In the world in which we live and breathe, “trust” is developed over repeated interactions between parties with whom a relationship has been built. In the world of the Internet, trust is established much more quickly and subconsciously based on cognitive queues of similarity or credibility that are not always reliable. This apparent conflict of trust paradigm is the Trust Conundrum. The trust conundrum weakness has become the preferred and most successfully executed attack posture for hackers to exploit due to the relative ease of creating trust in the Internet. Cognitive hacks, or also known as; phishing, social engineering or by other names is the biggest threat in cybersecurity as the level of sophistication and variants of these attacks evolve.
Trust in the Internet is not a new or novel topic for those who have followed these trends over many years. In 2003, the University of Pennsylvania’s Lions Center was created to study cyber security, information privacy and trust.  The center was established in 2003 to serve three main purposes: (a) conduct research to detect and remove threats of information misuse to the human society: mitigate risk, reduce uncertainty, and enhance predictability and trust; (b) produce leading scholars in interdisciplinary cyber-security research; and (c) become a national leader in information assurance education. In the same year, the University of Oxford’s Oxford Internet Institute produced a research report titled, “Trust in the Internet: The Social Dynamics of an Experience Technology”. Today’s headlines would suggest that we have much more to learn about trust in the Internet.
After reviewing a variety of studies on the topic of trust in the Internet the general findings conclude that we have a healthy level of skepticism while conducting business in the Internet due to the perceived risks yet we trust the Internet to conduct an ever-expanding list of services. The studies suggest that our use and behavior on the Internet is driven by trust. Generally speaking, the more we use the Internet the more trust we have, a concept called cybertrust. Conversely, we trust (“net confidence”) the Internet more as our use increases exposing us to more threats (“net risks”). This conundrum is partly the reason why cyber attacks continue to grow unabated and demonstrate a huge and growing gap not fully addressed by either cyber security professionals, technology frameworks and standards or policies and procedures designed to mitigate these risks. These studies are dated and much more research on the topic of trust in the Internet is still needed but the initial research provides some insight into the root cause of the problem.
The tension between developing net confidence and the threat of net risks will not be solved in this article. The observation however is that consumer behaviors on the Internet are beginning to change. In a more recent survey posted on the blog of the website of the National Telecommunications & Information Administration (NTIA) for the U.S. Department of Commerce noted, “NTIA’s analysis of recent data shows that Americans are increasingly concerned about online security and privacy at a time when data breaches, cybersecurity incidents, and controversies over the privacy of online services have become more prominent. These concerns are prompting some Americans to limit their online activity, according to data collected for NTIA in July 2015 by the U.S. Census Bureau. This survey included several privacy and security questions, which were asked of more than 41,000 households that reported having at least one Internet user.”
The implications of these and other research suggests that if nothing is done the growth and huge economic benefits of ecommerce may be curtailed over time as “trust” diminishes as a result of increasing threats in cyberspace. The NTIA’s July 2015 survey found, “Nineteen percent of Internet-using households—representing nearly 19 million households—reported that they had been affected by an online security breach, identity theft, or similar malicious activity during the 12 months prior.”
While most organizations have been primarily concerned with developing a defensive posture for internal security of customer data it is becoming increasingly clear that the development of trust will become a critical factor in the expansion of services and uses of the Internet by the government, business and the providers of new technology. Therefore, we are at the beginnings of a crossroads where innovation, growth and security may depend as much on developing trust in the Internet as it does on the features and benefits of products and services provided by the Internet. There are few easy solutions to this problem as demonstrated by the hacking of the DNC and the growth of breaches more broadly. However, given the lack of progress made since the early research into the issue of trust demonstrates that a more comprehensive approach is needed. Joint ventures from academia, industry, government and the military and law enforcement must be forged to address these issues of privacy, security and the open Internet. The window of opportunity may be closing.
The COSO ERM framework is being revised with a new tagline, Enterprise Risk Management – Aligning Risk with Strategy and Performance. Dennis Chelsey, PwC’s Global Risk Consulting leader and lead partner for the COSO ERM effort recently stated, “Enterprise risk management has evolved significantly since 2004 and stands at the verge of providing significant value as organizations pursue value in a complex and uncertain environment.” Chelsey goes on to state that, “This update establishes the relationship between risk and strategy, positions risk in the context of an organization’s performance, and helps organizations anticipate so that can get ahead of risk and embrace a mindset of resilience.”
Additionally, the ISO 31000:2009 risk framework is being revised as well. “The revision of ISO 31000:2009, Risk management – Principles and guidelines, has moved one step further to Draft International Standard (DIS) stage where the draft is now available for public comment,” according to the International Organization of Standardization’s website. As explained by Jason Brown, Chair of ISO’s technical committee ISO/TC 262, Risk management, “The message our group would like to pass on to the reader of the [DIS], Draft International Standard, is to critically assess if the current draft can provide the guidance required while remaining relevant to all organizations in all countries. It is important to keep in mind that we are not drafting an American or European standard, a public or financial services standard, but much rather a generic International Standard.”
And finally, the Basel Committee on Banking Supervision, is rolling out, in phases, its final updated reform measures (Basel III) to ensure bank capital and liquidity measures provide resilience in financial markets to systemic risks. The magnitude and breadth of these changes may feel overwhelming depending on where you sit on the spectrum of change impacting your business.
Likewise, more complex and systemic risks such as cybersecurity, prompted the National Institute of Standards and Technology to revise and update its Cybersecurity Framework not to mention changes to Dodd Frank, Healthcare and a host of other regulatory mandates. So where does the value proposition happen in risk management? Given the increasing velocity of change in business and regulatory requirements how does a risk professional in compliance, audit, risk and/or IT security demonstrate an effective and repeatable value proposition while struggling to keep pace?
In order to begin we must first acknowledge that, like risk management, the term “value” has very different meanings for different stakeholders. A shareholder’s definition of value will most likely be different than a customer’s definition. Given this context, we can focus on the “value” proposition derived from the role of a risk professional’s contribution to each stakeholder. However, we need more information to fully understand how a risk professional might approach this topic. If you are an internal auditor you may take a risk-based approach during the audits you perform. If your role is that of a regulatory compliance professional ensuring the effectiveness of internal controls, ethics and awareness are used to derive value. The same is true for the contributions each oversight team makes. In studying other risk professionals, I have begun to learn that I need to expand my definition of value to incorporate disciplines beyond my own skill set.
Sean Lyons, author of “Corporate Defense and The Value Preservation Imperative,” focuses on key strategies to preserve value by expanding the Corporate Defense model from 3 to 5 Lines of Defense creating an enterprise-wide risk approach. Andrea Bonime-Blanc, author of “The Reputation Risk Handbook,” has developed a focus on the importance of understanding the difference in Reputation Management and the role of Reputation Risk. Dr. Bonime-Blanc makes a compelling argument for understanding the strategic importance of developing clear steps to manage key risks within a firm that pose the greatest potential of damage to a firm’s reputation by adopting an enterprise risk approach to reputation risks. In thinking about where my practice adds value, I have proposed a Cognitive Risk Framework for Cybersecurity and extended the model to include enterprise risk management. The basis for a cognitive risk framework is derived from decades of research in behavioral economics, cognitive/decision science, and a deep look at the human-machine interaction as a way to infuse human elements into risk management much the same as automobile manufacturers, NASA & aerospace industries have redesigned the interior of their respective vehicles to account for human behavior to make the travel experience safer.
What is exciting about these and many more new developments in the risk profession is that “value” can be derived by each of these approaches. In fact, while each practice may seem uniquely different the differences compliment because risk is not one dimensional. The complexity of the risk profile of many firms has changed and evolved in ways that require more than one view on how to manage the myriad of threats facing a firm. The permutations of risk exposure will only expand given the velocity of change in technology and the speed of computing power being acquired by and expected of our competitors, customers, and adversaries alike.
The challenge for organizations is to not assume that a one dimensional approach to risk management is sufficient for dealing with three dimensional risks with a great deal of uncertainty.
The value proposition of risk management viewed from this perspective suggests that a cross-disciplinary approach is needed. Even greater value can be created by risk management through thoughtful design, value preservation and sustainable practices and behaviors. By this standard, risk management informs and supports the strategic plan through the value it [risk management] creates for each of its respective stakeholders. The lesson is that organizations should not get stuck in one dogmatic approach to managing risks while assuming it is sufficient for today’s risk environment. What we learn from others is simply another way that value is created for the organization.
“In 1981, Carl Landwehr observed that “Without a precise definition of what security means and how a computer can behave, it is meaningless to ask whether a particular computer system is secure.”[i]
Researchers George Cybenko, Annarita Giani, and Paul Thompson of Dartmouth College introduced the term “Cognitive Hack” in 2002 in an article entitled, “Cognitive Hacking, a Battle for the Mind”. “The manipulation of perception —or cognitive hacking—is outside the domain of classical computer security, which focuses on the technology and network infrastructure.”[i] This is why existing security practice is no longer effective at detecting, preventing or correcting security risks, like cyber attacks.
Almost 40 years after Landwehr’s warning cognitive hacks have become the most common tactic used by more sophisticated hackers or advanced persistent threats. Cognitive hacks are the least understood and operate below human conscious awareness allowing these attacks to occur in plain sight. To understand the simplicity of these attacks one need look no further than the evening news. The Russian attack on the Presidential election is the best and most obvious example of how effective these attacks are. In fact, there is plenty of evidence that these attacks were refined in elections of emerging countries over many years.
A March 16, 2016 article in Bloomberg, “How to Hack an Election” chronicled how these tactics were used in Nicaragua, Panama, Honduras, El Salvador, Colombia, Mexico, Costa Rica, Guatemala, and Venezuela long before they were used in the American elections.
“Cognitive hacking [Cybenko, Giani, Thompson, 2002] can be either covert, which includes the subtle manipulation of perceptions and the blatant use of misleading information, or overt, which includes defacing or spoofing legitimate norms of communication to influence the user.” The reports of an army of autonomous bots creating “fake news” or, at best, misleading information in social media and popular political websites is a classic signature of a cognitive hack.
Cognitive hacks are deceptive and highly effective because of a basic human bias to believe in those things that confirm our own long held beliefs or beliefs held by peer groups whether social, political or collegial. Our perception is “weaponized” without our knowledge or full understanding we are being manipulated. Cognitive hacks are most effective in a networked environment where “fake news” can be picked up in social media sites as trending news or “viral” campaigns encouraging even more readers to be influenced by the attacks without any sign an attack has been orchestrated. In many cases, the viral nature of the news is a manipulation through the use of an army of autonomous bots on various social media sites.
At its core the manipulation of behavior has been in use for years in the form of marketing, advertisements, political campaigns and in times of war. In the Great World Wars, patriotic movies were produced to keep public spirits up or influence the induction of volunteers to join the military to fight. ISIS has been extremely effective using cognitive hacks to lure an army of volunteers to their Jihad even in the face of the perils of war. We are more susceptible than we believe which creates our vulnerability to cyber risks and allows the risk to grow unabated in the face of huge investments in security. Our lack of awareness to these threats and the subtlety of the approach make cognitive hacks the most troubling in security.
I wrote the book, “Cognitive Hack, The New Battleground in Cybersecurity.. the Human Mind”, to raise awareness of these threats. Security professionals must better understand how these attacks work and the new vulnerabilities they create to employees, business partners and organizations alike. But more importantly, these threats are growing in sophistication and vary significantly requiring security professionals to rethink assurance in their existing defensive posture.
The sensitivity of the current investigation into political hacks by the House and Senate Intelligence Committees may prevent a full disclosure of the methods and approaches used however recent news accounts leave little doubt to their effect as described more than 14 years ago by researchers and more recently in Paris and Central and South American elections. New security approaches will require a much better understanding of human behavior and collaboration from all stakeholders to minimize the impact of cognitive hacks.
I proposed a simple set of approaches in my book however security professionals must begin to educate themselves of this new, more pervasive threat and go beyond simple technology solutions to defend their organization against them. If you are interested in receiving research or other materials about this risk or approaches to address them please feel free to reach out.
[i] C.E. Landwehr, “Formal Models of Computer Security,” Computing Survey, vol. 13, no. 3, 1981, pp. 247-278.
You must be logged in to view this document. Click here to login
Organizations are striving to manage projects more efficiently, yet many fail each year at great cost. Over 50% of all projects exceed budgets or miss deadlines. Project risk plays a big role. Sponsored Post
You must be logged in to view this document. Click here to login
TheGRCBlueBook combines risk advisory services with cutting edge research, a knowledge of the GRC marketplace and a platform for GRC solutions providers to educate and showcase their products and services to a global market for risk, audit, compliance and IT professionals seeking cost effective solutions to manage a variety of risks. Partner with TheGRCBlueBook to help educate corporate buyers about your GRC products and services.
Behavioral economics has only recently begun to garner gradual acceptance by mainstream economists as a rigorous discipline that may serve as an alternative perspective on decision-making. However, the broad acceptance and growing adoption of behavioral economic theories and concepts along with advancements in computational firepower present opportunities to put into practice practical applications for improving risk management practice. The goal of this article is to develop a contextual model of a cognitive risk framework for enterprise risk management that frames the limitations and possibilities for enhancing enterprise risk management by combining behavioral science with a more rigorous analytical approach to risk management. The thesis of this paper is that managers and staff are prone to natural limitations in Bayesian probability predictions as well as errors in judgment due in part of insufficient experience or data to draw reliably consistent conclusions with great confidence. In this context, a cognitive risk framework helps to recognize these limitations in judgment. The Cognitive Risk Framework for Cybersecurity and the Five Pillars of the framework have been offered as guides for developing an advanced enterprise risk framework to deal with complex and asymmetric risks such as cyber risks.
“A major task in organizing is to determine, first, where the knowledge is located that can provide the various kinds of factual premises that decisions require.” – Herbert Simon
In a 1998 critique of Amos Tversky’s contributions to behavioral economics (Laibson and Zeckhauser) discussed how Tversky systematically exposed the theoretical flaws in rationality by individual actors in the pursuit of perfect optimality. Tversky and Kahneman’s Judgment under Uncertainty: Heuristics and Biases (1974) and Prospect Theory (1979) demonstrated that actual decisions involve some error. “The rational choice advocates assume that to predict these errors is difficult or, in the more orthodox conception of rationality, impossible. Tversky’s work rejects this view of decision-making. Tversky and his collaborators show that economic rationality is systematically violated, and that decision-making errors are both widespread and predictable. This now incontestable point was established by two central bodies of work: Tversky and Kahneman’s papers on heuristics and biases, and their papers on framing and prospect theory.”
Much of Tversky and Kahneman’s contributions are less well known by the general public and misinterpreted as a purely theoretical treatment by some risk professionals. As researchers, Tversky and Kahneman were well versed in mathematics, which helped to shine light on systemic errors in complex probability judgments and the use of heuristics in inappropriate context. As groundbreaking as behavioral science has been in challenging economic theory, Tversky and Kahneman’s work centers on a narrow set of heuristics: representativeness, availability and anchoring as universal errors. The authors used these three foundational heuristics broadly to describe how decision-makers substitute mental shortcuts for probabilistic judgments resulting in biased inferences and a lack of rigor in making decisions under uncertainty.
Cognitive Risk Framework: Harnessing Advanced Technology for Decision Support
In the thirty years since Prospect Theory data analytics expertise and computational firepower have made significant progress in addressing the weakness in Bayesian probabilities recognized by Tversky and Kahneman. Additionally, the automotive industry and Apple Inc., among others, have been successful in incorporating behavioral science in product design to reduce risk, anticipate human error and improve the user experience adding value in financial results. This paper assumes that these early examples of progress point to untapped potential if applied in constructive ways. There are distractors, and even Tversky and Kahneman admitted to inherent weaknesses that are not easy to solve. For example, observers are skeptical that laboratory results may not replicate real-life situations; that arbitrary frames don’t reflect reality as well as a lack of mathematical predictive accuracy.
Since Laibson and Zeckhauser’s (1998) critique of Tversky’s contributions to economics a large body of research in cognition has evolved to include Big Data, Computational Neurosciences, Cognitive Informatics, Cognitive Security, Intelligent Informatics, and rapid early stage advancements in machine learning and artificial intelligence. A Cognitive Risk Framework is proposed to leverage the rapid advancement of these technologies in risk management however technology alone is not a panacea. Many of these technologies are evolving yet additional progress will continue in various stages requiring risk professionals to begin to consider how to formalize steps to incorporate these tools into an enterprise risk management program in combination with other human elements.
The Cognitive Risk Framework anticipates that as promising as these new technologies are they represent one pillar of a robust and comprehensive framework for managing increasingly complex threats, such as, cyber and enterprise risks. The Five Pillars include Intentional Controls Design, Intelligence and Active Defense, Cognitive Risk Governance, Cognitive Security Informatics, and Legal “Best Efforts” Considerations. A cognitive risk framework does not supplant other risk frameworks such as COSO ERM, ISO 31000 or NIST standards for managing a range of risks in the enterprise. A cognitive risk framework is presented to leverage the progress made in risk management and provide a pathway to demonstrably enhance enterprise risk using advanced analytics to inform decision-making in ways only now possible. At the core of the framework is an assumption about data.
One of the core tenets of Prospect Theory is the recognition of errors made in decision-making derived from small sample size or poor quality data. Tversky and Kahneman noted several observations where even very skilled researchers routinely made errors of inference derived from poor sampling techniques. Many recognize the importance of data however organizations must anticipate that a cross-disciplinary team of expertise is needed to actualize a cognitive risk framework. Data will become either the engine of a cognitive risk framework or its Achilles Heel and may be the most underestimated investment in ramping up a cognition driven risk program. A cognitive risk framework anticipates much more diverse skills than currently exists in risk management and IT security.
Data is but one of the considerations in developing a robust cognitive risk framework. Other considerations will include developing structure and processes that allow ease of adoption by practitioners across multiple industries and in different size organizations. While it is anticipated that a cognitive risk framework can be successfully implemented in large and small organizations risk professionals may decide to adopt a modified version of the Five Pillars or develop solutions to address specific risks such a cybersecurity as a standalone program. It is anticipated that if cognitive risk frameworks are adopted more broadly that technology firms and standards organizations would take an active role in developing complementary programs to leverage these frameworks to advance enterprise risk using advanced analytics and cognitive elements.
 LAIBSON/ZECKHAUSER Kluwer Journal @ats-ss8/data11/kluwer/journals/risk/v16n1art1 COMPOSED: 03/26/98 11:00 am. PG.POS. 2 SESSION: 15
You must be logged in to view this document. Click here to login
Protiviti and North Carolina State University’s ERM Initiative are pleased to provide this report focusing on the top risks currently on the minds of global boards of directors and executives. This report contains results from our fifth annual risk survey of directors and executives to obtain their views on the extent to which a broad collection of risks are likely to affect their organizations over the next year.
“Never let the facts get in the way of a good argument”
Facts, or more precisely, our understanding of facts or the truth have become more transient in the information age or has it? The Internet has radically changed how we access information in ways that few appear to challenge or even understand. Today, anyone can Google a fact or story or news event about any topic imaginable to “learn” about a topic instantly with only a few keystrokes. We are bombarded today with opinion pieces, rumors, false news stories and innuendoes without bothering to check the validity of the stories. In fact, depending on the viewer of said data, the facts are easily dismissed when the “information” disagrees with one’s views or beliefs about the topic. So the question here is “has the information age inhibited critical thinking?” Risk managers are not immune to these same biases and the implications may help explain why risk management is at risk of failing.
It turns out that the definition of the “truth” does not answer the question of what a truth really is. Here are a few examples: Merriam-Webster states that truth is “sincerity in action, character, and utterance”. Or “the state of being the case: a fact. Or “the body of real things, events, and facts”. Or a transcendent fundamental or spiritual reality” Or “a judgment, proposition, or idea that is true or accepted as true. Or my favorite, “the body of true statements and propositions.” Dictionary.com has 10 different definitions each in contrast with Merriam-Webster. In other words, truth is what we believe it is. You know you are in trouble when truth and transcendental or spiritual reality are used in the same definition. Apparently, we have no idea what a truth is or we are simply more confused than ever as we get bombarded with different truths.
But why is this important for risk professionals? If the truth changes based on evolving norms, opinions, perception and biases how does a risk professional manage emerging risks in an environment where a variance from the old truths conflict with new truths? Operating models change as new leadership dictates his or her view on old operating models requiring risk professionals to question how does one assess these new risks? What was once indisputable no longer applies and old assumptions are considered impediments to progress. Or does it?
In the age of Big Data corporations are in search of the truth in customer behavior, buying preferences, and managing the risk of strategic plans. However, even with the assistance of advanced analytics we are more “archaeologists “ than true scientists. Archaeologists apply a body of knowledge and a great deal of conjecture in constructing their view of the past. Each new discovery has the potential to disrupt or partially validate assumptions in our belief about what ancient civilizations or animals were really like. We don’t have enough information to confirm these conjectures but instead believe them in the absence of data that fails to contradict them. This is the crude method in how humans learn — through trial and error. If something is proven to work reasonably well over time it becomes the truth. If it is fails, miserably, it is considered to not be the truth. But we know from scientific experiments that truth can be derived from failures, even massive failures like the space shuttle catastrophe or major battles in war. We “learn” from mistakes and vow to never repeat them again.
The truth is we seldom, if ever, have perfect information. Imperfect information is uncertainty NOT a risk. Risk is a known quantity. It can be measured and we know to avoid it or accept it and that is why we call it a risk. The failure in risk management is not knowing the difference. Fear, confusion, and hope are signs of uncertainty and are emotional signals that we have crossed the Rubicon of not knowing whether the outcomes will result in losses or gains. This is when risk managers become archaeologists. Archaeological risk managers try to develop stories from past experience and imperfect information to describe the new truths using old methods. This happens in every industry from insurance to financial services and beyond and partly explains why we miss really big emerging risks until a “learning” experience teaches us what a risk really looks like.
Fear, confusion and hope are natural responses in our primitive brain of “Fight vs Flight” mechanisms of survival. These emotional responses are also signals that we must tread lightly, gather information gradually and take measured risks without betting the farm on a new shiny thing that may be a train coming through the tunnel of darkness.
How can risk professionals avoid the freight train? Don’t be afraid to say you don’t know. When worry, fear, and confusion permeates communications that is a signal a freight train may be barreling down the tracks. Instead you must use this time to understand what you know and separate what you don’t know. Understanding the difference is critical because it provides risk managers with direction to gather information, perform advanced assessments and provides definable boundaries where risks may be lurking. It is also important to understand that huge potential is the other side of uncertainty. Big rewards can be found when uncertainty is at its highest level however risk professionals must have a measure approach to understanding the upside of uncertainty.
This is not the time to follow the crowd.
The upside of uncertainty requires risk managers to seek opportunity where others are fleeing or cannot see how the change in the new rules may benefit organizations poised to leverage change. What risk professionals must avoid during uncertainty is becoming archaeologists. Old methods may help to tell a compelling story but the real risks and upside to uncertainty will be lost as the new rules obscure what the truth really is.
Christopher P. Skroupa, Contributor to Forbes.com Interviewed James Bone, Executive Director, TheGRCBlueBook on his upcoming book, “Cognitive Hack: The New Battleground in Cybersecurity…the Human Mind”. In the interview Chris explores the thesis of the book and major trends impacting cyber risk professionals, including topics such as the “Internet of Things” or IoT. Lastly, James covers why a Cognitive Risk Framework for Cybersecurity is needed and briefly describes the Five Pillars that stand up the Cognitive Risk Framework. The book is scheduled to be published in the first quarter of 2017
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – —
Chris Skroupa’s bio:
“I focus on the intersection of government, Wall Street & Main Street.”
Opinions expressed by Forbes Contributors are their own.
I work with institutional investors and fund managers in the U.S., Europe and Asia on issues involving asset allocation, risk management, corporate governance, active investing and socially responsible investments. I focus on the intersection of government, Wall Street and Main Street. It’s an active crossroad these days as companies and investors address how to bring stakeholders into the discussion of value creation, beyond share price, and through sustainability. I encourage a constructive, solutions-based approach to many hot buttons on the current market agenda.
The author is a Forbes contributor. The opinions expressed are those of the writer.
You must be logged in to view this document. Click here to login
Our [KPMG] work as audit professionals is fundamentally about “trust.” For the capital markets to operate effectively and to the benefit of investors and society more broadly, there must be integrity and confidence in the system. In serving the capital markets and the public interest, we work to help instill trust and confidence in the information used to make important decisions.
In the following pages, we begin to explore how we can continue to promote trust during a time of profound change across the business landscape. Given the explosion of data and the digitization of our lives, we want to promote a discussion about how the audit profession must evolve its tools and approach to keep up with the pace of change and remain relevant in a dynamic marketplace. Specifically, our profession must embrace the use of advanced technologies, including data and analytics (D&A), robotics, automation and cognitive intelligence, to manage processes, support planning and inform decision making. At KPMG we are constantly thinking about the development of innovative capabilities and technologies that will enhance quality and strengthen the relevance of our audit into the future.