we didn't catch this earlier," this firestorm of this negative social media blasting of our CEO, so he resigned and stepped down, and I thought "Oh my God," here's -- first of all, it's an online dating forum to begin with, like (laughs).
If you want to talk about resignations and the impact of not monitoring the speed with which this negative PR could impact your job -- you know, and then having board members say we owe it to our shareholders, right: "We're sorry we didn't see this, we should have reacted faster." You follow what I am saying?
And by the way, this only spanned less than two months. So it tells you the speed at which this is actually running, and having those monitoring controls is critical because -- again, people are having to resign over the lack of, you know, doing some damage control, and who knows what could have happened had they kind of doused the flames a little bit or said something, you know, because...
It just went viral...
Yeah. It's not just an issue of somebody losing his job -- you know, this sort of thing happens at the lower levels of organizations all the time. It does not matter, but at a certain level of the organization, especially a CEO, you can have an impact on share value and stock price, and, you know, one of the things that we talked about really is, you know, what does an organization focus on, and, you know, one of the things we talk about is the fact that you really need to pay attention to the quarterly agenda of the board of directors. I mean, they are the ones who in the end have the fiduciary duty for identifying and managing these kinds of risks that impact share price, and if those things -- you know, and so of course obviously any kind of scandal related to the CEO is a major issue. There are a number of other risks they have, and how can we monitor, and how could we mine for that sort of risk ahead of time, when it happens, or, as in this case you are mentioning, have some kind of monitoring program going on, so that there are certain kinds of -- you know, there are companies out there that focus on customer sentiment monitoring, to say how is our product doing out there; they are pulling all kinds of internet unstructured data sources trying to figure out how their current product is being received in the market before some, you know, mommy blog, for example, shoots down their entire product in 48 hours of blogging, you know, and this is really a similar thing. I mean, a good marketing department should probably at this point -- and there are tools and services out there that will monitor for this kind of risk you are saying, negative sentiment that is emerging very quickly, and, you know, being able to report that to the board before their next quarterly meeting. Right?
And it's too late.
Yeah. Yeah. And now we want to kind of switch gears to something that has been a hot topic, things that I have been seeing on various blogs, etc., and that's the update -- some people call it "the refreshed COSO framework" -- and in it, it finally clarifies that information technology, right, IT general controls, should have its own principle, okay. And I wanted to get your thoughts and share with our listeners how unstructured data fits in or is linked, if you will, to IT general controls for most organizations.
Yes. So, a couple of things. I mean, just starting with COSO, you know, it's __13:25__ that they finally articulated that principle, and it reflects something that everybody understood, but it's clearly now articulated and sets some standard out there. You know, of course, they aren't and should not be specific about all the little granular details about IT controls, but it does, it does -- you know, there are others, you know, like ISACA, you know, the Information Systems Audit and Control Association, I think it is, or __13:51__ or even ISO -- you know, we're ISO 27001 certified for our information management of our client data. Those kinds of frameworks drive down into the details of what this means, and I think it's, you know, based with COSO saying you need to have those sorts of processes in place, you know, for managing IT and controlling, you know, technology. __14:17__ okay, what is the relationship to unstructured data? You know, it's kind of interesting: when we were writing this article, and spending in the process about a year and a half, a lot of the feedback we had, including some very interesting discussions with the Journal of Accountancy editors, who were very sharp people, they were talking about, you know, what do you mean by unstructured data, and I guess that's __14:43__ you know, I probably should just describe that for your listeners. You know, generally structured data is the data that you find inside the accounting system, the HRIS system. It's, you know, it's kind of got a database around it, and it's, you know, rows and columns of numbers, that sort of thing. When we talk about unstructured data, it's a -- it's a term of art that exists in the IT world. You find IBM and EMC, you know, the big technology players, distinguishing between structured and unstructured data. Now, it's technically true, there is really no such thing as unstructured data -- you know, even email has a structure to it, and it's got a to and a from, or, you know, and a...
And a date and a time and...
Yeah. Exactly, so it's technically structured, and what we toyed with, and this is the interesting thing, we toyed with abandoning that term, maybe thinking that it was confusing some people. You know, what we're really talking about here, if you are honed in on it, is this is the data that is essentially unmanaged.
This is the stuff. You think about the accounting system and the audit process and so on; that data is highly managed. A lot of eyeballs on it, everything ties out. But when you talk about the email system, it's just stuff where people say things and do things, and it's backed up, but it's really essentially unmanaged. And the drivers behind it -- and it's not just becoming an increasing problem because there are big drivers behind that lack of management: it's the decentralized organizations and the mobile devices, and users are now sophisticated about what they say and where and in which form -- should I send this on my personal email account rather than the corporate email account, just in case it is uncovered -- and the volume and the speed of all that. So, it's essentially unmanaged, and so when COSO says something like you need to have controls over things including unstructured data, that really means something. And so if I go to kind of a typical framework for IT controls, probably the areas that come to mind are physical security and logical security around the data, and then what is your incident management, your problem management response when something happens. But I would also say, and this is not driven by any of the frameworks, there is still the problem of content and volume, and you will find a lot of organizations, especially driven by the general counsel, who are developing information governance programs to do things like just eliminate any email older than six months unless there is a good business purpose for keeping it, because in the end you can have good physical and logical controls around the email, but the content of what's in there can still blow up in the organization's face if they have litigation. And you look at some of the -- I mean, I think it was a single email from Bill Gates that really was in play in their antitrust issue several years ago.
So that's how you control the content, but the flip side of that is, well, all of that data -- and this is the point we make in the article -- to the extent that data is out there, it's also an asset, it's a tool for you to go out and figure out and identify risks that you would not be able to identify if the data did not exist. And so it goes kind of beyond even the IT controls around the physical and logical security and so on.
Yeah. Some of our clients are taking -- so, to your point about limiting the space and/or dates, right, of an email, saying in this attempt.
Some clients are making it routine training, most of it annual, and saying to their, especially in the finance and HR departments: if it is really important, if an email supports a conclusion, okay -- we're talking significance, and they kind of lay out what the significance is, what the criteria are -- use your PDF of it. You follow?
Then, it's something that you PDF, but in six or nine months it's gone. Right.
So you put it in a folder so that email goes with the supporting document, but before or after, you know what I mean, in terms of email, if it is just one for the conclusion.
That's the one you save. You follow? So, therefore, that record retention policy per email account is good, because they are telling the team, with this exception: if you really think it's that important to keep that email, there are a lot of different software products that can PDF that thing, and in the worst-case scenario, if you do not have a PDF application add-in tool, print it, scan it or fax it to someone.
For an email.
I worked on a large number of those kinds of projects as a consultant, and it kind of -- it really depends on the culture and the organization, how strict they want to be, but you are able to implement controls in a wide variety of means. Just to give you an example that is really similar to what you are talking about: we did a project for a very large tobacco company that you would recognize, and tobacco companies and pharmaceutical companies, by the way, are well-known litigation risks if you are in the litigation industry; they constantly get sued, for right or for wrong, and so they are very sensitive to that sort of thing. And, you know, a single email again can be the end of the company if the wrong person says the wrong thing about nicotine, for example, or jokingly said something about nicotine that can be used by the opposing side; that can be the end of your case and the end of your company. And so what this one company did is they developed a policy that all emails, stored anywhere they may be, etc., if it is on the desktop or in the email server or an archive, after 30 days, or varying short periods of time, are erased, and their method is you must print it out. They want it on paper. They do not want it electronically available, even in PDF form, or even, let's say, an Outlook message saved out to your desktop; they don't want it in electronic form. They want it on paper, and that forces end users to really think through what they save. But they also have to -- the key thing is the governance on this, because you really have to get to the point where everybody understands it and complies, and it is going to be driven down to the lowest level of supervisor that this is what we do. Otherwise, there are sorts of policies, and there are 100 ways end users get around them, and of course that governance and behavior aspect of these programs ends up being the most important.
Right, and I kind of want to dovetail off that last comment. I mean, in your opinion, what are the top five risk areas when you are dealing with unstructured data in an organization?
Yeah. You know, so I just -- off the top, I would say it's something like this: first of all, email and Word files and PowerPoint and Excel spreadsheets in the accounting area are all pretty well managed from an IT controls standpoint, if what you're focused on is disaster recovery and logical access around file shares and who can get into the email system and hack it, that sort of thing; those sorts of controls are pretty good. The risks you are seeing, I think, are just from the proliferation of the sheer number of access points. Now, going back 10 years, all of us who were CIOs were really worried about just connecting to the internet, because as soon as you do, you are networking with the world, and so the number of problems you have to secure against is huge. But what we're starting to see now is a different issue, and that's the mobility issue you've got, people with -- you cannot even distinguish between the different types of devices; there are so many different types of phones, which morphed into PEDs, you know, and tablets, which morphed into computers or __22:32__ clients and so on, and those -- and of course also the different communication avenues that people have.
People nowadays have corporate email, but they usually have several personal email accounts, and email is kind of old news now, and they are out on Twitter; there are other kinds of, you know, Facebook and other kinds of social media, doing a mix of personal and corporate activity, and often not knowing. I remember several years ago, when it became a big issue -- I think it was the Bush administration -- when a lot of the high-level government employees, you know, were working for the president in our circle, were doing a lot of their communication kind of sometimes on the government email system and sometimes on their Republican National Committee email system. And of course, there is a huge amount of controls and law and regulation around the government email system, none of which apply to the RNC's system, and then it becomes an issue of how do we get that stuff, how do we put it in the National Archives, because the stuff is all records and so on. And you have the same problems in the corporate environment now: how do you get people to do or not do certain things on Facebook, and, you know, the corporate Facebook account versus the personal. So that whole commingling of the personal and business through so many different communication mechanisms and devices, I think, is really the kind of next big challenge from a risk standpoint, and also, again, always complicated by the fact that organizations are constantly decentralizing, owing to less hierarchical controls, and the speed and the volume with which a single person can cause problems. That again -- so that speaks to, I think, the risk side. Then, again, I would also point out there is also the opportunity side of that, and this is where you see this in every industry: you have got all these risks, but now you have the same people using technology to say, well, how can I monitor, mine and proactively see what my problem is, using technology.
Technology is causing the risks; how can I use the technology to go out and opportunistically discover those risks? And that was kind of the point of our article.
Yeah, and most of the clients that we're seeing right now, in terms of key risks surrounding that unstructured data, definitely logical access, right, who's got, in terms of level of access, etc., and then this whole thing about devices. So...
So, there is very little to stop someone from sending from a corporate email account to their personal email account. Right, and then...
And then what are those devices actually doing in terms of access. Right. And then just the sheer number of accounts, so like you said earlier, it's not uncommon for one individual to have three personal emails, right, and if you think about the different profiles that you have out on the internet, from LinkedIn to Twitter to what have you.
And then the monitoring risk, and because __25:45__ has its component --
Its own true principles that we have, like a bunch of different avenues to deal with, so the risks that you are mentioning definitely tie in to __25:59__, just something that I am seeing in the field today, which actually just kind of leads me to skill sets. So, I mean, what is your thought on key skills that you think, you know, the internal audit profession, right, the internal auditor...
What is it that they need to have, to have the ability to assess the company's unstructured data challenges, those risks that we were talking about?
Yeah. You know, and I am certainly no internal audit expert, you know, but I have been a CIO and worked through it for a long time, and like I say, my co-author is obviously familiar with that as a forensic accountant, and I've had a lot of discussions with him, and certainly you understand this extremely well. My sense is that the audit process, as I mentioned, is somewhat focused on a post facto -- it's focused generally on the structured data and on the post facto results, a quarterly or yearly, annual sort of audit, and that the challenge -- and I think there has been a lot of progress on that for the structured data at least; there are tools, technologies and so on very much focused on continuous auditing and monitoring of the expense reimbursements, to look for fraud, fraud detection in the structured data and so on. I think there is a lot of that going on. In my mind, probably the biggest issue is really kind of increasing the awareness and the understanding of the internal audit professionals that it's out in the unstructured data. Go talk to the lawyers, because the lawyers, who do not focus on anything until the risk has developed into an outright problem -- but the point is that all of the development of the major risks, the thing, the CEO said something and now he is mired in this __27:59__ -- now that kind of thing is all developing, broadly, in the unstructured data. It's people sending email, discussing things. You mentioned earlier, it's not just the content; it's, do I have employees sending emails back and forth with Chinese government officials? Are they sending encrypted attachments? That could be good, because you want to encrypt certain kinds of things, but it could be bad if the kinds of things they are encrypting are the things that we do not want to encrypt. It's a flag of sorts. Do I have salespeople, you know, regularly corresponding with competitors' email domains?
There are certain things like that that really are the tell-tale of who is beginning to talk about something, who is beginning to do something that is trouble; in unstructured data it is recorded. If they do something, tell you what, offline, oral or verbal, what do you do about that? But the fact is people do not do that anymore; they are recording it all in some kind of communication format or other, and that is good if you mine it, but it's bad because it can be uncovered, like your Mozilla example. So, I think just generally understanding that that is where the risks develop and can be caught is probably a change in position, and I think the biggest reason you might not want to deal with that is that it's big, and it's a problem: what do I do? How do I tackle that? How do I -- and I think the short answer to that is -- this is not a kind of -- the second piece, I think, is understanding that the technology is developing rapidly for mining and monitoring for those kinds of risks in unstructured data, just like what you have seen over the last, I think, less than 10 years. But there are a lot of tools now, the resource planning systems, ERPs, accounting systems, for doing a kind of continuous auditing and monitoring; let us say the technology is now there to deal with key risks out in unstructured data, and that awareness, and saying I can do something about it, is probably one of the key things. It is not really a skill; it's that awareness. I think the second thing, from the skill standpoint, is to have that __30:15__ -- this is -- I am off the skill set, but it is to make sure that you are having that dialog with your IT folks, consultants and so on in the risk management space about what I can do about -- I have got all that big data. We have all heard the phrase big data. I have got all of that out there; how can I mine and monitor that? Start to think about it: IT people have been doing this for 15-plus years.
When you think about the risks that IT people face, the risks of network intrusion and the risks of spam or viruses and so on, it used to be a post facto enterprise: the virus-checking companies of the world published signatures of known viruses, and you would constantly compare every email coming in -- does this thing have a virus? -- and it gives you the known viruses. The problem was if there was a new virus -- remember, it was not that long ago that every other day we woke up and would see on CNN that there was some kind of virus hitting everybody around the globe.
Who wants to be...?
And there was like a subject line on the header like "Watch out for..."
"I love you" or something like that.
And you do not see that as much anymore, and that is because in the IT world the tools have gotten very sophisticated in looking for and predicting problematic things before the fact, so I am not just looking after the fact for viruses with known signatures, but I am looking for the virus behavior of something new and different, and so the tools -- and there are a number of areas in IT where they have done this. So, you talk to an IT person, and you say to your CIO or whoever, then say we really need to get at FCPA risks in Shanghai, and get them thinking in this same vein, and you will find that you have some really good partners there who can make that transition and start talking about possible tools and approaches. I guess the other point I'd make is, for internal audit folks, in terms of controls, when it comes to these kinds of risks latent out in unstructured data, probably, from easiest and least expensive to hardest and most difficult, the way to think about attacking it is: mining on a kind of periodic basis, mining certain chunks of unstructured data for potential problems, is cheaper and easier than kind of an ongoing monitoring of it, and then automated monitoring is going to be cheaper and easier than actually managing. Managing, in the sense of controlling what is going on out in unstructured data from a risk standpoint, is the hardest thing. Yeah. How do you control what people do and what avenues they -- when you think about all the different devices and so on that people communicate on, and the accounts of the __33:12__. How do you manage it? How do you control it? There are ways, but that is some of the most difficult stuff to do. Whereas mining and monitoring for certain kinds of risk, at least, like you said, risks regarding our highest-level executives and a PR blow-up or something like that, those sorts of things I think are relatively easy to mine and monitor for, though I don't know how you control them always.
Yeah. In terms of -- so when I was at university, the audit classes really dealt with account balances, pieces of paper, and then when we got to the IT element of auditing, okay, it was generally around physical security, logical access, those types of security issues. But when we come to unstructured data, kind of what I am hearing from you is it's putting your problem-solving head on, right, and talking to...
And talking to your IT personnel and saying, what are the true risks at this company. Right.
And being a good listener, but also knowing that getting a "no" answer, like "Oh no, there are no risks in unstructured data," you intuitively know that that is wrong (laughs). But more importantly, it's the soft skills of interviews and...
And, you know, there is a saying in auditing, you know, it's trust but verify. Trust and verify. So...
So, putting those soft skills to the test -- you may not have every single IT subject-matter expertise on what is best prior to transfer, encryption versus non-encryption; it's more of asking the right questions...
And then getting other key stakeholders to say, "Look, is this exactly what you want the IT department to do as well?" You, director of sales; you, director of finance, because this is really what is going on. Okay.
Yeah, you know, I mean you make a very good point, and as you are talking I am kind of thinking, one of the problems for internal audit professionals is, as the scope of what they need to deal with expands to risk management per se, as opposed to just the standard audit process you just described, they really have to be able to put on these different hats. I mean, I think IT people are accustomed to thinking about certain kinds of risks, but also the general counsel, I mean, thinking about -- you know, I'll give you a great example. In the legal space, any time two significant companies are going to merge, there is always this issue where the Department of Justice or the FTC, one or the other, has to bless the merger, because they are worried about the market impact, that they end up with a monopoly, and the way that the DOJ does this is they request a huge number of documents; it is called the second request. They request a huge number of documents relating to the market position of the company, blah, blah, blah. And the lawyers basically review -- they collect all that, they sift it, they review it and hand it over to the DOJ, and they say here you go, and then the DOJ does its own analysis. When we were writing this article, roughly a year ago, __36:42__ but you'd recognize that there was a huge technology company that had acquired another technology company out of the UK, and it was a huge strategic asset, etc., and then I think the new CEO ended up having to do about an $8 billion write-off on that, because all the audit firms -- I mean, a lot of sophisticated people involved who had done their due diligence __37:09__ for the company and for the auditors and so on. I think there were, you know, at least a couple of the Big Four involved, all doing great jobs doing what they do, and yet somehow something was missed, to the tune of $208 billion, and of course from the legal side __37:23__ look at, well, you know.
One of the things that would be interesting for companies to do during a merger is not just the -- but the DOJ looks at email just from a competitive market share standpoint, but for the due diligence folks to proactively go out and mine some of the email from the company they are acquiring as part of the deal. Just say you are going to be looking for emails between the CFO and certain business unit leaders around inflated revenue recognition, something like that, which was apparently the issue in this case, and you know, just that kind of basic mining of the unstructured data during due diligence, and on a volume basis, not just kind of the ones that you chose, the emails that might be related to a transaction the auditors look at; that sort of thing can make an $8 billion difference, and it is relatively straightforward to do, and it is something the DOJ does, but the commercial corporations engaged in the merger do not generally do, and it makes sense. So you know, somebody thinking from a lawyer's standpoint, an internal auditor thinking, you know, if this seems to unwind later on, what are the kinds of things that would unwind it and how would I find them? I do not find it in the books of the company that I am acquiring. I find it out in the email where people are discussing some of the shadier aspects of revenue recognition or whatever.
It's a classic eminence and we're not talking small dollars here (laughs).
$8 billion is huge, so I mean from a cost __38:55__ standpoint, because I know there are some -- maybe some mid-sized companies that might be listening to the show...
And they were saying, "Well, you know, I don't have the time and/or budget to do something like that," but trust me, when it's that big of a transaction...
It's almost like, why didn't you do it, you know, it's too big of a deal to fail, therefore dealing with unstructured data should have been included -- you know, however, but auditors love checklists. Okay (laughs)...
Imagine the master due diligence checklist, and one of them needs to now include -- there is, you know, at least the checklist should say the team really evaluated the risk surrounding unstructured data, like you were stating, especially on revenue recognition, because a lot of __39:41__ are based around that revenue recognition...
Right. And -- you know, and major net income items that are impacted, so I mean it's almost like when it's too big of a deal, right, deal size, it's almost like yes. Check the box, that has to be done.
Well, I think that's right, and you know better than I do, but I am sure that those checklists of what is done and not done, first of all, they have existed for a long time and they are very reliable and they probably have been updated to accommodate certain aspects of technology and the other coming systems and so on. And I would say until, you know, within the last several years it could be, certainly first in small and medium-sized companies and smaller __40:29__ transactions, this kind of thing might be cost prohibitive or not worth it. It's sort of -- but it is not now, I mean, I'd say the technology is there now to do this sort of thing -- and you still want to be on a targeted basis. I mean, if the internal auditors are -- engaged in any size merger or acquisition, just think about the broader risk issues you might have beyond the standard financial controls and financial audit. What are the broader risk issues that might sink this thing after the fact, and just often think, are those the kinds of things I might find in unstructured data? There are risks like, you acquire an oil services company that has environmental problems out in the field, and they're physical problems that nobody's talking about in email -- although you would be amazed at how much of that happens too, but there are certain kinds of risk that aren't mitigated. They're mitigated by going on __41:23__ water, you know, not by looking at email, but sitting and thinking about the kinds of risk that can really blow, you know, the valuation of a corporation by $8 billion -- you know, and thinking, you know, could I learn a little bit more about that kind of risk by sampling, mining, looking at, using some technology to do it really efficiently. You do not have to have hundreds of lawyers looking at documents; you can have, you know, a couple of people basically using technology smartly for a month and just sampling, so.
It is the awareness that that sort of risk is out there, and that sort of opportunity, that I think is the biggest thing probably missing from the internal audit world, and it's probably because they really have this larger risk management responsibility now.
Right. Right. It's ever changing and also it's growing, and I wanted to switch to something also growing (laughs), not only domestically but internationally, and that is mobile devices.
I mean it's -- I was reading an article recently about how the telecom, right, business...
The Wi-Fi and the people who hooked up the fiber optics for us to communicate with our mobile devices, that we are at a point, a tipping point actually, where the data flow, right, just here megabytes -- you follow?
Like the data.
And the capacity, right, to get that flow of data, we're at the point where there is just too much data that this whole community is trying to address this issue of satellites and fiber optics, etc., because we are just a data, data, data culture and it's affecting our mobile devices. So, we're at the point where they need to figure out a better solution to get that data across. So, I wanted to find out from your perspective. Okay. How are you seeing organizations deal with unstructured data and the use of mobile devices?
I have been involved in quite a few of those sorts of policy and technology implementations, and so here is how it lays out. A good company now, I think, is at least engaged in -- and has written that. All companies for a long time have had computer usage or internet usage policies, what you can and can't do and so on. But I think the more progressive ones now have social media usage policies; they have kind of expanded their policies to say what you can and cannot do from a user behavior standpoint on the internet: you cannot talk about the corporation on your personal Facebook account, you cannot make representations about it, just stop that. You know, similar to just user behavior, clarifying what you should and should not do, and people kind of come along for the ride. But -- before I get to the mobile devices, I just want to finish social media, but some of the things that are not really being dealt with well is realizing that so much of that kind of unstructured data never goes away. We say that, but -- just for example, I would not verify this fact, but I talk quite regularly to a company that specializes in collection of social media for lawsuits, and it's a specialized skill that they have got. One of the things they mention is they want to make sure people realize that the Library of Congress, as I understand it, archives every tweet, every tweet on Twitter. Now, I have never verified that, but you see the same thing, though, that any of you who have a Google Gmail email account and you think you are deleting your emails, you're not; you are simply deleting it from the view that Google basically __45:17__. I think it's true of many organizations. I mean they single them up, but you will notice that they tend to archive everything, even something that you think you are deleting they tend to archive, and one reason is that stuff is a gold mine from a mining standpoint.
They can mine those sorts of things and figure out people's consumer behavior and so on. So, there is a lot of data preservation of what we do on the internet and mining of it. We're concerned about the NSA, but the corporations are doing it too, fairly well, and so, and I do not think that's common knowledge now, and so that -- whatever happens on the internet, you can just assume it is trapped, it is replicated, it is mined and it is analyzed on an automated basis by a whole lot of people. Along come the mobile devices, and what you now have is it's so darn easy. I find even in my own family I communicate by email and I am a dinosaur -- you know, they are Facebooking and tweeting and there are always...
New, new types of communication, Snapchatting, that I do not even know exist, and my kids are going to keep me up-to-date, and so those devices proliferate and what happens is that people lose track of the corporate/personal distinction. They have got both kinds of data on their device. They want their device to access their personal accounts but also corporate applications and so on. Now, one good -- besides having explicit policies that deal with this, and some education, because some people a lot of times do not know what they are doing. They are just doing things on their device. They cannot, from an IT standpoint, know, is this in the corporate system versus this is on my personal system; after years of supporting end users as a CIO I can tell you they do not often know that difference, but they are very good. One recommendation to your audience should be, if you've got pressure to allow access to corporate data and corporate systems from a variety of mobile devices, a BYOD, bring your own device, policy: in addition to the policy, make sure from the beginning that you're pairing that up with one of the many mobile device management systems. I mean, there are now dozens of these that are very good; just one __47:38__ that comes up to the top, AirWatch, you know, is one that's kind of one of the leaders in this category, but these things are very good at allowing the corporation to have very granular control over access to corporate applications, segregating corporate data from personal data on these devices, allowing the corporation to go out and collect the corporate data if they want but to hide personal data if they want to be able to, and if somebody leaves the company, to be able to reach out to that device and erase corporate applications, access rights, corporate data, etc.
There is a really high degree of granular control, so for sure you need a social media policy and a bring your own device policy, and you need one of these mobile device management applications to manage those things and also, of course, to be able to __48:29__ and monitor if you so choose.
Yeah. There are a couple of quick stories I know about the Big Four accounting firms where they have a policy that if your laptop, right, so it's moving around client to client, if you were to lose it, their policy is you're going to report it within, you know, 5 or 10 minutes, if that, right, you report it immediately. There is a 1-800 number and there is a code, you have an employee ID number, and your entire laptop is completely wiped out...
It does not matter if you had personal items, pictures, photos, whatever it may be, personal, they do not care. They said, "That's our equipment," and that is wiped out. Now they have a policy that your mobile device cannot access any of their stuff, okay? So, you know, that's one firm that's kind of taking it to two different extremes, right?
One is, we are giving you the equipment and we're getting rid of it, and by the way, mobile devices, just X on that. So, I literally see some people from that firm have two phones, right?
They have got (laughs) their personal phone and then something else that's kind of work-related, but then, kind of, it does tell me -- this is the chief audit executive I know at a bank, fairly on the larger side of a mid-tier bank, and they decided that they were going to do a vendor audit for their leased fax machines. Okay.
And in the audit process they actually went on site to this vendor. Okay. And they said, "What happens when you collect our outdated leased equipment and what do you do with it, etc.?" and in the interview process, they were asking some of the technicians there, at this vendor, like, well, you know, what does that thing actually have in it, and __50:24__ has a chip in it that records every single fax and could reproduce, okay, with clarity, every image. Right. Every fax that you sent out, and so what is your policy for wiping that out? Like, oh, we actually don't (laughs).
They were really like -- they were flabbergasted, as you can imagine, because guess what is in the bank's faxes: Social Security numbers, account numbers, wire information, account balance information (laughs). If you want to talk about identity stuff potentially gone way wrong, it's that. So, they brought in legal counsel -- you know, we have got a major issue. Okay, because we do not know the scope of this. We do not know who has had access to this. We thought the vendor was taking care of it, etc. So, sometimes it's not even just a mobile device; it's just equipment in general that has corporate data, and you do not realize how it could easily re-perform a function of something that is highly valuable to the corporation, like a fax machine that you are using.
Right. Right. In fact, you know, we see that on the legal side all the time. We have an obligation -- you know, when somebody hires me as the consultant on a case, I mean it is my job to think through all those different places where our client or the opposing side or the government, you know, whatever, has those kinds of data, where __51:58__, and you are exactly right -- you know, especially copy machines, as they get increasingly smart and are now used for scanning and faxing and copying and so on -- you know, there is a certain amount of data of certain types that is tracked on the -- they have a hard drive now, they do not use the hard drive, they have drive drives. And you know, __52:13__ interesting buzzwords your audience, you know, is going to hear, of course they are sort of an uptick towards the Internet of Things, of the client. What that means is, you know, we're not talking about computing and mobile communication devices anymore, which is what we typically think of, but you know, home appliances and corporate, you know, smart boards -- you know, so everything is starting to get a chip and a hard drive and track data for all the, you know, all the things that make us more efficient and more convenient, and so, you know, the Internet of Things is going to also -- in addition to this proliferation of communication devices, there is a proliferation of things that have chips in them. Cars, obviously, now -- you know, I mean cars are sending off a signal and tracking where you are, so the location of the customer, and you know, this is data that is going to be extremely important to some corporations, to -- you know, I assume, I do not know anything about this, but I would assume at some point that GM, as well as the OnStars of the world, will be tracking. I will give you an example: I did a project for the wine and spirits industry where there is, you know, they do a lot of driving around with important assets and there are now third-party services that will track where the driver goes.
How long they stop some place, did they take a diversion, that sort of thing, and when I was helping them with their records management policy I said, you know, that's good information for you to have to manage your people, but at a certain point you want to make sure that data is deleted by the third-party service; otherwise, what are they going to do with it?
They are going to mine that kind of information about consumer behavior, track drivers, etc.; they are going to resell that as an asset; they can make money on it; and you also have got the downstream litigation risks -- you know, it is good for you to know that your guys stopped off at the bar, but it's a bad thing if the opposing side in a lawsuit shows you have got a bunch of people who are constantly drinking and driving and you are not managing that.
So, that sort of -- yeah, and thinking through the risks, you know, depending on your business, you know, of the Internet of Things that now is tracking data forever and mining it for commercial purposes is kind of also a risk to consider.
Yeah. I know it's a huge risk and it's something that -- these are new questions that again both auditors and sometimes compliance people forget to keep asking, which is: so what happens to the data when, right, and then fill in the blank. So you've captured the data where? Okay. What happens to it, X, Y, Z, follow it afterwards, so it's kind of putting, again, that problem-solving head on and saying, okay, let's assume it's a real physical asset. Okay, what will I do with the chair, who is the owner of that, etc., etc., etc., you follow? So...
So, you can almost use the same inquiry skill set, right.
Of a physical asset, and just say, well, what happens to that asset when it goes through this trail of disposal, etc. So.
I really appreciate that, that kind of clarity, and AirWatch, I put it twice actually, and it's a very sophisticated program and has a lot of -- just a ton of robust features, so I'm kind of glad that you shared it with our audience, but I know our time is wrapping up here and I wanted to say that this was just a very wonderful and insightful interview with you, Bill, and just as a reminder for people who are listening: you can find Bill's article on unstructured data online at the Journal of Accountancy, located at journalofaccountancy.com, and this is Sonia Luna, CEO and founder of Aviva Spectrum, signing off.
Thank you, Sonia.