It has always struck me how well the field of finance, and more specifically accounting, has done to standardize its terms. This standardization is such that there is a general appreciation that when something is said to be so, then it is. When you are on, or associated with, Boards of public or private companies you can, with some experience, easily process the state of finances, financial controls, valuation and myriad other topics. You also have reasonable assurance that what is claimed and audited is, within some margin, correct. Of course, there is still scope for error or malfeasance, but generally accounting can be relied upon, and any exceptions to this usually do prove the rule. Now, when it comes to cybersecurity, or more generally technology and information risk, this is less so. Representing the status of an enterprise’s security is quite artisanal and crafted in a unique way for each company. This forces executive leadership and Boards to have to divine ways of checking that their security is adequate. I’ve written about various techniques for this in these posts:
Technology and cybersecurity risk has various industry frameworks for which certifications can be obtained, such as ISO 27001, PCI-DSS and so on. There are also audit frameworks like SOC2 and others which permit some degree of standardization of assessment and representation. But, despite some of their utility, they are rightly deemed necessary but not sufficient. For example, a Board (Audit Committee or otherwise) may take comfort from the organization’s SOC2, and the SOC2s of key suppliers, but those don't always provide the breadth and depth needed. Also, remember that the uncanny valley plays strongly here, in that the best organizations who take this seriously may look worse than those who don't and who deliver cursory reports. For example, I’ve been part of organizations where we had strong SOC1/SOC2 and other attestations with realistic scope and rigorous depth. This was of such depth that there were regularly some small number of control exceptions (despite constant effort to avoid such things). Such exceptions were well within expected parameters and error rates, and overall risk mitigation was still assured because of multiple lines of control. Yet these voluminous reports with a small number of exceptions were regularly compared unfavorably with the reports from competitors who had zero exceptions because their reports were scoped so narrowly, and control depth framed so minimally, that they gave no assurance beyond the organization having a few basic policies. Most consumers of such reports just looked at the top-line exception number and didn’t pay attention to the detail. I’m sure those other companies laughed at their competitor’s predicament for a few years, at least until they were forced by the auditors to increase their own scope/depth and then walked into the buzzsaw of a real audit, which resulted not just in exceptions but in a full-on qualified report with all of those consequences. Anyway, I digress.
Accounting is generally good at these things: it has standards, professional bodies with rigorous examinations, oversight boards (like the PCAOB), regulators with strong oversight (like the SEC) and severe (potentially criminal) consequences for corporate officers and Boards who are fraudulent or negligent in their oversight. There are numerous feedback loops in the accounting profession to learn from errors, and in many countries sweeping changes occur when more systemic issues are uncovered (like the Sarbanes-Oxley Act, which came after the Enron and other scandals in the US in the early 2000s). So, let’s do the inverse thought experiment of what the world would be like if accounting were actually like cybersecurity. By the way, I’m not an accountant, I’ve not even played one on stage, but I’ve worked with many - they’re very fine people - so some of these examples might in fact be off base. There may, in fact, be annual Las Vegas jamborees for accountants - these might even be fun.
Every year tens of thousands of accountants wearing shorts and t-shirts gather in Las Vegas and come up with ways to defraud companies and misrepresent financial statements to auditors, while manipulating their bar bills to charge things to other rooms. They gather in conference rooms to play “capture the fraud” and attend cocktail parties paid for by vendors of products that help solve 1/1000th of their problems. But no one really minds, as the people who control the spending went to a different event in a different city anyway.
Professional Qualifications and Codes of Conduct
There are few rules of the road for accountants. Anyone can claim to be an accountant and there’s no way to determine whether someone is qualified, skilled, actually experienced or subject to regular scrutiny. The community occasionally feels good about this, but opinion is divided as to whether a few multiple-choice exams, which deliver a certification to anyone willing to invest the time in showing enough knowledge to pass them, are really good enough.
What’s an oversight body? Accountants can do what they want, decide what standards to promote, and form multiple different associations to set minimum standards and methods, each claiming that its own perspective is the right one. Some other adjacent professions use their oversight frameworks to try to impose some order on the situation.
Accounting Software Packages
There’s a whole industry of software to help accountants identify, record, monitor, respond to discrepancies and recover from issues. There is even a framework for this, the NIFT ASF (National Institute of Financial Testing Accounting Standards Framework), and everyone has developed tremendous skill in showing that whatever they do conforms to it. You need to buy multiple products and arrange them in arcane ways to feel like you have a semblance of control over your financial situation. There are some large vendors of financial systems with deeply embedded control issues who also sell a lot of financial control packages to correct for those same problems. No one seems to mind, for some reason.
Organizations are constantly re-stating their financial reports or disclosing financial errors (or not disclosing them). You can buy insurance against your finances being misstated but there’s a lot of debate on how to charge premiums for that. You get used to getting some regular token compensation when you’ve been delayed in receiving payment because of these misstatements. In the end, most people have gotten used to this. There are some really good "error bounty" programs where researchers pore over company accounts looking for issues and get paid well for reporting these.
Every accountant, Chief Accounting Officer (CAO) or Chief Financial Officer (CFO) has their own unique way of representing the financial situation of the company, the accounting controls and other key aspects of the books and records. There’s a whole industry of people giving advice to those accountants on how to talk to the Board and demystify such a complex subject as where the money has gone and whether the organization is in fact making any money. A lot of those people giving such advice have never actually been accountants, CAOs or CFOs.
There is constant debate over whether Boards need to have Board members with some familiarity with finance, let alone financial controls. Board members who sit on multiple Boards are confused by all the different ways finances are represented to them at those various organizations. Every now and again a particularly diligent Board member will try and get the accountants together from their various companies to try and standardize on some means of reporting. The accountants don’t like doing that, but will comply and then a management consulting firm will be hired to help jealously guard that framework so that it doesn’t actually get used broadly.
Many parts of Government have similar issues in controlling their finances and start musing on the idea that maybe the private sector has some insight into this - especially on how to avoid financial misstatements and fraud. There are numerous think-tank reports that produce lots of calls to action that people mostly applaud but then file away - until they need to crib from them for the next think-tank report. There are organizations called ISACs (Inter-company Shared Accounting Controls) set up to share patterns of fraud and best practices and to provide a conduit for such public/private sharing. Everyone feels good about this and loves receiving the information, but generally doesn’t contribute that much because of some possible legal issues (whether or not these are real... the accountants like blaming the lawyers for some reason).
Financing and Valuations
No one can agree on what the right and fair method for valuing particular assets or companies might be. Actually, scratch this example. Cyber’s not bad.
There are regular, rigorous audits of organizations' accounts and controls. Sometimes there are some standards that are used as the basis of those audits. The accountants spend a lot of time suggesting that the auditors can never appreciate the complexity of their role, and hence that a narrower audit scope would be reasonable.
There is an emerging consensus on what financial controls are needed, how they work together and, importantly, how they should be embedded early in the lifecycle of business process design. This movement, called “count left”, has been championed by many organizations that have had the novelty of building new companies or new processes, or are using a new thing called a “number cloud”. The rest of the grizzled accountants are left to deal with their legacy processes, built when no one could imagine that anyone would even want to rely on the numbers always being accurate. Despite this there is a lot of resistance to rebuilding, and there’s a whole industry of things like RAA (Robotic Accountant Automation) which papers over the cracks for another year.
Reporting line of the Chief Accounting Officer
There’s a regular debate about how the whole accounting situation could be improved if only the Chief Accounting Officer could report to the CEO. The logic of this is that the Chief Accounting Officer (CAO) and the Chief Financial Officer (CFO) are in an inherently conflicted position, because the CFO wants to make the numbers look good but the CAO wants to make them accurate. For some reason most of the people who have the strongest views on this have never actually been a CAO or CFO. The CEO doesn’t care who works for whom, as she just wants everyone to get along and improve the business for the sake of the customers, while running a tight ship.
No one can agree what the essential metrics are that need to be regularly reported to the public. Nor can people agree what is a significant enough event that would cause a regulatory or other public disclosure filing. There’s a whole industry of legal opinion and advice on this topic. This is when the accountants love the lawyers, mostly.
I wrote this for a bit of fun rather than snark. I know we’re all working hard at an, arguably, more complex problem than many of our colleagues in financial control have had to face. Despite the fun, such comparisons are useful for learning, as well as for showing us the art of the possible, especially if we let go of the binary-curse thinking that would have us fall into the trap of assuming that just because we can’t come up with approaches that are perfect, any attempt is pointless.
Bottom line: we need to keep learning from other disciplines and keep focused on iterative improvement, systemic adjustments, and perhaps even some braver thoughts around professional standards and standards of reporting.