Digital IDentity: For People … and For Devices?
Decentralized ID and Decentralized Identifier Methods
A U.S.-based CPA Firm started late last year to provide signed, on-demand, real-time independent accountant’s reports for examination-level (reasonable assurance) attestation of the conformance of certain of its clients’ reports in accordance with specific measurement and disclosure criteria. From a specialized website, anyone can click to download the related PDF report incorporating both the client’s report and the auditor’s report, both automatically generated on-the-spot.
That was a mouthful; one thing to pull out of this is that this CPA Firm is having its technology, not a person, sign an auditor’s report. No partner is sitting there to authorize the reports that are customized for the moment the requestor clicks for a report.
Broadly, this raises a litany of issues:
- In Canada and the US, partners sign on behalf of the Firm on the report proper. If this were a PCAOB engagement, a partner would have to be identified for the Form AP. In other regions, the signing partners may be required to sign in their own name. Does that limit the approach taken?
- Do US or international audit, audit ethics or audit practice standards permit machines to sign such reports in the first place?
- Do the standards require complete sets of audit documentation to support each and any such report?
- Are the Criteria “suitable”?
And so on. But I want to focus here not on the “should they” but on the nature of the signature itself.
The report bundle is available as a PDF (not XML or any structured format beyond text) from a specific web site. The audit firm’s name is a graphic image in the letterhead, and the signature is a graphic as well. It is not automatically consumable without using optical character recognition (OCR). Therefore, this real-time report can only be manually requested (a CAPTCHA is required) and manually interpreted. Any trust comes from someone downloading it manually from the “official” website through which the assurance is delivered.
As we consider our path forward in the COVID era, technology, including artificial intelligence (AI) and the Internet of Things (IoT), will likely take on more of the roles that people previously filled. For this to work, AI and “locked down” systems, including IoT devices, will need to be easily identified, their roles and authorizations controlled, and their contributions unambiguously traced back to them.
As part of the XBRL era, I was tasked to bring the human auditor’s signature and related issues from the paper-paradigm to the electronic age. Now twenty years later, it is clear that people do not understand the difference between an electronic signature (such as that graphic display on the real-time report discussed above) and a digital signature – one that can be checked electronically and used for issues related to authentication and/or authorization (as orthogonal as those may be).
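To make the distinction concrete, here is an added example (my own illustration, not code from the CPA firm or from any product mentioned here) that models the two kinds of “signature” on a report. The graphic signature is just a block of image bytes, so checking it tells you nothing about whether the text around it was altered; the digital signature, here an Ed25519 signature from Go’s standard library, is computed over the report body itself and fails to verify the moment the body changes. The report bytes, the key pair and the bitmap are all constructed for the example; a real firm would keep its signing key in a hardware security module or key vault and would sign the PDF through a PDF signature scheme, neither of which is modelled here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedReport bundles a report body with the public key the signer claims
// to hold and an Ed25519 signature over the body. Constructed for this
// example; it is not the firm's PDF bundle format.
type SignedReport struct {
	Body      []byte
	PublicKey ed25519.PublicKey
	Signature []byte
}

// NewSigner generates a fresh Ed25519 key pair standing in for the firm's
// signing key. In production the private key never leaves an HSM or vault.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignReport produces a digital signature over the exact report bytes.
func SignReport(priv ed25519.PrivateKey, body []byte) SignedReport {
	return SignedReport{
		Body:      body,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, body),
	}
}

// VerifyReport checks the signature against a public key the verifier
// already trusts (obtained out of band), never the key carried inside the
// bundle: whoever can replace the body can replace that key too.
func VerifyReport(trusted ed25519.PublicKey, r SignedReport) bool {
	return ed25519.Verify(trusted, r.Body, r.Signature)
}

// GraphicSignatureMatches models the "electronic signature" on the PDF: a
// bitmap of a handwritten signature. All a checker can do is compare image
// bytes, which says nothing about the report the image was pasted onto.
func GraphicSignatureMatches(knownImage, pastedImage []byte) bool {
	return bytes.Equal(knownImage, pastedImage)
}

func main() {
	pub, priv, err := NewSigner()
	if err != nil {
		panic(err)
	}
	// Constructed sample report and a tampered copy with one figure changed.
	original := []byte("Examination report: inventory count 1,000 units; unqualified opinion.")
	tampered := []byte("Examination report: inventory count 10,000 units; unqualified opinion.")
	signatureImage := []byte{0x89, 'P', 'N', 'G', 0x01, 0x02} // stand-in bitmap bytes

	// The bitmap "verifies" equally well on both reports.
	fmt.Println("graphic on original:", GraphicSignatureMatches(signatureImage, signatureImage))
	fmt.Println("graphic on tampered:", GraphicSignatureMatches(signatureImage, signatureImage))

	// The digital signature binds the bytes that were actually signed.
	signed := SignReport(priv, original)
	fmt.Printf("signature (%d bytes): %x...\n", len(signed.Signature), signed.Signature[:8])
	fmt.Println("digital on original:", VerifyReport(pub, signed))
	forged := signed
	forged.Body = tampered
	fmt.Println("digital on tampered:", VerifyReport(pub, forged))
}
```

The point of `VerifyReport` taking a separately trusted key is the part practitioners most often get wrong: a bundle that carries its own public key is self-certifying only in the sense that it proves someone held some key, so the verifier still needs a trust anchor (a certificate chain, a published key, or, as discussed below, a decentralized identifier that resolves to the firm’s keys) to know that the key belongs to the firm.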
As Internet of Things devices supplement the manager or auditor in the field, observing inventories with drones or performing reconciliations and reperformances; as they come and go and act in different ways – do we need trustworthy digital IDs for IoT devices? Will they need to be able to sign in to systems using “Single sign-on/in” (SSO/SSI)? Will such devices be shared devices rather than individually owned? Will they be discoverable using blockchain technologies?
A new world of decentralized identifiers and decentralized identifier methods is emerging. The World Wide Web Consortium provided a draft community group report in May with a registry of such methods (https://w3c-ccg.github.io/did-method-registry/) as part of its effort to “reboot” the “Web of Trust,” and delivered a working draft of Decentralized Identifiers 1.0 in late April (https://www.w3.org/TR/did-core/). That specification says this about DIDs: “Decentralized identifiers (DIDs) are a new type of identifier that enables verifiable, decentralized digital identity. A DID identifies any subject (e.g., a person, organization, thing, data model, abstract entity, etc.) that the controller of the DID decides that it identifies.”
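The spec’s definition is about what a DID is for; its syntax is what a system has to check before it even tries to resolve one. As an added example (not code from the W3C or from any DID implementation), here is a parser in Go for the DID grammar as I know it from the DID Core specification: `did:` followed by a method name of lowercase letters and digits, a colon, and a method-specific identifier made of colon-separated segments of letters, digits, `.`, `-`, `_` and percent-encoded bytes, ending in a non-empty segment. The April 2020 working draft may differ in detail from this grammar, and the parser deliberately stops at syntax: it handles bare DIDs only (no DID URL path, query or fragment), and it resolves nothing, so a string being well-formed says nothing about whether its method is registered or its subject is who they claim to be.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// DID holds the two syntactic parts of a decentralized identifier.
type DID struct {
	Method           string
	MethodSpecificID string
}

// ParseDID validates s against the DID grammar (assumed here to be
//   did = "did:" method-name ":" method-specific-id
//   method-name = 1*method-char ; method-char = %x61-7A / DIGIT
// ) and returns its parts. No method is resolved and nothing is fetched.
func ParseDID(s string) (DID, error) {
	const prefix = "did:"
	if !strings.HasPrefix(s, prefix) {
		return DID{}, errors.New(`missing "did:" scheme prefix`)
	}
	rest := s[len(prefix):]
	sep := strings.IndexByte(rest, ':')
	if sep <= 0 {
		return DID{}, errors.New("missing method name or method-specific id")
	}
	method, id := rest[:sep], rest[sep+1:]
	for i := 0; i < len(method); i++ {
		c := method[i]
		if !(c >= 'a' && c <= 'z') && !(c >= '0' && c <= '9') {
			return DID{}, fmt.Errorf("method name contains invalid byte %q", c)
		}
	}
	if err := checkMethodSpecificID(id); err != nil {
		return DID{}, err
	}
	return DID{Method: method, MethodSpecificID: id}, nil
}

// checkMethodSpecificID enforces (again, the grammar as assumed above)
//   method-specific-id = *( *idchar ":" ) 1*idchar
//   idchar = ALPHA / DIGIT / "." / "-" / "_" / pct-encoded
//   pct-encoded = "%" HEXDIG HEXDIG
// Empty interior segments are legal under this grammar; a trailing colon
// or an empty id is not, because the final segment must be non-empty.
func checkMethodSpecificID(id string) error {
	if id == "" || strings.HasSuffix(id, ":") {
		return errors.New("method-specific id must end with at least one idchar")
	}
	for i := 0; i < len(id); i++ {
		c := id[i]
		switch {
		case isAlnum(c), c == '.', c == '-', c == '_', c == ':':
		case c == '%':
			if i+2 >= len(id) || !isHex(id[i+1]) || !isHex(id[i+2]) {
				return fmt.Errorf("bad percent-encoding at offset %d", i)
			}
			i += 2 // skip the two hex digits just validated
		default:
			return fmt.Errorf("invalid byte %q at offset %d", c, i)
		}
	}
	return nil
}

func isAlnum(c byte) bool {
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
}

func isHex(c byte) bool {
	return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F')
}

func main() {
	// Constructed sample inputs: the spec's illustrative example, a web
	// method identifier with path-like segments, and three malformed strings.
	for _, s := range []string{
		"did:example:123456789abcdefghi",
		"did:web:example.com:user:alice",
		"did:Example:abc",   // uppercase in method name
		"did:example:abc:",  // trailing colon
		"did:example:a%ZZb", // bad percent-encoding
	} {
		d, err := ParseDID(s)
		if err != nil {
			fmt.Printf("%-32s rejected: %v\n", s, err)
			continue
		}
		fmt.Printf("%-32s method=%s id=%s\n", s, d.Method, d.MethodSpecificID)
	}
}
```

Splitting parsing from resolution matters for the IoT question raised above: a device can present a well-formed DID offline, but the step that actually establishes trust is resolving it through the method’s registry to a DID document and checking that the key the device uses is one listed there.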
This is fascinating stuff, and I hope to provide more information soon.