Implementing RFID Technology: Issues and Challenges for Internal Auditors
Internal auditing plays a distinct role before, during, and after the implementation of any RFID initiative. Learning what this role is will enable auditors to add value to their organization's use of this powerful technology.
Morris C. Attaway, DBA, CIA, CPA
Senior Internal Auditor
Solvay America Inc.
From its early uses during World War II, radio frequency identification (RFID) technology has evolved in its complexity and mode of implementation. Thanks to technological advances, many organizations are able to use RFID tags as a way to enhance business efforts. For instance, to lower operating costs, many companies today require their partners and suppliers to use RFID tags that comply with their internal policies. However, although RFID is a powerful tool that can help organizations improve business efficiency, implementing this technology is not easy. Furthermore, evaluating and operating RFID systems can be a challenging process. For organizations contemplating the use of RFID, an auditor familiar with the technology and its risk can be an effective resource in the planning, implementation, and post-planning phases.
HOW RFID WORKS
RFID technology consists of a tag or transponder, which uses a computer chip and antenna to emit radio waves that can be used to identify and track a specific item. RFID chips can operate in an active or passive mode, broadcasting data as required. The chips store an item's Electronic Product Code (EPC), which is divided into numbers that identify an item's manufacturer, product, version, and serial number. The EPC also has an extra set of digits that can store additional information, such as a product's expiration date.
While chips are used to store information, the antenna enables the chip to transmit that information to readers. Readers convert the radio waves received from RFID tags into a format that can be read by middleware software, which then passes this data to various company applications, such as supply chain, asset tracking, and shop flow control programs.
For more information on how RFID technology works, refer to Overview of RFID Components (PDF, 5 KB). To learn about the different ways organizations are using RFID technology, refer to Examples of RFID Use in Different Industries (PDF, 3 KB).
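As an added illustration (not part of the original article), the sketch below decodes the EPC fields described above from raw 96-bit tag reads and rejects malformed ones, the kind of input check middleware can apply before passing data on. It assumes the General Identifier (GID-96) layout from the EPC Tag Data Standard: an 8-bit header (the version field, 0x35), a 28-bit manager number (manufacturer), a 24-bit object class (product), and a 36-bit serial number. The function names and sample reads are constructed for the example.

```python
"""Decode GID-96 EPCs from raw tag reads and reject malformed ones."""
from typing import NamedTuple

GID96_HEADER = 0x35  # 8-bit header value that identifies the GID-96 scheme


class Epc(NamedTuple):
    manager: int       # 28 bits: manufacturer (General Manager Number)
    object_class: int  # 24 bits: product type
    serial: int        # 36 bits: individual item

    def uri(self) -> str:
        return f"urn:epc:id:gid:{self.manager}.{self.object_class}.{self.serial}"


def decode_gid96(hex_read: str) -> Epc:
    """Parse one 96-bit read given as hex; raise ValueError if malformed."""
    raw = bytes.fromhex(hex_read.strip())  # ValueError on non-hex input
    if len(raw) != 12:
        raise ValueError(f"expected 12 bytes, got {len(raw)}")
    value = int.from_bytes(raw, "big")
    header = value >> 88
    if header != GID96_HEADER:
        raise ValueError(f"unsupported EPC header 0x{header:02X}")
    return Epc(
        manager=(value >> 60) & 0xFFFFFFF,
        object_class=(value >> 36) & 0xFFFFFF,
        serial=value & 0xFFFFFFFFF,
    )


def triage(reads):
    """Split reads into decoded EPCs and (raw, reason) rejects."""
    accepted, rejected = [], []
    for raw in reads:
        try:
            accepted.append(decode_gid96(raw))
        except ValueError as err:
            rejected.append((raw, str(err)))
    return accepted, rejected


# Constructed sample reads: one valid GID-96, one truncated, one unknown header.
SAMPLE_READS = ["350000064000190000003039", "3500000640", "FF0000064000190000003039"]

if __name__ == "__main__":
    ok, bad = triage(SAMPLE_READS)
    for epc in ok:
        print(epc.uri())
    for raw, why in bad:
        print("rejected", raw, "-", why)
```

The count and reasons of rejected reads give auditors a concrete data-quality metric to request from the middleware during testing.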
AUDITING RFID IMPLEMENTATION
As many retail companies begin to mandate that suppliers incorporate RFID into their products, not implementing RFID technology could result in the loss of a significant amount of business revenue for some companies. For other companies, the decision to implement RFID is more complex and depends on an examination of the pros and cons of using RFID. (To learn more, see "Pros and Cons of RFID Use" below.) For an organization exploring the use of RFID, a preliminary assessment can help to determine if and when this technology should be implemented, prior to preparing a formal business case. During the preliminary assessment, the company should ask questions such as:
If proceeding with the implementation is justified after completing the preliminary assessment, the next step is to develop a formal justification or business case for the technology followed by the creation and execution of an implementation plan. To maximize the system's compliance with internal and external regulations, internal auditors should be involved in the implementation process from the beginning. Following is a discussion of some of the activities involved when evaluating and implementing RFID technology at the business level, as well as suggestions on how internal auditors can add value to the evaluation, implementation, and post-implementation phases of the project.
The auditor's focus during the formal justification phase is to make sure that the business case given to management is objective and accurate, paying close attention to implementation cost estimates, which can be quite complex. For instance, the cost of implementing RFID varies from company to company, depending, for the most part, on the level of implementation needed and whether the company will be upgrading an existing bar code infrastructure to include RFID functionality or implementing an RFID system for the first time. The implementation of an RFID system in either environment may require the company to invest in tags, readers, printers, middleware, infrastructure improvements, consulting, training, and service-provider fees, among other costs. Companies also may have to upgrade their IT systems to handle RFID-generated data. Finally, companies that are not working with bar codes may have to purchase or modify back-office, manufacturing, or warehouse management systems to use RFID data.
Internal auditors can help ensure that appropriate cost elements are included in the business justification proposal and that cost estimates are supported with factual information. The auditor also can examine the business case to determine whether it articulates the company's RFID ambitions; identifies the benefits and risks of the proposed RFID initiative; and includes comprehensive return on investment (ROI) calculations that can help management assess the benefits of the investment and compare these benefits to other choices.
Procedures internal auditors can perform to detect potential issues with ROI calculations include:
When assessing ROI calculations, auditors also need to be on the lookout for any signs of careless cost reports, such as the omission of costs related to problem analysis, training, and ongoing system operations.
PROS AND CONS OF RFID USE
Source: What Every Internal Auditor Should Know About RFID, Knowledgeleader, June 2006.
One of the first tasks facing the team will be the development of functional specifications and a project plan. When reviewing functional specifications and project plans, auditors need to review whether adequate consideration has been given to issues such as:
Once functional specifications are developed, the team can begin searching for hardware and software vendors. When evaluating and selecting vendors, the team should consider important issues, such as the RFID transmission frequency, protocols, and standards supported by each vendor; the interoperability of the hardware with RFID systems from other suppliers; the cost of upgrading and maintaining equipment; and the vendor's ability to customize elements of their system based on company needs. The auditors also should ensure that the team seeks vendors that can validate the successful operation of their systems.
Furthermore, companies implementing an integrated RFID system may experience problems with incompatible software applications and getting middleware to communicate with each other, as well as problems handling large data streams from readers at high speeds and formatting data. The auditors should make sure that the company gives sufficient attention to these potential issues and develops testing routines that ensure these and similar issues are detected prior to going live with the system.
One of the key outputs of the planning phase should be a detailed implementation plan. Auditors should review the implementation plan to determine whether it provides a detailed overview of the rollout approach for the hardware and software. The auditor also should identify if the plan makes adequate testing provisions and is designed to ensure the RFID system works with other systems. Finally, the plan should include provisions for volume testing to ensure the RFID system can handle daily operation volumes. If multiple facilities are involved, implementation plans should include provisions for conducting pilot tests before initiating a full-scale implementation. Plans involving multiple facilities should be presented on a facility-by-facility basis and should detail the metrics used to measure when it is appropriate to move forward with the subsequent implementation phase.
The company should do a post-implementation assessment after the system has been operational for a few months to determine whether the project met its objectives, especially in terms of costs and benefits. Auditors should perform a post-implementation assessment on the effectiveness of planning and implementation activities, and identify whether the company's bar coding and RFID activities are controlled appropriately. As part of this post-implementation assessment, the auditor should:
Finally, auditors need to check for issues that tend to exist in non-RFID applications, such as failure to add new hardware and software to maintenance contracts, failure to update operation manuals, and failure to document procedures for resolving errors.
THE IMPLICATIONS OF RFID FOR INTERNAL AUDITORS
RFID has been around for decades. However, there has been a recent surge of interest in RFID due to the technology's potential to enhance business efficiency, reduce operation costs, and, perhaps, enhance the company's competitive advantage. Internal auditors should continue seeing improvements in RFID technology and significant decreases in the cost of implementing and operating RFID solutions. These changes likely will ensure a continuing migration to RFID use.
Furthermore, implementing properly controlled systems is always a challenge, and the earlier internal auditors can become part of the implementation project, the higher the likelihood the system will be implemented with the desired controls. Therefore, it is more critical than ever for internal auditors to learn as much as possible about RFID technology. This, in turn, will enable them to help their companies plan, implement, and monitor their RFID initiatives more effectively and efficiently.
Morris C. Attaway, DBA, CIA, CPA, is a senior internal auditor with Solvay America Inc., a chemical, plastics, and pharmaceutical company. He has more than 30 years of internal audit experience in the areas of finance and accounting, operations, and information systems.