The Internet of Things (IoT) is poised to become an integral part of everyone's lives in the not-too-distant future. From coffee machines churning out the kind of coffee people want depending on their mood, to their automobile switching on by itself and adjusting the climate control as they approach it on a weekday morning, the IoT potentially could make people's lives easier as their devices generate data and communicate with each other over the Internet (see the sidebar "A World of Smart Things").
The definition of the IoT has evolved over time.
TechTarget describes the IoT as "a scenario in which objects, animals, or people are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction."
The big question is, does the IoT have a similar outlook for organizations? The answer is that the possibilities are limitless, which is why many organizations already have started to adopt the IoT. Internal auditors should evaluate the operational and financial risks that the IoT can expose their organizations to and provide assurance that those risks are controlled appropriately.
Auditors as IoT Advisers
For organizations that are not yet fully awake to the IoT, an internal audit function can advise management on the importance, benefits, and competitive edge that the IoT can bring to the enterprise. Auditors can demonstrate to management how the IoT can be implemented in processes such as sales distribution and inventory control. Moreover, they can facilitate brainstorming sessions with management and perform research to understand how the IoT can be used within the organization's specific operating environment. That said, while performing such advisory services, internal auditors should maintain their objectivity and not assume management responsibility.
Assurance on New Risks
Management and internal auditors need to fully acknowledge that although the IoT can bring many rewards, it also gives birth to numerous risks. Inadequate understanding of the risk environment or applicable controls can lead to disaster for the organization. Furthermore, given the rapid development and advancement of the IoT, the associated risks and controls also are changing and evolving rapidly. Internal auditors need to stay abreast of IoT developments and advancements to be able to assess the risks and controls in their organization.
The first step for auditors is conducting a risk assessment of the IoT in use in their organization. Specific risks will depend on the nature of the IoT systems the organization has deployed and the overall business process they support.
A World of Smart Things
According to the Deloitte publication TMT Predictions 2015 — The Internet of Things Really Is Things, not People, 60 percent of all IoT devices will be paid for and used by enterprises and industries in 2015. Furthermore, enterprises and industries will generate 90 percent of IoT services revenue this year.
"The development of the Internet of Things is expected to surge in the coming years," says Stéphane Richard, CEO of Paris-based telecommunications company Orange S.A., in an M2M Magazine article. "By 2020, we believe that there will be more than 25 billion objects connected in the world."
The two studies listed below illustrate the depth and breadth of possible gains from adopting the IoT:
Internal auditors can start by looking at these areas:
Security. IoT systems are connected to the Internet, so they are exposed to attacks from cyber criminals and hacktivists. Seventy-two percent of global IT and cybersecurity professionals surveyed by ISACA say there is a medium or high likelihood that an organization will be hacked through an IoT device. Among other information security audit procedures, IT auditors should perform a vulnerability assessment of such devices and consider conducting penetration tests on those systems periodically. Results of these procedures should be used to strengthen the security of IoT systems where necessary. Auditors should pay close attention where third parties support IoT systems and assess whether those third parties have adequate security controls in place to protect data residing in IoT systems. Furthermore, they should assess the adequacy of the encryption IoT systems use for communication.
Resilience. IoT systems may support a business process that is critical or time-bound, such as the delivery of perishable goods. IT auditors should assess whether controls are in place to recover IoT systems in the event of a failure. Auditors should determine whether management understands the potential business impact of an IoT system outage and whether appropriate and adequate policies, procedures, and processes are in place to recover affected business processes in a timely manner in the event of an outage or disaster.
Health and Safety. Many of today's IoT systems can pose a serious threat to human life and safety. Examples include implantable biomedical devices, such as pacemakers and defibrillators, and assembly line robots at a manufacturing facility. An important area internal auditors should assess is whether such IoT systems have undergone sufficient testing using appropriate test cases before being deployed into production. Furthermore, controls should be in place to ensure adequate testing is performed before upgrades, patches, and changes are made to IoT systems where health and safety is a significant risk.
Monitoring. As with any other system, controls should be in place to monitor whether IoT systems are functioning as intended. Internal auditors should assess whether adequate monitoring controls are in place and whether all such controls have been operating effectively over time. Furthermore, auditors should assess whether exceptions and failures that occur are logged appropriately and whether resolutions to incidents are recorded in a timely manner. Auditors also should assess whether management has a process that takes recurring incidents into account and analyzes their root causes.
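The monitoring tests described above (are failures logged, are they resolved within the agreed time, and do recurring failures get root-cause attention) can be run mechanically over an incident log export. The following script is an added example, not code from the article or from any particular product; the log lines, the four-hour resolution target and the recurrence threshold of three are constructed for illustration and would be replaced by the organization's own export, SLA and policy.

```python
"""Audit test over an IoT incident log: are failures logged, resolved within the SLA,
and do recurring failures get root-cause attention? Added example, not from the article;
the log lines, SLA and recurrence threshold are constructed for illustration."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed log export, one event per line: timestamp|device|event|incident_id|detail
SAMPLE_LOG = """\
2015-03-02T08:00:00|sensor-17|FAILURE|INC-1001|temperature probe timeout
2015-03-02T09:30:00|sensor-17|RESOLVED|INC-1001|probe reseated
2015-03-03T08:05:00|sensor-17|FAILURE|INC-1002|temperature probe timeout
2015-03-03T13:00:00|sensor-17|RESOLVED|INC-1002|probe reseated
2015-03-04T08:01:00|sensor-17|FAILURE|INC-1003|temperature probe timeout
2015-03-05T02:00:00|gateway-2|FAILURE|INC-1004|lost uplink
2015-03-05T02:20:00|gateway-2|RESOLVED|INC-1004|modem restarted
2015-03-06T11:00:00|robot-arm-4|FAILURE|INC-1005|emergency stop triggered
"""

RESOLUTION_SLA = timedelta(hours=4)  # assumed target; take it from the organization's policy
RECURRENCE_THRESHOLD = 3             # assumed: same device + same failure this many times is "recurring"


def parse_log(text):
    """Split the pipe-delimited export into event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, event, inc_id, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "device": device,
                       "event": event, "id": inc_id, "detail": detail})
    return events


def build_incidents(events):
    """Group events by incident id: device, what failed, when opened, when resolved."""
    incidents = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        inc = incidents.setdefault(e["id"], {"device": e["device"], "opened": None,
                                             "resolved": None, "detail": None})
        if e["event"] == "FAILURE":
            inc["opened"] = e["ts"]
            inc["detail"] = e["detail"]
        elif e["event"] == "RESOLVED":
            inc["resolved"] = e["ts"]
    return incidents


def open_incidents(incidents):
    """Failures with no recorded resolution: still open, or resolved but never recorded?"""
    return sorted(i for i, inc in incidents.items() if inc["resolved"] is None)


def sla_breaches(incidents, sla=RESOLUTION_SLA):
    """Resolved incidents whose resolution took longer than the SLA.
    Incidents with a RESOLVED event but no FAILURE event (opened is None) are skipped;
    they are a logging-completeness finding, not an SLA one."""
    return sorted(i for i, inc in incidents.items()
                  if inc["opened"] is not None and inc["resolved"] is not None
                  and inc["resolved"] - inc["opened"] > sla)


def recurring_failures(incidents, threshold=RECURRENCE_THRESHOLD):
    """(device, failure) pairs seen at least `threshold` times: candidates for root-cause analysis."""
    counts = Counter((inc["device"], inc["detail"]) for inc in incidents.values()
                     if inc["detail"] is not None)
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    incidents = build_incidents(parse_log(SAMPLE_LOG))
    print("open:", open_incidents(incidents))
    print("SLA breaches:", sla_breaches(incidents))
    print("recurring:", recurring_failures(incidents))
```

On the constructed data the script reports two incidents with no recorded resolution (the third sensor timeout and the robot emergency stop), one resolution that overran the four-hour target, and one device whose identical failure has recurred three times without the pattern being addressed. Each of those is a question for management rather than a conclusion: the auditor still has to establish whether the missing resolutions were never recorded or never happened, and whether the recurring failure has been through root-cause analysis.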
Scoping of IoT systems. Because many vendor-provided IoT systems can be simple to implement, some systems may be deployed by business units without the IT department's involvement. For example, fire detection systems in enterprise facilities may have IoT capability that the IT department does not know about and that risk management professionals and internal auditors may not notice. Auditors should stay alert to where and when IoT systems are deployed by different departments at the organization and prioritize IoT systems audits according to their criticality and sensitivity.
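One practical way to find devices that business units deployed without IT's knowledge is to reconcile what is actually on the network (for example a DHCP lease export) against the IT asset register, and to rank the unregistered devices by how strongly their hostname or hardware address suggests a building, safety or process system. The script below is an added example and not part of the article; the lease export, the asset register, the vendor-prefix list and the hostname keywords are all constructed for illustration (the OUI prefix is not a real vendor assignment), and an auditor would substitute the organization's own exports and lists.

```python
"""Reconcile a DHCP lease export against the IT asset register to surface IoT devices
deployed without the IT department's involvement. Added example; all data, the OUI
prefix list and the hostname keywords are constructed for illustration."""

# Constructed DHCP lease export: ip, mac, hostname ("-" when the client sent none)
DHCP_LEASES = """\
10.0.5.21 aa:bb:cc:11:22:33 ws-finance-07
10.0.5.40 02:1a:2b:44:55:66 firepanel-bldg3
10.0.5.41 02:1a:2b:77:88:99 hvac-ctl-2
10.0.5.55 aa:bb:cc:aa:bb:cc printer-3f
10.0.5.60 de:ad:be:ef:00:01 -
"""

# Constructed IT asset register: the MAC addresses IT knows about
ASSET_REGISTER = {"aa:bb:cc:11:22:33", "aa:bb:cc:aa:bb:cc"}

# Constructed list of OUI prefixes (first three octets) the auditor associates with
# embedded/IoT vendors; a real engagement would use the IEEE OUI registry.
IOT_OUIS = {"02:1a:2b"}

# Hostname fragments that suggest building, safety or process systems (assumed list)
IOT_KEYWORDS = ("fire", "hvac", "plc", "cam", "sensor", "gateway")


def parse_leases(text):
    """Parse the whitespace-separated export into lease dicts with normalized MACs and hostnames."""
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, hostname = line.split()
        leases.append({"ip": ip, "mac": mac.lower(),
                       "hostname": "" if hostname == "-" else hostname.lower()})
    return leases


def classify(lease, register=ASSET_REGISTER, ouis=IOT_OUIS, keywords=IOT_KEYWORDS):
    """Return the audit findings for one lease; an empty list means the device is registered."""
    if lease["mac"] in register:
        return []
    reasons = ["not in IT asset register"]
    oui = lease["mac"][:8]
    if oui in ouis:
        reasons.append(f"OUI {oui} matches IoT vendor list")
    for kw in keywords:
        if kw in lease["hostname"]:
            reasons.append(f"hostname contains '{kw}'")
    if not lease["hostname"]:
        reasons.append("no hostname")  # silent clients deserve a look too
    return reasons


def unregistered_devices(leases, **kw):
    """Unregistered leases as (ip, hostname, reasons), most suspicious first."""
    found = [(l["ip"], l["hostname"], classify(l, **kw)) for l in leases]
    found = [f for f in found if f[2]]
    return sorted(found, key=lambda f: (-len(f[2]), f[0]))


if __name__ == "__main__":
    for ip, hostname, reasons in unregistered_devices(parse_leases(DHCP_LEASES)):
        print(ip, hostname or "(no hostname)", "->", "; ".join(reasons))
```

The ranking is deliberately simple: every unregistered device is a finding, and each extra signal (a vendor prefix associated with embedded equipment, a telling hostname, or no hostname at all) moves it up the list so that the fire panel and the HVAC controller are examined before the anonymous workstation-like device. The output is a starting point for the scoping conversation with the business units, not proof that a device is an IoT system.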
Realizing the Benefits
It's likely that the need to perform sound audits of IoT systems will grow at organizations in all industries worldwide. Internal audit departments should gear up for the challenge of ensuring that controls over the risks of IoT systems are operating effectively. Although there is a diverse range of IoT systems in service today, auditors can use the five areas above as a guide to planning and executing an IoT systems audit. However, they should keep an open mind to understand the overall context in which a particular IoT system operates and develop creative ways to perform their audits depending on that system's specific functionality. Such internal audits can help position organizations to realize the full benefits of the IoT.