Discussant Comments “Information Fusion in Continuous Assurance”
Kiran Samra, CISA
October 2, 2009 – Symposium on Information Integrity & Information Systems Assurance
© 2009 Ernst & Young LLP. All rights reserved.
Disclaimer
The views expressed are those of the presenter and do not necessarily represent the views and opinions of Ernst & Young LLP. This publication contains information in summary form, current as of the date of publication, and is intended for general guidance only. It should not be regarded as comprehensive or a substitute for professional advice. Before taking any particular course of action, contact Ernst & Young or another professional advisor to discuss these matters in the context of your particular circumstances. We accept no responsibility for any loss or damage occasioned by your reliance on information contained in this publication.
Outline
► Information Overload is not Inevitable
► Practical Application of Continuous Assurance Fusion Unclear
► Human Processing vs. Machine Processing
► Key Contributions
Information Overload is not Inevitable
There are ways of dealing with too many exceptions. To reduce the number of exceptions:
► Define greater flexibility in control analytics to accommodate business processes
► Provide greater granularity in control analytics and scope using parameters
► Re-align business processes to comply with controls
Handling a large number of exceptions remains a key challenge for continuous auditing systems. The real issue is: why are there so many exceptions in the first place?
Practical Application of Continuous Assurance Fusion (CAF) Unclear
The Purchase-to-Pay (P2P) process is used to try to put CAF in practical terms, but the examples don’t go far enough:
► P2P example effectively illustrates the Resources, Events, Agents (REA) ontology
► Unclear where Information Fusion fits into CAF in practical terms
► Narrative + Clear End-to-End example would have provided more clarity than set theory
Good leverage of existing research; however, CAF itself is presented too abstractly to guide an implementation.
Human Processing vs. Machine Processing
Humans perform Information Fusion all the time
► There are many exceptions to rules that we wouldn’t want the artificial neural network (ANN) to learn
► Organizations have been slow to adopt continuous auditing; CAF would be even more complicated & expensive
► Cost of implementing and maintaining CAF might negate any efficiency gains
► Simpler solution exists: Minimize the # of exceptions generated
Key Contributions
► Provides a novel way of approaching the “information overload” problem of continuous auditing
► Shows how far we could go to automate the auditing process
► Current technology may not be sufficient to implement this right away but CAF provides a framework for further research and development