‘Auditing and compliance must be part of AMdEX protocols’

KPMG is an audit and advisory firm that employs about 250,000 people worldwide. It is one of the Big Four in its field and provides services for large national and international organisations and government agencies.

What solution(s) can the smart use of data offer in your line of work?

Sander Klous (KPMG)
Photo: Don Wijns

“Currently, there are no proper mechanisms in place to enforce or even monitor compliance with the many rules and regulations around data and AI”, says Sander Klous. “In other regulatory domains, organisations like KPMG, as an independent third party, enable organisations to demonstrate their compliance through an auditing process. Unfortunately, this process is complicated in the domain of data and AI. Firstly, because it is hard to reach the necessary scale to audit all relevant applications. This could be addressed by automating large parts of the process, leading us to the second challenge: rules and regulations are extensive and complex. Take for example the General Data Protection Regulation (GDPR). It is rather voluminous with many grey areas that contain a wealth of issues for potential disagreement. At present, it is too complicated to translate into computer-interpretable policies. Verification of compliance needs to be done by human beings, prohibiting the required automation.”

Wherein lies the challenge?

“Auditors need to know what is allowed and what is not, what agreements are in place, what the rules are. You cannot check something if you do not know what to check against. The same holds for the organisations being audited. It is difficult to comply with the rules if you do not know what they are. In short: We need to know what good looks like. Then, if we all carry out our work according to the same specifications, statements can be made on compliance. The outcome of the work should become largely independent from the party that performs the verification. In the audit business this is a crucial step.

Automation of compliance to specifications is done through protocols. A good example is internet connectivity. The specifications on how to connect to the Internet are automated through the TCP/IP protocol. The semantics of policies that can be interpreted by computers, are reaching levels of richness and sophistication that allow for translation of most rules and regulations into computer-interpretable policies. Research by the University of Amsterdam and research institute TNO has demonstrated this. Once policy specification, monitoring and enforcement are embedded in protocols on the data analysis layer, the automated audit of compliance is within reach.”

Why did KPMG become an endorsing partner for AMdEX?

“AMdEX aims to become a national coordination point, stimulating initiatives to share data in a responsible way. Similar to what AMS-IX has done for connectivity. One of the crucial elements to make that effort a success are the independent verification mechanisms, as described above. Usually, audit and assurance parties are invited at a very late stage in the development process of such initiatives. Parties get together to create something. Once it is close to deployment in a production setting, they realise: ‘Oh hey, this thing needs to be audited’. By the time we do get invited, the product has been built and no thought has been given to audit and compliance. Because it is not the expertise of the parties that developed the solution. Trying to fix it as an afterthought is expensive, causes delays and leads to suboptimal results. We hope, as an endorsing partner of AMdEX, to avoid these situations by making sure features for audit and compliance are built into the protocols by design in a way auditors would like to see them.”

What is your data dream?

“I have many, but this is one. In one of my research projects, I teamed up with the Prinses Máxima Centrum, a hospital specialised in child oncology. We are working on DIPG (Diffuse Intrinsic Pontine Glioma), a rare type of brain cancer that occurs in very young children. Because it is so rare, it is hard to do any statistical analysis on the related data. Hundreds of hospitals worldwide started collaborating in the so-called DIPG registry, making their data available with unified definitions in a large globally federated database. Unfortunately, each hospital has its own rules on how and when this data can be accessed, making it hard for a researcher to analyse all that data. We are the prisoners of our own rules and regulations. With the mechanisms described here, we could facilitate this research by providing easy access to the data whilst being compliant with rules and regulations. I hope this will enable the necessary breakthroughs to treat this horrible disease.”

Text: Karina Meerman
Portrait: Don Wijns

Get in touch

You may also like