Auditing the Internet of Things

The rise of Internet-connected devices and systems brings both new opportunities and risks for modern organizations.


The Internet of Things (IoT) is poised to become an integral part of everyone's lives in the not-too-distant future. From coffee machines churning out the kind of coffee people want depending on their mood, to their automobile switching on by itself and adjusting the climate control as they approach it on a weekday morning, the IoT potentially could make people's lives easier as their devices generate data and communicate with each other over the Internet (see "A World of Smart Things," below).

The definition of the IoT has evolved over time. TechTarget describes the IoT as "a scenario in which objects, animals, or people are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction."

The big question is, does the IoT have a similar outlook for organizations? The answer is the possibilities are limitless, which is why many organizations already have started to adopt the IoT. Internal auditors should evaluate the operational and financial risks that IoT can expose their organizations to and provide assurance that those risks are controlled appropriately.

Auditors as IoT Advisers

For organizations that are not yet fully awake to the IoT, an internal audit function can advise management on the importance, benefits, and competitive edge that the IoT can bring to the enterprise. Auditors can demonstrate to management how the IoT can be implemented in processes such as sales distribution and inventory control. Moreover, they can facilitate brainstorming sessions with management and perform research to understand how the IoT can be used within the organization's specific operating environment. That said, while performing such advisory services, internal auditors should maintain their objectivity and not assume management responsibility.

Assurance on New Risks

Management and internal auditors need to fully acknowledge that although the IoT can bring many rewards, it also gives birth to numerous risks. Inadequate understanding of the risk environment or applicable controls can lead to disaster for the organization. Furthermore, given the rapid development and advancement of the IoT, the associated risks and controls also are changing and evolving rapidly. Internal auditors need to stay abreast of IoT developments and advancements to be able to assess the risks and controls in their organization.

The first step for auditors is conducting a risk assessment of the IoT in use in their organization. Specific risks will depend on the nature of the IoT systems the organization has deployed and the overall business process they support.

A World of Smart Things

According to the Deloitte publication TMT Predictions 2015 — The Internet of Things Really Is Things, not People, 60 percent of all IoT devices will be paid for and used by enterprises and industries in 2015. Furthermore, enterprises and industries will generate 90 percent of IoT services revenue this year.

"The development of the Internet of Things is expected to surge in the coming years," says Stéphane Richard, CEO of Paris-based telecommunications company Orange S.A., in a September 2015 M2M Magazine article. "By 2020, we believe that there will be more than 25 billion objects connected in the world."

The two studies listed below illustrate the depth and breadth of possible gains from adopting the IoT:

Internal auditors can start by looking at these areas:

  • Security. IoT systems are connected to the Internet, so they are prone to attacks from cyber criminals and hacktivists. Seventy-two percent of global IT and cybersecurity professionals surveyed by ISACA say there is a medium or high likelihood that an organization will be hacked through an IoT device. Among other information security audit procedures, IT auditors should perform a vulnerability assessment of such devices and consider conducting penetration tests on those systems periodically. Results of these procedures should be used to strengthen the security of IoT systems, where necessary. Auditors should carefully consider where third parties are involved to support IoT systems and assess whether third parties have adequate security controls in place to protect data residing in IoT systems. Furthermore, they should assess the adequacy of the encryption IoT systems use for communication.
  • Resilience. IoT systems may support a business process that is critical or time-bound, such as the delivery of perishable goods. IT auditors should assess whether controls are in place to recover IoT systems in the event of a failure. Auditors should determine whether management understands the potential business impact of an IoT system outage and whether appropriate and adequate policies, procedures, and processes are in place to recover affected business processes timely in the event of an outage or disaster.
     
  • Health and Safety. Many of today's IoT systems can pose a serious threat to human life and safety. Examples include implantable biomedical devices, such as pacemakers and defibrillators, and assembly line robots at a manufacturing facility. An important area internal auditors should assess is whether such IoT systems have undergone sufficient testing using appropriate test cases before being deployed into production. Furthermore, controls should be in place to ensure adequate testing is performed before upgrades, patches, and changes are made to IoT systems where health and safety is a significant risk.
     
  • Monitoring. Like any other system, controls should be in place to monitor whether IoT systems are functioning as intended. Internal auditors should assess whether adequate monitoring controls are in place and whether all such controls have been operating effectively over time. Furthermore, auditors should assess whether exceptions and failures that occur are logged appropriately and resolutions to incidents are recorded timely. Auditors also should assess whether management has a process that takes recurring incidents into account and analyzes their root causes.
     
  • Scoping of IoT systems. Because many vendor-provided IoT systems can be simple to implement, some systems may be deployed by business units without the IT department's involvement. For example, fire detection systems in enterprise facilities may have IoT capability that the IT department does not know about and risk management professionals and internal auditors may not notice. Auditors should be vigilant to see where and when IoT systems are deployed by different departments at the organization and prioritize IoT systems audits according to their criticality and sensitivity.

Realizing the Benefits

It's likely that the need to perform sound audits of IoT systems will grow at organizations in all industries worldwide. Internal audit departments should gear up for the challenge of ensuring that controls related to risks of IoT systems are operating effectively. Although there is a diverse range of IoT systems in service today, auditors can use the five areas above as a guide to planning and executing an IoT systems audit. However, they should keep an open mind to understand the overall context in which a particular IoT system operates and develop creative ways to perform their audits depending on that system's specific functionality. Such internal audits can help position organizations to realize the full benefits of the IoT.
