
Internet of Things’ role in internal audit & compliance

Jose Tabuena | September 27, 2016

A few years ago I briefly mentioned the Internet of Things in questioning whether internal audit and compliance can ever tame increasingly emerging and complex technology. Not surprisingly, the IoT has since become even more positioned to become an integral part of everyone’s lives.

Where disruptive innovations may once have taken a decade or more to transform an industry, research shows that the elapsed time to disruption has compressed considerably. The rise of Internet-connected devices and systems brings both new opportunities and risks for modern organizations. Internal audit, as the third (and last) line of defense, can play a role in identifying and defending against the risks that emerge. And because compliance is part of an enterprise-wide risk assessment, both functions also have a role in advising on the importance, benefits, and competitive edge that the IoT can bring.

Defining the Internet of Things. The definition of the IoT has evolved over time. TechTarget describes IoT as “a scenario in which objects, animals, or people are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.” Forbes provides a nice simple description of the concept as one of “connecting any device with an on and off switch to the Internet (and/or to each other).”

Several factors have combined to create this “perfect storm” for the IoT. Internet Protocol version 6 enables a seemingly infinite number of Internet connections. Broadband Internet is more widely available, the cost of connecting is decreasing, more devices are being built with Wi-Fi capabilities and sensors, and technology costs are going down. We have evolved from the Internet to smart phones to wireless sensors.

What is the significance of this interconnectivity? There are many recent examples of the potential value of the IoT. Common ones include a car that has access to your calendar and knows the best route to take as you rush to a meeting; if traffic is heavy, the car might send a text to the other party notifying them that you will be late. Your office equipment can immediately know when it is running low on supplies and automatically re-order more. Your wearable device could tell you when and where you were most active and productive, and share that information with other devices.

More exotic examples include Microsoft, in partnership with Fujitsu, deploying a system to monitor cattle herds for health issues and prime breeding times to enhance conception rates. On a broader scale, the IoT is being applied to projects such as transportation networks, and so-called “smart cities” that can help reduce waste and improve the efficiency of energy use are being actively explored.

The reality has become clear—to stay ahead of the disruption curve, internal audit and compliance must quickly discern the vital signs of change and the related implications to the business model of their organization.

Strategic risk. McKinsey & Co. analyzed more than 150 use cases, ranging from people whose devices monitor health and wellness to manufacturers that utilize sensors to optimize the maintenance of equipment and protect the safety of workers. Their analysis for the applications estimates that the IoT has a total potential economic impact of $3.9 trillion to $11.1 trillion a year by 2025.

But as with any major technological shift, realizing the IoT’s potential will require significant management attention, not just to new technical imperatives but also to organizational issues. The strategic risk confronting organizations can be as significant as missing the boat and falling behind competitors. Corporate board members rank reputational risk an even bigger overall concern than they have in the past, according to the sixth annual Concerns About Risks Confronting Boards survey from CPA firm EisnerAmper. Moreover, 71 percent of public company directors say they rely on internal audit to identify these risks.

An internal audit function can advise management on the importance, benefits, and competitive edge that the IoT can bring to the enterprise. Auditors can demonstrate to management how the IoT can be implemented in processes such as sales distribution and inventory control. In addition, with the risk management function they can assist in facilitating risk assessment sessions with management and perform research to understand how the IoT can be used within the organization’s specific operating environment. Of course, while performing such advisory services, internal auditors are to maintain their objectivity and not assume management responsibility.

Compliance risk. With the potential for reward comes the prospect of risks to be anticipated. Already recognized are the data security implications of implementing the IoT: it poses not only the normal risks associated with the increased use of data, but also the vastly greater risk of systemic breaches as organizations connect to millions of embedded sensors and communications devices. Each is a potential entry point for malicious hackers, and the damage from a break-in can be literally life threatening—disrupting machine-control systems on an oil rig or in a hospital, for example. The same interoperability that creates operational efficiency and effectiveness also exposes more of a company’s units to cyber-attacks. The Open Web Application Security Project, an open software security community, publishes a list of what it considers the top IoT security vulnerabilities.

Related to data security are privacy risks to be monitored and managed. When you as a consumer use services on the Internet, you are entering into a legal agreement and accepting all of its terms. This includes the privacy policy, which covers how the company collects, uses, shares, and stores your personal information. Organizations utilizing the IoT will need to monitor the use of such data and audit for compliance with their privacy policies to ensure that consumer rights are protected. Privacy will likely continue to be a major concern, with horror stories about hacked baby monitors, companies violating children’s online privacy, and even a smart vibrator in the news as the subject of privacy class action litigation. In addition to privacy, data used for health and wellness purposes can result in negligence and malpractice cases over mishaps and in questions regarding the accuracy and integrity of the data.

Support from internal audit and compliance on IoT. Notably, in professional firm surveys such as Protiviti’s 2016 Internal Audit Capabilities and Needs Survey, the Internet of Things ranked among this year’s top internal audit priorities. Several surveys on expectations and the future of internal audit indicate that stakeholders expect more forward-looking reports as well as insights regarding risks, strategic planning, IT, and business performance. Key gaps in certain skills, including analytics, IT, and communications, must be addressed in order to increase impact and influence.

The challenge for audit and compliance professionals is the rapid development and advancement of the IoT. The associated risks and controls are changing and evolving rapidly, and internal auditors need to stay abreast of IoT developments to be able to assess the risks and controls in their organization.

The following are key questions to consider when developing audit plans and defining the function’s role for the IoT:

  • How is the IoT deployed in our organization today? Who owns the IoT or the respective components of it?
  • Have we considered the risks associated with the IoT presence? How have those risks been quantified and controlled?
  • Do we know what data is collected, stored, and analyzed? Have we assessed potential legal, privacy, and security implications?
  • Do we have contingency plans for Internet connected “things” that are hijacked or modified for unintended purposes?
  • To what extent are third parties utilizing the IoT while acting on our behalf? Do we have appropriate processes and agreements in place to monitor those third parties?
  • What role does the IoT play in our current strategy as an organization? How are we measuring achievement of any goals associated with strategic objectives?
  • What is the risk of not considering or further leveraging IoT possibilities? Are we using data analytics to full potential?

Internal audit and compliance units will need to ramp up for the challenge of ensuring that controls related to risks of the IoT systems are operating effectively, and that opportunities are not lost. The reality has become clear—to stay ahead of the disruption curve, internal audit and compliance must quickly discern the vital signs of change and the related implications to the business model of their organization.