Abstracts

To download all papers and PowerPoints please go to our UW CISA 2019 Symposium Papers and PowerPoints Dropbox.

An Ontological Methodology for Classifying Social Media: Text Mining Analysis for Financial Data

Zamil Alzamil, Rutgers University; Deniz Appelbaum, Montclair State University; and Robert Nehmer, Oakland University

Abstract

In this paper we utilize a natural language processing implementation of the Financial Industry Business Ontology (FIBO) to extract financial information from the social media platform Twitter regarding financial and budget information in the public sector, namely the two public-private agencies of the Port Authority of NY and NJ (PANYNJ) and the NY Metropolitan Transportation Agency (MTA). This research initiative is approached from the Design Science Research (DSR) perspective to develop a methodology that classifies tweets as either relevant to financial bonds or not. We apply a frame and slot approach from the artificial intelligence and natural language processing literature to operationalize this methodology. FIBO provides standards for defining the facts, terms, and relationships associated with financial concepts. One contribution of this paper is that it is the first to recognize that the FIBO structure provides a grammar of financial concepts which can be used to classify social media for knowledge representation. Previous research explores non-financial ontologies for knowledge representation and FIBO ontologies for sentiment analysis in social media, but research has yet to discuss financial ontologies for knowledge representation or environmental scanning extraction from social media. We show that FIBO grammar can be used to mine semantic meaning from unstructured textual data and that it provides a nuanced representation of structured financial data. Twitter streams are monitored and analyzed with frames derived from FIBO and key words. Using FIBO frames, constituent semantic structures can be uncovered to predict reactions to policies and programs and to perform other environmental scanning more quickly than by following the feeds manually. With this methodology, social media such as Twitter may be accessed for the knowledge that its utterances contain about financial concepts at many levels. This process is anticipated to be of interest to bond issuers, regulators, analysts, investors, and academics. It may also be extended towards other financial domains that relate to FIBO ontologies, as well as any other domain for which an ontology exists.

Keywords: FIBO, ontology, social media, frames and slots, municipal bonds

To download this paper and PowerPoints for the session please go to our Dropbox.


A Taxonomy of Cybercrime: Theory and Design

Akhilesh Chandra, The University of Akron, and Melissa J. Snowe, DFAS (Defense Finance and Accounting Service), Cleveland

Abstract

The objective of this paper is to develop a theory-based taxonomy for cybercrime. We define a cybercrime as an act in which the use of a computer, its related technology, and/or the networked system in which it functions integrally facilitates or enables a criminal act against victim(s). The need for a stable, comprehensive taxonomy stems from the lack of a universal definition, and of the associated clarity in describing, understanding, and uniformly and consistently applying a vernacular language for cybercrime. The theoretical foundation for our taxonomy has its roots in four concepts: mutual exclusivity, structure, exhaustiveness, and well-defined, descriptive categories. Together, these precepts ensure the stability, comprehensiveness, completeness, flexibility and adaptability of the taxonomy, so that it can describe, organize, report and consistently expand with the continual evolution of technology. We discuss the implications of our taxonomy for management, enforcement agencies, and international governance over regulation, as well as for the judicial process.

Keywords: taxonomy, cybercrime

To download this paper and PowerPoints for the session please go to our Dropbox.


A View from the CISO: Data Classification Drivers, Challenges, and Outcomes

Marianne Bradford and Eileen Taylor, North Carolina State University, and Megan Seymore, University of North Texas

Abstract

Data classification is the foundation for information security as it provides a structure for the rules that govern what users are allowed to do with organizational data (Everett, 2011). To examine data classification practices in organizations, we employ a qualitative research approach, conducting semi-structured interviews with 27 data security professionals in 23 different organizations. The interviews allowed us to explore data classification processes, drivers, controls, challenges, and outcomes in depth. We find that most organizations use a collaborative approach led by the CISO (Chief Information Security Officer) to develop their data classifications, which generally include three categories (e.g., public, internal, restricted). Risk management is the main driver for data classification, with reputational, financial, and legal liability risks being mentioned most frequently. Efforts to comply with industry-specific and general regulations are another driver. Organizations implement a wide variety of automated controls to enforce data classification policies. However, they find that data loss prevention (DLP) tools are not yet mature enough for classifying complex or context-specific data. The main challenges to data classification are user non-compliance, complexity of the IT landscape, obtaining an accurate data inventory, lack of resources, and lack of mature classification tools. Positive outcomes from the data classification process include greater organizational awareness of data security and privacy, more fine-grained controls around the areas of highest risk, and improved data hygiene. CISOs and other data security professionals can benefit from this detailed analysis of the state of data classification practices as they seek to develop their own best practices.

Keywords: data classification, data security, data governance, General Data Protection Regulation (GDPR), information security risk management, data loss prevention (DLP) technology

To download this paper and PowerPoints for the session please go to our Dropbox.


Audit Process Automation and Process Redesign: A Case Study

Chanta Thomas and Chanyuan (Abigail) Zhang, Rutgers University

Abstract

Robotic Process Automation (RPA) is software technology for the automation of tasks that are repetitive, standardized, and rule-based. This paper focuses on the process of a CPA firm’s adoption of RPA for a specific type of audit and how that technology was integrated into its current audit methodology. This adoption required a redesign of the firm’s audit paradigm for these specific audits. The automated and redesigned audit procedure can complete the repetitive, rule-based tasks in approximately 3 minutes, in contrast to 3 hours when done manually. The effectiveness of the audit can also be improved due to enhanced standardization, higher accuracy, and more time allocated to complicated tasks that require professional judgment.

Keywords: audit, robotic process automation, process redesign, audit automation

To download this paper and PowerPoints for the session please go to our Dropbox.


Big Data Prioritization in SCM Decision-making: Its Role and Performance Implications

Luigi Red Gaerlan, Carla Wilkin, Aldónio Ferreira and Kristian Rotaru, Monash University

Abstract

The value of big data is evident from firms’ investment in databases and analytical tools that incorporate big data into corporate systems for use in decision-making. The challenge is that the growth in the size of big data, and the variability in its quality, present issues. Consequently, if firms fail to realize that certain big data inputs are irrelevant and of poor quality, performance will be negatively affected and the costs associated with producing reports will be wasted. This study aims to address such concerns by investigating firms’ prioritization concerning the supply of available big data (Big Data Availability) to inform organizational decision-making, with application to supply chain management (SCM). Results from a survey of 84 managers support the hypothesis of a positive association between Big Data Availability and the use of big data in SCM decision-making, which in turn positively influences SCM performance. Further, the reported evidence shows a positive association between Big Data Availability and Big Data Prioritization, suggesting that Big Data Prioritization has a positive impact on the use of big data in SCM decision-making and on SCM performance.

Keywords: big data, big data availability, big data prioritization, supply chain management, supply chain management performance

To download this paper and PowerPoints for the session please go to our Dropbox.


Blockchain and Internal Controls: the COSO* Perspective

Eric E. Cohen, Cohen Computer Consulting

Abstract

How might blockchain and distributed ledger technologies impact the COSO principles? This session will cover the reasons COSO began this project, its development, and the executive summary.

*COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission, a joint initiative of five private-sector organizations (AAA, AICPA, FEI, IIA, IMA) providing thought leadership on enterprise risk management, internal control, and fraud deterrence.

To download the PowerPoints for the session please go to our Dropbox.


Blockchain Architecture: A Design that Helps CPA Firms Leverage the Technology

Nishani Edirisinghe Vincent, Anthony Skjellum, and Sai Medury, University of Tennessee at Chattanooga

Abstract

Blockchain technology has gained the interest of the accounting profession in recent years. However, when considering whether to adopt the technology, many business professionals have cited the lack of a compelling use case as a major challenge. In this paper, we design a blockchain architecture for firms that will enable auditors to leverage the technology to provide audit and assurance services. To design the architecture we consider two broad questions: first, how do CPA firms gain access to reliable audit evidence, and second, how can a firm maintain the privacy and security of its data given a decentralized and distributed immutable ledger? Consequently, the proposed architecture helps auditors gain access to reliable audit evidence while incentivizing firms to adopt blockchain technology by substantially reducing the costs of replacing existing information systems. Given this architecture, auditors could also design continuous audit procedures for their respective clients without having to incur substantial investments in software integration. Further, the architecture can be expanded to include various use cases and supply chain participants, other CPA firms, customers, and regulators.

Keywords: blockchain, architecture, blockchain architecture, CPA firms, blockchain for audit

To download this paper and PowerPoints for the session please go to our Dropbox.


Continuous Monitoring and Audit Methodology for Medication Procurement

Mauricio Codesso, Federal University of Santa Catarina; Miklos Vasarhelyi and Wenru Wang, Rutgers University

Abstract

Continuous audit has been widely adopted by public and private firms, albeit at different adoption levels (PwC, 2006; Vasarhelyi, et al., 2012). However, implementations of continuous monitoring and audit for government procurement analysis are rare, even though government procurement is prone to waste and abuse during the process. By identifying and analyzing anomalous patterns in medication acquisition values through text mining techniques, this study uses data from a Brazilian city and establishes a continuous monitoring and audit dashboard to achieve timelier and less costly management of procurement procedures. The methodology created in this study will not only shed light on government procurement analysis, but also give armchair auditors insights for investigating government open data from different perspectives.

Keywords: text mining, continuous audit, continuous monitoring, government procurement, internal control

To download this paper and PowerPoints for the session please go to our Dropbox.


If You Cannot Measure It, You Cannot Manage It: Assessing the Quality of Cybersecurity Risk Disclosure through Textual Imagification

Arion Cheong, Soohyun Cho, Won Gyn No, and Miklos A. Vasarhelyi, Rutgers University

Abstract

The destructive nature of cybersecurity threats makes it crucial for stakeholders to understand the related risks that any given firm faces. In order to map a firm’s known cybersecurity risks and identify its specific risks as compared to its industry peers, we utilize text mining techniques to extract and analyze the risk factor disclosures that firms report on Form 10-K. Since a comparison of firms’ cybersecurity risks through textual analysis is statistically infeasible, we introduce a new approach, textual imagification. This methodology enables analysts to provide a measurable and comparable image of a firm’s cybersecurity risks based on data extracted from Form 10-K. This imagification of cybersecurity risk factors can facilitate stakeholders’ decision-making processes by making such risks easily accessible and comparable.

Keywords: cybersecurity, risk assessment, text mining, machine learning

To download this paper and PowerPoints for the session please go to our Dropbox.


Public Companies' Cybersecurity Risk Disclosures

Lei Gao and Thomas G. Calderon, University of Akron, and Fengchun Tang, Virginia Commonwealth University

Abstract

Companies are facing unprecedented threats from cybersecurity incidents. In response to the increased cybersecurity threats, the SEC issued cybersecurity risk disclosure guidance in 2011 and updated guidance in February 2018 requiring public companies to disclose material cybersecurity risks and cyber incidents. While cybersecurity risk disclosure receives increasing attention from regulators and practitioners, there is limited empirical research on the cybersecurity risk disclosure practices of public companies. Yet cybersecurity risks are significant and could materially affect business operations and the integrity of financial reports. In this study, we investigate the content and linguistic characteristics of the cybersecurity risk disclosures of 56 public companies from 2005 to 2017. We first identify trends and patterns in cybersecurity risk disclosures, and then we investigate the factors that drive the changes in cybersecurity disclosure practices over the years. Results show that the two most commonly faced cybersecurity risks are the risk of service/operation disruption and the risk of data breach. Item 1A of the 10-K Report is the most used location for all types of cybersecurity disclosure except disclosures related to cybersecurity procedures, which are mostly made in Item 7. The increase in cybersecurity risk disclosures is driven by the SEC’s 2011 Guidance, industry, the overall cybersecurity risks in the general economy, company size, and prior cyber breach incidents. Overall disclosure readability decreased after companies experienced cyber breach incidents and increased after changes in corporate executives. In addition, the use of litigious language is positively associated with the proportion of intangible assets on registrants’ balance sheets.

Keywords: cyber security, risk disclosure, linguistic characteristics, Securities and Exchange Commission (SEC)

To download this paper and PowerPoints for the session please go to our Dropbox.


Talk Too Much? The Attribution of Cybersecurity Disclosures on Investment Decisions

Xu (Joyce) Cheng, Auburn University; Tawei (David) Wang, DePaul University; and Carol Hsu, Tongji University, China

Abstract

Recent high-profile cybersecurity breaches have raised concern regarding how organizations disclose security management information to the public. The Securities and Exchange Commission (SEC) issued interpretive guidance on security risk factor disclosures in 2018, while the American Institute of CPAs (AICPA) has proposed a cybersecurity risk management reporting framework. In this study, we attempt to provide evidence and policy implications by examining nonprofessional investors’ investment decisions given different types of cybersecurity disclosures (i.e., existing cybersecurity risk factor disclosures versus the proposed cybersecurity risk management reports) before and after cybersecurity breaches. Our findings suggest that the disclosure of a cybersecurity risk management program is negatively related to nonprofessional investors’ investment decisions after a security breach. However, when it is issued with an independent report, the negative effect on investment decisions after the security breach is indistinguishable from that for firms that disclose only through risk factors. Implications are discussed.

Keywords: cybersecurity disclosures, risk factors, cybersecurity risk management program, investment decisions

To download this paper and PowerPoints for the session please go to our Dropbox.


“The First Mile Problem”: Deriving an Endogenous Demand for Auditing in Blockchain-based Business Processes

Michael Alles, Rutgers University and Glen Gray, California State University, Northridge

Abstract

In this paper, we model the business process within which blockchain applications operate in order to extract an endogenous demand for auditing in that environment. We begin by undertaking a case study of the pharmaceutical drug industry supply chain, exploring both the blockchain initiatives proposed for it by the FDA and startup companies, and the problems in the supply chain that blockchain cannot address. Drawing on this analysis, we derive an endogenous demand for auditing to overcome what we label the “first mile problem” with blockchains: ensuring that the data stored on the blockchain distributed ledger is isomorphic with the real-life data that it purports to represent. The first mile problem arises only when the blockchain is used to store data about physical items, especially ones involving a service component, rather than natively digital items, as is the case with the genesis blockchain application, bitcoin. We show that unless it is feasible to store a “digital twin” of the item, there is a role for auditors to help alleviate the first mile problem. There is no guarantee, however, that this new demand for auditing will be met by the traditional financial statement auditors.

Keywords: blockchain, bitcoin, first mile problem, auditing

To download this paper and PowerPoints for the session please go to our Dropbox.