1

Click to edit Master title style

1

DigitizationSmart Business needs Smart AuditFranz Rauchbauer, Martin Obermoser, and Johannes Göllner

European Meeting Budapest 2017Sat. June 10, 2017Stream Session "Digitization"

2

Smart Business needs Smart Audit

Franz RauchbauerMulticont Revisions- und Treuhand GmbH, Vienna/AT

Martin ObermoserMulticont Revisions- und Treuhand GmbH, Vienna/AT

Johannes GöllnerMulticont Revisions- und Treuhand GmbH, Vienna/ATZRK – Zentrum für Risiko- und Krisenmanagement, Vienna/AT

3

Smart Business needs Smart AuditAGENDA

Understanding the Business of our Clients in the Smart Economy

Big Data, new Technological Concepts and Business Instruments, Smart Agents

Audit Profession not prepared for Digitization

Changes in the Audit Approach (Smart Audit) and New Services

Opportunities and Consequences

4

Understanding the business of our clients (ISA 315)• The auditor should obtain an understanding of the entity and its

environment, including its internal control, sufficient to identify and assess the risks of material misstatement of the financial statements whether due to fraud or error, and sufficient to design and perform further audit procedures

• The Auditor has also to form his own point of view on the risks in the business (e.g. through research)

5

Understanding and evaluating internal control• Once we understand what management is trying to achieve and

the risks they face, we ask the question: How does management get comfort?

• Understanding how management gains comfort requires us to consider all components of the entity's internal control

• It is important that he has an understanding of how information flows through the entity’s systems and how it may be changed and/or reported on

• This includes mapping the linkage between the management information / financial statements and the business processes (systems / applications and computer environments)

6

Click to edit Master title style

6

Smart,-versus Cyber-Economy-Visions, Trends, Concepts and Risks

7

The 10 largest global business risks in 2016

1. Operational and supply chain interruption: 38% 2. Market development (volatility, competition, stagnating

markets): 34% (NEW)3. Cyber events: 28%4. Natural disaster: 24%5. Legal changes: 24%6. Macroeconomic developments (commodity prices, austerity

programs, deflation, inflation): 22% (NEW)7. Reputational risk: 18%8. Fire, explosion: 16%9. Political risks: 11%10.Theft, fraud, corruption: 11%

Source: Allianz Global Corporate & Specialty in Allianz Risk Barometer: Die 10 größten Geschäftsrisiken 2016

8

Threats and fear as driver for future conflictsTypical topics in future threat discussions in industrialized countries

Typical topics in future threat discussions in non industrialized countries

• Terrorist attacks• Cyber attacks• Espionage• Organized crime• Sound pollution• Light pollution• High tech threats• CBRN• Financial market instability• New technology discussions• Instability in resource markets

• Environmental damage

• High technology waste

• Climate threats

• Extreme weather

• Resources scarcity

Source: Goellner Johannes, Klerx Joachim: Emerging Risks and Disruptive Trends in (Global) Supply Chain Networks, NATO Strategic Foresight Analysis Workshop, 21-22 October 2015, Helsinki, http://www.act.nato.int/futures-ws-3

9

Cyber Economy is result of: • Smart Economy: Smart Cities-based in relation with:• Cyber Development

ICT- und Knowledge based Economy, where ICT catalyze and accelerate social, political and

economic development

Cyber Economy

10

Global Supply Chain Networks

Copyright by Goellner, Peer 2016 based on Goellner 2015

11

GE: Enterprise 4.0-Investments until 2020 per anno: EUR 40 Billion, in sum approx. EUR 160 Billion

Article: Controller Magazin, 05/06 2016

GE: until 2025-2030: approx. 50% unemployed blue coloured workersin production industry, based on extensive robotics-integration

Study: PwC-PricewaterhouseCoopers in 09/2016

ad Smart Logistics:

12

Complexity of Interactions/Networks

Source: Goellner Johannes, Qurichmayr Gerald: META-RISK: Meta-Risiko-Modell für kritische Infrastrukturen, ICT-Security Conference 2016, St. Johann i./Pongau, Salzburg, Austria,12.10.2016

13

5-stage-model: generic strategic disaster & crises management process model

pre-executionphase

executionphase

follow-upphase

IMPACT

prevention- & initialization

phase

postventionphase

operational intervention &management phase for impacts

perception-, information- & analysis process

•Evaluation•Lesson Learnt•etc…

turn back loop to prevention- & initialization phase after finishing postvention phase

strategic level

Source 1: first design by Göllner Johannes, 09/2012, National Defence Academy/Dept. ofCentral Documentation & Information of the Austrian Ministry of Defence and Sports;Source 2: Göllner J. & Peer A., 10-12/2012 for KIRAS „LMK-MUSE“-research project proposal;Source 3: published: EISIC 2013, Uppsala, SWE, 09/2013, dissemination activity: KIRAS QuOIMA;Source 4: Göllner J. & Peer A., published: HMS 2014, paper,-id: 40, p.3, Bordeaux, France, 09/2014;

•Laws / act generating•Standardisation generating•Stand By-functions•Preparatory actions•Strategic capabilitydevelopment•Capability management•Resource management•etc…

14

Future public infrastructure and governance

Globalized Migration: Complex Human

Transfers

Peer to peer nets against

surveillance

Globalisatio and strategic sourcing

Future public infrastructure

2030Establishment of international armed forces to protect supply chain networks

2020New forms of supply chain networks and increasing interdependence between these networks

2035Conflicts about power and influence in the new supply chain networks

2025A new power on the horizon –Information management for supply chain networks

New players in the struggle about political influence

Disruptive

EventsTrends

Nuclear espionage of non state actorsThe shape of Islam in the

21st century

Uncontrolled Uncontrolled release of

nuclear waste Dirty Bombs and CBRN terrorism

Dirty Bombs and CBRN terrorism

Threats TrendsSocial NeedsSocial Needs Weak Signals

The Risks of WMD Proliferation and Terrorism

Declining recruitment rates of armed forces

Epistemic networks in organized crime

Increasing power of transnational corporations

Globalization of criminal networks

Digitalization with increasing speed

Globalization and strategic sourcing

Political and commercial

disinformation

Democracy and terrorism

Source: Goellner Johannes, Klerx Joachim: Emerging Risks and Disruptive Trends in (Global) Supply Chain Networks, NATO Strategic Foresight Analysis Workshop, 21-22 October 2015, Helsinki.

15

Physical Internet: FP 7-Project MODULUSHCASupply Chain Application

New Concept for logistics operations:http://www.modulushca.eu

16

Supply Chain Security(FOCUS PROJECT - Foresight Security Scenarios: Mapping Research to a ComprehensiveApproach to Exogenous EU Roles, EU-FP 7 programme)

The “threat side of the Supply chain security equation” – includingexogenous threats to EU - is not well covered in the literature today.Instead, most of the literature refers vaguely to “terrorism threat” or“cargo crime” as main reasons behind Supply chain securityprograms, standards and regulations.

(see D5.1 www.focusproject.eu , page 99, point 8.3, Ending Date: 31/03/2013)

17

Capability development optionsDevelopment of a monitoring solution:

• First guideline of Working Group: Supply Chain Risk Management of the Risk Management Association, Munich, Germany (2013-2015) (https://www.rma-ev.org/Veroeffentlichung-zum-Download.696.0.html)

• „Supply Chain Monitoring Solution“, e.g. in analogy to the first guideline of Working Group: Supply Chain Risk Management of the Risk Management Association, Munich, Germany (2013-2015)

• „Strategic situation awareness center for permantly global analysis of strategic resource/raw material-SRA“ (www.kiras.at, 2014-12/2015)

18Source: Dr. Joachim Klerx, Emerging Risks and Disruptive Trends in (Global) Supply Chain Networks, NATO SFA WS, Helsinki, 10/2015

Crypto currencies as disruptive trend for international supply chain networks

19

Future threats and developments in cyber security

Right to be informed

Right to Right to deleteProactive

protectionProactive

protection

Clear identity Clear identity rules Clear rules

for usage

AnonymityFreedom of speech

IPR for data

Cyber Future

2030Geoshifts in cyber innovation, from industrialized countries to new economies

2040A new power on the horizon - Global virtual communities

2020Virtual currencies, infiltrated by organized crime

2035Intelligent sensors and tracking: finding anything, anywhere, anytime

2025New advanced persistent threats (APT) with intelligent autonomous bots, reconnaissance of future hybrid wars

Competition of large scale SIGINT systems

End of exponential increase of computing powerUbiquitous but filtered information

Increasing amount of mobile and embedded clients

Increasing asymmetric knowledge in cyber security

Factual unlimited storage in the cloud

Disruptive

EventsTrends

Prices explosion of Zero day exploits

A droid for all seasons

Dark-nets Global black hacker industry

Insider Insider attacks

Cyber Cyber warfare

Black markets for information

A society of surveillanceA society of surveillance

Network Network breakdown –accidental or

natural

Threats TrendsSocial NeedsSocial Needs Weak Signals

Quantum computing

Magnonic Computing

Ultra-paranoid computing

Source: Goellner Johannes, Klerx Joachim: Emerging Risks and Disruptive Trends in (Global) Supply Chain Networks, NATO Strategic Foresight Analysis Workshop, 21-22 October 2015, Helsinki.

20

The 2016 Digital Banking Readiness Index

21

Network Analysis of Banking & Finance Networks

Source:

22

Legal Compliance for Cyber, ICT & Supply Chain networksPolitical and content Levels of the Internet Administration

• Stability of the Infrastructure and Development Cooperation

• Internet-Security Policy

• Human- and Civil Right in the NETWORK

• Legal Development

Four levels of Internet-Regulation: (intern./national)

• Level 4: Level of Content: Content of User

• Level 3: Application-oriented level: Software Applications

• Level 2: Logical level: Technical Standards

• Level 1: Infrastructural level: Hardware

Source: Wer regiert das Internet? Akteure und Handlungsfelder, Friedrich Ebert Stiftung, Bonn, 2016

23

Big Data, new Technological Concepts and Business Instruments, Smart AgentsCYBER: H2020-Projekt: (project-partner: Zentrum für Risiko- und Krisenmanagement)

ASGARD-Analysis System for Gathered Raw Data:ASGARD has a singular goal, contribute to Law Enforcement Agencies Technological Autonomy and effective use of technology. Technologies will betransferred to end users under an open source scheme focusing on Forensics, Intelligence and Foresight (Intelligence led prevention and anticipation).ASGARD will drive progress in the processing of seized data, availability of massive amounts of data and big data solutions in an ever more connectedworld. New areas of research will also be addressed. The consortium is configured with LEA end users and practitioners “pulling” from the Research andDevelopment community who will “push” transfer of knowledge and innovation. A Community of LEA users is the end point of ASGARD with thetechnology as a focal point for cooperation (a restricted open source community). In addition to traditional Use Cases and trials, in keeping with opensource concepts and continuous integration approaches, ASGARD will use Hackathons to demonstrate its results. Vendor lock-in is addressed whilst alsorecognising their role and existing investment by LEAs. The project will follow a cyclical approach for early results. Data Set, Data Analytics (multimodal/multimedia), Data Mining and Visual Analytics are included in the work plan. Technologies will be built under the maxim of “It works” over “It’s the best”.Rapid adoption/flexible deployment strategies are included. The project includes a licensing and IPR approach coherent with LEA realities and Ethicalneeds. ASGARD includes a comprehensive approach to Privacy, Ethics, Societal Impact respecting fundamental rights. ASGARD leverages existing trustrelationship between LEAs and the research and development industry, and experiential knowledge in FCT research. ASGARD will allow its community ofusers leverage the benefits of agile methodologies, technology trends and open source . (Abstract)

ASGARD aims to create LEA Technological Autonomy, by building a sustainable, long-lasting community form the LEA and research and developmentindustry that will created (at little or no cost to LEAs), maintaining and evolving a best of class tool set for the extraction, fusion, exchange and analysis ofBig Data including cyber-offenses data for forensic investigation. ASGARD will help LEAs significantly increase capabilities. With forensics being a focusof the project, both intelligence and foresight dimensions will also be tackled by ASGARD.

(Data analysis; data fusion; data intelligence; big data; event detection; content and visual analytics; NLP; sentiment analysis; multimedia analysis; digital forensics; foresight; signal analysis; )

Project Costs: EUR 11,9 Mio

Project Duration: 01.09.2016-2019/2020 (36-42 PM)

Link: http://www.asgard-project.eu/ & http://cordis.europa.eu/project/rcn/203297_en.html

24

Capability development optionsDesign or re-design the supply chain network stuctures:

• Peer to Peer structure (decentralized) vs centralized managed supply chain networkremark: but loss of state sovereignity because of increasing peer to peer structure of supply chain network.

• How to protect and attack decentralized supply chain network?

25

Digitization - The World without Borders

Smart Factory

SmartContract

Industry4.0

Smart Mobility

Smart Grid

Smart Home

IoTShopping

4.0

26

Understanding the Business of our Clients in the Smart Economy

27

• Ransomware, esp. Crypto-Ransomware

• DDoS Botnet, Cloud, Internet of Things

• Phishing

• CEO- / CFO- / CxO-Fraud

• Hacking

• Trustworthy Sources

Threats

28

Audit Profession not prepared for Digitization?

Auditing is used to create trust for stakeholders

Annual audits (ex post) sufficient?

Cyber risks described in annual reports?

Are well-educated financial, business and legal experts able to assess complex digital business processes and risks?

Is our profession prepared for the new requirements?

29

Audit Profession not prepared for Digitization!

Fundamental changes are needed

Legislation and professional standards

Annual audits replaced by continuous audits

Regular reporting and information regarding the effects on the annual financial statements including cyber risks

IT knowledge as a key factor in the audit team

30

Shopping 4.0

Attractive forbeginners

Industry4.0

Virtual Audit Teams

Smart Audit for Smart Companies

IoTSmart Audit

Smart Factory

SmartContract

Smart Mobility

Smart Grid

Smart Home

AutomatedAudit

Innovative Services

IT-Knowledge

Data-networking: Client - Auditor

ContinuousAudit

31

Opportunities and Consequences

prevention products

intervention-productspostvention

productspre-execution execution phase follow-up

strategic operativly strategic operativly strategic Operativly Strategic Operativly Strategic Operativly

Soft Hard soft hard soft hard soft hard soft hard soft hard soft hard soft hard soft hard soft hard

1st Line of Defense

x

x x x x

x

2nd Line of Defense

x

x

x x

3rd Line of Defense x x

Consulting Products and Auditing Sevices

32

Opportunities and ConsequencesNew innovative services

• Cloud Computing: Security Audits / Consulting Services

• Big Data analysis

• Cyber & ICT Security Assessments

• Cyber Defence Consulting

• Supply Chain Security Assessment & Consulting

• Services for analysis of supply chain networks

• Legal compliance in the area: Cyber-, ICT and supply chainnetworks

• Audit of blockchain-applications

• Penetration tests

• Fintech-Audits

33

Opportunities and ConsequencesNew innovative services

• Forensic services

• Trend monitoing services for• decision building & making• Pre-aquisition and due dilliguence

• and so on.

More value added to the clients through

• continuous audit: deficiencies are reported immatediatly

• automated data analysis: less effort for the client, full coverageof the audited transactions

34

Opportunities and Consequences

Fundamental changes in the personell resources (audit teams) areneeded

IT Knowledge as a key factor – Smart Audit needs IT Experts

Education of Auditors – legal and economic know-how is not enough

Virtual teams – experts consult regardless of their location

35

Thank you for your attention !

36

Key Points for the Roundtable DiscussionTax Consulting

integrated business process, central database

bookkeeping and tax work on client's systems

client will reduce staff

new kind of work for taxconsultants, specialists w. overview will be needed

what can we do?

more IT-knowhow required

Research skills

Use the remaining time

Audit

Digitization changes the world

Big Data, new technological concepts and business instruments

New business risks

Audit profession is not prepared for Digitization

Changes in the audit approach are needed

Smart Audit for Smart Companies

New innovative Services