Last month, Compliance Week published "Internet of Things' Role in Internal Audit & Compliance."
I heartily agree that this is a topic that merits internal audit's (and the compliance function's) serious attention.
To quote the article, "Forbes provides a nice simple description of the concept as one of 'connecting any device with an on and off switch to the Internet (and/or to each other).'"
The Internet of Things (IoT) is not futuristic. It is here today. It will only mushroom in the future, with just about everything interconnected.
For example, I armed my home security system using my phone while on the way to the airport (I was not driving). If anybody tries to break in, I will receive an alarm on my phone wherever I happen to be.
Some people have their hearts monitored over the internet — see this article from Forbes.
What should internal audit be doing about it?
Certainly, the level of work should be driven by the level of risk. But do we know what the level of risk is when it comes to IoT?
The article appears to expect internal audit to assess the risk by finding out how "IoT [is] deployed in our organization today."
I would take a different approach. I would find out whether management knows what is connected to what and why. If they don't know, that is a huge risk itself — how can IoT and its attendant risks be assessed and addressed if they are not known to management?
Assuming that they know the current state, I would ask for their risk assessment and how they are addressing the identified risks.
My next step would be to find out what changes are expected over the next 12 months and whether management is addressing them in its risk assessment.
These few questions would give me a "feel" for the level of risk and whether an audit engagement is merited.
I might go a step or two further and ask how they know what is connected to what, and how they have identified and addressed the risks.
That should give me sufficient confidence to know whether an audit engagement should be performed, what form of engagement it should be (assurance or advisory), and when.
Too many commentators want internal audit to identify and assess emerging risks, such as IoT.
I strongly disagree. That is management's role, not internal audit's.
Internal audit can assist by ensuring management has sound practices for identifying, assessing, and addressing risks — both emerging risks and existing risks where the level changes.
Do you agree?