The Latest Progress and Concerns Regarding Mobile Technology Auditing
Abstract
The relevance of mobile technology in today's world cannot be overstated, particularly where convenience and efficiency are concerned. However, as much as mobile technology presents numerous benefits for organizations operating in an increasingly competitive marketplace, it also introduces several unique risks. This text concerns itself with mobile technology auditing. It highlights not only the latest approaches to risk assessment, but also the controls organizations are adopting in an attempt to mitigate the risks associated with mobile technology.
Introduction
Smart devices such as tablets and phones have effectively revolutionized organizational processes and functionalities. In essence, a mobile device could be thought of as a "small computing device used for the assistance and convenience of certain aspects of a conventional computer in environments where carrying a computer would not be practical" (Institute of Internal Auditors, 2017). Today, thanks to mobile technology, we have a truly mobile workforce. With the computing power of today's mobile devices, employees can function remotely as effectively as they would in a centralized physical office setting. It therefore follows that business can be conducted in a way that is truly mobile through a myriad of applications (apps) designed for various functions. With this in mind, it is important to note that while some organizations provide employees with mobile devices for the conduct of organizational duties, others permit (or encourage) employees to use their own devices in what is commonly referred to as bring your own device (BYOD). Whichever policy an organization has in place regarding the use of mobile devices (organization-provided or BYOD), mobile technology remains an expanding technology, which means that its use still presents a wide range of challenges and risks. This warrants the adoption of a well-defined risk assessment, management, and control plan. The relevance of mobile technology auditing, therefore, cannot be overstated, particularly when it comes to ensuring that the organization has strengthened security controls in place to rein in the various risks associated with the active use of mobile devices.
Technology Involved
The risks and controls relevant to mobile devices form the basis of audit procedures; they inform the direction of audit objectives as well as scope. The evaluation of risk exposure is therefore the starting point of any such engagement. In the past, there have been a number of recurrent risks associated with mobile technology. Senft, Gallegos, and Davis (2012) identify these as "unauthorized access risks, physical security risks, mobile data storage device risk, operating system or application risk, network risk" (p. 600). The nature and form of these risks keep changing over time. In the words of Khan (2016), "in order for the proper controls for mobile apps to be developed and tested, one must first dissect the layers of risk." As the author further points out, the layers of risk could be numerous. In general, however, in seeking to assess and evaluate the technology involved in mobile device security controls, the various risks can be grouped into definitive categories.
i. Risks Relating to Information Security
Information security risks relate not only to applications, but also to network connections and to data storage and backup. With regard to applications, there are various apps (mostly developed by third-party vendors) that users can download from app stores. If the relevant restrictions or limitations on third-party apps are not put in place by app stores and mobile platforms, mobile devices are left exposed to malware such as Trojan horses and viruses. Khan (2016) identifies four mobile app security risk segments, i.e. mobile devices, mobile networks, mobile app web servers, and mobile app databases. When it comes to network connections, most mobile devices have internet connection capabilities. As Antonucci (2017) observes, unsecured Wi-Fi connections have been used numerous times in the past to gain unauthorized access to mobile devices. In the author's own words, "mobile devices can become an easy entry point for cyber criminals" (p. 329). On this front, data transmitted through cellular or wireless networks could be intercepted or modified while in transit via untrusted networks, which is why the audit should confirm that apps handling organizational data encrypt traffic end to end and validate the server they are talking to rather than relying on the trustworthiness of the network. Lastly, on data storage and backup, without the deployment of the relevant security measures it is possible for data stored on mobile devices to be accessed by third parties. Backing up data is also of great relevance for recovery purposes; since a backup holds the same data as the device, the backup destination (cloud account or workstation) falls within the same scope of protection.
ii. Risks Relating to Physical Security
Mobile devices are, true to their defining term, mobile. Unlike fixed items, these devices are at constant risk of being stolen, misplaced, or lost, which puts the information contained therein at risk of being accessed by an unauthorized party. Antonucci (2017) points out that it is not uncommon for users to have automatic login preferences on their mobile devices or to store various login credentials on them. The loss of such a device therefore permits "access to multiple business or private systems and applications" (Antonucci, 2017, p. 329). There is a need for a well-defined theft/loss reporting protocol and for response measures such as remote deletion of files on lost devices.
iii. Risks Relating to Compliance
It is worth mentioning that even where the risks highlighted above are sufficiently addressed through the relevant controls, procedures, and measures, users could still ignore or seek to bypass them. For instance, an employee could still fail to install the relevant updates even when there is a clear policy requiring that updates be applied on a periodic basis. For the auditor, this means that the existence of a policy is not evidence of compliance; the device population itself has to be tested against the policy.
Having highlighted the various risks associated with mobile devices, it would be prudent to assess the current approaches involved in related audits. The planning phase involves the identification not only of the objectives, but also of the scope and timing of the audit engagement. Further, the resources to be allocated for the entire exercise should be identified during this phase. When it comes to the objective, the focus ought to be on specific activity risks (Kim and Solomon, 2016). For instance, given the fast-paced nature of today's business, most organizations treat quick access to data as a priority. This must not be permitted to get in the way of proper risk assessments and controls. Towards this end, the audit engagement could focus on highlighting and closing loopholes so as to minimize the risks that quick access introduces. Scope, on the other hand, concerns the extent, timing, and form of an audit engagement (Kim and Solomon, 2016). Given the risks organizations are exposed to as a consequence of mobile device use, it is essential that the various layers of the organization's information technology architecture have adequate controls. It therefore follows that the scope of the engagement should cover mobile device use procedures and policies, proper management of apps and other software, and user training. Lastly, adequate resources ought to be allocated for the engagement to be meaningful. Resources in this case, as Kim and Solomon (2016) point out, include, but are not limited to, the skill set (knowledge and expertise) required for meaningful audits. An organization could deploy internal resources, employ external resources, or combine the two.
The work program phase of the engagement ought not to commence without proper evaluation and assessment of the deployment and use of mobile devices within the organization. Towards this end, the various enquiries to be made relate to access to the organization's network using mobile devices; BYOD considerations; the departments or functions involved in enforcing the policies and procedures relating to mobile device use; the approaches in place to prevent loss, theft, or manipulation of data; the organization's conformity with the various regulatory and legal requirements in place; and so on (Antonucci, 2017).
Future Trends
Going forward, the relevance of mobile technology audit is likely to be even greater, given both the increasing use of mobile technology in organizational settings and its growing complexity. With regard to increased use, Kim and Solomon (2016) point out that mobile technology is likely to be even more relevant in future, especially in facilitating access to applications and information. As the authors further note, we are likely to witness further enhanced connectivity between organizations and their customers as well as between organizations and their employees. With organizations embracing global operations, the need for real-time communication is likely to be even more pronounced. Mobile technologies bridge distance and connectivity gaps, hence their growing utility on this front. It is, however, important to note that the growing complexity of mobile technology calls for more pronounced and deliberate controls to protect against security breaches. Like other technologies, mobile technology experiences continual change, which is to say that the solutions of yesterday cannot be relied upon to address the threats of the future. Advances in security controls and procedures therefore need to match both existing and emerging threats. Going forward, audit engagements ought to be more pronounced in the areas of risk management and maintenance of effective controls. With regard to risk management, the proper evaluation and assessment of risk exposure remains paramount, given the growing relevance of mobile technology in the advancement of organizational goals and the growth in complexity of security exploits.
It therefore follows that in the future, risk management approaches ought to be focused on the enhancement of the organization’s ability to utilize mobile technology to advance strategic objectives within a well-defined framework of appropriate controls and safeguards.
Continuous improvement is also likely to be even more important in the promotion of effective controls in the future. In general terms, organizations ought to have in place the relevant policies and systems designed to mitigate mobile technology risks in an ever-changing and fast-advancing technology environment. Controls on this front include, but are not limited to, data encryption, remote wipe, and authentication. Going forward, authentication as a security control is likely to be even more pronounced. Essentially, when it comes to securing mobile devices (more specifically their data and apps), authentication is a frontline course of action (Téllez and Zeadally, 2017). In the past, approaches to authentication have typically included personal identification numbers (PINs), biometrics, swipe patterns, and passcodes. According to Antonucci (2017), the use of biometrics to secure mobile device data and apps is going to be even more pronounced. This, according to the author, is because biometrics remain a highly secure approach to authentication: they are specific to the user, and because they cost the user little effort they reduce the temptation to bypass or disable the control, which minimizes non-compliance risk. One caveat the auditor should keep in mind is that on current mobile platforms biometric unlock typically sits in front of a PIN or passcode rather than replacing it, so the fallback credential still has to meet policy. Like authentication, remote wipe is likely to continue being an important security control, and so is software and hardware encryption. In the final analysis, therefore, audit activities are likely to be even more relevant as organizations seek to rein in the risks that arise from smart device use.
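The compliance risk discussed above (a policy exists but devices do not actually follow it) and the controls just listed (encryption, remote wipe, authentication, current software) are what the work program ultimately has to test. The following is an added example of such a test, not code from this paper or from any of the cited sources: a small Python check that reads a device inventory export and reports which devices fail the baseline controls. The inventory format is an assumption (a constructed CSV in the style of a mobile device management export, with made-up devices), and the field names and minimum OS versions are hypothetical baseline values that would in practice be taken from the organization's own policy.

```python
"""Audit check: evaluate a mobile-device inventory export against baseline controls.

Added example; not from the paper or any cited source. The CSV layout, field
names and minimum versions below are assumptions standing in for a real MDM
export and a real policy.
"""
import csv
import io
from dataclasses import dataclass, field

# Hypothetical baseline: minimum OS version required by policy, per platform.
MIN_OS_VERSION = {"ios": (16, 0), "android": (13, 0)}

# Constructed sample export (fictitious devices). Column names are assumptions
# mirroring the kind of fields an MDM inventory typically exposes.
SAMPLE_INVENTORY = """\
device_id,owner,ownership,platform,os_version,encrypted,passcode_set,remote_wipe_enrolled,compromised,last_checkin_days
D001,alice,corporate,ios,17.2,yes,yes,yes,no,1
D002,bob,byod,android,12.0,yes,no,yes,no,3
D003,carol,byod,android,14.0,no,yes,no,no,45
D004,dave,corporate,ios,16.4,yes,yes,yes,yes,0
D005,erin,corporate,android,13.1,yes,yes,yes,no,2
"""


@dataclass
class Finding:
    device_id: str
    owner: str
    ownership: str
    issues: list = field(default_factory=list)


def parse_version(text):
    """Turn '17.2' or '13' into a comparable (major, minor) tuple."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            raise ValueError(f"unparseable version: {text!r}")
        parts.append(int(piece))
    while len(parts) < 2:
        parts.append(0)
    return tuple(parts[:2])


def yes(value):
    """Normalize the boolean-ish strings found in exports."""
    return value.strip().lower() in {"yes", "true", "1"}


def evaluate_device(row, max_checkin_days=30):
    """Return the list of control failures for one inventory row (empty if compliant)."""
    issues = []
    platform = row["platform"].strip().lower()
    minimum = MIN_OS_VERSION.get(platform)
    if minimum is None:
        issues.append(f"unknown platform {platform!r}")
    elif parse_version(row["os_version"]) < minimum:
        issues.append("os below policy minimum (update not installed)")
    if not yes(row["encrypted"]):
        issues.append("storage encryption disabled")
    if not yes(row["passcode_set"]):
        issues.append("no passcode/biometric lock")
    if not yes(row["remote_wipe_enrolled"]):
        issues.append("not enrolled for remote wipe")
    if yes(row["compromised"]):
        issues.append("jailbroken/rooted")
    if int(row["last_checkin_days"]) > max_checkin_days:
        issues.append("stale check-in (unmanaged or lost?)")
    return issues


def audit_inventory(csv_text):
    """Evaluate every device in the export; return only those with findings."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = evaluate_device(row)
        if issues:
            findings.append(Finding(row["device_id"], row["owner"], row["ownership"], issues))
    return findings


def summarize(findings):
    """Count devices per failed control, for the control-level view in the report."""
    counts = {}
    for f in findings:
        for issue in f.issues:
            counts[issue] = counts.get(issue, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_inventory(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.device_id} ({f.owner}, {f.ownership}): {'; '.join(f.issues)}")
    print(summarize(results))
```

Run against the constructed sample, the check flags three of the five devices: one BYOD device below the minimum OS version with no screen lock, one BYOD device that is unencrypted, not enrolled for remote wipe and has not checked in for 45 days (a candidate for the loss/theft follow-up discussed earlier), and one corporate device that is jailbroken. The per-control summary is what the auditor would carry into the report; the per-device list is what goes back to the device owners and the enforcing department.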
Example Companies Involved
As pointed out elsewhere in this text, an organization could deploy internal resources, employ external resources, or adopt a mix of the two in mobile technology auditing. When it comes to external skill sets, organizations could rely on independent entities to conduct the relevant reviews. One of the key benefits of engaging external entities is process improvement: external entities can highlight weaknesses in internal controls. External audits are also likely to be more thorough, depending on the terms of engagement, and they reduce the risk of weak internal audit and assurance efforts of the kind associated with a poor organizational culture. External auditors are also more likely to be well versed in new developments in the mobile technology arena. Players in this arena include, but are not limited to, the big four audit firms, i.e. KPMG, PwC, EY, and Deloitte.
According to Tysiac (2015), the threats most organizations have to contend with today are technology related. In that regard, "internal auditors are paying close attention to areas such as cyber security, data privacy, and social media..." especially because "these areas—and others related to technology—have the potential to deliver devastating setbacks to a company or organization" (Tysiac, 2015). Towards this end, the Institute of Internal Auditors has laid down numerous standards that support organizational efforts towards the management and control of the risks that arise from the use of mobile devices. These standards relate to mobile technology governance, risk management and control, and audit engagement procedures and systems (Institute of Internal Auditors, 2017). The internal audit of mobile technology is therefore becoming pivotal in addressing the various risks and related concerns associated with emerging technologies.
Regulatory Issues
According to KPMG (2017), regulatory compliance remains one of the key areas that companies have to grapple with. More specifically, as KPMG (2017) further points out, "organizations must comply with requirements to secure customer data, adhere to privacy standards in multiple geographies, protect customer personal identifiable information (PII), obtain customer consent to use their data, or disclose to customers how their data will be used." The ever-present and evolving threat to mobile technologies has been a burden for financial institutions in particular. The ability of data breaches and other forms of attack to disrupt operations and cause significant losses continues to inform the debate on regulatory compliance, borne out of the need to ensure that internal audit functions embrace the relevant assurance measures to rein in emerging threats. Organizations need to conduct regular privacy regulation audits with the aim of identifying the privacy regulations that affect their processes. This is one of the internal audit focus areas identified by KPMG in its call for entities to review how well they are responding "to new policies and emerging legislative mandates and regulations" (KPMG, 2017). On this front, privacy regulations vary from jurisdiction to jurisdiction, and organizations with operations in several jurisdictions ought to be aware of this for compliance purposes. The complexity and pace of regulatory change is yet another concern that organizations ought to be aware of. According to KPMG (2017), compliance is likely to remain a critical concern in the future due to enhanced regulatory scrutiny, coupled with what the audit firm refers to as enforcement action from the various authorities charged with the same.
Conclusion
In the final analysis, mobile technology is expected to continue driving growth and innovation in a wide range of areas including, but not limited to, business, finance, and healthcare. Mobile technologies, however, present some unique challenges to businesses, especially with regard to how to secure data and prevent unauthorized access. Given the evolving nature of mobile technology, static approaches to the management and control of risks are not viable. Audit teams therefore ought to ensure that their practices evolve so as to reflect current threat levels. At the same time, given the relevance of mobile devices in driving growth in today's increasingly competitive business environment, risk management ought to be done in a way that does not frustrate innovation.
References
Antonucci, D. (2017). The Cyber Risk Handbook: Creating and Measuring Effective Cyber Security Capabilities. Hoboken, NJ: John Wiley & Sons.
Institute of Internal Auditors (2017). Auditing Your Company's Mobile Devices. Institute of Internal Auditors, Raleigh-Durham Chapter. Retrieved from https://chapters.theiia.org/raleigh-durham/News/ChapterDocuments/Auditing%20Mobile%20Devices.pdf
KPMG (2017). Top 10 Internal Audit Focus Areas for Technology Companies. Retrieved from https://assets.kpmg.com/content/dam/kpmg/us/pdf/2017/03/kpmg-top-10-internal-audit-tech-2017.pdf
Khan, M. J. (2016). Mobile App Security—Audit Framework. ISACA Journal, 4. Retrieved from https://www.isaca.org/Journal/archives/2016/volume-4/Pages/mobile-app-security-audit-framework.aspx
Kim, D. & Solomon, M. G. (2016). Fundamentals of Information Systems Security (3rd ed.). Burlington, MA: Jones & Bartlett Learning.
Senft, S., Gallegos, F. & Davis, A. (2012). Information Technology Control and Audit (4th ed.). New York, NY: CRC Press.
Téllez, J. & Zeadally, S. (2017). Mobile Payment Systems: Secure Network Architectures and Protocols. New York, NY: Springer.
Tysiac, K. (2015). How Internal Audit Can Help Manage 10 Top Technology Risks. Journal of Accountancy. Retrieved from https://www.journalofaccountancy.com/news/2015/aug/internal-audit-technology-risks-201512911.html