Implementing RFID Technology: Issues and Challenges for Internal Auditors

Internal auditing plays a distinct role before, during, and after the implementation of any RFID initiative. Learning what this role is will enable auditors to add value to their organization's use of this powerful technology.


From its early uses during World War II, radio frequency identification (RFID) technology has evolved in its complexity and mode of implementation. Thanks to technological advances, many organizations are able to use RFID tags as a way to enhance business efforts. For instance, to lower operating costs, many companies today require their partners and suppliers to use RFID tags that comply with their internal policies. However, although RFID is a powerful tool that can help organizations improve business efficiency, implementing this technology is not easy. Furthermore, evaluating and operating RFID systems can be a challenging process. For organizations contemplating the use of RFID, an auditor familiar with the technology and its risks can be an effective resource in the planning, implementation, and post-planning phases.

How RFID Works

RFID technology consists of a tag or transponder, which uses a computer chip and antenna to emit radio waves that can be used to identify and track a specific item. RFID chips can operate in an active or passive mode, broadcasting data as required. The chips store an item's Electronic Product Code (EPC), which is divided into numbers that identify an item's manufacturer, product, version, and serial number. The EPC also has an extra set of digits that can store additional information, such as a product's expiration date.

While chips are used to store information, the antenna enables the chip to transmit that information to readers. The readers convert the radio waves received from RFID tags into a format that can be read by middleware software, which then passes this data to various company applications, such as supply chain, asset tracking, and shop flow control programs.

For more information on how RFID technology works, refer to Overview of RFID Components (PDF, 5 KB). To learn about the different ways organizations are using RFID technology, refer to Examples of RFID Use in Different Industries (PDF, 3 KB).

Auditing RFID Implementation

As many retail companies begin to mandate that suppliers incorporate RFID into their products, for some companies, not implementing RFID technology could result in the loss of a significant amount of business revenue. For other companies, the decision to implement RFID is more complex and depends on an examination of the pros and cons of using RFID. (To learn more, see "Pros and Cons of RFID Use" below.) For an organization exploring the use of RFID, a preliminary assessment can help to determine if and when this technology should be implemented, prior to preparing a formal business case. During the preliminary assessment, the company should ask questions such as:

  • Is there really a need to invest in RFID technology?
  • Can we afford to make the anticipated investment?
  • What are the consequences of not implementing RFID technology?
  • Are there projects that might be more beneficial or that provide a better return on investment for the company at this time?

If proceeding with the implementation is justified after completing the preliminary assessment, the next step is to develop a formal justification or business case for the technology followed by the creation and execution of an implementation plan. To maximize the system's compliance with internal and external regulations, internal auditors should be involved in the implementation process from the beginning. Following is a discussion of some of the activities involved when evaluating and implementing RFID technology at the business level, as well as suggestions on how internal auditors can add value to the evaluation, implementation, and post-implementation phases of the project.


The auditor's focus during the formal justification phase is to make sure that the business case given to management is objective and accurate, paying close attention to implementation cost estimates, which can be quite complex. For instance, the cost of implementing RFID varies from company to company, depending, for the most part, on the level of implementation needed and whether the company will be upgrading an existing bar code infrastructure to include RFID functionality or implementing an RFID system for the first time. The implementation of an RFID system in either environment may require the company to invest in tags, readers, printers, middleware, infrastructure improvements, consulting, training, and service-provider fees, among other costs. Companies also may have to upgrade their IT systems to handle RFID-generated data. Finally, companies that are not working with bar codes may have to purchase or modify back-office, manufacturing, or warehouse management systems to use RFID data.

Internal auditors can help ensure that appropriate cost elements are included in the business justification proposal and that cost estimates are supported with factual information. The auditor also can examine the business case to determine whether it articulates the company's RFID ambitions; identifies the benefits and risks of the proposed RFID initiative; and includes comprehensive return on investment (ROI) calculations that can help management assess the benefits of the investment and compare these benefits to other choices.

Procedures internal auditors can perform to detect potential issues with ROI calculations include:

  • Reviewing the methodology used to determine if it makes sense. The analysis should use assumptions that clearly indicate what management intends to do and show the tangible and intangible costs and benefits of the proposed implementation.
  • Making sure ROI calculations are comprehensive and robust. The analysis should be supported by detailed metrics, which measure the return on the IT investment and associated business process changes. The analysis also should include a carefully prepared and detailed assessment of labor costs, loss of revenue due to stock not being available for sale, theft, and inventory reductions.
  • Ensuring implementation cost estimates are reasonable and supported adequately with facts. Each RFID system implemented will vary based on the specific needs of the company. As a result, auditors working for companies that are implementing RFID technology for the first time need to identify whether estimates are based on lowest possible costs, because issues and additional costs may arise that cannot be anticipated.
  • Identifying whether ROI calculations measure the investment's total cost, including the cost of investment risks and disruptions to operations. Measuring the total cost is important, because otherwise companies can end up with an ROI estimate that is too high and, thus, misleading.
  • Ensuring the company's ROI is not calculated to begin as soon as the system is implemented, especially if the system is to be implemented in phases. Assuming benefits will begin immediately after implementation could provide an ROI result that is hard to achieve, because it takes time to fully identify the benefits of any new system.

When assessing ROI calculations, auditors also need to be on the lookout for any signs of careless cost reports, such as the omission of costs related to problem analysis, training, and ongoing system operations.

Pros and Cons of RFID Use


Pros

  • Real-time data on assets and goods.
  • Increased data and knowledge for decision making.
  • Reduced theft and loss.
  • Improved inventory efficiency and management.
  • Reduced labor costs.
  • Increased efficiency and product flow.
  • Goods authentication.
  • Improved risk mitigation.
  • Reduced human error.


Cons

  • High implementation cost.
  • Lack of globally accepted use standards.
  • Lack of better middleware.
  • Privacy intrusion.
  • Strain in the IT infrastructure by overwhelming information systems as real-time scans move between multiple applications.

Source: What Every Internal Auditor Should Know About RFID, Knowledgeleader, June 2006.


Planning and Implementing RFID 

Detailed project planning and carefully prepared implementation plans are important to the success of any RFID implementation. To ensure a successful implementation, the company should establish a cross-functional RFID team and assign an executive sponsor to the team. Also, companies that do not have the in-house expertise required to implement an RFID system should hire outside consultants to assist with planning efforts. Once the team is assembled and the consultants are on board, planning can begin.

One of the first tasks facing the team will be the development of functional specifications and a project plan. When reviewing functional specifications and project plans, auditors need to review whether adequate consideration has been given to issues such as:

  • Data encoding requirements.
  • What data needs to be encoded onto the RFID chip.
  • Whether the RFID chip will be embedded or visible.
  • Where and when data needs to be read.
  • Whether the RFID chip will be subjected to surface contamination (e.g., dirt).
  • What the required reading range will be for the items.
  • Whether multiple RFID inventory items will need to be read at the same time.
  • Whether the RFID system will be operated in a single location, multiple locations, domestically, or internationally.
  • The impact of new data requirements on existing information systems.

Once functional specifications are developed, the team can begin searching for hardware and software vendors. When evaluating and selecting vendors, the team should consider important issues, such as the RFID transmission frequency, protocols, and standards supported by each vendor; the interoperability of the hardware with RFID systems from other suppliers; the cost of upgrading and maintaining equipment; and the vendor's ability to customize elements of their system based on company needs. The auditors also should ensure that the team seeks vendors that can validate the successful operation of their systems.

Furthermore, companies implementing an integrated RFID system may experience problems with incompatible software applications and getting middleware to communicate with each other, as well as problems handling large data streams from readers at high speeds and formatting data. The auditors should make sure that the company gives sufficient attention to these potential issues and develops testing routines that ensure these and similar issues are detected prior to going live with the system.


One of the key outputs of the planning phase should be a detailed implementation plan. Auditors should review the implementation plan to determine whether it provides a detailed overview of the rollout approach for the hardware and software. The auditor also should identify if the plan makes adequate testing provisions and is designed to ensure the RFID system works with other systems. Finally, the plan should include provisions for volume testing to ensure the RFID system can handle daily operation volumes. If multiple facilities are involved, implementation plans should include provisions for conducting pilot tests before initiating a full-scale implementation. Plans involving multiple facilities should be presented on a facility-by-facility basis and should detail the metrics used to measure when it is appropriate to move forward with the subsequent implementation phase.

Post Implementation 

The company should do a post-implementation assessment after the system has been operational for a few months to determine whether the project met its objectives, especially in terms of costs and benefits. Auditors should perform a post-implementation assessment on the effectiveness of planning and implementation activities, and identify whether the company's bar coding and RFID activities are controlled appropriately. As part of this post-implementation assessment, the auditor should:

  • Assess tracking or counting risks. These risks are increased significantly when the company's products contain metal, which can reflect radio frequencies, or liquids, which can absorb them.
  • Ensure that the company's shipping procedures automatically (i.e., electronically) double-check items being loaded against bills of lading to verify product movements.
  • Ensure that read rates are verified. As part of this procedure, the auditor should check for faulty tag reads resulting from tags that do not transmit signals quickly enough or too many tags being read at once, which may confuse readers on which signals to pick up.
  • Ensure that the tags used are appropriate for the application. Expensive RFID tags should not be used for inexpensive items, while expensive tags should not be used if a less expensive tag works just as well.
  • Ensure that someone is responsible for balancing and reconciling RFID transactions to company records and correcting all errors.
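One way the automated bill-of-lading check and read-rate verification in the list above could be scripted, as an added example that is not part of the original article. The EPC strings, reader names, and the 99 percent read-rate threshold are constructed assumptions.

```python
from collections import Counter

# Constructed sample data: EPCs listed on a bill of lading (hypothetical values).
BILL_OF_LADING = {"EPC-0001", "EPC-0002", "EPC-0003", "EPC-0004", "EPC-0005"}

# Constructed dock-door read events as (reader_id, epc) pairs.
READ_EVENTS = [
    ("dock-1", "EPC-0001"),
    ("dock-1", "EPC-0002"),
    ("dock-2", "EPC-0002"),  # same tag picked up by a second reader
    ("dock-1", "EPC-0004"),
    ("dock-1", "EPC-0005"),
    ("dock-1", "EPC-9999"),  # tag that is not on the bill of lading
]


def reconcile(expected, events, min_read_rate=0.99):
    """Compare tag reads against the bill of lading and list the exceptions.

    min_read_rate is an assumed acceptance threshold, not a figure from the article.
    """
    counts = Counter(epc for _, epc in events)
    seen = set(counts)
    matched = expected & seen
    unexpected = seen - expected
    # Read rate: share of expected items that produced at least one read.
    read_rate = len(matched) / len(expected) if expected else 1.0
    return {
        "read_rate": read_rate,
        "missing": sorted(expected - seen),        # on the document, never read
        "unexpected": sorted(unexpected),          # read, but not on the document
        "duplicates": sorted(e for e, n in counts.items() if n > 1),
        # Hold the shipment for manual correction unless everything balances.
        "release_shipment": read_rate >= min_read_rate and not unexpected,
    }


if __name__ == "__main__":
    report = reconcile(BILL_OF_LADING, READ_EVENTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The missing and unexpected lists are the exceptions that the person responsible for balancing RFID transactions would need to resolve before the shipment record is closed.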

Finally, auditors need to check for issues that tend to exist in non-RFID applications, such as failure to add new hardware and software to maintenance contracts, failure to update operation manuals, and failure to document procedures for resolving errors.

The Implications of RFID for Internal Auditors

RFID has been around for decades. However, there has been a recent surge of interest in RFID due to the technology's potential to enhance business efficiency, reduce operation costs, and, perhaps, enhance the company's competitive advantage. Internal auditors should continue seeing improvements in RFID technology and significant decreases in the cost of implementing and operating RFID solutions. These changes likely will ensure a continuing migration to RFID use.

Furthermore, implementing properly controlled systems is always a challenge, and the earlier internal auditors can become part of the implementation project, the higher the likelihood the system will be implemented with the desired controls. Therefore, it is more critical than ever for internal auditors to learn as much as possible about RFID technology. This, in turn, will enable them to help their companies plan, implement, and monitor their RFID initiatives more effectively and efficiently.


