This paper examines the current state of mobile technology auditing, addressing the unique risks organizations face as mobile devices become central to modern business operations. It identifies and categorizes key risk areas (information security, physical security, and compliance) and outlines audit planning approaches such as objective-setting, scope definition, and resource allocation. The paper also surveys future trends, including the growing role of biometric authentication, remote wipe capabilities, and data encryption. Additionally, it discusses the role of both internal and external auditors, the standards issued by the Institute of Internal Auditors, and the regulatory compliance challenges posed by evolving data privacy requirements across multiple jurisdictions.
Smart devices such as tablets and smartphones have effectively revolutionized organizational processes and functionalities. A mobile device can be thought of as a "small computing device used for the assistance and convenience of certain aspects of a conventional computer in environments where carrying a computer would not be practical" (Institute of Internal Auditors, 2017). Today, thanks to mobile technology, organizations benefit from a truly mobile workforce. With the computing power of modern mobile devices, employees can function remotely as effectively as they would in a centralized physical office setting.
Business can therefore be conducted in a genuinely mobile fashion through a wide range of applications (apps) built for specific functions. Some organizations provide employees with mobile devices for carrying out organizational duties; others permit or encourage employees to use their own devices, an arrangement commonly referred to as bring your own device (BYOD). Whichever policy an organization adopts, mobile technology remains an expanding field, and its use still presents a wide range of challenges and risks. This warrants the adoption of a well-defined risk assessment, management, and control plan.
The relevance of mobile technology auditing cannot be overstated, particularly when it comes to verifying that an organization has strengthened security controls in place to address the risks associated with the active use of mobile devices.
The risks and controls relevant to mobile technology devices form the basis of audit procedures and set the direction of audit objectives and scope. Evaluating the organization's actual risk exposures is therefore the critical first step of the risk assessment. Historically, a number of recurrent risks have been associated with mobile technology. Senft, Gallegos, and Davis (2012) identify these as "unauthorized access risks, physical security risks, mobile data storage device risk, operating system or application risk, [and] network risk" (p. 600). The nature and form of these risks continue to change over time. As Khan (2016) notes, "in order for the proper controls for mobile apps to be developed and tested, one must first dissect the layers of risk." The layers of risk can be numerous; however, in assessing the technology involved in mobile device security controls, the various risks can be grouped into the following categories.
Information security risks relate to applications, network connections, and data storage and backup. With regard to applications, a large number of apps, mostly developed by third-party vendors, are available for users to download from app stores. If neither the app stores, the mobile platform, nor the organization itself restricts which third-party apps may be installed, devices are left vulnerable to Trojan horses, viruses, and other malware. Khan (2016) identifies four mobile app security risk segments: mobile devices, mobile networks, mobile app web servers, and mobile app databases.
When it comes to network connections, most mobile devices have internet connection capabilities. As Antonucci (2017) observes, unsecured Wi-Fi connections have been exploited numerous times to gain unauthorized access to mobile devices. In the author's own words, "mobile devices can become an easy entry point for cyber criminals" (p. 329). Data transmitted through cellular or wireless networks can be intercepted or tampered with in transit when it crosses untrusted networks, unless it is protected end to end (for example, by TLS between the app and its server). With respect to data storage and backup, unless relevant security measures such as storage encryption are deployed, data stored on mobile devices may be accessed by unauthorized third parties. Backing up data is also critically important for recovery purposes, and because a backup holds the same data as the device, it needs the same protection against unauthorized access.
Mobile technology devices are, by their very nature, mobile. Unlike fixed assets, these devices are at constant risk of being stolen or lost, which puts the information contained within them at risk of unauthorized access. Antonucci (2017) notes that it is not uncommon for users to have automatic login preferences on their mobile devices or to store login credentials on them. This means that the loss of such a device could permit "access to multiple business or private systems and applications" (p. 329). Organizations need a well-defined theft and loss reporting protocol along with response measures such as the remote wipe of lost devices. A remote wipe can only take effect once the device is reachable over a network, so an enforced screen lock combined with storage encryption remains the necessary backstop for a device that is powered off or kept offline by whoever holds it.
Even where the risks described above are adequately addressed through controls, procedures, and policies, users may still ignore or seek to bypass those controls. For example, an employee might fail to install required updates even when a clear policy mandates doing so on a periodic basis. An audit must therefore test the actual state of enrolled devices rather than rely on the existence of a policy document.
Having identified the various risks associated with mobile technology, it is prudent to assess current approaches to related audits. The planning phase involves identifying the objectives, scope, and timing of the audit engagement, as well as the resources to be allocated. When it comes to objectives, the focus should be on specific activity risks (Kim and Solomon, 2016). Given the fast-paced nature of modern business, many organizations prioritize quick access to data, but this must not be permitted to override proper risk assessments and controls. Accordingly, an audit engagement could focus on identifying and closing the loopholes that have been opened in the name of quick access.
Scope relates to the extent, timing, and nature of the audit engagement (Kim and Solomon, 2016). Given the risks arising from mobile technology use, it is essential to ensure that each layer of an organization's information technology architecture has adequate controls. The scope of the engagement should therefore cover mobile device utilization procedures and policies, proper management of apps and other software, and user training. Adequate resources must also be allocated for the engagement to be meaningful. As Kim and Solomon (2016) note, resources include, but are not limited to, the skill set (knowledge and expertise) required for a meaningful audit. An organization may deploy internal resources, engage external resources, or use a combination of both.
The work program phase should not commence without a proper evaluation and assessment of the deployment and utilization of mobile technology devices within the organization. Relevant inquiries include: how mobile devices access the organization's network; BYOD considerations; which departments enforce mobile device policies; approaches in place to prevent loss, theft, or manipulation of data; and how well the organization conforms to applicable regulatory and legal requirements (Antonucci, 2017).
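The controls discussed above (patch level, storage encryption, screen lock, remote wipe enrollment) and the work program inquiries just listed are most convincingly tested against the device inventory itself rather than against policy documents. The following script is an added example written for this page, not code from the paper or from any named product; it assumes a hypothetical MDM export in which each device is a JSON object with the fields shown (real MDM products name these fields differently), and the policy thresholds and device records are constructed for illustration.

```python
"""Control test over a mobile device inventory (added example, hypothetical MDM export format)."""
from datetime import datetime, timedelta, timezone
import json

# Policy thresholds are assumptions for illustration, not figures from the paper.
POLICY = {
    "min_os": {"ios": "17.4", "android": "14"},  # minimum patched OS version per platform
    "max_checkin_days": 30,                      # device must have reported in within this window
}

# Fixed "as of" date so the run is reproducible (an assumption, not live time).
AS_OF = datetime(2024, 6, 24, tzinfo=timezone.utc)

# Constructed sample export; the field names are assumed, not those of any real MDM product.
SAMPLE_EXPORT = json.dumps([
    {"id": "D-001", "owner": "alice", "platform": "ios", "os_version": "17.5.1",
     "encrypted": True, "passcode_set": True, "remote_wipe_enrolled": True,
     "last_checkin": "2024-06-20T09:12:00Z", "byod": False},
    {"id": "D-002", "owner": "bob", "platform": "android", "os_version": "13",
     "encrypted": True, "passcode_set": False, "remote_wipe_enrolled": True,
     "last_checkin": "2024-06-21T14:00:00Z", "byod": True},
    {"id": "D-003", "owner": "carol", "platform": "ios", "os_version": "17.4",
     "encrypted": False, "passcode_set": True, "remote_wipe_enrolled": False,
     "last_checkin": "2024-04-01T08:00:00Z", "byod": True},
])


def parse_version(text):
    """Turn '17.5.1' into (17, 5, 1) so comparison is numeric; a string compare gets '9' > '17' wrong."""
    return tuple(int(part) for part in text.split("."))


def assess_device(dev, policy, now):
    """Return the list of control failures for one device record (empty list means it passed)."""
    findings = []
    min_os = policy["min_os"].get(dev["platform"])
    if min_os is None:
        findings.append("unsupported platform")
    elif parse_version(dev["os_version"]) < parse_version(min_os):
        findings.append(f"os below minimum ({dev['os_version']} < {min_os})")
    if not dev["encrypted"]:
        findings.append("storage not encrypted")
    if not dev["passcode_set"]:
        findings.append("no screen lock")
    if not dev["remote_wipe_enrolled"]:
        findings.append("remote wipe not enrolled")
    # A device that has not checked in cannot receive a remote wipe or a policy update.
    last = datetime.fromisoformat(dev["last_checkin"].replace("Z", "+00:00"))
    if now - last > timedelta(days=policy["max_checkin_days"]):
        findings.append(f"stale: no check-in for {(now - last).days} days")
    return findings


def audit_inventory(export_json, policy, now):
    """Map device id -> findings for every device in the export."""
    return {dev["id"]: assess_device(dev, policy, now) for dev in json.loads(export_json)}


def run_sample():
    """Run the control test against the constructed export with the fixed as-of date."""
    return audit_inventory(SAMPLE_EXPORT, POLICY, AS_OF)


if __name__ == "__main__":
    for dev_id, findings in run_sample().items():
        print(dev_id, "PASS" if not findings else "; ".join(findings))
```

Each finding maps back to one of the risk areas above, so the output doubles as audit evidence: a device flagged "stale" cannot be relied upon to receive a remote wipe, and a device with no screen lock is the stored-credential exposure Antonucci describes. The numeric version comparison matters because a lexical comparison would silently pass an out-of-date device.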
Going forward, mobile technology is expected to continue driving growth and innovation across a wide range of sectors, including business, finance, and healthcare. However, mobile technologies present unique challenges, particularly around securing data and preventing unauthorized access. Given the evolving nature of mobile technology, static approaches to risk management and control are not viable. Audit teams must ensure that their practices evolve to reflect current threat levels. At the same time, given the central role mobile technology plays in driving growth in today's competitive business environment, risk management must be conducted in a way that does not stifle innovation.