Depending on whom you ask, the business disruptor known as the Internet of Things (IoT) is either the launch pad for an indispensable digital future, or a Pandora’s box of unfathomable risks that have only begun to present themselves. Either way, that’s a lot to lay on a technology trend that only 13 percent of consumers had even heard of, as recently as 2014.
As with most disruptive change that has come before, the IoT poses both opportunities and threats. The internal audit function, as the line of defense tasked with scanning the horizon to ensure that emerging risks are known and accounted for in strategic plans and control frameworks, must now consider both the industry implications and the specific organizational challenges.
Small wonder it ranks among the top five priorities in Protiviti’s 2016 Internal Audit Capabilities and Needs Survey. Judging by the packed house for our June 1 webinar on this topic, a number of you agree. We crammed a lot into that hour, and I’ll only be able to whet your appetite here. But here’s a taste, and some questions to take back to your organization.
To be clear, IoT is the term used to describe the online exchange of data gathered from uniquely identifiable objects, animals and people, without human-to-human, or human-to-computer, interaction.
This is the world of wearable technology — fitness trackers, heart monitors, insulin pumps, and other “smart” devices, like remote home thermostats. It exists primarily in the cloud, and also includes engine sensors, diagnostic controls and transdermal, and even ingestible, medical devices.
Risks, of course, include personal privacy, data security, system integrity and more. Conversely, companies face the risk of failing to adapt to a fundamental shift in the competitive environment. But there are also opportunities for risk mitigation through advances in predictive analytics and continuous auditing.
The archived version of the webinar offers a rich and informative discussion, with many good questions from our audience, who felt the content was timely and pertinent. In the meantime, here are some questions for internal auditors to take back to their organizations:
- How is IoT deployed in our organization today? Who owns IoT or the respective components of IoT?
- Have we considered the risks associated with our IoT presence? How have those risks been quantified and controlled?
- Do we know what data is collected, stored, and analyzed? Have we assessed potential legal, privacy and security implications?
- Do we have contingency plans for internet-connected “things” that are hijacked or modified for unintended purposes?
- To what extent are third parties acting on our behalf? Do we have the right processes and SLAs in place to appropriately monitor those third parties?
- What role does IoT play in our current strategy as an organization? How are we measuring the achievement related to any goals associated with strategic objectives?
- What is the risk of not considering or further leveraging IoT possibilities? Are we using data analytics to its full potential?
This risk is clear and present. Disruptive innovations that once may have taken a decade or more to transform an industry are now occurring much faster. To stay ahead of the disruption curve, internal audit must quickly discern the vital signs of change and the related implications to the business model of their organization.
The IoT and the related risks will continue to evolve and we will continue to track those risks and developments here on our blog and in upcoming publications, so check here and on our website often.
[…] We covered the implications of these events, both general and industry-specific, in special reports (here and here) and on the blog (here and here). But other events made waves too – record-setting security breaches across industries, including massive unauthorized release of financial data from offshore accounts, and DDoS attacks enabled by the Internet of Things. […]