PricewaterhouseCoopers, November 2007
Slide 1
Continuous Auditing and Reporting
The Role of Public Cryptography
Glenn Ricart
Center for Advanced Research
14th Symposium on Continuous Auditing and Reporting
Slide 2
Continuous Auditing at PwC
Very active
Advisory Practice (non-attest)
Assurance Practice
Special Resources
Data Acquisition (Houston)
World Class Controls Project
How will public key cryptography help enable continuous auditing?
PwC Center for Advanced Research
www.pwc.com/car
Slide 5
Acronym Confusion
C Continuous
A Auditing and
R Reporting
Slide 6
Acronym Confusion
C Center for
A Advanced
R Research
Slide 8
CAR’s Purpose
The PricewaterhouseCoopers Center for Advanced Research (CAR) conducts PwC-sponsored research and development on business problems that have no known solution in the marketplace.
Slide 9
Approach
PwC Center for Advanced Research
Small teams
Different points of view
Look outside
Experts from other areas
Practice people on tours
Work closely with US IT
Engage academia
Working prototypes
Interns
Brainstorm
Innovate
How else could we do this?
File patents
Fail half the time
Problems we don’t know how to solve
Try again
Advanced technology
Problems no one else is tackling
Aha!
Sponsors
Design
Take risk
High payoff
How will public key cryptography help enable continuous auditing?
Slide 11
Data Collection in Continuous Auditing
Slide 12
Cryptography
Private, Shared Key – both sides guard a single secret
Public / Private Key Pair – shared information is public
Slide 13
Confidentiality and Non-Repudiation
Confidentiality
Non-Repudiation (signing)
Slide 14
Both Confidentiality and Non-Repudiation
Slide 15
Attestation from using public/private key pair
This information is correct (signed)
It came from me (non-repudiation, signed)
You are the only one who can read it (confidentiality)
Assumption:
Each organization takes great care with its private key
Slide 16
In Practice
The public/private key pair encryption is used to establish a more efficient, shared encryption key called a “session key” for a period of time.
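Added example (not from the original slides): a Go sketch of the three attestation properties on slide 15 combined with the session-key practice on slide 16, for one record sent from an audited client to the auditor. RSA-PSS, RSA-OAEP, AES-256-GCM, the `Envelope` layout and all function names are assumptions chosen for illustration; the slides name no algorithms.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

type Envelope struct{ WrappedKey, Nonce, Ciphertext, Signature []byte } // hypothetical layout

func must[T any](v T, err error) T { // local failures (RNG, key setup) are fatal in this demo
	if err != nil {
		panic(err)
	}
	return v
}
func NewKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) } // throwaway key
func aead(k []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(k)))) }
func sum(b []byte) []byte { d := sha256.Sum256(b); return d[:] }

// Seal signs record, encrypts it under a fresh AES-256-GCM session key, and wraps that key for recipient.
func Seal(sender *rsa.PrivateKey, recipient *rsa.PublicKey, record []byte) Envelope {
	sig := must(rsa.SignPSS(rand.Reader, sender, crypto.SHA256, sum(record), nil))
	secret := make([]byte, 32+12) // session key followed by GCM nonce
	must(rand.Read(secret))
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, secret[:32], nil))
	return Envelope{wrapped, secret[32:], aead(secret[:32]).Seal(nil, secret[32:], record, sig), sig}
}

// Open unwraps the session key, decrypts (the signature is GCM associated data), then verifies the signer.
func Open(recipient *rsa.PrivateKey, sender *rsa.PublicKey, e Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, e.WrappedKey, nil)
	if err != nil || len(key) != 32 || len(e.Nonce) != 12 {
		return nil, fmt.Errorf("cannot unwrap session key")
	}
	record, err := aead(key).Open(nil, e.Nonce, e.Ciphertext, e.Signature)
	if err != nil || rsa.VerifyPSS(sender, crypto.SHA256, sum(record), e.Signature, nil) != nil {
		return nil, fmt.Errorf("record or signature rejected")
	}
	return record, nil
}

func main() {
	c, a := NewKey(), NewKey() // constructed client and auditor key pairs
	fmt.Println(string(must(Open(a, &c.PublicKey, Seal(c, &a.PublicKey, []byte("wire 1250.00 USD"))))))
}
```

The signature travels unencrypted here to keep the block short; a production format would encrypt it together with the record, since anyone holding the client's public key can test guesses of the record against it.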
Slide 17
What Really Happens
Slide 18
Continuous Financial Audit Data Flows
Slide 19
Continuous Financial Audit Data Flows
Slide 20
How can you gain assurance over real-time reported data?
Match against external counterparties (confirms)
Confidence in controls
Analytics against prior years or ratios
Tests of details (usually against samples)
Slide 21
Third Parties / Counter-parties
You can send my records under the PwC public key (to them)
Slide 22
All (cash) transactions verified by counterparty
Slide 23
Electronic matching of 3rd/counterparty info
Financial
Cash flows (via banks)
Orders, invoices (from counterparty, possibly via auditor or captive clearing house)
Operational
Shipments (via shippers)
Goods (from counterparty via auditor / CH)
Slide 24
Real-Time Assurance
From real-time data flows to auditors and from electronic matching of assured multi-party documents shared securely and as-needed via public cryptography.