PricewaterhouseCoopers November 2007 Slide 1 How page must have a dark background from color schemes: From menu, select Format > Slide Design… then click.

PricewaterhouseCoopersNovember 2007

Slide 1

Ho

w p

ag

e m

us

t h

av

e a

da

rk b

ac

kg

rou

nd

fro

m c

olo

r s

ch

em

es

: F

rom

me

nu

, s

ele

ct

Fo

rma

t >

Sli

de

De

sig

n…

th

en

cli

ck

on

Co

lor

sch

em

es

an

d c

ho

os

e c

orr

es

po

nd

ing

co

lor.

Continuous Auditing and Reporting

The Role of Public Cryptography

Glenn RicartCenter for Advanced Research

14th Symposium on Continuous Auditing and Reporting

Slide 2PricewaterhouseCoopersNovember 2007

Continuous Auditing at PwC

Very active

Advisory Practice (non-attest)

Assurance Practice

Special Resources

Data Acquisition (Houston)

World Class Controls Project

How will public key cryptography help enable continuous auditing?*

*connectedthinking

PwCCenter forAdvanced Research

www.pwc.com/car


Acronym Confusion

C Continuous

A Auditing and

R Reporting


Acronym Confusion

C Center for

A Advanced

R Research


www.pwc.com/car


CAR’s Purpose

The PricewaterhouseCoopers Center for Advanced Research (CAR) conducts PwC-sponsored research and development on business problems that have no known solution in the marketplace.


Approach


Small teams Different points of view

Look outside

Experts from other areas

Practice people on tours

Work closely with US IT

Engage academia

Working prototypes

InternsBrainstorm

Innovate

How else could we do this?

File patents

Fail half the time

Problems we don’t know how to solve

Try again

Advanced technology

Problems no one else is tackling

Aha!Sponsors

Design

Take risk

High payoff

How will public key cryptography help enable continuous auditing?*

*connectedthinking


Data Collection in Continuous Auditing


Cryptography

Private, Shared Key – both sides guard a single secret

Public / Private Key Pair – shared information is public


Confidentiality and Non-Repudiation

Confidentiality

Non-Repudiation (signing)


Both Confidentiality and Non-Repudiation


Attestation from using public/private key pair

This information is correct (signed)

It came from me (non-repudiation, signed)

You are the only one who can read it (confidentiality)

Assumption:

Each organization takes great care with its private key


In Practice

The public/private key pair encryption is used to establish a more efficient, shared encryption key called a “session key” for a period of time.


What Really Happens


Continuous Financial Audit Data Flows


Continuous Financial Audit Data Flows


How can you gain assurance over real-time reported data?

Match against external counterparties (confirms)

Confidence in controls

Analytics against prior years or ratios

Tests of details (usually against samples)


Third Parties / Counter-parties

You can send my records under the PwC public key (to them)


All (cash) transactions verified by counterparty


Electronic matching of 3rd/counterparty info

Financial

Cash flows (via banks)

Orders, invoices (from counterparty, possibly via auditor or captive clearing house)

Operational

Shipments (via shippers)

Goods (from counterparty via auditor / CH)


Real-Time Assurance

From real-time data flows to auditors and from electronic matching of assured multi-party documents shared securely and as-needed via public cryptography.


www.pwc.com/car

PricewaterhouseCoopers November 2007 Slide 1 How page must have a dark background from color schemes: From menu, select Format > Slide Design… then click.

Documents

public slide

rreporting slide

continuous auditing

private key slide

connectedthinking pwc

nonrepudiation slide

format slide design

aadvanced rresearch