Internal Audit Needs to Be Ready for Changes in Risks, Processes, and Controls as Business Embraces Mobile
I just posted (on my other blog) on the topic of "Mobile will brings both risks and opportunities. Is your company’s strategy optimized?" I point out that the great majority of companies worldwide are embracing the opportunity to improve not only how they work with consumers, but the productivity and satisfaction of employees.
Are you ready for the changes in risks, key controls and security (for all forms of risk, including SOX)?
It's not only the data that is moving to mobile, creating concerns over the loss of confidential and personal information. The enterprise applications are moving as well (and I don't mean Google Maps; I mean procurement and accounts payable, and information security processes).
I provide some examples in the other post, but consider the situation where security intrusion alerts are sent to the mobile devices of the CIO, CISO, and other key individuals in the response process. Can you afford for that alert process to fail? How about when the CFO's review of the quarter's financial statements, key metrics and trends, is done from his iPad while traveling? Or the procurement manager approving purchase orders using a Samsung tablet?
As enterprise applications start using or moving to mobile, consider the following:
- Controls may be needed to ensure the completeness and accuracy of information transferred to and from host systems (which may be on premise or in the cloud - or both).
- Controls may be needed to ensure that the mobiles used in applications are those of the appropriate employees, etc.
- Security measures are required to protect the mobiles from viruses and intrusion.
- Measures are required to protect not only the data on the device but its use in business applications should it be lost or stolen.
- Controls are needed to ensure the applications on the mobile function as intended. These will include change control processes.
- The efficiency and effectiveness of the business if mobile devices are deployed in an uncontrolled fashion. How can IT manage business applications on mobile devices if there is a wide variety of models with different operating systems?
Mobile is here and will probably become the primary way employees work in the future. Have you thought through how this will impact risks and controls — and your audit approach?
Are you involved as a consultant, or will mobile run you over?
Posted on Nov 26, 2011 by Norman Marks