IT Audit in Practice: Algorithms and Audit Basics

Author: Cindy Baxter, CISA, ITIL Foundation
Date Published: 30 June 2021

I must admit, when I saw the theme of this volume of the ISACA® Journal, algorithms, or as we call them at work “algos,” I thought, “There’s a topic I don’t understand.” Of course, that is not really the case because every industry I have worked in uses algorithms although the definition or perception of how they work has changed over the course of my career. My more recent encounter was an integrated audit regarding insider trading. As I interviewed the business team to confirm the details of my scope of work, the team raised legitimate concerns that no one conducting previous audits of their operational environment really understood what was going on. I was intent on getting it right by following good audit practices with a thorough walkthrough, even using test of one1 examples to confirm my scope of work at some of the more complex process stages. At the time, the word “algorithm” was not actually thrown around, but instead the conversation was about the code used in the various systems and applications that interfaced to track risky and potentially noncompliant behavior. The insider trading work I did and the processes and systems I tested had several algorithms in play, but a number of manual processes as well. I closed my review three times before I finished the full scope of work, a valuable lesson for me about asking and re-asking questions to uncover details and making sure all the key process owners are involved. I also learned to keep the importance of the intent, or algorithmic methodology, in mind—a critical examination that goes beyond the coding itself.

It is useful to look at the history of algorithms, review the evolution they have gone through and demystify what they are. My objective here is to bring confidence to auditors who face the challenge of algorithms and the code that enables algorithmic methodologies.

The best place to start is to define “algorithm.” Instead of heading to the dictionary, I dipped into my geekier online resources. One definition notes that algorithms are specific step-by-step directions used to solve a specific problem with a specific intended outcome.2 The definition I like best explains that algorithms are no more than a series of steps for solving a problem, completing a task or performing an operation.3

The History of Algorithms

If that is all an algorithm is, how did things get so mysterious? Is it that we are just more focused on the inputs (good data to avoid the “garbage in, garbage out” syndrome) and we do not need to worry about the “magic” in the algorithmic black box? As is often the case, things evolve over time. Something works well, becomes popular and multiple people make adaptations to it and, suddenly, what started as a simple concept takes on a life of its own. I thought the history of algorithms would be dry and boring, but not at all. The term “algorithm” is attributed to ninth century mathematician Abu Abdullah Muhammad ibn Musa-Al-Khwarizmi, often considered the father of algebra. Al-Khwarizmi may not sound like “algorithm,” but that is exactly how his name was translated from Arabic to Latin, where Al-Khwarizmi morphed into algoritmi, referring to the decimal system.4 The original intent was purely mathematical and, true to definition, involved laying out a step-by-step methodology to solve a numeric problem.

The more familiar concept associated with algorithms has also been around a while, with the “modern” view of specific steps to solve a problem going back to the early 1800s. Even more interesting, the person attributed with being the visionary for the computational methodology that algorithms represent was Ada Byron Lovelace, daughter of famous English poet, Lord Byron. Ada Byron Lovelace dabbled in both sides of creativity, writing poetry, but was renowned for her documented algorithm for solving complex sequences of numbers called Bernoulli numbers.5 The algorithm she developed was widely recognized, but the machine for which she had developed the methodology, the Analytical Engine created by colleague Charles Babbage, was never finished.6


Algorithms Today

Things have changed in the 21st century. The concern about data inputs, although important, does not mitigate the responsibility of understanding the “black box,” that is, the algorithms that lead to the coding that produces the expected solution. The evolution of algorithms, however, has grown in complexity by the pure ubiquity of general problem-solving steps. Individual interpretation of the intent of a problem-solving model adds complexity because people look for different outcomes. Algorithms that facilitate scientific research on genetics can lead to groundbreaking improvements in medical care or can be used to engineer the perfect human. The intentions are endless and, therefore, the outcomes can be multiple. In fact, it is well worth rewatching The Matrix.7 The movie, which predicted the early 21st century to be where, in many ways, we find ourselves today regarding an algorithmic revolution, focuses its plot on artificial intelligence (AI) gone awry. In the never-ending battle for power, machines/computers have taken over by creating a world that is not reality, and humans are struggling to overcome misinformation and inaccurate perceptions to regain power and restore the world as it used to be. Are we there today? Social media, with code generated by algorithms, has created a world we think is real, but is that really the case? We are constantly reminded that what we read and how we view the world are modified by business interests, political interests and marketing interests outside our control. Code and AI-enabled programs look for our behavior patterns based on our viewing, buying and listening behaviors to engage us and encourage us to act in certain ways. We are all familiar with some of the more famous, or perhaps infamous, algorithms that foster discussion and emotion today:

  • Amazon’s recommended purchases, with ads tailored for your viewing pleasure
  • Google marketing algorithms, which, with the small note of “ad,” show how often the marketers’ aspirations of selling their thoughts or products permeate our search requests
  • Facebook, which fostered terminology such as “misinformation” that led to the term “disinformation,” impacting opinions, economies and politics
  • Twitter, the soundbite selection that algorithmic philosophy has constructed, providing instant but perhaps slanted knowledge

Algorithms are certainly not all bad or even questionable. Instead, it is a matter of how the steps that enable a program to reach a conclusion are constructed. We all know coding, the computational result of algorithmic thought, can be tough to develop exactly as expected by the business or institution using the application. The importance of thorough user acceptance testing (UAT) underscores how intention can get lost in translation when what developers create is not carefully checked by those who will use the final product. There are myriad benefits that algorithms provide, not the least of which is the accelerated pace of clinical research that is helping fight the COVID-19 pandemic. And there are algorithms that can check continuing efficacy of vaccines as a watchdog to the drugs that were finalized through algorithmic methodologies. Healthcare alone expects to benefit from algorithms in numerous ways, including:

  • Medical diagnostics
  • Pharmaceutical discovery
  • Clinical trial acceleration
  • Pain management with virtual reality
  • Clinical brainstorming
  • Virtual nursing and personalized medicine8

Use of algorithms today has lived up to the visions prognosticators had, but complexity and even the enticing nature of algorithms in our daily lives creates the risk that errors with grave consequences can go unnoticed. Algorithmic influence appeals to our desires while creating revenue for organizations that leverage their efficiency and pervasiveness. Nation-states and political thought can be influenced too often without scrutiny or rules. It is not unusual that technology has moved faster than policy, governance and controls. The problem is the rules have yet to be written and the IS auditor call to action has only begun.


For a topic that I originally felt was a “check the thought process, then check the code” assignment, behavior around the development of algorithms is as highly controversial as it has been benevolent. Digging deeper into the often unregulated or underregulated uses of algorithms is most concerning because the efforts to govern use are often grassroots and not widespread. The Matrix is here, and too many of us do not recognize the urgency around risk analysis and controls. Or, worse, we know the importance, but do not always find a thorough review within our scope of work.

A compelling screenplay is the recently released Coded Bias.9 For someone like me who too often forgets that math can tell lies, it is a powerful reminder that intervention is necessary, both to avoid algorithm misuse and to ensure equitable use of the algorithms that benefit society.

IS Auditing and Algorithms Today

Here we are, as auditors and risk professionals, standing at the cusp of this revolution. These are exciting and, yes, scary times. But someone needs to worry about this stuff beyond philosophical thought, so it might as well be us. Now, before I put on my Super Auditor shirt and fasten my cape, remember that I started this article by admitting that I had to look up the definition of “algorithm.” When considering the plethora of uses for algorithms and the pervasiveness of algorithmic interpretation by zillions of coders, how can this risk possibly be evaluated, controlled and examined for effectiveness? I am convinced that the investigative culture that is the hallmark of audit success is the underpinning of dealing with and conducting productive, informative audit and assurance engagements on a variety of processes that are driven by algorithmic thought. Algorithms, like other critical areas for auditing, need to be dealt with by using the basics. Here are some key points auditors must consider:

  • Keep the definition of algorithm in mind. It is not magic. It is a series of steps based on someone’s logic.
  • Recognize that the logic often comes from the developer assigned to understand steps that will solve a complex problem. The developer is not necessarily the person or group interested in solving the problem, but instead is enabling the solution by interpreting the need and basic algorithmic thought into code that will, hopefully, arrive at the outcome intended by the requester.
  • When possible, talk to the business users who have asked for the code or program. Auditors must understand what they have asked for, why they use it and what the process flow/sequence of events is in the operational environment.
  • Get a clear understanding of inputs. It is important to understand what is the big (or little) data that are being used as source information.
  • Ask what the algorithm does with the data and ask what it does not do. Are there data pieces that are excluded or ignored? If so, why?
  • Ask how the data set is used. Does it look to match with something? And if so, what “match” is it looking to find? If it is asked to associate different pieces of data, ask how the association is derived and carefully examine the outputs.
  • Think out loud with those you are auditing about the manipulation that could occur with the data—some intentional, and perhaps others unintentional.

With knowledge in hand regarding the problem the algorithm solves, how the data are and are not used, and confirmation regarding expected outcomes with users, it is time to start investigating.

Risk and Controls

The IS auditor needs to walk into this investigative step with a solid process flow and a draft scope of work for the audit at hand. There needs to be an understanding of what the process outcome should be and the potential risk of influencing an inaccurate outcome because of an inaccurately interpreted or administered algorithm. Does the documentation held by the enterprise include all the potential risk scenarios envisioned from the audit perspective? If there is a gap in risk assessment, what is the basis for that gap or interpretation of how the gap is covered from a compensating control perspective? Is reasoning sound for the execution of the algorithm or are there potential missing steps that will impact the outcome accuracy?


With the risk areas identified and gaps uncovered or appropriately rationalized, it is time to make sure the control coverage is in line with the risk criticality. Risk impact needs to be carefully defined and accepted by the auditor in relation to the scope. Risk management in a scope of work focused on accelerated drug clinical trials will be vastly different from a scope of work focused on capture of consumer marketing preferences. Based on risk criticality, are controls documented objectively and clearly? Is the control specific enough for development of test steps that examine all key attributes of the process? If not, documentation must be delineated and details agreed upon between the business owners and the audit team before proceeding with test steps. Further, since the audit is evaluating algorithms and the enabling code that delivers the intended outcome, examination of the audit methodologies to be used is important. Is a test of one possible and appropriate to derive a conclusion, or is more detailed sampling required, as was the case with my insider trading work, where a combination of the test of one methodology and standard statistical sampling was the best way to accomplish an accurate assessment?

As auditors, we have taken the time to understand the intent of the algorithm and thoroughly reviewed the business processes, both automated and manual. We have reviewed risk factors and controls to make sure they are clear and the documentation is in place. Our call to action is clear: Leave no black box unopened. Ask why and how the algorithm is enabled and make sure the tests conducted examine all aspects of an algorithm and the code itself.

Endnotes

1 “Test of one” refers to the audit methodology that concurs that a single test of an automated process is an acceptable means of reaching an audit conclusion. The test of one concept is appropriate when the nature of the automation will produce a consistent and repeatable result because of the automation. A test of one must be redone on an automated process whenever a significant change, often considered a change to code, is made. The methodology of change management addresses the need to retest an automated process based on the nature of the change.
2 Kowalkiewicz, M.; “How Did We Get Here? The Story of Algorithms,” Towards Data Science, 10 October 2019, https://towardsdatascience.com/how-did-we-get-here-the-story-of-algorithms-9ee186ba2a07
3 Spacey, J.; “Algorithms vs. Code,” Simplicable, 6 August 2016, https://simplicable.com/new/algorithm-vs-code
4 Op cit Kowalkiewicz
5 Ibid.
6 Ibid.
7 Wachowski, L.; Wachowski, L.; directors, The Matrix, Warner Bros. Pictures, Burbank, California, USA, 1999
8 Arsene, C.; “Artificial Intelligence in Healthcare: The Future Is Amazing,” Healthcare Weekly, 8 April 2021, https://healthcareweekly.com/artificial-intelligence-in-healthcare/
9 Kantayya, S.; director, Coded Bias, 7th Empire Media, Brooklyn, New York, USA, 2020

Cindy Baxter, CISA, ITIL Foundation

Is director at What’s the Risk, LLC. Her practice focuses on integrated risk, control and process assessments for cybersecurity and business continuity/recovery. She enjoys the opportunity to learn the nuts and bolts of a client’s business and uses her risk assessment and applications/network background to build a more secure operating model for her clients. Baxter draws upon her experience in banking, insurance, healthcare and technology after holding compliance and management roles in State Street Corporation, American International Group (AIG), Johnson & Johnson and AT&T. When she is not conducting risk and audit work, she enjoys volunteering on climate and environmental issues that impact her community.