What Auditors Ought to Know About the Internet of Things

Whenever I think about the Internet of Things ("IoT"), my mind jumps to a Disney original movie from 1999 called Smart House. If you haven’t seen it (no real surprise), here’s a clip. Fast forward less than two decades and “smart” technology is ubiquitous. As of 2013, there were more internet-connected devices than people on earth, and the number of connected devices is multiplying at a faster rate.

Just so we are on the same page, by definition, “IoT devices have embedded network, computing and other information processing capabilities, which allow these devices to be interconnected,” according to a recent ISACA white paper.

If you ever daydream about how it would be nice to be a fly on the wall... Boom. It’s easy. Simply add a sensor. You can create millions of digital eyes and ears to keep tabs on anything you can dream up. Just look at the rapid adoption of Fitbit and other connected wearables. Oh, the possibilities!

Even devices that never used to be considered “smart” are beginning to automatically capture what is happening around them. Plus, although it is borderline creepy, devices are able to interact with each other without any human intervention. (I’m ok with it as long as they don’t attack us in our sleep.)

This type of technology is cool -- really cool. But, as with any disruptive technology, there is a lot to consider. Here’s a brief list of what auditors ought to know about IoT.

Vouching for existence will get a source data reboot
Over time, the disappearing audit trail has changed the types of audit evidence available. IoT will escalate this trend. Source data will be different and it is up to auditors to get comfortable with it.

For example, RFID tags have matured and there has been a resurgence in adoption over the last couple of years. I anticipate physical inventory counts will become less and less necessary as we become more comfortable with the reliability of the real-time data about inventory. A remote inventory count based on RFID tags, rather than a physical count, will be more accurate as long as your client isn’t actively trying to deceive you. If they are, you have a bigger problem.

Continuous auditing is not science fiction
What if we didn’t wait until the end of the year to do an audit? Well, first off... NO MORE BUSY SEASON! Yippee. But, there is a lot more to it. IoT enables continuous auditing (also called continuous monitoring or CA/CM) because sensors and other connected devices provide real-time information. If variances start cropping up in the middle of the period, pre-programmed or artificially intelligent alerts can notify the auditor to poke around.

I anticipate continuous auditing is not too far in the distant future. Give it a decade or two, especially for publicly-traded companies. Smaller businesses may be able to adopt continuous auditing sooner, as with any innovative technology including IoT.

Everyone prefers real-time information and requiring more frequent published financial reports isn’t all that crazy. The auditing profession will need to be able to provide reasonable assurance over more frequent reporting. It’s best we start contemplating how to do it now, before companies get ahead of us.

IoT will impact revenue recognition
IoT is already shifting the way businesses sell products from individual devices and discrete “things” to subscription-based services. I am sure you have noticed it; you can’t just buy software outright anymore. You have to subscribe to it and don’t get to keep it if you stop paying. As assets become more intelligent, ongoing monitoring and updating is required.

It’s clear that revenue recognition will have to deal with separate performance obligations and may be more dependent on sensors that meter actual usage. With the new revenue recognition standard in the mix, it’s time for auditors to give this topic some extra attention.

Physical security will be a bigger deal
Physical security used to be easy. Lock the data center up tight. Add a camera. Done. Thanks to IoT, not anymore.

IoT is decentralization on steroids. Each connected device is one more opportunity for unauthorized network access. In addition, most bring your own device (BYOD) policies are focusing on cellphones and don’t even consider addressing wearable tech. Another reason to beware of BYOD.

Privacy is as important as security when it comes to IoT
Is personal privacy dead? Yes (or at least we should be very concerned), according to 69% of respondents in an ISACA study. With sensors collecting data everywhere, it is easy to see how the data generated could provide unanticipated information about people. Auditors need to be vigilant of this big brother trend. I don’t know what the possible ramifications might be.

Do you and your co-workers only use the stairs because of your busy season Fitbit challenge? Is your client using IoT in a unique way? Let’s hear it.

Image: Imgflip.com
