The Latest Progress and Concerns Regarding Mobile Technology Auditing Abstract

The relevance of mobile technology in today’s world cannot be overstated. This is more so the case when it comes to convenience and efficiency enhancement. However, as much as mobile technology presents numerous benefits for organizations operating in today’s increasingly competitive marketplace, it also introduces several unique risks. This text concerns itself with mobile technology auditing. In so doing, it will not only highlight the latest approaches towards risk assessment, but also the controls that are being embraced in an attempt to mitigate risks associated with mobile technology.

Introduction

Smart devices such as tablets and phones have effectively revolutionized organizational processes and functionalities. In essence, a mobile device could be thought of as a “small computing device used for the assistance and convenience of certain aspects of a conventional computer in environments where carrying a computer would not be practical” (Institute of Internal Auditors, 2017). Today, thanks to mobile technology, we have a truly mobile workforce. With the computing power of today’s mobile devices, employees can function remotely as effectively as they would in a centralized physical office setting. It therefore follows that with mobile technology, business can be conducted in a way that is truly mobile via the utilization of a myriad of applications (apps) designed for various functionalities. With this in mind, it is important to note that while some organizations provide employees with mobile devices for the conduction of organizational duties and roles, others permit (or encourage) employees to make use of their own devices in what is commonly referred to as bring your own device (BYOD). Towards this end, it should be noted that whichever policy an organization has in place regarding the use of mobile devices (organization provided or BYOD), mobile technology still remains an expanding technology – effectively meaning that the use of mobile technology still presents a wide range of challenges and risks. This effectively warrants the adoption of a well-defined risk assessment, management, and control plan. The relevance of mobile technology auditing, therefore, cannot be overstated. This is more so the case when it comes to ensuring that the organization has in place strengthened security controls to rein in the various risks associated with the active utilization of mobile technology devices.

Technology Involved

In essence, it is important to note that the risks as well as controls relevant to mobile technology devices form the basis of audit procedures. These inform the direction of audit objectives as well as scope. Therefore, towards this end, the need to evaluate risk exposures cannot be overstated especially when it comes to the assessment of risk exposure. In the past, there have been a number of recurrent risks associated with mobile technology. Senft, Gallegos, and Davis (2012) identify these as “unauthorized access risks, physical security risks, mobile data storage device risk, operating system or application risk, network risk” (600). The nature as well as form of these risks keeps changing over time. In the words of Khan (2016), “in order for the proper controls for mobile apps to be developed and tested, one must first dissect the layers of risk.” As the author further points out, the said layers of risk could be numerous. In general however, in seeking to assess as well as evaluate the technology involved in mobile device security controls, various risks could be grouped into definitive categories.

i. Risks Relating to Information Security

Information security risks relate to not only applications, but also network connections as well as data storage and backup. With regard to applications, it should be noted that there are various apps (mostly developed by third party vendors) that users could download from app stores. Towards this end, if the relevant restrictions or limitations on third-party apps are not put in place by app stores as well as mobile technology platforms, mobile technology devices are left exposed to infections from Trojan horses, viruses, etc. Khan (2016) identifies four mobile app security risk segments – i.e. mobile...

When it comes to network connections, it should be noted that most mobile technology devices have internet connection capabilities. As Antonucci (2017) observes, unsecure Wi-Fi connections have been used numerous times in the past to gain unauthorized access to mobile devices. In the author’s own words, “mobile devices can become an easy entry point for cyber criminals” (329). On this front, data transmitted through cellular or wireless networks could be compromised or intercepted while in transit via untrusted networks. Lastly, on data storage and backup, without the deployment of the relevant security measures, it is possible for data stored in mobile technology devices to be accessed by third parties. Backing up data is also of great relevance for recovery purposes.
ii. Risks Relating to Physical Security

Mobile technology devices are, true to their defining term, mobile. This effectively means that unlike fixed items, these devices are at a constant risk of being stolen or misplaced/lost – which puts the information contained therein at risk of being accessed by an unauthorized party. Antonucci (2017) points out that it is not uncommon for users to have automatic login preferences on their mobile devices or store various login credentials in the said devices. This effectively means that the loss of such a device permits “access to multiple business or private systems and applications” (Antonucci, 2017, p. 329). There is need for there to be a well-defined theft/loss reporting protocol and response measures such as remote deletion of files in lost devices.

iii. Risks Relating to Compliance

It is worth mentioning that even in instances whereby the risks highlighted above are sufficiently addressed via the relevant controls, procedures, and measures, users could still ignore or seek to bypass the said controls and procedures. For instance, an employee could still fail to install the relevant updates even when there is a clear policy recommending such a course of action on a periodic basis.

Having highlighted the various risks associated with mobile technology devices, it would be prudent to assess the current approaches involved in related audits. The planning phase involves the identification of not only the objectives, but also the scope as well as timing of the audit engagement. Further, the resources to be allocated for the entire exercise should be highlighted during this phase. When it comes to the objective, the focus ought to be on specific activity risks (Kim and Solomon, 2016). For instance, it should be noted that given the fast paced nature of today’s business, most organizations deem quick access to various data as a priority. This must not be permitted to get in the way of proper risk assessments and controls. Towards this end, the audit engagement could focus on highlighting and sealing loopholes so as to minimize quick access risks. Scope, on the other hand, has got to do with the extent, timing, as well as form/nature of an audit engagement (Kim and Solomon, 2016). Given the risks organizations are exposed to today as a consequence of mobile technology device utilization, the relevance of ensuring that the various layers of the organization’s information technology architecture have adequate controls cannot be overstated. It therefore follows that the scope of the engagement should be on mobile technology device utilization procedures and policies, proper management of apps and other software, as well as user training. Lastly, adequate resources ought to be allocated for the engagement to be meaningful. Resources in this case, as Kim and Solomon (2016) point out include, but they are not limited to, the skill set (knowledge and expertise) required for meaningful audits. In this case, an organization could deploy internal resources, employ external resources, or embrace a mix of the two. The work program phase of the engagement ought not to commence without proper evaluation and assessment of the deployment as well as utilization of mobile technology devices within the organization. Towards this end, the various enquiries to be made relate to access to the network of the organization using mobile technology devices; BYOD considerations; departments/centers involved in the enforcement…