a guide to internet of things - basics and applications
Digital Accounting and Assurance Board
The Institute of Chartered Accountants of India
(Set Up by Act of Parliament)
20
21
INTRODUCTION
The Institute of Chartered Accountants of India
The Institute of Chartered Accountants of India (ICAI) is a statutory body established by an Act of Parliament,
viz. , The Chartered Accountants Act, 1949 (Act No.XXXVIII of 1949) for regulating the profession of Chartered
Accountancy in the country. ICAI is one amongst the accountancy bodies in the world, with a strong tradition of
service to the Indian economy in public interest.
Over a period of time, ICAI has achieved recognition as a premier accounting body not only in the country but
also globally, for maintaining the highest standards in technical and ethical areas and for sustaining stringent examination
and education standards. Since 1949, the Chartered Accountancy profession in India has grown by leaps and bounds
in terms of
• Members and student base.
• Regulate the profession of Accountancy
• Education and Examination of Chartered Accountancy Course
• Continuing Professional Education of Members
• Conducting Post Qualification Courses
• Formulation of Accounting Standards
• Prescription of Standard Auditing Procedures
• Laying down of Ethical Standards
• Monitoring Quality through Peer Review
• Ensuring Standards of performance of Members
• Exercise Disciplinary Jurisdiction
• Financial Reporting Review
• Input on Policy matters to Government
Digital Accounting and Assurance Board of ICAI
ICAI has constituted “Digital Accounting and Assurance Board” (DAAB) for fostering a cohesive global strategy
on aspects related to digital accounting and assurance, through sharing of knowledge and practices amongst the
members. DAAB is endeavouring to identify, deliberate on and highlight issues in accounting (including
valuation) and assurance (including internal audit) in the digital world.
DAAB is focusing on issues in accounting and assurance arising from the high pace of digitization, including use
of artificial intelligence in audit, big data analytics in audit, relevance of sampling, valuation of data as an asset,
impairment testing of digital assets, insurance of data - valuation and premium fixation, etc. The Board is taking
up initiatives to develop knowledge base through position papers and articles on issues relating to impact of
technology on accounting and assurance.
Initiatives to position the profession for opportunities in digital era are:
• Conducting Scalable, Employable and Updated Post Qualification Course on Information System Audit
(DISA)
• World Class Training to Members on Forensic Accounting and Fraud Detection (FAFD)
• Imparting Hands on Training through Forensic Labs
• Evolving firms into thriving digital practice by providing leading technology solutions
• Research on Emerging Technologies - Artificial Intelligence, Cloud Computing and Robotics
• Executive Development Program on “Blockchain Technology – Driver of Digital Era”
• Capacity building in digital ecosystem of stakeholders including banks, PSUs
• Mentoring of Technology Driven Startups by Chartered Accountants
• Team of Innovators for helping members navigate digital path
• Digital Competency Maturity Model for upgrading firms in digital landscape
• Incubation Centre for Blockchain Technology
• Webinars on strategies and approach to adopt technology in assurance services
• Research on embedding the understanding and use of technology in accounting and assurance services
Foreword
ICAI has played a pivotal role in developing a resilient reporting framework for sustained economic growth of
the nation in the last seven decades. The accountancy profession has endeavored to bring in the best global
practices and standards for a robust financial reporting and assurance framework, inspiriting trust and confidence
amongst the stakeholders. ICAI members have played a key role in the development of a robust Indian corporate
sector and its glorious prominence on the global horizons.
With the new technological advancements happening each day, it is imperative for Chartered Accountants to
understand the fundamentals about the Internet of Things (IoT), how this is being used, the emerging business
models and various uses of this technology. It is also important for Chartered Accountants to understand how to
establish a governance process, identify risks and assess the controls to make this technology serve the intended
purpose.
As a knowledge-based institution, ICAI has always been striving for perfection, integrity and assurance which
make the word 'Chartered Accountant' synonymous with excellence in service. ICAI is continuously educating
its students and members in the field of Digital transformation and we are happy to bring before you a compilation
which is the first of its kind.
“A Guide to Internet of Things - Basics and Applications” issued by Digital Accounting and Assurance Board
(DAAB) of ICAI, is an endeavor to provide an overview of the concepts of IoT, how it has impacted business,
benefits and risks involved, auditing and the future of IoT. This new age technology, which is being used to
help manage and respond to COVID-19, holds the potential to spur and accelerate new opportunities to boost
organizational and individual resilience. Over the next few years, the implementation of a variety of new
technologies will likely increase the range, capabilities, and analytical sophistication of IoT.
I compliment CA. Manu Agrawal, Chairman, DAAB, CA. Dayaniwas Sharma, Vice-Chairman, DAAB, and other
members of the Board for taking up this initiative for the benefit of the profession. I am confident that our members
would take benefit of this Concept paper, and will make tangible progress in embracing technology in their
professional work.
We, at ICAI, will continue to deliver many such initiatives that are meant to add to the capacity, capabilities, and
skills of our professionals with the overall objective of making them the best in the world.
Wish you a happy learning!
CA. Nihar N Jambusaria
President, ICAI
Preface
The term Internet of Things (IoT) describes several technologies and research disciplines that enable the Internet
to reach out into the real world of physical objects. A wide range of researchers from academia and industry, as
well as businesses, government agencies, and cities, are exploring the technologies comprising the Internet of
Things from three main perspectives: scientific theory, engineering design, and the user experience. The birth of
IoT has transformed businesses and led them to altogether new directions. Business models and ideas that
previously existed only in fiction can now become a reality using IoT devices.
With IoT assisted accounting, CAs would be able to automatically receive all associated data through a digital
system, which could help CAs gain access to real-time transactional data, along with many controls and exposures
in the existing operations, increasing the need for continuous auditing processes. This will also allow a wider and
more comprehensible risk evaluation, which will help to quicken issue assessment and remediation. It will also
offer real-time management which will enable businesses and CAs alike to respond to issues immediately.
Combined with machine learning and artificial intelligence, the Internet of Things creates vast opportunity for
innovators, start-ups, and industries. From an accounting and auditing perspective, IoT has the potential to
revolutionize the way businesses gather data—and, in the process, transform many aspects of accounting and
auditing.
ICAI has leveraged technology and infrastructure to impart world class education, training and professional
development by introducing “A Guide to Internet of Things - Basics and Applications”, which equips its members
with a wide variety of skill sets and morphs them into Indian multinational service providers. Apart from polishing
skills in the field of Digital Transformation that will enhance their competence, it will prepare students and
members to achieve their organizational and national objectives. This Concept paper outlines the importance of
IoT in today’s era, IoT Architecture, IoT Value Chain, risk involved in IoT and governance risk and compliance
(GRC) issues with IoT.
At this juncture, we wish to place on record sincere gratitude to CA. Narasimhan Elangovan for taking time out
of their pressing preoccupations and contributing to the preparation of “A Guide to Internet of Things - Basics and
Applications”.
We would like to express our gratitude to CA. Nihar N Jambusaria, President, ICAI and CA. (Dr.) Debashis Mitra,
Vice President, ICAI for their continuous support and encouragement to the initiatives of the Board. We also wish
to place on record our gratitude for all the Board members, Co-opted members and Special Invitees for providing
their invaluable guidance and support to various initiatives of the Board. We also wish to express our sincere
appreciation for CA. Amit Gupta, Secretary DAAB and the entire team of DAAB for once again coming up with
this wonderful Concept Paper for the benefits of the Members and leading the technological developments in
ICAI.
We urge all the students and members to educate themselves in the field of Technology essentials with an open
mind and a willingness to adapt and prosper.
Wish you a Happy Learning!
CA. Manu Agrawal
Chairman, DAAB
CA. Dayaniwas Sharma
Vice-Chairman, DAAB
Author’s Note
The world is increasingly getting connected day by day. Starting from wearables such as smart watches to devices
that can track industrial production in real time, everything today has started speaking with one another! This
growing range of smart devices has entered our homes, our streets, our factories, our offices and even the services
or products we procure. This technology, popularly called “Smart”, is technically known as the “Internet of Things”.
In layman’s language, it is a technology with sensors enabled which transmit information such as
temperature, proximity, motion detection, air pressure, location, heartbeat etc. Today using these technologies,
newer products and business models are being developed, to solve various challenges. From autonomous vehicles
to smart cities, from bike rental companies to aerial surveys using drones, Internet of Things has found a variety
of use cases.
Combined with machine learning and artificial intelligence, the Internet of Things creates vast opportunity for
innovators, start-ups, and industries. From an accounting and auditing perspective, IoT has the potential to
revolutionize the way businesses gather data—and, in the process, transform many aspects of accounting and
auditing. As with cloud computing, accountants need to understand what is coming so that they can adapt to the
changes the IoT will bring, including new opportunities for advisory services in big data and analytics. IoT will
change the sources of transactional data flowing into billing, enterprise resource planning, and accounting
systems, and it will alter the way audits of these transactions are carried out.
This has made it imperative for Chartered Accountants to understand the fundamentals about this technology,
how this is being used, the emerging business models and various use cases of this technology. It is also important
for Chartered Accountants to understand how to establish a governance process, identify risks and assess the
controls to make this technology serve the intended purpose.
This Guide to IoT covers the concepts of IoT, how it has impacted business, benefits and risks involved, auditing
and the future of IoT. Happy reading.
Remember, IoT - it is coming soon in a “THING” near you.
Contents
The Institute of Chartered Accountants of India
Digital Accounting and Assurance Board of ICAI
Foreword
Preface
Author’s Note
1. Introduction
2. Key Concepts in IoT
3. IoT Architecture
4. How has it impacted personal life?
5. Use cases - Personal Life
6. How has it impacted business?
7. Industrial IoT
8. Business transformation strategies around IOT
9. Smart Cities
10. IOT in the domain of finance
11. How has it impacted audit?
12. Use cases in Audit
13. Risks involved in IOT
14. OWASP Top 10 IoT Risks
15. Privacy Issues / concerns
16. Governance Risk and Compliance (GRC) issues with IOT
17. Auditing IoT
18. Audit Challenges
19. Future of IOT
20. IoT Professional Opportunities
21. References
Annexure A - Case Studies
a. Smart Farming (Precision Agriculture)
b. Smart Cold Chain Solution
c. Smart Parking
1. INTRODUCTION
From Smart Phones to Smart Watches, from Smart bulbs to Smart refrigerators, the world around us is changing
fast. One such technology which is enabling this rapid change is the Internet of Things (IoT). The IoT is the
network of physical objects or “things” embedded with electronics, software, sensors, and network connectivity,
which enables these objects to collect and exchange data. These devices / sensors are provided with
unique identifiers on the internet and the ability to transfer data over a network without the need for human-to-
human or human-to-computer interaction. The IoT has evolved from the convergence of multiple technologies
such as the wireless technologies, micro-electromechanical chips, and circuits, and most importantly the internet.
The definitions of IoT vary from perspective to perspective and from scenario to scenario. One perspective is that
IoT devices are those which communicate over the Internet or any network. An IEEE (Institute of Electrical and
Electronics Engineers, USA) special report states the following:
“The Internet of Things, or “IoT”, which you probably have heard about with increasing frequency, is
not a second Internet. Rather, it is a network of items—each embedded with sensors—which are
connected to the Internet.”1
TechTarget defines IoT as:
“The Internet of Things (IoT) is a scenario in which objects, animals or people are provided with
unique identifiers and the ability to transfer data over a network without requiring human-to-human or
human-to-computer interaction.”1
The embedded computing elements in IoT objects control how the physical objects behave, the utility that
the objects provide to the end user and the way users interact with the objects. For instance, household appliances
are now available that can automatically schedule repairs or routine service with minimal (or no) user
intervention, wearable devices can track physical activity and automobiles have computerized navigation,
accident prevention and fuel efficiency features.
While this transformative change may take a few more years to be fully realized, an increasing trend is being
observed in the way in which IoT has been adopted by industries. The healthcare vertical has used embedded
connectivity and computing components for many years, and the usage is only evolving day by day. For instance,
biomedical devices (including implantable devices), such as pacemakers and insulin pumps, and diagnostic
equipment, such as imaging equipment, have the capability to communicate with each other and the outside world,
in addition to having built-in computing elements to automate tasks.
With the reduction in cost of IoT technology, the number of possible use cases that integrate embedded
components has been on the rise, and such components can be economically incorporated into more large appliances and vehicles,
and, ultimately, into smaller, lower-cost items, such as wearable objects.
Importance of IoT in today’s era
There are more connected devices than people in the world, according to the World Economic Forum's State of
the Connected World report, and it is predicted that by 2025, 41.6 billion devices will be capturing data on how
we live, work, move through our cities and operate and maintain the machines on which we depend. Not just that,
it is worth noting the digital transformation that is taking place due to emerging technologies, including robotics,
the IoT and artificial intelligence, popularly known as the Fourth Industrial Revolution, and that COVID-19 has
accelerated the use of these technologies.
It is also to be noted that COVID-19 has highlighted the essential role the internet of things (IoT) has come to
play in our lives. IoT applications such as connected thermal cameras, contact tracing devices and health-
monitoring wearables are providing critical data needed to help fight the disease, while temperature sensors and
parcel tracking will help ensure that sensitive COVID-19 vaccines are distributed safely.
Figure 1: How COVID-19 has sped up the adoption on IoT technologies
Source: World Economic Forum –
The “State of the Connected World - 2020 Edition” by the World Economic Forum further states that COVID-19
has accelerated the adoption of IoT, and below are a few findings as per their research:
• IoT has introduced new use cases and applications, bolstering demand in select areas such as health technology and the smart home.
• The interoperability of systems and advancement of global technology standards remain important priorities for the continued development and expansion of IoT.
• IoT, which is being used to help manage and respond to COVID-19, holds the potential to spur and accelerate new opportunities to boost organizational and individual resilience.
• Over the next few years, the implementation of a variety of new technologies will likely increase the range, capabilities and analytical sophistication of IoT.
Thus, the Internet of Things has brought in many use cases which businesses are exploring extensively. This has
also resulted in newer services, products, and business models. Chartered Accountants, by understanding the
landscape of this technology, shall be better equipped to perform risk assessments, audits, and other value-added
services discussed in the subsequent sections.
2. Key Concepts in IoT
It is critical to understand the key concepts in IoT and how they are related. The below image explains the Key
Concepts:
Figure 2 - Key Concepts of IoT
Source: sciforce
3. IoT Architecture
The IoT architecture is a fundamental way to design the various elements of IoT, so that it can deliver services
over the networks and serve the needs. In essence, IoT infrastructure and architecture consists of multiple
components. Below is the list of few of them:
Figure 3 - IoT Architecture
Source: scnsoft
Sensors:
Popularly referred to as a “thing”, this is an object equipped with sensors that gather data to be transferred over
a network, and actuators that allow things to act: for example, to switch a light on or off, to open or close a door,
to increase or decrease engine rotation speed and more. This concept includes fridges, streetlamps, buildings,
vehicles, production machinery, rehabilitation equipment and everything else imaginable.
Gateways:
Data goes from things to the cloud and vice versa through the gateways. A gateway provides connectivity between
things and the cloud part of the IoT solution, enables data pre-processing and filtering before moving it to the
cloud to reduce the volume of data for detailed processing and storing and transmits control commands going
from the cloud to things. Things then execute commands using their actuators.
Data lake:
A data lake is used for storing the data generated by connected devices in its natural format. When the data is
needed for meaningful insights, it is extracted from a data lake and loaded to a big data warehouse.
Big data warehouse:
Filtered and pre-processed data needed for meaningful insights is extracted from a data lake to a big data
warehouse. A big data warehouse contains only cleaned, structured and matched data in comparison to a data lake
which contains all sorts of data generated by sensors. Also, the data warehouse stores context information about
things and sensors (for example, where sensors are installed) and the commands that control applications send to things.
Data analytics:
Data analysts can use data from the big data warehouse to find trends and gain actionable insights. When analysed
(and in many cases – visualized in schemes, diagrams, infographics) big data show, for example, the performance
of devices, help identify inefficiencies and work out the ways to improve an IoT system (make it more reliable,
more customer-oriented). Also, the correlations and patterns found manually can further contribute to creating
algorithms for control applications.
Machine learning and the models ML generates:
With machine learning, there is an opportunity to create more precise and more efficient models for control
applications. Models are regularly updated (for example, once in a week or once in a month) based on the
historical data accumulated in a big data warehouse. When the applicability and efficiency of new models are
tested and approved by data analysts, new models are used by control applications.
Control applications which are capable of sending automatic commands and alerts to actuators, for
instance:
o Car Park Doors of a smart home can receive an automatic command when the car is arriving.
o Agriculture irrigation systems can start watering the plants when the soil is dry beyond a particular level.
o Preventive maintenance of Industrial equipment could be performed based on proactive alerts issued by
the sensors deployed in industrial equipment.
These commands sent by control apps to actuators can also be analysed further using an analytics engine, and data-driven
models can be developed that could provide insights. This could provide many opportunities to analyse the data,
understand the challenges, investigate problematic cases etc. For instance, commands sent by the control app
which are not performed by actuators could be due to issues arising at the connectivity, gateway or
actuator level. In addition, storage of such logs can enhance the security of the IoT system.
User applications:
These are a software component of an IoT system which enables the connection of users to an IoT system and
gives the options to monitor and control their smart things (while they are connected to a network of similar
things, for example, homes or cars and controlled by a central system). With a mobile or web app, users can
monitor the state of their things, send commands to control applications, set the options of automatic behaviour
(automatic notifications and actions when certain data comes from sensors). These, coupled with measures such
as end-to-end encryption and ensuring that the required firewalls are in place, shall ensure the security and integrity of
data.
Device management:
To ensure sufficient functioning of IoT devices, it is far from enough to install them and let things go their way.
Some procedures are required to manage the performance of connected devices (facilitate the interaction
between devices, ensure secure data transmission and more):
o Device identification to establish the identity of the device to be sure that it is a genuine device with
trusted software transmitting reliable data.
o Configuration and control to tune devices according to the purposes of an IoT system. Some parameters
need to be written once a device is installed (for example, unique device ID). Other settings might need
updates (for example, the time between sending messages with data).
o Monitoring and diagnostics to ensure smooth and secure performance of every device in a network and
reduce the risk of breakdowns.
o Software updates and maintenance to add functionality, fix bugs, address security vulnerabilities.
User management:
Alongside device management, it is important to provide control over the users having access to an IoT
system.
User management involves identifying users, their roles, access levels and ownership in a system. It includes such
options as adding and removing users, managing user settings, controlling access of various users to certain
information, as well as the permission to perform certain operations within a system, controlling and recording
user activities and more.
Security monitoring:
Security is one of the top concerns in the internet of things. Connected things produce huge volumes of data,
which need to be securely transmitted and protected from cyber-criminals. On the other side, the things
connected to the Internet can be entry points for attackers. What is more, cyber-criminals can gain access to the
“brain” of the whole IoT system and take control of it.
To prevent such problems, it makes sense to log and analyse the commands sent by control applications to
things, monitor the actions of users and store all these data in the cloud. With such an approach, it is possible to
address security breaches at the earliest stages and take measures to reduce their influence on an IoT system (for
example, block certain commands coming from control applications).
Also, it is possible to identify the patterns of suspicious behaviour, store these samples and compare them with
the logs generated by an IoT system to prevent potential penetrations and minimize their impact on an IoT
system.
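One way to carry out the log review described above, and the check for commands that actuators never performed mentioned under control applications, shown as an added example that is not part of the Guide: it reconciles a control-application command log against actuator acknowledgements and compares the log with three stored patterns. The log layout, device names, rule thresholds and all sample records are constructed assumptions.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Command = namedtuple("Command", "ts cmd_id device action issuer")

# Constructed sample data (hypothetical devices and log layout).
REGISTERED_DEVICES = {"door-01", "pump-07", "valve-03"}
SAMPLE_COMMANDS = [  # (time, command id, device, action, issuing control app)
    ("2021-03-01T08:00:00", "c1", "door-01", "OPEN", "home-app"),
    ("2021-03-01T08:05:00", "c2", "pump-07", "START", "irrigation-ctl"),
    ("2021-03-01T08:05:10", "c3", "pump-07", "STOP", "irrigation-ctl"),
    ("2021-03-01T08:05:20", "c4", "pump-07", "START", "irrigation-ctl"),
    ("2021-03-01T08:05:30", "c5", "pump-07", "STOP", "irrigation-ctl"),
    ("2021-03-01T09:00:00", "c6", "cam-99", "REBOOT", "home-app"),
    ("2021-03-02T02:30:00", "c7", "door-01", "OPEN", "home-app"),
    ("2021-03-02T09:00:00", "c8", "valve-03", "CLOSE", "irrigation-ctl"),
]
SAMPLE_ACKS = {"c1", "c2", "c3", "c4", "c5", "c7"}  # ids the actuators confirmed


def parse(rows):
    """Turn raw log rows into Command records with real timestamps."""
    return [Command(datetime.fromisoformat(ts), cid, dev, act, who)
            for ts, cid, dev, act, who in rows]


def not_executed(commands, acked_ids):
    """Commands sent but never confirmed: a connectivity, gateway or actuator issue."""
    return [c.cmd_id for c in commands if c.cmd_id not in acked_ids]


def unregistered_device(commands, registered):
    """Pattern 1: a command addressed to a device missing from the device register."""
    return [c.cmd_id for c in commands if c.device not in registered]


def command_burst(commands, limit=3, window=timedelta(seconds=60)):
    """Pattern 2: more than `limit` commands to one device inside `window`."""
    flagged, recent = [], defaultdict(list)
    for c in sorted(commands, key=lambda c: c.ts):
        # Keep only earlier commands to this device that are still inside the window.
        times = [t for t in recent[c.device] if c.ts - t <= window]
        times.append(c.ts)
        recent[c.device] = times
        if len(times) > limit:
            flagged.append(c.cmd_id)
    return flagged


def off_hours_sensitive(commands, sensitive=frozenset({"OPEN"}), start=6, end=22):
    """Pattern 3: a sensitive action issued outside the hours start..end."""
    return [c.cmd_id for c in commands
            if c.action in sensitive and not (start <= c.ts.hour < end)]


def audit(rows, acked_ids, registered):
    """Run the reconciliation and all patterns; return findings keyed by check name."""
    commands = parse(rows)
    findings = {
        "not_executed": not_executed(commands, acked_ids),
        "unregistered_device": unregistered_device(commands, registered),
        "command_burst": command_burst(commands),
        "off_hours_sensitive": off_hours_sensitive(commands),
    }
    # Commands matching any stored pattern are the ones a live system would block
    # or hold for review; unexecuted commands are an operational finding instead.
    suspicious = set()
    for rule in ("unregistered_device", "command_burst", "off_hours_sensitive"):
        suspicious.update(findings[rule])
    findings["hold_for_review"] = sorted(suspicious)
    return findings


if __name__ == "__main__":
    for name, ids in audit(SAMPLE_COMMANDS, SAMPLE_ACKS, REGISTERED_DEVICES).items():
        print(f"{name}: {ids}")
```

Each finding is a list of command ids, so an auditor can trace every exception back to the original log line and the issuing control application.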
4. How has it impacted personal life?
From connected home hubs and smart thermostats to remote door locks, from smart watches to smart electronic
equipment and various app-controlled appliances, IoT has already entered our everyday lives. The “sensors” are
constantly collecting and transmitting information. These devices have entered all aspects of our personal
lives. Below are a few such cases:
• Smart home hubs (that control lighting, home heating and cooling, etc.)
• Smart assistants (like Amazon Alexa or Apple’s Siri)
• Fitness trackers, sleep trackers, and smart scales
• Smarter homes and offices that can save energy costs, or modify the inner ambiance of a building to suit the
tastes and needs of the resident
• Better security by constant surveillance and taking proactive action (such as alerting the local police) in case
of security breach
• Reminders of mundane tasks such as payment of utility bills, parking meters
• Smart automobiles that can summon assistance if required, assist in controlling vehicle speed based on traffic
and environmental conditions
• Reducing traffic congestion; for example, routing cars away from an area where a major traffic accident has
just occurred
• Smart city lighting will reduce energy consumption when no one is present.
• The self-driving car (powered by Artificial Intelligence) may be the ultimate IoT device reshaping how we
use and own cars. Even today human driven cars are using IoT for navigation, safety, and infotainment.
5. Use cases - Personal Life
Imagine an intelligent house, programmed to save energy, and make life more convenient. Alarm clocks will be
synced with traffic apps; heating systems will be synced with external temperature sensors, which will be synced
with cost evaluations; lighting will react as we enter a room, as might our coffee makers. With the seamless
integration of light, heat and air conditioning that reacts to a person, a lot of resources could be saved. These are
just a few illustrations and things can go beyond. For instance, anything in the fridge that a person does not eat can be
recorded so that the person can examine trends and patterns.
On the other end, such homes are smart enough to even remind one who has left the house without taking the keys. The car
can perhaps anticipate the rider and open itself via a sensor in our phones or
keys. In addition, intelligent traffic detection powered by sensors can allow the car navigation system to speak
with the signals and drive through the shortest route to work or home.
Wearables on the other end can track much more, starting from sleeping patterns, nutritional balance, healthcare
checks and check-up schedules, exercise routine, etc. At the same time, to keep one safe, sensors around the city
could also alert citizens to potential dangers including traffic accidents, proximity alerts around vehicles, bad
weather, and more.
Not just that, on a tiring day at the office, one can, through a mobile phone application, activate the oven,
refrigerator, and the air cooling at home to ensure things are perfectly set up when one enters his/her residence.
Voice assistant powered smart lights, bulbs, fans and many more devices can get activated based on one’s voice
command. The above is just an illustrative case of how this has been used in our personal lives.
6. How has it impacted business?
Just like how IoT has impacted our personal lives, it has also impacted the way business is done. More and more
organizations have adopted the use of various devices that utilize the great potential of IoT. IoT devices like
sensors are cost-effective and impactful, helping companies gather big data, monitor operations, predict
equipment breakdowns, and streamline operations. By gathering big data, IoT gives a birds-eye-view on business,
allowing it to become data-driven. IoT can provide greater visibility across the fulfillment process, enabling
retailers to track orders from the moment an order is placed until it reaches the consumer’s doorstep. Durable
goods manufacturers could leverage the connectivity to establish long-term relationships with consumers by
offering ancillary services like predictive maintenance and performance analytics. The number of connected
things also equates to more data from which marketers could gain insight into consumer behavior, leading to more
intuitive websites customized to the individual consumer.
On the other end, many startup companies are exploring the potential of such technology and are increasingly
using it in the innovative products and services they render. Once the business value of the IOT domain is
understood, new products, services and revenue models will emerge which will attract higher investments and
therefore create jobs in the domain of IOT.
Adoption of IOT will also give rise to adoption of big data and analytics technologies that can provide insight to
take meaningful decisions. The large number of devices, coupled with the high volume, velocity, and structure of
IOT data, can create opportunities especially in the areas of security, data, storage management, servers and the
data center network, data analytics and Big Data. This means skills such as knowledge of business analysis, math
and statistics, creative design for end user visualization, big data frameworks, programming and architecting large
scalable systems and knowledge of devices used in the IOT ecosystems will be in demand in addition to
understanding business specific usage patterns, customer behaviors and innovative marketing techniques.
The following are use cases where businesses can use IoT:
• Predicting hardware maintenance - Sensors embedded in machinery and hardware can provide real time feedback about their current conditions and can send alerts when they need maintenance.
• Optimizing energy consumption - Smart lighting, heaters etc. installed in factories and business organizations can determine when they are needed and effectively conserve energy when not in use. Heaters can also be used in temperature sensitive rooms such as server rooms to ensure that no equipment damage occurs due to temperature fluctuations.
• Enhancing security - Motion sensors and cameras connected to the internet can render business premises safer and more secure than ever before.
• Consumer technology - Smartphones and tablets, personal activity trackers and other wearables, smart home appliances and smart thermostats are already widely available and in use.
• Electricity and utilities - Smart grid technology is enabling distribution intelligence and providing a two-way opportunity to send electricity back to the grid, particularly during peak usage periods. Automatic detection of outages by smart meters can lead to faster repairs. Other IoT advancements, such as the ability to schedule smart home appliances to run during lower usage periods, are helping to reduce consumers’ energy consumption.
• Oil and gas - IoT technology is helping businesses in this sector to increase efficiency through advancements in pressure, temperature, and flow rate monitoring, as well as in the measurement of handoffs, volume, and pipeline integrity. Sensors in the field can enable smart forecasting and help companies optimize well production. By becoming “digital technology companies”, oil and gas companies can further improve rig uptime and oil recovery rates, reduce oil spillage, boost employee productivity, shrink costs, and more.
• Insurance - Geospatial applications can alert drivers to potential severe weather events (e.g., hailstorms), helping them to avoid vehicle damage and the need to file an insurance claim. Environmental sensors in workplaces and other buildings and facilities are already being used to detect temperature, smoke, toxic fumes, mold, earthquake motion, and more.
• Driverless / Autonomous Cars - Autonomous cars can help reduce traffic and increase road safety. Road sensors can alert drivers of sensor-equipped cars to rain, frost, and ice. Some road sensors also can measure the amount of stagnant water, thickness of ice etc. to analyze the makeup of chemicals on the road surface that have been used for deicing, and then report back to departments of transportation so they can improve their application of those chemicals.
• Medical - Patient care is an obvious application for IoT technologies — from scheduling appointments to monitoring conditions like diabetes to ensuring the proper dosage of medicine has been administered. Medical device downtime also can be reduced through remote monitoring and support. IoT technology is already helping hospitals optimize the supply chain while reducing risk:
• Managing Inventory - Supply cabinets with built-in RFID readers with antennas can record which staff members have accessed the inventory, what they took and when. They can also reduce the need for doing physical verification of inventory and doing reconciliation between physical stock and book records. In addition, proactive alerts can be designed to replenish stock.
• Telecom Sector - IoT can help the telecom sector in asset management and remote system monitoring. By using IoT solutions, telecom companies can connect their diverse physical assets to the cloud and remotely manage their operations, investigate malfunctions, run firmware upgrades, and keep track of inventory.
Companies using IoT
Using IoT for predictive maintenance can reduce maintenance costs and breakdowns. Water and gas utilities are
using sensors on pipes to detect and fix leaks. For instance, GE is using sensors in airplane parts and engines to
better maintain planes and have more available to optimize utilization and minimize airline delays.
Source: yourstory.com
Apache Corporation, an oil and gas exploration company, is using IoT to help customers predict when oil pump
failures will happen. Just reducing these failures by 1 % for the global oil industry would add $19 Billion more
output per year. Michelin is using sensors in tires to gain insight to help truck fleet managers reduce fuel
consumption.
TagBox uses IoT automation and analytics as the foundation of its cold chain supply business. It helps clients create
reliable and sustainable cold chains through comprehensive solutions that use IoT, advanced analytics, as well as
automation and control, which gives real-time visibility of the entire cold chain (cold storage, cold transit, and retail
refrigeration). This helps reduce product spoilage, helps meet compliance requirements, cuts energy costs, prevents
theft and pilferage, decreases cargo insurance premiums, and optimizes transportation costs.
DeTect Technologies, an IoT start-up, focuses on asset integrity management, especially in the conventional
oil and gas industry, and has built a unique, patented technology for pipeline condition monitoring in real-time
using a long-range ultrasonic sensor for temperatures of up to 350 degrees Celsius. The solution helps reduce
productivity losses due to a breach. The company also offers Noctua, an intelligent solution for structural health
monitoring on hard-to-reach assets such as stacks, columns, pipe racks, vessels, tanks, boilers, chimneys etc.,
and has several Fortune 500 companies as its clients.
7. Industrial IoT
Industrial Internet of Things (IIoT) refers to the combination of IoT technology and data with manufacturing and
other industrial processes, often with the goal of increasing automation, efficiency, and productivity. This is where
IoT gets applied in practice at various industries, such as:
IIoT helps organizations leverage the power of data that their machines created over several years and use that
for real-time analytics to drive faster, more accurate business decisions.
Figure 7 - Various potential applications of Industrial IoT
01 Factory equipment, machines, and devices used in manufacturing
02 Remote health monitoring, equipment maintenance in healthcare
03 Sensors and Supervisory Control and Data Acquisition (SCADA) systems in oil and gas production
04 Telemetry data from autonomous vehicles
Business transformation strategies around IOT
The birth of IoT has transformed businesses and led them to altogether new directions. Business models and
ideas that previously existed only in fiction can now become a reality using IoT devices. An example of such a
device would be Amazon’s Alexa. The concept of a virtual home assistant was only heard of in science fiction
or movies until its introduction. Today Alexa has already transformed the way millions of people interact with
their home appliances and it is still in its nascent stage.
The application of IoT in the creation of new and innovative products has large scale implications on our lives
and the way we carry out day to day activities. IoT can also be used to revolutionize the way traditional businesses
are conducted. Heavy machinery embedded with IoT can perform a large portion of its maintenance by itself
and provide regular updates about its condition to the foreman or manager. This frees up the foreman’s or
manager’s time and energy to focus on more important matters, thereby increasing the quality of his/her
management. Along similar lines, IoT can bring great changes in the way both old and new businesses are carried out.
The power of IoT can be harnessed independently to render newer services and products,
and thereby bring in newer business models or strategies surrounding them. Alternatively, it can be used to better
optimize or utilize the existing processes and resources to add more value-added insights.
8. Smart Cities
As more and more people move into cities worldwide, there is increasing demand for water and energy, and an
increased potential for disease outbreak, pollution, traffic congestion, and crime. At the same time, most of the
developed world needs to deal with an aging population. By installing sensors in every building and road, the
government can construct a 3D virtual representation of the city to perform more in-depth analysis of the everyday
challenges that the city faces.
Ever since the concept of a smart city was introduced, IoT (Internet of Things) has been considered the key
infrastructure in a smart city. While the perspective of “smart city” differs from region to region and country to
country, it is generally understood as using information and communication technologies (ICT) to solve the
various urbanisation challenges starting from lighting, parking, traffic management, housing and urban
development, waste management, sewage treatment etc. It can be described in a wide sense as the convergence
of ICT, the ecological environment, energy technologies, and support facilities within urban and residential
environments.
Figure 9 - Few of the applications of IoT in Smart Cities
Source: Internet
Overall, IoT-based smart cities use data and technology to create a more efficient and sustainable infrastructure
to manage the resources, traffic flow, population behavior, develop the local economy, and improve the quality
of life of residents. Smart cities will be able to deliver many benefits including:
• Reducing traffic congestion; for example, routing cars away from an area where a major traffic accident has just occurred.
• An ambulance can go through the streets sounding an alarm which stops all other traffic by changing the traffic lights. Additionally, a nearby connected hospital will be standing by to expect the arrival of the patient.
• Smart parking can reduce a great deal of driving time and fuel while searching for a parking space during busy times.
• Smart city lighting will reduce energy consumption when no one is present.
• Smart buildings can be stand-alone projects or part of a smart city, in which energy can be monitored during peak usage hours to minimize brown outs.
• Early warning systems can be installed in a smart city so when major accidents, earthquakes, or storms occur, the nearby first responders, police and hospitals can be informed all at the same time.
• Better waste and sewage management.
• IoT can provide sensors that collect information that can be used to predict maintenance needs before such devastating events occur.
9. IOT in the domain of finance
The Financial Services Industry, being a data-driven industry offering intangible products, may not see a lot of
direct impact due to IoT, in contrast to, say, the retail industry. However, the indirect impact, say in the form of
data from IoT devices being used to improve financial products and services, will be far reaching.
IoT leads to a much more intense customer relation, as it allows business to develop value-added services on top
of their strategies. IOT as part of data strategy can do the following:
• Delivery of new innovative products and services (personalization by the IoT delivered data)
• Fine-tuning of Risk Management (e.g., improvement of fraud detection or improved quality checks and follow-up of credit collaterals)
• Improve the sales process of existing products (e.g., identification of cross-sell opportunities, more personalized contextual messages) and the customer relationship (e.g., churn detection, more accurate customer segmentation)
• Execute payments, i.e., devices executing automated payments
• Identification and authentication, i.e., use IoT devices to identify and authenticate a person more accurately
• Improved Decision-Making to get data for various types of risk assessment including credit, underwriting etc.
• Real-time Data Gathering is possible, with continuous data gathering enabled by IoT tools, attending to the customers’ needs and requirements. IoT lets companies access real-time databases thus allowing them to render services instantly.
• Seamless Communication between Financial Devices with a wide range of applications. Leveraging IoT can enable automated cashless payments, offer financial advice to the customers based on their spending habits etc.
• Smart IoT devices help the companies in rendering better security to their branches. By installing IoT driven devices such as cameras, motion sensors and connecting them to the Internet, banking and financial companies can prevent money losses.
• An interconnected network of IoT devices allows the finance function to automate important business processes. Specialized IoT applications help banking and financial institutions in automating financial requests handling, transfer of ownership of a specific asset and other processes.
10. How has it impacted audit?
As the IoT will change the sources of transactional data flowing into billing, enterprise resource planning, and
accounting systems, it will alter the way audits of these transactions are carried out. Auditors must still ensure
that transactions are properly monitored and controlled, but the methods and internal control design are changing.
Instead of going to the bookkeeper for client information, for instance, auditors will automatically receive data
from a digital system. Because the IoT provides real-time visibility into transactions, controls, and exposures in
processing systems, it will increase the need for continuous auditing. It will also allow for greater visibility into
risks, making for quicker assessment and remediation, and will require real-time interactions with management
throughout the year. If a sensor sends a warning or error message in real time, companies and their auditors can
respond immediately.
The IoT will also bring auditors new opportunities for client service in the areas of business process design and
data analysis. Clients will need auditors to help set up accounting and recording systems, such as dashboards that
aggregate data received from the IoT.
The following are a few considerations for auditors:
• With IoT assisted accounting, CAs would be able to automatically receive all associated data through a digital system, which could help CAs gain access to real-time transactional data, along with many controls and exposures in the existing operations, increasing the need for continuous auditing processes. This will also allow a wider and more comprehensible risk evaluation, which will help to quicken issue assessment and remediation. It will also offer real-time management which will enable businesses and CAs alike to respond to issues immediately.
• IoT makes it easier for organizations to keep tabs on their resources, in relation to Inventory and Assets, and that has direct implications for the accountants who are responsible for overseeing the budget and its relation to assets.
• IoT also helps in reducing the time lapse between an event and its recording, for more timely decision making and facilitating assessment of process-driven activities.
• With IoT in place, there would be more data, more action, more observation, and reduction of immediate direct human impact.
• Technologies such as drones can help in gathering evidence to support assertions and performing audits much faster, and in fact in real time. This could be used for physical verification of inventory, assessing mines and quarries etc.
• IoT based automation and intelligent systems can ensure that the presence of personnel is detected, and their physical appearance checked to ensure that safety measures have been taken by the worker. Every check conducted leaves an audit trail, and if exceptions are found, alarms are raised with evidence. Also, once the situation is corrected, the issue or alarm raised can be closed. There may no longer be a need for any such evidence of compliance, as the compliance is ensured automatically.
• IoT cloud-based workplace and process enhancements will lead to ground-breaking transformations. The workplace is now touted to be a common place for humans as well as robots to work together. The raw materials needed get demanded or pulled from the repositories or warehouses based on the jobs at hand and planned for the day. The raw materials are automatically routed to the place of work. Every step moved ahead in the workflow gets detected or communicated to get additional inputs and take the outputs to the next step in the process. This kind of self-managed factory setup will have all the statistics and logs around the process already created and available.
• Quality will hardly need any sample checks as all the items will go through a compulsory test. Every item would have its own set of quality requirements embedded and would reach out to instruments which can verify a specific parameter; thus, each product would have its size verified by a machine, based on the specifications embedded.
• Documentation is one thing that may be solved on its own, since the workflow or process maps which would be used for automation are themselves good enough documentation. Also, the need for documentation for instructional purposes gets reduced, since it is the IoT data which drives the processes.
Use cases in Audit
The implementation of IoT devices can greatly facilitate the process of audit. Using the various IoT devices that
are available, an auditor can perform previously mundane and repetitive tasks with greater ease and flexibility.
For example, cash registers linked to the internet can provide real time data about the quantity and amount of
sales that take place within an organization regardless of its size. Such facilities enhance the capabilities of
auditors and allow them to deal with data of previously unfathomable quantities.
IoT provides the auditors with a plethora of information that was previously unavailable, in order to give a clearer
picture about the organization and its current situation. Auditors can monitor the condition of inventory and
physical assets that are IoT embedded in order to accurately determine their worth and condition. Along similar lines,
IoT greatly simplifies the work of an auditor either by making previously difficult to obtain information easily
available or by making available entirely new information altogether.
• Security - IoT based automation and intelligent systems can ensure that the presence of personnel is detected, and their physical appearance checked to ensure that safety measures have been taken by the worker. Every check conducted leaves an audit trail, and if exceptions are found, alarms are raised with evidence. Also, once the situation is corrected, the issue or alarm raised can be closed. There may no longer be a need for any such evidence of compliance, as the compliance is ensured automatically and all evidence collected.
• Operational - IoT cloud-based workplace and process enhancements will lead to groundbreaking transformations. The workplace is now touted to be a common place for humans as well as robots to work together. The raw materials needed get demanded or pulled from the repositories or warehouses based on the jobs at hand and planned for the day. The raw materials are automatically routed to the place of work. Every step moved ahead in the workflow gets detected or communicated to get additional inputs and take the outputs to the next step in the process. This kind of self-managed factory setup will have all the statistics and logs around the process already created and available, and there is no need to present any evidence as it is all over the place.
• Quality - Quality will hardly need any sample checks as all the items will go through a compulsory test. Every item would have its own set of quality requirements embedded and would reach out to instruments which can verify a specific parameter; thus, each product would have its size verified by a machine, based on the specifications embedded. The product would get each of its parameters auto verified.
• Drone Technology - IoT powered drones can be used to audit places which are hard to reach or difficult to cover within the limited time. With advanced technologies such as artificial intelligence and data analytics, drones can be used for a variety of tasks in the audit. The images captured by the drone are subsequently converted into analysable data with the help of machine learning and image recognition protocols.
Risks involved in IOT
Although IoT can result in financial, health and safety, and quality-of-life benefits, IoT can also introduce new
risk. Any new technology, process or business method can increase risk, but IoT, because of its pervasiveness,
has the potential to increase risk significantly. Risk scenarios differ between enterprises that manufacture and sell
communication capable embedded systems and enterprises that are users of these devices. The risks that IoT
may pose can be categorized as follows:
Business risk
• Health and safety
• Regulatory Compliance
• User privacy
• Unexpected costs
Operational risk
• Inappropriate access to functionality
• Shadow usage
• Performance
Technical risk
• Device vulnerabilities
• Device updates
• Device management
11. OWASP Top 10 IoT Risks
The Open Web Application Security Project® (OWASP) is a non-profit foundation that works to improve the
security of software. Through community-led open-source software projects, hundreds of local chapters
worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP
Foundation is the source for developers and technologists to secure the web. OWASP has released a Top 10 IoT
vulnerabilities list, which is detailed below:
1. Weak, guessable, or Hardcoded Passwords
Use of easily brute forced, publicly available, or unchangeable credentials, including backdoors in firmware or
client software that grants unauthorized access to deployed systems.
2. Insecure Network Services
Unnecessary or insecure network services running on the device itself, especially those exposed to the internet,
that compromise the confidentiality, integrity/authenticity, or availability of information or allow unauthorized
remote control.
3. Insecure Ecosystem Interfaces
Insecure web, backend API, cloud, or mobile interfaces in the ecosystem outside of the device that allow
compromise of the device or its related components. Common issues include a lack of
authentication/authorization, lacking or weak encryption, and a lack of input and output filtering.
4. Lack of Secure Update Mechanism
Lack of ability to securely update the device. This includes lack of firmware validation on device, lack of secure
delivery (unencrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of security changes
due to updates.
5. Use of Insecure or Outdated Components
Use of deprecated or insecure software components/libraries that could allow the device to be compromised. This
includes insecure customization of operating system platforms, and the use of third-party software or hardware
components from a compromised supply chain.
6. Insufficient Privacy Protection
User’s personal information stored on the device or in the ecosystem that is used insecurely, improperly,
or without permission.
7. Insecure Data Transfer and Storage
Lack of encryption or access control of sensitive data anywhere within the ecosystem, including at rest, in transit,
or during processing.
8. Lack of Management
Lack of security support on devices deployed in production, including asset management, update management,
secure decommissioning, systems monitoring, and response capabilities.
9. Insecure Default Setting
Devices or Systems shipped with insecure default settings or lack the ability to make the system more secure by
restricting operators from modifying configurations.
10. Lack of Physical Hardening
Lack of physical hardening measures, allowing potential attackers to gain sensitive information that can help in a
future remote attack or take local control of the device.
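Several of the categories above can be turned into repeatable checks over a device inventory during an audit. The following Python code is an added example, not part of this guide or of OWASP's material: it evaluates device records against six of the listed categories, and every record, field name, service list and threshold in it is constructed for illustration.

```python
"""Check IoT device inventory records against categories from the list above.

Added illustration: every record, field name and threshold here is constructed.
"""
from collections import Counter
from datetime import date

# Category numbers and titles as they appear in the guide's list.
OWASP_IOT = {
    1: "Weak, guessable, or Hardcoded Passwords",
    2: "Insecure Network Services",
    4: "Lack of Secure Update Mechanism",
    7: "Insecure Data Transfer and Storage",
    8: "Lack of Management",
    9: "Insecure Default Setting",
}

CLEARTEXT_SERVICES = {"telnet", "ftp", "http"}  # assumed policy list
MAX_PATCH_AGE_DAYS = 365                        # assumed audit threshold
UPDATE_CONTROLS = ("signature_checked", "encrypted_delivery", "anti_rollback")


def audit_device(dev, today):
    """Return [(category_number, detail), ...] for one inventory record."""
    findings = []
    if dev["factory_password"]:
        findings.append((1, "factory-set credential still in use"))
    exposed = [f"{s['name']}/{s['port']}" for s in dev["services"]
               if s["internet_exposed"] and s["name"] in CLEARTEXT_SERVICES]
    if exposed:
        findings.append((2, "cleartext service reachable from internet: "
                         + ", ".join(exposed)))
    # Item 4 names three separate controls; report exactly which are absent.
    missing = [c for c in UPDATE_CONTROLS if not dev["firmware"][c]]
    if missing:
        findings.append((4, "update path lacks: " + ", ".join(missing)))
    if not (dev["telemetry_tls"] and dev["storage_encrypted"]):
        findings.append((7, "data unencrypted in transit or at rest"))
    gaps = []
    if dev["owner"] is None:
        gaps.append("no asset owner recorded")
    age = (today - dev["last_patched"]).days
    if age > MAX_PATCH_AGE_DAYS:
        gaps.append(f"last patched {age} days ago")
    if gaps:
        findings.append((8, "; ".join(gaps)))
    if dev["default_config_unchanged"]:
        findings.append((9, "shipped configuration never hardened"))
    return findings


def audit_inventory(devices, today):
    """Map each device id to its findings."""
    return {d["id"]: audit_device(d, today) for d in devices}


def summarize(report):
    """Count devices per category, most widespread first, to prioritise follow-up."""
    counts = Counter(cat for findings in report.values() for cat, _ in findings)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def device(dev_id, **overrides):
    """Build a constructed record; the defaults describe a well-managed device."""
    record = {
        "id": dev_id, "factory_password": False, "services": [],
        "firmware": dict.fromkeys(UPDATE_CONTROLS, True),
        "telemetry_tls": True, "storage_encrypted": True,
        "owner": "facilities", "last_patched": date(2021, 4, 1),
        "default_config_unchanged": False,
    }
    record.update(overrides)
    return record


AUDIT_DATE = date(2021, 6, 1)  # constructed audit date
INVENTORY = [  # constructed sample inventory
    device("cam-lobby-01", factory_password=True,
           services=[{"name": "telnet", "port": 23, "internet_exposed": True}],
           firmware=dict.fromkeys(UPDATE_CONTROLS, False),
           telemetry_tls=False, storage_encrypted=False, owner=None,
           last_patched=date(2019, 3, 1), default_config_unchanged=True),
    device("hvac-server-room",
           services=[{"name": "https", "port": 443, "internet_exposed": False}],
           firmware={"signature_checked": True, "encrypted_delivery": True,
                     "anti_rollback": False}),
    device("rfid-cabinet-3"),
]

if __name__ == "__main__":
    report = audit_inventory(INVENTORY, AUDIT_DATE)
    for dev_id, findings in report.items():
        print(dev_id, "-", "no findings" if not findings else "")
        for cat, detail in findings:
            print(f"  [{cat}] {OWASP_IOT[cat]}: {detail}")
    print("Devices affected per category:", summarize(report))
```

The summary ranks categories by how many devices they affect, which gives the auditor a starting order for follow-up testing.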
12. Privacy Issues / concerns
These systems are designed to protect the home and its inhabitants but can be vulnerable to wireless attacks that
violate privacy and security. Video baby monitors are often placed in a child’s bedroom, so that parents can check
on the child remotely, from almost anywhere. These monitors can broadcast to TVs, handheld receivers or
wirelessly to PCs or smartphones. Many incidents of intruders hacking into Internet-enabled video baby monitors
have been reported. Most monitors have security features, but parents are responsible for enabling these features
and setting a password. In 2009, an Illinois man sued a baby monitoring system manufacturer after discovering
that a neighbor, using the same system, could see into the baby’s room.
Not only human agents, i.e., attackers, can bring about these health and safety impacts; for example, malware can
infect a system with a critical safety role, such as a navigation system in an airplane, an automobile
braking system, or a smoke sensor.
In addition to health and safety risk, regulatory risk is also possible. Regulatory concerns can occur when
embedded computing components:
• Process potentially sensitive data (e.g., PoS systems that process payment information)
• Intersect with regulatory-governed business processes (e.g., financial reporting for public companies or patient care in a clinical environment)
• Impact critical infrastructure (e.g., power, and industrial control systems)
Regulatory mandates often apply to the communication enabled devices in the previous examples and others.
If regulatory mandates apply, the complexity of the regulated environment can be compounded because of
devices of this type. For example, a PoS system in a retail location may be built to conform to payment card
industry (PCI) requirements, but a smoke detector on the same network may not conform; or a magnetic resonance
imaging (MRI) machine may be built to comply with the Health Insurance Portability and Accountability Act
(HIPAA) technical requirements, but the thermostat in an operating theatre may not comply.
Devices that process the personal, private, or potentially sensitive information of customers (e.g., imaging
equipment in a healthcare context) have the potential to impact user privacy. Like compliance challenges, privacy
impacts should be evaluated prior to deployment.
The following aspects of data should all be considered:
• Data Collection - Understand the data that is being collected — some data is clearly more sensitive than other data. Unique identifiers, such as uniquely personal information, increase the risk profile.
• Data Ownership - Understand who owns the data once it is gathered. Determining data ownership is often not straightforward; a starting point might be with the question “Who is the entity/individual who would answer to ramifications of data disclosure, were it to occur?”
• Custodial Responsibility - In many cases, the data owner is not responsible for safeguarding the data but is ultimately responsible for any exposures. Programs to identify and monitor third-party providers who manage sensitive data are critical on several fronts, including the IoT.
• Data Retention and Disclosure - Retention standards for IoT-type data may not be considered or may be considered differently than for other types of data. Processes around the disclosure of data, even, or especially, to law enforcement, are a hot topic. Mobile phones often serve as a hub for interconnected devices, and contain a treasure trove of data, including locations, call logs, search results, etc. Clear policies in that regard can help avoid ambiguity and lawsuits.
Governance Risk and Compliance (GRC) issues with IOT
The risk of an insecure IoT device is relative, based on the domain in which it is operated and the jurisdiction in
which it operates. For example, privacy is at utmost risk when the device handles protected health information
(PHI), compared to when it is in an industrial set up, in which the infrastructure or services are at risk. The
geography of where the IoT device operates also matters because the legal and regulatory bindings can differ
from place to place. The governance of IoT devices needs to be handled separately, but under the IT governance
umbrella. The four critical success factors that contribute to an effective IoT project are an efficient IoT project
management team, a project stakeholder who has the authority to drive the IoT project, data and
telecommunication infrastructure to support IoT, and subject matter experts to maintain high data quality and
address integration issues.
At a project-management level, the eight steps that can help enterprises to put in place a sustainable IoT security
program are:
• Identify information
• Evaluate IoT access risk
• Formulate a big data strategy to manage the vast amount of IoT data generated
• Devise policies for privacy of sensor data
• Protect IoT devices
• Prioritize the devices
• Evaluate data loss risk
• Perform IoT incident response planning
IoT solutions are complex. The integration of connected devices and IT services poses major challenges in
networking, communication, data volume, real-time data analysis, and security. IoT solutions involve many
different technologies and require complex development cycles, including significant testing and ongoing
monitoring.
To overcome these challenges, IT organizations must:
A. Define IoT governance processes and policies
B. Develop required skills to design, develop, and deploy the solution
C. Develop a reference architecture for their IoT solution
D. Develop a comprehensive technical strategy to address the complexity
IoT solution governance can be viewed as the application of business governance, IT governance, and enterprise
architecture (EA) governance. In effect, IoT governance is an extension to IT governance, where IoT governance
is specifically focused on the lifecycle of IoT devices, data managed by the IoT solution, and IoT applications in
an organization’s IT landscape. IoT governance defines the changes to IT governance to ensure the concepts and
principles for its distributed architecture are managed appropriately and can deliver on the stated business goals.
13. Auditing IoT
One needs to admit that IoT systems are subject to numerous risks alongside the benefits they offer. Failure to
understand these risks, the environment under which the systems operate, or the applicable controls
can lead to disaster for the organization. Furthermore, given the rapid development and advancement of the IoT,
the associated risks and controls are also changing and evolving rapidly. Auditors need to stay abreast of IoT
developments and advancements to be able to assess the risks and controls in their organization.
The first step for auditors is conducting a risk assessment of the IoT in use in their organization. Specific risks
will depend on the nature of the IoT systems the organization has deployed and the overall business process they
support. However, these key aspects would help in assessing the risks better:
Security: IoT systems are connected to the Internet, so they are prone to attacks from cyber criminals and
hacktivists. Among other information security audit procedures, IT auditors should perform a vulnerability
assessment of such devices and consider conducting penetration tests on those systems periodically. Results of
these procedures should be used to strengthen the security of IoT systems, where necessary. Auditors should
carefully consider where third parties are involved to support IoT systems and assess whether third parties have
adequate security controls in place to protect data residing in IoT systems. Furthermore, they should assess the
adequacy of the encryption IoT systems use for communication.
Resilience: IoT systems may support a business process that is critical or time-bound, such as the delivery of
perishable goods. IT auditors should assess whether controls are in place to recover IoT systems in the event of a
failure. Auditors should determine whether management understands the potential business impact of an IoT
system outage and whether appropriate and adequate policies, procedures, and processes are in place to recover
affected business processes in a timely manner in the event of an outage or disaster.
Health and Safety: Many of today's IoT systems can pose a serious threat to human life and safety. Examples
include implantable biomedical devices, such as pacemakers and defibrillators, and assembly line robots at a
manufacturing facility. An important area internal auditors should assess is whether such IoT systems have
undergone sufficient testing using appropriate test cases before being deployed into production. Furthermore,
controls should be in place to ensure adequate testing is performed before upgrades, patches, and changes are
made to IoT systems where health and safety is a significant risk.
Monitoring: Like any other system, controls should be in place to monitor whether IoT systems are functioning
as intended. Internal auditors should assess whether adequate monitoring controls are in place and whether all
such controls have been operating effectively over time. Furthermore, auditors should assess whether exceptions
and failures that occur are logged appropriately and resolutions to incidents are recorded in a timely manner. Auditors also
should assess whether management has a process that takes recurring incidents into account and analyzes their
root causes.
Scoping of IoT systems: Because many vendor-provided IoT systems can be simple to implement, some systems
may be deployed by business units without the IT department's involvement. For example, fire detection systems
in enterprise facilities may have IoT capability that the IT department does not know about and risk management
professionals and internal auditors may not notice. Auditors should be vigilant to see where and when IoT systems
are deployed by different departments at the organization and prioritize IoT systems audits according to their
criticality and sensitivity.
Risk Assessment during Audit
The auditor may want to assess the risks in using IoT and may consider using the indicative template below
for a risk assessment of the investment made by the organization in the IoT device
under consideration:
| IoT Device | Impact of Device being compromised | Financial Impact | Impact to Reputation | Impact on Operations | Category of Impact |
|---|---|---|---|---|---|
| IoT enabled device XYZ | Direct impact: Loss of Productivity. Indirect or hidden impacts: Customer complaints; Malware Attacks | a. Above INR 50 crore | Need to withdraw Products or services; Breach of regulation | Products and outputs are questioned and suspected | High / Disastrous |
| | | b. INR 10 to 50 crore | Loss of customer trust | Crisis management to be in place | Medium / Disruption |
| | | c. Less than INR 10 crores | May require time to fix the issue | Beyond normal business disruption | Low / damaging |
14. Audit Challenges
Even though the introduction of IoT has brought great advantages to the field of audit, it has also brought in some
limitations:
A. Creation of new risks
The implementation of IoT has brought about the creation of risks that
did not exist in the previous regime. Data security and integrity have
become a luxury and something that needs continuous attention.
B. Need to develop new skills
With the introduction of IoT and other related technologies, it has become
clear that auditors need to continuously update their skill sets to remain
relevant and competent.
C. Existence of unknown risks
IoT, being a very new phase in the technological revolution, has
provided great opportunities but has also created many vulnerabilities.
A large portion of these vulnerabilities may still be unknown and
could surface as this technology becomes more widespread.
D. Acceptability of evidence
The introduction of IoT has made available a whole new set of information.
It is the duty of the auditor to determine which of this information is
acceptable and which is not. Care must be taken not to accept questionable
information, so as not to impede the integrity of the audit.
15. Future of IOT
The range of potential IoT applications is "limited only by the human imagination" - and many of these
applications can benefit the planet, as well as its people. The IoT is not just a “What if?” scenario for the future; it
is already here and growing every day. Internal auditors need to be on the front lines along with management,
helping them prepare the organization to meet new challenges and risks resulting from this wave of disruptive
technological change. The good news is that many of the strategies for managing the challenge of the IoT already
exist and are deployed in managing other security and operational activities of the organization. The main
difference for internal audit may be in the reporting/aggregation of risks because of the volume and geographic
dispersion of the IoT.
With that in mind, internal audit, in collaboration with the business, should seek to answer these questions to
develop a better understanding of the IOT, and raise awareness throughout the organization about its potential
opportunities and risks:
• How is the IoT deployed in our organization today? Who owns it, or its components? What is the potential
IoT inventory in the organization? For example, is IoT technology part of the products that the business sells,
is it installed internally to manage processes, or are third-party vendors deploying IoT technology within
the company’s solutions?
• Have we considered the risks associated with our IoT presence? Have those risks been quantified or
controlled? Is the business actively including its IoT inventory in broader risk assessments? Does the business
consider the IoT when applying data and privacy policies and practices and evaluating security?
• Do we know what data is collected, stored, and analyzed? Have we assessed related potential legal, privacy
and security implications? For example, if IoT technology is within the company’s solution offerings, is the
business certain that it follows customers’ agreements about disclosing the potential capture and sharing of
information?
• Do we have contingency plans for internet connected things that are hijacked or modified for unintended
purposes? Has the business evaluated the use of IoT technology in its processes, and what the potential impact
would be if something were, or had to be, taken offline? Is the IoT considered in business
continuity management plans? And if the IoT is that important to the business, what procedures are in place
for recovery in the event of a catastrophic failure?
• To what extent are third parties acting on our behalf with regard to IoT technology? Do we have appropriate
processes and service-level agreements (SLAs) in place to monitor them appropriately? As we continue to
push out our business processes to other service providers, are those providers using IoT technologies on our
behalf? If so, are we monitoring their usage? Are we aware of any components from an IoT perspective that
they may have added? Also, are we monitoring the data that we are capturing and delivering through
our third-party service providers?
• What role does the IoT play in our current strategy as an organization? How are we measuring achievement
related to any goals associated with our strategic objectives? Do we have an IoT strategy? Has the board
evaluated the potential impact of the IoT to the business? What about our competitors? Where do they stand?
• What is the risk of not considering or leveraging IoT possibilities? What is the risk if we ignore the IoT?
What if we do not take full advantage of data analytics capabilities in the IoT? Do we risk not meeting our
strategic objectives simply because we failed to recognize the evolution of a disrupted landscape?
That last
question is particularly important for internal auditors and their organizations to answer. Different businesses
use, benefit from or are affected by the IoT in different ways. To ensure they are meeting their responsibilities,
internal auditors must evaluate not only the risks posed by the IoT, but also the risk of failing to act to take
advantage of the IoT, in the context of the business, its competitors and its industry.
IoT Standards for Risk Management and Mitigation may soon be in the pipeline, which could address
the common risks and establish a governance framework to mitigate them.
16. IoT Professional Opportunities
IoT will bring CAs new opportunities for client service in the areas of business process design and data analysis.
Clients will need CAs to help set up accounting and
recording systems, such as dashboards that aggregate data received from the IoT.
CAs may also be hired to provide opinions on the security of the IoT. Consumers and industry want assurance
that information and systems will be private. When the IoT takes off, CAs will be asked to give their professional
opinions on the systems that third parties rely on, unlike today where we are only asked for assurance in special
circumstances. Further, the need for independent audits on the technology and infrastructure may increase in the
near future.
IoT will change the sources of transactional data that flow into various accounting systems. This means that there
will be a larger influx of data that will need to be incorporated into reporting systems. Most of this data will also
be supplied in real-time and will be displayed on dashboards that aid in decision making and planning. This will
pave the way for more automation tools to help process and analyse the data.
The role of the accountant has shifted from providing manual services to expert advice on financial matters, like
tax planning, financial management, and analysis. IoT will put accountants in a stronger position to provide advice
by making client financials and financial activity increasingly visible. This data can help practitioners get a better
understanding of a client and, as a result, offer better advice.
Because the IoT provides real-time visibility into transactions, controls, and exposures in processing systems, it
will increase the need for continuous auditing. It will also allow for greater visibility into risks, making for
quicker assessment and remediation, and will require real-time interactions with management throughout the year.
This would mean that auditors should have not only functional expertise in the process but also a deep
understanding of technology to assist in auditing these applications and infrastructure for meeting the pre-defined
audit scope. In parallel, auditors will have to equip themselves with the skill sets to upgrade their knowledge of these
technologies and understand the key risks.
Below is a list of a few of the opportunities available:
a. Evaluating problem statements and assessing how IoT can solve them
b. Assisting in Functional Design of IoT Systems and Architecture
c. Performing risk assessment of IoT systems
d. Assessing and addressing the privacy challenges and concerns of IoT
e. Giving an independent opinion on the entire IoT infrastructure
f. Assessing and testing the effectiveness of the controls
g. Preparing dashboards, KPIs and KRAs using results obtained from IoT
h. Analysing data on real time basis to provide management insights
i. Performing real time audits to give an assurance to the stakeholders
17. References
• ISACA Publications: https://transformingaudit.isaca.org/iot
• https://www.scnsoft.com/blog/iot-architecture-in-a-nutshell-and-how-it-works
• Protiviti Report on The Internet of Things: What Is It and Why Should Internal Audit Care?
• https://www.engineering.com/IOT/ArticleID/18533/How-IoT-Will-Change-Our-Lives.aspx
• https://www.ics.ie/news/view/1729
• https://india.theiet.org/
• http://www3.weforum.org/docs/WEF_The_State_of_the_Connected_World_2020.pdf
Annexure A - Case Studies
Source: The IET India
Below are a few illustrative case studies on the impact of deploying IoT to solve the business challenges across
different sectors in India.
a. Smart Farming (Precision Agriculture)
Background:
Farmers in the Pune region of Maharashtra, India, want
to increase the quality of yield at a reduced cost
while also having insight into irrigation, weather,
and crop-related pests and diseases. The major
challenges faced by the farmers include:
• Farmers do not have a clear understanding of the soil moisture, leading to loss of crops
• Lack of insight on weather patterns and forecasts creates issues for the planning of crops and seasonal impacts
• Farmers are unable to assess if pests and diseases have started to spoil their crops, causing loss in yield and revenue.
Solution:
An IoT-powered solution was used to solve this challenge
and assist in the below manner:
• An IoT system was deployed to monitor crop-related conditions
• The platform integrated sensors, cameras, and drones. Sensors were also deployed to monitor the temperature, humidity and leaf wetness, and to send alerts on soil moisture and weather forecast to the farmers on their phone.
• Transmission of data was also made via a Wireless Mesh Network to measure real-time data of the climatological and other environmental properties.
• The solution reduced the input cost by 20%. The yield increased by 10% to 25%.
The figure below gives a few illustrative analytics which were provided to the end customer as part of the
solution:
b. Smart Cold Chain Solution
Background:
An e-commerce aggregator wanted to ensure compliance
with cold chain SOPs and guarantee quality of products
at delivery. They also wanted to have location visibility
of cold boxes for inventory management. The below
were the challenges they were subject to:
• Unable to determine if on-field staff are
following passive-cooling SOPs while packing
boxes.
• Quality of cold chain products, like dairy and
meat, is not consistent due to temperature
excursions.
• Cold Boxes are misplaced leading to order
fulfilment issues and missing assets
Solution:
The IoT solution adopted by the aggregator was able to
assist in the following:
• Deployment of temperature sensors and a
barcode for each cold box
• Integration done with customer’s ERP system
to capture order level temperature data in an
analytics platform.
• Mobile to mobile Cellular and/or Wi-Fi
gateways were installed at customer
warehouses providing the connectivity for data
transmission from the sensors to the cloud.
• Mobile App was provided to the delivery
persons enabling real-time monitoring of
temperature during last mile delivery
• The solution had a 30% reduction in product
spoilage and 80% decrease in cold box loss.
c. Smart Parking
Background:
Smart city authorities wanted to reduce traffic
congestion at intersections where vehicles were
illegally parked. Smart city authorities wanted to send
automatic notifications to the police in real time when a vehicle
has parked in a “No Parking” zone. The
following were the challenges faced:
• Police were unable to physically monitor illegal parking at all times
• Parking ticket issuance was not tracked properly
• Existing illegal parking solutions were not working to their fullest, or the ROI was not clear
Solution:
The IoT solution adopted by the authorities was
able to assist in the below manner:
• Installed in-ground IoT parking sensors to detect vehicle presence
• IoT Gateway was used to send data to Cloud as and when data was received.
• Police receive real-time parking status updates and notifications via mobile app
• Smart city authorities were able to have immediate insight on illegal parking activities
• Traffic congestion improved over time
• The solution had around 30% return on the investment deployed.
The Institute of Chartered Accountants of India
Composition of Digital Accounting and Assurance Board 2021-22
Council Members
Chairman
CA. Manu Agrawal
Vice-Chairman
CA. Dayaniwas Sharma
CA. Nihar N Jambusaria, President (Ex-Officio)
CA. (Dr.) Debashis Mitra, Vice President (Ex-Officio)
CA. Anil S Bhandari
CA. Nandkishore C Hegde
CA. Dheeraj Kumar Khandelwal
CA. Durgesh Kumar Kabra
CA. Aniket S Talati
CA. G Sekar
CA. Rajendra Kumar P
CA. M P Vijay Kumar
CA. Ranjeet Kumar Agarwal
CA. Prakash Sharma
Shri Sunil Kanoria
Shri Chandra Wadhwa
CA. Kemisha Soni
CA. Satish Kumar Gupta
CA. Atul Kumar Gupta
CA. Pramod Jain
CA. Rajesh Sharma
Co-opted Members
CA. Deepak Kumar
CA. Bhakti Dalbhide
CA. Beldi Sridhar
CA. Kunal Kumar Ghelani
CA. Payal Agarwal
CA. Gelli Dayakar
CA. Nikunj Shah
Special Invitees
CA. Aditya Maheshwari
CA. Sanjib Sanghi
CA. Harshita Choudhary
CA. Ashish Bansal
CA. Dhruv Seth
CA. Vipin Verma
CA. Abhishek Pruthi
Secretary, DAAB
CA. Amit Gupta