The Importance of Data Lineage for AML System

By Vishal Ranjane, Managing Director
Risk and Compliance

Financial organizations have long embraced the advantages that information technology offers, and many are looking forward to larger digitalization initiatives to gain market advantage. Customers appreciate the convenience of digital offerings, while firms enjoy the reduction in operating costs that information technology enables. Of course, in the multifaceted, highly regulated environment in which financial institutions operate, mastering the complexity of this digital future is both rewarding and risky.

In any financial firm’s application landscape, data flows from system to system. In an ideal world, key data gathered at the front end (customer-facing systems) makes it to the back-end systems without hitches. In reality, in the application architecture of almost any financial institution, systems are sometimes imperfectly integrated, often as a result of multiple acquisitions, and data does not always make the journey from system to system without some amount of attrition or change. However, banks and other financial institutions that handle customer data must be able to demonstrate that the information which originates upstream, in customer-facing systems, is the same information found in the bank’s risk and compliance systems downstream. This is where data lineage becomes important.

Data lineage tells the complete story of how data within an organization was produced, consumed, and manipulated by the organization’s applications. It traces the data’s movement through systems.

Once, it was sufficient to demonstrate to regulators that the right policies were in place, that the right procedures were followed, and the right reports were generated and reviewed to protect against threats like fraud and money laundering. Now, financial institutions must be able to demonstrate to regulators that they are using complete and accurate data to monitor for these activities.

Asserting data legitimacy

An organization asserts de facto data legitimacy when it relies on the integrity of its data for key reporting or decision-making activities, such as those involved with risk and compliance solutions. It is imperative that data from upstream systems of record or points of capture arrives in these downstream risk and compliance systems in a manner that does not materially alter or obscure the content received from the system of record or point of capture.

De facto data legitimacy claims are an area of focus for regulatory authorities, who require that these claims be documented and proven. The recent Part 504 regulation by the State of New York Department of Financial Services emphasizes the importance of data lineage in an AML context, stating that a covered institution must not only identify all data sources that contain data relevant to its transaction monitoring and watchlist filtering programs, but must also ensure that these programs include validation of the integrity, accuracy, and quality of the data, so that an accurate and complete set of data flows into these programs. In addition, the regulation specifically notes data mapping as a key component of end-to-end pre- and post-implementation testing of transaction monitoring and watchlist filtering programs.

Going back to the firm’s application landscape, upstream data – data entered initially by the customer, for example – may not survive the journey downstream, and facts about the transaction may be lost with each hop from system to system. Can an auditor know if a particular transaction was made with a teller, a wire, or via an ATM, for example? Was a deposit made by check or cash?

Data lineage documentation can be done using a variety of tools ranging from simple to sophisticated. In smaller, less complex systems, simple spreadsheets and diagramming tools may suffice, while large financial institutions may deploy vendor toolsets to automate tedious and error-prone capture and documentation activities.
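As an added illustration of the source-to-target validation the Part 504 discussion above calls for (example code written for this page, not Protiviti's tooling or any vendor toolset), the script below reconciles a constructed batch of upstream transactions against the same batch as it arrives in a downstream AML feed. The record layouts, the field mapping, and every sample value are assumptions; the check flags records that never arrived, fields that were blanked in transit (the lost channel from the teller/wire/ATM example above), values that were altered on the way (a truncated amount), and records delivered twice.

```python
"""Source-to-target lineage reconciliation for an AML feed (illustrative)."""
import hashlib
from dataclasses import dataclass, field

# Constructed sample: transactions as captured in the upstream system of record.
SOURCE_RECORDS = [
    {"txn_id": "T1001", "cust_id": "C01", "amount": "1500.00", "currency": "USD",
     "channel": "TELLER", "instrument": "CASH", "posted": "2017-05-01"},
    {"txn_id": "T1002", "cust_id": "C02", "amount": "9999.99", "currency": "USD",
     "channel": "WIRE", "instrument": "WIRE", "posted": "2017-05-01"},
    {"txn_id": "T1003", "cust_id": "C03", "amount": "250.50", "currency": "USD",
     "channel": "ATM", "instrument": "CHECK", "posted": "2017-05-02"},
    {"txn_id": "T1004", "cust_id": "C01", "amount": "75.00", "currency": "USD",
     "channel": "ATM", "instrument": "CASH", "posted": "2017-05-02"},
]

# Constructed sample: the same batch as delivered to the AML monitoring feed.
# T1001 is intact, T1002 lost its channel, T1003's amount was truncated,
# and T1004 never arrived.
TARGET_RECORDS = [
    {"TXN_REF": "T1001", "CUSTOMER": "C01", "AMT": "1500.00", "CCY": "USD",
     "CHANNEL": "TELLER", "INSTR": "CASH", "POST_DT": "2017-05-01"},
    {"TXN_REF": "T1002", "CUSTOMER": "C02", "AMT": "9999.99", "CCY": "USD",
     "CHANNEL": "", "INSTR": "WIRE", "POST_DT": "2017-05-01"},
    {"TXN_REF": "T1003", "CUSTOMER": "C03", "AMT": "250", "CCY": "USD",
     "CHANNEL": "ATM", "INSTR": "CHECK", "POST_DT": "2017-05-02"},
]

# Assumed source-to-target field mapping (the documented lineage artifact).
FIELD_MAP = {
    "txn_id": "TXN_REF", "cust_id": "CUSTOMER", "amount": "AMT",
    "currency": "CCY", "channel": "CHANNEL", "instrument": "INSTR",
    "posted": "POST_DT",
}
KEY_FIELD = "txn_id"


@dataclass
class LineageReport:
    missing_in_target: list = field(default_factory=list)     # keys never delivered
    unexpected_in_target: list = field(default_factory=list)  # keys with no source
    duplicated_in_target: list = field(default_factory=list)  # keys delivered twice
    blanked: list = field(default_factory=list)   # (key, field): value lost in transit
    altered: list = field(default_factory=list)   # (key, field, source, target)

    def is_clean(self):
        return not any([self.missing_in_target, self.unexpected_in_target,
                        self.duplicated_in_target, self.blanked, self.altered])


def record_fingerprint(rec, fields):
    """SHA-256 over the mapped fields in fixed order; any dropped or rewritten
    field changes the digest, so intact records can be skipped cheaply."""
    canonical = "\x1f".join(f"{f}={rec.get(f, '')}" for f in fields)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def reconcile(source, target, field_map, key_field):
    """Compare a target batch against its source, field by field, through the
    mapping; returns a LineageReport describing every material difference."""
    fields = list(field_map)
    target_key = field_map[key_field]
    report = LineageReport()

    # Project target records back into source field names, keyed by txn id.
    projected, seen = {}, set()
    for rec in target:
        k = rec[target_key]
        if k in seen:
            report.duplicated_in_target.append(k)
        seen.add(k)
        projected[k] = {src: rec.get(tgt, "") for src, tgt in field_map.items()}
    src_by_key = {rec[key_field]: rec for rec in source}

    report.missing_in_target = sorted(set(src_by_key) - set(projected))
    report.unexpected_in_target = sorted(set(projected) - set(src_by_key))

    for k in sorted(set(src_by_key) & set(projected)):
        s, t = src_by_key[k], projected[k]
        if record_fingerprint(s, fields) == record_fingerprint(t, fields):
            continue  # identical on every mapped field
        for f in fields:
            sv, tv = s.get(f, ""), t.get(f, "")
            if sv == tv:
                continue
            if sv and not tv:
                report.blanked.append((k, f))   # attrition: fact lost on a hop
            else:
                report.altered.append((k, f, sv, tv))
    return report


if __name__ == "__main__":
    rpt = reconcile(SOURCE_RECORDS, TARGET_RECORDS, FIELD_MAP, KEY_FIELD)
    print("clean" if rpt.is_clean() else "lineage breaks found")
    print(rpt)
```

Run against the constructed batch, the report lists T1004 as missing, the channel of T1002 as blanked, and the amount of T1003 as altered from 250.50 to 250; a feed that reproduces every mapped field exactly comes back clean. The same check run on each hop of the real data path, with the production field mapping substituted for the assumed one, is what turns a lineage diagram into evidence that downstream AML data matches the system of record.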

Data lineage as part of data governance

Establishing the data lineage should, of course, be more than just an exercise in documenting what’s already in place. Performing this level of analysis and uncovering previously unknown silent errors or gaps in the data being used to manage AML risks and generate reports should lead to increased accuracy and confidence in the reports and management information presented to senior management, internal audit and regulators. An additional benefit is getting better insights into customer behavior – a value for any business.

Establishing a data lineage initiative is only the start. To be sustainable over the long run, such an initiative needs to be part of a larger data governance program that is firm-wide and involves all departments and functions. Data governance efforts are viewed well by regulators, who increasingly put pressure on financial institutions to formally document business processes, data controls and source-to-target mapping, and to defend all activities around data management. A Protiviti white paper, “AML and Data Governance: How Well Do You KYD?,” provides more information and may be of relevance to your company.

Benjamin Kelly of Protiviti’s Regulatory Risk and Compliance practice contributed to this content.

Pro-Growth Signs in Washington Present Opportunity for Power and Gas Capital Investments

By Tyler Chase, Managing Director
Energy and Utilities Industry Leader

Power utilities trying to gauge what the future regulatory landscape will look like are likely getting frustrated with the political cacophony in Washington. Yet judging by legislative activities in Congress and some of President Trump’s executive orders to date, pro-growth and job-creation policies are clearly top-of-mind among the nation’s lawmakers. For organizations that have been putting off capital programs to expand or upgrade facilities and infrastructure, the business-friendly tone could signal a chance to launch these deferred capital investment programs.

As we pointed out in our Flash Report on the new administration’s first 100 days, Trump reversed a handful of Obama administration memoranda, reports and executive orders that were largely considered by the industry to be red tape bogging down capital investment. Among other actions, Trump eliminated multiple policies that built climate change considerations into federal decision-making and ended White House guidance on energy, infrastructure and other proposed projects. Additionally, in mid-May the Senate Committee on Homeland Security and Government Affairs advanced several bills aimed at regulatory reform that could affect utilities. One of these bills, the Senate version of the Regulatory Accountability Act, would require agencies to develop new regulations in the most cost-effective way possible and has the broad support of power, utility and other industrial organizations.

It is still too early to predict how much of Trump’s proposed agenda will ultimately end up as policy, but clearly the need for new and continued investment in the power and gas sectors is not diminishing. According to the American Society of Civil Engineers (ASCE), which this year gave U.S. energy infrastructure a D+, most of this country’s electric transmission and distribution lines date to the 1950s and 1960s, have a 50-year life expectancy, and were not designed to meet today’s energy demands. ASCE also anticipates a $177 billion funding shortfall for generation facilities and infrastructure through 2025.

Meanwhile, increasing the mix of power generation sources to include wind, solar, geothermal and hydrothermal alternatives, along with a retirement of coal-fired plants in favor of natural gas-fueled facilities, requires expansion investment to ensure the transmission grid’s reliability. As we mentioned in our 100 days Flash Report, Trump policies may ultimately relax federal emphasis on renewable energy sources like wind and solar, but that won’t curtail state mandates for more alternative generation or the progress that utilities are making in that area. A case in point is a 2015 California law requiring utilities to procure 50 percent of their energy from renewable sources by 2030, an increase from an earlier target of 33 percent.

Similarly, while the Trump administration has loosened coal regulations to make the commodity more competitive, the U.S. Energy Information Administration reported in January that the electricity industry was planning to increase natural gas-fired generating capacity by more than 35 gigawatts through 2018. Successful completion of the expansion surge would mark the largest net addition in natural gas generating capacity since 2005 and follows five years of net reductions in coal-fired generating capacity.

Protiviti’s perspective — proceed with caution

Though excitement may be building as a result of the new winds in Washington, organizations pursuing plant or infrastructure capital improvements need to keep in mind the pitfalls and risks that could derail the projects. Power and gas industries are still heavily regulated, and environmental constraints still exert influence on right-of-way, for example. To avoid risks, utilities need insightful and skillful management over planning and execution, including oversight of contract compliance, utilization of efficient and well controlled processes, and project risk assessments, among other services.

If your organization is planning or embarking upon a large capital expenditure to expand or upgrade its plant or infrastructure, here are some questions to ask before proceeding:

  • Will existing management processes provide sufficient visibility into decisions that impact project costs?
  • How are project risks identified, communicated and mitigated throughout the project lifecycle?
  • Are current resources capable of managing the project’s complexity?
  • Is the team of engineers, procurement staff, construction managers, trade contractors and material suppliers familiar with and comfortable working in a regulated environment?
  • Is the organization prepared to vigorously defend project costs during review by regulators, intervenor groups, and the public?

Some companies may be willing to wait and watch until the uncertainty over the implementation of Trump’s agenda begins to clear. Wall Street is certainly cautious and jitters in the market have given some investors pause. Nevertheless, lawmakers largely appear to be concentrating on economic policies intended to create and promote growth. Given the shape and age of the transmission grid along with the continuing transformation of power generating sources, the time is certainly ripe for a conversation about capital investment projects that position utilities for future growth while bolstering grid reliability.

Protiviti subject-matter experts Jon Critelli and Marius Anelauskas contributed to this blog.

Digital Transformation Success Requires Looking Inward First and Never Wearing Blinders

By Gordon Tucker, Managing Director
Technology, Media and Communications Industry Leader

To stay relevant in the digital economy, technology, media and communications companies must evolve on two fronts: externally and internally. The trick is that they must do both in tandem — and many find this difficult.

External evolution relates to the role the company is playing to help propel the digital wave forward. Namely, what new and game-changing digital products, services and business models is the company innovating and bringing to market successfully? This type of evolution is also about how the business positions itself among its competitors in the digital market and responds to new market demands and rapidly changing consumer expectations. Are those approaches effective? How does the company know?

Internal evolution, meanwhile, is about the ability of the organization to strategically transform its business processes, technology infrastructure, workforce culture and more to compete effectively in an increasingly digital age. Evolving internally is vital to supporting the company’s external evolution. Yet business leaders don’t always make that association.

At some companies, external dynamics — shareholders’ views, consumers’ sentiments, market perceptions about the company’s brand or reputation — are the impetus for external evolution. To respond, these businesses are constantly channeling resources into developing new products, services or campaigns, often at the expense of addressing internal issues that could cause the business to falter, or even fail, over time. Siloed business processes and weak cybersecurity practices are examples of such issues.

In other organizations, too much change is undertaken too quickly, both internally and externally. These businesses launch sweeping digital initiatives that aren’t backed by well-thought-out strategies. They also fail to evaluate the competitive landscape thoroughly. They focus on trying to outpace known and well-established rivals, and overlook or underestimate emerging players that have the potential to disrupt the marketplace and erode their market share.

In both examples, these businesses are making digital journeys with blinders on. One group is focused on short-term wins that don’t spark meaningful or lasting change. The other group is barreling toward a finish line in a race without an end, paying little or no attention to emerging threats and changing conditions in the field around them. In either case, the decisions these companies make are unlikely to position them for long-term digital success. I suggest a better approach below.

Look inward first

Using technology to improve operations internally is one way for companies to further their digital transformation and bring it to a broader scale. Evolving internally builds a safe foundation that can support their external evolution. For example, a business that has the right digital processes in place and is not burdened by legacy IT systems undermining its agility can score a number of operational successes — from simplifying or automating repetitive or labor-intensive business processes to implementing new tools to enhance workforce communication and collaboration. These successes can then be translated externally into the ability to innovate quickly, deliver better service to customers and meet the expectations of stakeholders.

I recommend reading Protiviti’s white paper, Catching the Digital Wave of Change, which explains how the way a business embraces technology can, in turn, help to change the way employees and customers perceive the organization. Change from the inside shines to the outside.

Tear off the blinders

When setting the strategy for a digital initiative, businesses must analyze the markets in which they are operating, as well as the competitor landscape. In their quest to achieve digital transformation, they must be careful not to miss what’s happening in the “ecosystem” around them.

Ron Adner, a professor of strategy and entrepreneurship at Dartmouth College’s Tuck School of Business, explained in a 2016 Harvard Business Review article that the “nature of disruption is changing … [and now] occurring at the level of ecosystems,” rather than at the product or service level. He posited that businesses need to “approach their competitive strategy with a wide lens that captures ecosystem dynamics” if they want to succeed in an Internet of Things world.

Adner pointed specifically to the example of a well-known company that produces imaging products, with its historic basis in photography. He cited that company’s long and painful journey to becoming a digital company as an example of what can happen when leadership “does not appreciate the dynamics of the broader ecosystem around it.” The company did not respond fast enough or appropriately to changes in the digital imaging ecosystem, and it cost the company dearly. Adner wrote that the “lesson for today’s leading firms is that risk lies not only in a lack of attentiveness to disruptive change but also in embracing the wrong part of the change.”

I don’t have much more to add to Adner’s insight other than to say that wearing blinders — not looking at the whole picture — in the digital era is likely to cause a company to lose or never find its way. Businesses may miss the right moment to pursue transformation or make the wrong decision about how and what to change. And no matter how innovative the business may be today, if it’s focused only on achieving one type of change or pursuing only one goal blindly, it’s bound to be overtaken or pushed off the track by competitors in the future.

States Champion Regulatory Streamlining; CFPB Remains Focused on Consumer Loan Servicing and Fair Lending

By Carol Beaumier, Executive Vice President and Managing Director
Regulatory Compliance Practice

While regulatory relief remains a topic within the Beltway, the Conference of State Bank Supervisors (CSBS), the nationwide organization of financial regulators from all 50 states, the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, has already taken action to streamline the multistate regulatory oversight framework for one group of its regulated entities – money services businesses (MSB). In April, the CSBS launched the Money Services Business Call Report (MSB Call Report) which will allow MSBs to submit a single periodic financial form and other activity reports rather than deal with state-specific reporting requirements in varying formats. The MSB Call Report includes a Financial Condition Report, Transaction Activity Report, Permissible Investment Report and (to be added in the fourth quarter 2017) a Transaction Destination Country Report. The initial report was due by May 15, 2017. While individual states need to opt into this reporting, this move is nonetheless a step in the right direction for the MSB community.

Among the topics on the agenda of the Consumer Financial Protection Bureau (CFPB) are mortgage servicing rights for consumers and fair lending. The CFPB’s 2016 final rule amending certain provisions of Regulation X (Real Estate Settlement Procedures Act) and Regulation Z (Truth in Lending) will be effective in October 2017. The rule requires a series of modifications to the procedures and technology platforms used by mortgage servicers. These modifications affect, among other things, key definitions (successors in interest, delinquency), lender-placed insurance, loss mitigation, communications with borrowers in bankruptcy, and periodic statements and coupon books. With the effective date less than six months away, mortgage servicers need to understand and be prepared to implement all of the required changes.

The 2016 CFPB Fair Lending Report, published in April, signals the agency’s fair lending priorities for 2017. These include identification of redlining activities; mortgage and student loan servicing issues based on race, ethnicity, sex or age; and fair lending challenges faced by women-owned and minority-owned businesses. Lenders engaged in mortgage and student loan servicing and small business lending activities should consider stepping up their monitoring and testing of these areas in preparation for upcoming CFPB examinations.

Learn more about these developments in our May issue of Compliance Insights, available here, and review our monthly recap of compliance developments on the same site.

Retailers, Tech Firms and Financial Services Providers: It’s Time to Shape the Future of Mobile Payments — Are You Ready?

By Gordon Tucker, Managing Director, Technology, Media and Communications Industry Leader; Rick Childs, Managing Director, Consumer Products and Services Industry Leader; and Jason Goldberg, Director, Financial Services Business Performance Improvement

The global mobile payments market is projected to reach US$780 billion by the end of 2017, according to research firm TrendForce. That figure seems impressive until you consider that the ability to pay for goods and services with a mobile device has been a reality for years. It’s been nearly a decade since Starbucks, one of the biggest mobile payments success stories to date, launched its app and rewards program. And recent research by the Mobile Economic Forum found that one-fifth of global consumers have made a mobile payment in-store. Given the exponential growth in smart device innovation and adoption over the past decade and consumers’ inherent desire for convenience and speed when making a purchase, it is logical to think that the mobile channel would dominate as the avenue for payments by now. It’s where we’re headed, to be sure. But some formidable obstacles have been impeding the growth of the industry, such as:

  • Persistent concerns about fraud, privacy and security: Even though most consumers are aware of “digital wallets” — apps on smartphones that store credit card information and facilitate mobile payments — many remain wary of the risks. Fraud has been a problem, with weak authentication practices and identity theft at the root of many incidents — including those involving well-known brands like Apple Pay and Samsung Pay.

Consumers also worry about how companies are collecting and using data, including purchasing history and even geolocation. How and if that sensitive information is being protected from hackers is yet another concern. Tokenization helps to secure valuable transaction data, but data stored in digital wallets or merchants’ payment systems may still be vulnerable. Also, new entrants to the market may lack the security sophistication needed to protect sensitive data from compromise.

  • Bad timing: When solutions like Apple Pay, Google Wallet and Android Pay were being rolled out by mobile manufacturers and tech providers a few years ago, EMV chip card technology was also hitting the market. Retailers were initially confused, and frustrated, about whether to adopt mobile payments or EMV chip card technology. Most prioritized the latter. Now, adoption of that technology is near-universal in retail, even though EMV chip card transactions are slower than mobile payments or even traditional credit card payments.
  • Lack of a consistent experience: Merchants of all types have been racing to launch their own digital wallets. But it is unlikely that many will achieve long-term success with their ventures because consumers are already overwhelmed by choice in the market. Plus, these offerings are diverse, which means the mobile payments experience for consumers also varies. That works against efforts by retailers, and the mobile payments industry to engage consumers and convince them to pay with their smart devices at every opportunity. And there’s another ingredient for mobile payments success that not all retailers can capture: A key reason that apps from brands like Starbucks, Taco Bell and Dominos are so popular is that consumers do business with these retailers frequently — sometimes daily.
  • The fact that old habits die hard: One more dynamic that’s working against mobile payment adoption is the simple fact that it’s still easier and faster, in most cases, for consumers to pay for goods and services with cash, debit card or credit card. They’re comfortable with these methods, so they’re in no hurry to change. And many businesses that offer mobile payment options fail to do enough to incentivize consumers to make the switch — for example, they don’t provide compelling rewards to customers who use their app frequently.

A Growing Swell of Expectations From Consumers

The picture is not all bleak. There are other strong trends in motion that will help to drive mobile payments innovation as well as consumer adoption and use of these solutions. Here are some of the dynamics to watch:

  • New shopping trends will help mobile payments grow — a lot. Showrooming — where consumers examine merchandise in a traditional brick-and-mortar retail store or another offline setting and then buy it online, sometimes at a lower price — is just one example. It’s a retail experience that’s made for mobile — and it’s expanding as large e-commerce players like Amazon and Microsoft get in the game. Retailers can use mobile payment apps to incentivize shoppers to buy items in the store by offering discounts, special rewards or free delivery.
  • Mobile shopping apps are becoming more experiential for consumers. The core purpose of a mobile payment service is to facilitate transactions, of course, but that’s not enough to engage a consumer. Mobile shopping apps are evolving to help customers discover and research products before they are at the store and then help them locate those products while they’re in the store. These apps can also store shoppers’ receipts, gift cards and shopping lists; present discounts and coupons; enable comparison shopping; make the checkout process simple and fast, and more. Look for customer loyalty programs to evolve, as well; for instance, using data insights, a retailer could offer individualized incentives to mobile shoppers and reward them for specific behaviors.
  • A friction-free experience is becoming an expectation, fast. Mobile payments success hinges on creating a simple, seamless, value-adding and branded customer experience. Leading players in the person-to-person (P2P) payments space are setting the standard for the frictionless consumer experience — and winning over mobile-minded millennials. Recent research from Bank of America found that 62 percent of millennials use a P2P service.

Entrants in the P2P space are also focusing on the back end, trying to simplify operations and bake in security wherever possible without undermining the consumer experience. Good infrastructure that supports a secure and seamless customer experience is essential to the future of mobile payments. In the coming months on the blog, we’ll be exploring topics that retailers, technology companies and financial services providers, specifically, should consider when developing their mobile payments strategy. These topics include operational effectiveness, risk and compliance issues, technology strategy, and security and data privacy. Each of the industries mentioned above has an important role to play in helping to shape the evolution of the mobile payments industry. It will be through their collaboration, cooperation and innovation that the mobile payments experience can become what businesses and consumers alike envision it can — and should — be.

Was Friday’s Ransomware Attack Covered in Your Cyber Plan?

By Scott Laliberte, Managing Director
Technology Consulting

Less than a month ago, my colleague Adam Brand talked about the need to include ransomware in the cybersecurity repertoire of companies, emphasizing a business outcome-driven approach to cybersecurity, rather than a narrow-focused sensitive data perspective. Last Friday’s global ransomware attack brought this message home with a bang.

The widespread attack struck hospitals, companies and government offices around the world, with the majority of the attacks targeting Russia, Ukraine and Taiwan. It disrupted computers that support factories, banks and transport systems. The National Health Service in the United Kingdom was attacked, causing some surgical procedures to be cancelled and ambulances to be diverted. In addition, several major global companies reported they were hit by the attack, which currently is believed to have infected more than 200,000 computers globally, with some claiming the number is closer to 300,000.

The event is not unique, but it is the biggest of its kind so far, and it reinforces a harsh reality: Cyber attacks are not just about data loss or intrusions on privacy; they can impact organizational operations, patient care (for healthcare providers) and critical infrastructure, and cause possible loss of life. Systems that support critical operations – such as medical devices and industrial control systems – often run on older technology that is more vulnerable to these attacks. You may have ignored these systems until now because they do not contain critical data – ignore them no more.

In the wake of this latest attack, Protiviti issued a Flash Report today that summarizes the circumstances and reiterates the point we’ve made often before – namely, that cybersecurity needs to be extracted from the silo of IT security operations and considered in the context of the risk it poses to the business. The Flash Report also provides some immediate and longer-term recommendations for companies to shield themselves from future events like this one. Download the report here, and share your thoughts in the comments.

The Internet of Things: A Game Changer for IT Audit

By Anthony Chalker, Managing Director
IT Audit Practice

I recently had the honor of attending the ISACA’s 2017 North America CACS Conference in Las Vegas, where I discussed how the Internet of Things (IoT) continues to transform the mission of IT auditors. The IoT is a perfect example of an all-around disruptor, including in IT audit departments, as businesses collect, analyze and act on data captured outside of the traditional IT boundaries. As a result, IT auditors now routinely must take steps to provide assurance over systems that are no longer under their direct control.

Auditors are fully aware of the challenge. Participants in Protiviti’s 2016 Internal Audit Capabilities and Needs Survey acknowledge that they need to improve their IoT technical knowledge, or they’ll be unable to do their job. Technical knowledge ranked as a top-five issue among the most important internal audit priorities in the survey report. Without an in-depth understanding of the IoT, the technology that enables it and the business opportunities and risks it presents, we as auditors will be unable to quickly recognize innovations and how they could affect the organization’s business model or strategic objectives in the midst of a disruptive environment.

Below are just a few baseline points we covered during the conference discussion panel:

What is the IoT?
The IoT is an environment in which virtually any object, animal or person with a unique identifier on the internet has the ability to communicate over a network with another device, without the need for human-to-human or human-to-computer interaction. The IoT evolved from the convergence of wireless technologies, micro-electromechanical systems (MEMS) and the internet. In short, the IoT is giving the world a digital nervous system that’s connecting people, processes and systems, from devices, such as smartphones and tablets on the consumer level, to machine sensors on the industrial level.

What is driving the IoT’s growth?
The explosive growth of IoT is supported by several converging supporting technologies including:

  • Adoption of IPv6 – The ability to have a seemingly unlimited number of unique identifiers on the Internet. To put this in perspective, IPv6 allows every atom on the face of the earth to have its own identifier, with enough left over for another 100 Earths.
  • Enhanced sensors – The dramatic drop in cost combined with the equally dramatic increase in capabilities of sensors to capture, analyze, store and transmit data.
  • Low-power/wide area communications – The ability to transmit data from a wide range of sensors across a simplified and secure communication infrastructure utilizing batteries or other low-power sources designed for the expected useful life of the sensor.

The convergence of these developments is ushering in a new digital platform that allows organizations to devise new and inventive methods of reaching strategic objectives. In a recent McKinsey article, the authors estimate that the IoT will have a $4 to $11 trillion economic impact over the next eight years.

What is the role of the IT auditor in an IoT environment?
The IoT integrates technologies to meet business information needs. However, this does not mean that IoT projects necessarily originate in the IT organization. Many current IoT projects are occurring outside the traditional walls of IT. As such, the IoT does not represent so much a change in the purpose of the IT landscape, or in the types of issues that auditors typically address, as a change in where strategy is being implemented. We need to acknowledge this shift and ensure that we have a seat at the table to understand how the organization's strategy is driving the IoT vision and which IT risks need to be addressed to successfully fulfill that vision.

To be sure, IoT discussions are happening across organizations today, from purchasing to research and development. The IoT is not limited to a single industry or business process. As an IT auditor, are you part of these conversations? Are you in the loop on your organization's IoT strategic initiatives? Again, we need to ensure a seat at the table to effectively perform our role as risk counselors and assurance advisors to management and the board on this rapidly evolving area. Unlike many areas on our traditional risk plan, the IoT does not have an embedded platform of existing policies and procedures to leverage. If we are not part of the strategic discussion, it will be difficult to fulfill our risk advisory role. Simply stated, we need to get in the loop, or we'll find ourselves on the outside looking in.

The IoT does not inherently require a new IT audit skill set so much as it demands a new approach to identifying the linkage between strategy and IoT solutions. Here are a few questions we as auditors should consider as we continue to develop and refine strategies and solutions to help businesses get the most from their IoT investments:

  • How is the IoT deployed in our organization today, and who owns it or its respective components? This includes determining the organization's potential IoT inventory and the role the IoT plays in its business activities. The IoT could play a part in the end products that a business sells, for example, or in internal process management. It most likely does not reside in the IT organization, and in many cases projects will not include the wording "IoT" in their project plans or definitions. This underscores the importance of having skilled IT auditors who are able to link strategy to the underlying implementation mechanisms in order to identify where the IoT exists within the organization.
  • Do we know what data is collected, stored and analyzed, and have we assessed the potential legal, security and privacy implications? If IoT technology is found within a company's solution offerings, for example, customer agreements may require disclosures regarding what information the devices are capturing and sharing. Do the organization's data governance policies cover the tremendous volume of data being captured through thousands of deployed sensors? Does the collection of sensor data pose a risk that data may be aggregated in a manner that creates privacy concerns?
  • Do we have contingency plans in place in case our IoT "things" are hijacked or modified for unintended purposes? Among other considerations, it is critical to identify how the organization uses IoT devices and how a partial or full network shutdown would impact the business. Does the loss of these devices pose a risk to our organization or to other organizations? Is there a risk that devices we sell to others could be compromised on a large scale? One well-publicized example was the use of many thousands of compromised internet-connected devices (the Mirai botnet) in the distributed denial-of-service attack on Dyn in October 2016.

Auditors recognize that they need to improve their IoT technical knowledge, a skill set that is only going to grow in demand given the rapid deployment of connected devices throughout industry. We need to continually communicate with IoT experts, company management and boards to create policies and procedures that address IoT opportunities and risks for organizations and industries alike. Perhaps the biggest risk on the auditor's side of the ledger is failing to help his or her organization utilize the IoT to make the most of its growth potential.