A Guide to Internet of Things - Basics and Applications

Digital Accounting and Assurance Board The Institute of Chartered Accountants of India (Set Up by Act of Parliament) 2021


Post on 18-Dec-2021


INTRODUCTION

The Institute of Chartered Accountants of India

The Institute of Chartered Accountants of India (ICAI) is a statutory body established by an Act of Parliament, viz., The Chartered Accountants Act, 1949 (Act No. XXXVIII of 1949), for regulating the profession of Chartered Accountancy in the country. ICAI is one amongst the accountancy bodies in the world, with a strong tradition of service to the Indian economy in public interest.

Over a period of time, ICAI has achieved recognition as a premier accounting body not only in the country but also globally, for maintaining the highest standards in technical and ethical areas and for sustaining stringent examination and education standards. Since 1949, the Chartered Accountancy profession in India has grown by leaps and bounds in terms of

• Members and student base.

• Regulate the profession of Accountancy

• Education and Examination of Chartered Accountancy Course

• Continuing Professional Education of Members

• Conducting Post Qualification Courses

• Formulation of Accounting Standards

• Prescription of Standard Auditing Procedures

• Laying down of Ethical Standards

• Monitoring Quality through Peer Review

• Ensuring Standards of performance of Members

• Exercise Disciplinary Jurisdiction

• Financial Reporting Review

• Input on Policy matters to Government


Digital Accounting and Assurance Board of ICAI

ICAI has constituted the “Digital Accounting and Assurance Board” (DAAB) for fostering a cohesive global strategy on aspects related to digital accounting and assurance, through sharing of knowledge and practices amongst the members. DAAB is endeavouring to identify, deliberate on and highlight issues in accounting (including valuation) and assurance (including internal audit) in the digital world.

DAAB is focusing on issues in accounting and assurance arising from the high pace of digitization, including use of artificial intelligence in audit, big data analytics in audit, relevance of sampling, valuation of data as an asset, impairment testing of digital assets, insurance of data (valuation and premium fixation), etc. The Board is taking up initiatives to develop a knowledge base through position papers and articles on issues relating to the impact of technology on accounting and assurance.

Initiatives to position the profession for opportunities in the digital era are:

• Conducting Scalable, Employable and Updated Post Qualification Course on Information System Audit (DISA)

• World Class Training to Members on Forensic Accounting and Fraud Detection (FAFD)

• Imparting Hands on Training through Forensic Labs

• Evolving firms into thriving digital practice by providing leading technology solutions

• Research on Emerging Technologies - Artificial Intelligence, Cloud Computing and Robotics

• Executive Development Program on “Blockchain Technology – Driver of Digital Era”

• Capacity building in digital ecosystem of stakeholders including banks, PSUs

• Mentoring of Technology Driven Startups by Chartered Accountants

• Team of Innovators for helping members navigate digital path

• Digital Competency Maturity Model for upgrading firms in digital landscape

• Incubation Centre for Blockchain Technology

• Webinars on strategies and approach to adopt technology in assurance services

• Research on embedding the understanding and use of technology in accounting and assurance services


Foreword

ICAI has played a pivotal role in developing a resilient reporting framework for sustained economic growth of the nation in the last seven decades. The accountancy profession has endeavored to bring in the best global practices and standards for a robust financial reporting and assurance framework, inspiring trust and confidence amongst the stakeholders. ICAI members have played a key role in the development of a robust Indian corporate sector and its glorious prominence on the global horizons.

With the new technological advancements happening each day, it is imperative for Chartered Accountants to understand the fundamentals about the Internet of Things (IoT), how this is being used, the emerging business models and various uses of this technology. It is also important for Chartered Accountants to understand how to establish a governance process, identify risks and assess the controls to make this technology serve the intended purpose.

As a knowledge-based institution, ICAI has always been striving for perfection, integrity and assurance which make the word 'Chartered Accountant' synonymous with excellence in service. ICAI is continuously educating its students and members in the field of Digital transformation and we are happy to bring before you a compilation which is the first of its kind.

“A Guide to Internet of Things - Basics and Applications”, issued by the Digital Accounting and Assurance Board (DAAB) of ICAI, is an endeavor to provide an overview of the concepts of IoT, how it has impacted business, benefits and risks involved, auditing and the future of IoT. This new-age technology, which is being used to help manage and respond to COVID-19, holds the potential to spur and accelerate new opportunities to boost organizational and individual resilience. Over the next few years, the implementation of a variety of new technologies will likely increase the range, capabilities, and analytical sophistication of IoT.

I compliment CA. Manu Agrawal, Chairman, DAAB, CA. Dayaniwas Sharma, Vice-Chairman, DAAB, and other members of the Board for taking up this initiative for the benefit of the profession. I am confident that our members would take benefit of this Concept paper, and will make tangible progress in embracing technology in their professional work.

We, at ICAI, will continue to deliver many such initiatives that are meant to add to the capacity, capabilities, and skills of our professionals with the overall objective of making them the best in the world.

Wish you a happy learning!

CA. Nihar N Jambusaria

President, ICAI


Preface

The term Internet of Things (IoT) describes several technologies and research disciplines that enable the Internet to reach out into the real world of physical objects. A wide range of researchers from academia and industry, as well as businesses, government agencies, and cities, are exploring the technologies comprising the Internet of Things from three main perspectives: scientific theory, engineering design, and the user experience. The birth of IoT has transformed businesses and led them to altogether new directions. Business models and ideas that previously existed only in fiction can now become a reality using IoT devices.

With IoT assisted accounting, CAs would be able to automatically receive all associated data through a digital system, which could help CAs gain access to real-time transactional data, along with many controls and exposures in the existing operations, increasing the need for continuous auditing processes. This will also allow a wider and more comprehensible risk evaluation, which will help to quicken issue assessment and remediation. It will also offer real-time management which will enable businesses and CAs alike to respond to issues immediately.

Combined with machine learning and artificial intelligence, the Internet of Things creates vast opportunity for innovators, start-ups, and industries. From an accounting and auditing perspective, IoT has the potential to revolutionize the way businesses gather data and, in the process, transform many aspects of accounting and auditing.

ICAI has leveraged technology and infrastructure to impart world class education, training and professional development by introducing “A Guide to Internet of Things - Basics and Applications”, which equips its members with a wide variety of skill sets and morphs them into Indian multinational service providers. Apart from polishing skills in the field of Digital Transformation that will enhance their competence, it will prepare students and members to achieve their organizational and national objectives. This Concept paper outlines the importance of IoT in today’s era, IoT Architecture, IoT Value Chain, risk involved in IoT and governance risk and compliance (GRC) issues with IoT.

At this juncture, we wish to place on record sincere gratitude to CA. Narasimhan Elangovan for taking time out of their pressing preoccupations and contributing to the preparation of “A Guide to Internet of Things - Basics and Applications”.

We would like to express our gratitude to CA. Nihar N Jambusaria, President, ICAI and CA. (Dr.) Debashis Mitra, Vice President, ICAI for their continuous support and encouragement to the initiatives of the Board. We also wish to place on record our gratitude to all the Board members, Co-opted members and Special Invitees for providing their invaluable guidance and support to various initiatives of the Board. We also wish to express our sincere appreciation for CA. Amit Gupta, Secretary DAAB and the entire team of DAAB for once again coming up with this wonderful Concept Paper for the benefit of the Members and leading the technological developments in ICAI.

We urge all the students and members to educate themselves in the field of Technology essentials with an open mind and a willingness to adapt and prosper.

Wish you a Happy Learning!

CA. Manu Agrawal, Chairman, DAAB

CA. Dayaniwas Sharma, Vice-Chairman, DAAB


Author’s Note

The world is increasingly getting connected day by day. Starting from wearables such as smart watches to devices that can track industrial production in real time, everything today has started speaking with one another! This growing range of smart devices has entered our homes, our streets, our factories, our offices and even the services or products we procure. This popularly called “Smart” technology is technically known as “Internet of Things”. In layman’s language, it is a technology which has sensors enabled which transmit information such as temperature, proximity, motion detection, air pressure, location, heartbeat etc. Today, using these technologies, newer products and business models are being developed to solve various challenges. From autonomous vehicles to smart cities, from bike rental companies to aerial surveys using drones, Internet of Things has found a variety of use cases.

Combined with machine learning and artificial intelligence, the Internet of Things creates vast opportunity for innovators, start-ups, and industries. From an accounting and auditing perspective, IoT has the potential to revolutionize the way businesses gather data and, in the process, transform many aspects of accounting and auditing. As with cloud computing, accountants need to understand what is coming so that they can adapt to the changes the IoT will bring, including new opportunities for advisory services in big data and analytics. IoT will change the sources of transactional data flowing into billing, enterprise resource planning, and accounting systems, and it will alter the way audits of these transactions are carried out.

This has made it imperative for Chartered Accountants to understand the fundamentals about this technology, how this is being used, the emerging business models and various use cases on this technology. It is also important for Chartered Accountants to understand how to establish a governance process, identify risks and assess the controls to make this technology serve the intended purpose.

This Guide to IoT covers the concepts of IoT, how it has impacted business, benefits and risks involved, auditing and the future of IoT. Happy reading.

Remember, IoT - it is coming soon in a “THING” near you.


Contents

The Institute of Chartered Accountants of India
Digital Accounting and Assurance Board of ICAI
Foreword
Preface
Author’s Note
1. Introduction
2. Key Concepts in IoT
3. IoT Architecture
4. How has it impacted personal life?
5. Use cases - Personal Life
6. How has it impacted business?
7. Industrial IoT
8. Business transformation strategies around IOT
9. Smart Cities
10. IOT in the domain of finance
11. How has it impacted audit?
12. Use cases in Audit
13. Risks involved in IOT
14. OWASP Top 10 IoT Risks
15. Privacy Issues / concerns
16. Governance Risk and Compliance (GRC) issues with IOT
17. Auditing IoT
18. Audit Challenges
19. Future of IOT
20. IoT Professional Opportunities
21. References
Annexure A - Case Studies
a. Smart Farming (Precision Agriculture)
b. Smart Cold Chain Solution
c. Smart Parking


1. INTRODUCTION

From smart phones to smart watches, from smart bulbs to smart refrigerators, the world around us is changing fast. One technology which is enabling this rapid change is the Internet of Things (IoT). The IoT is the network of physical objects or “things” embedded with electronics, software, sensors, and network connectivity, which enables these objects to collect and exchange data. These devices / sensors are provided with unique identifiers on the internet and the ability to transfer data over a network without the need for human-to-human or human-to-computer interaction. The IoT has evolved from the convergence of multiple technologies such as wireless technologies, micro-electromechanical chips and circuits, and, most importantly, the internet.

The definitions of IoT vary from perspective to perspective and from scenario to scenario. One perspective is that IoT devices are those which communicate over the Internet or any network. An IEEE (Institute of Electrical and Electronics Engineers, USA) special report states the following:

“The Internet of Things”, or “IoT”, which you probably have heard about with increasing frequency, is not a second Internet. Rather, it is a network of items, each embedded with sensors, which are connected to the Internet.” [1]

TechTarget defines IoT as:

“The Internet of Things (IoT) is a scenario in which objects, animals or people are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.” [1]

The embedded computing elements in IoT objects control how the physical objects behave, the utility that the objects provide to the end user and the way users interact with the objects. For instance, household appliances are now available that can automatically schedule repairs or routine service with minimal (or no) user intervention, wearable devices can track physical activity and automobiles have computerized navigation, accident prevention and fuel efficiency features.


While this transformative change may take a few more years to be fully realized, there is an increasing trend in the way IoT is being adopted by industries. The healthcare vertical has used embedded connectivity and computing components for many years, and the usage is only evolving day by day. For instance, biomedical devices (including implantable devices), such as pacemakers and insulin pumps, and diagnostic equipment, such as imaging equipment, have the capability to communicate with each other and the outside world, in addition to having built-in computing elements to automate tasks.

With the reduction in the cost of IoT technology, the number of possible use cases that integrate embedded components has been on the rise, and such components can be economically incorporated into more large appliances and vehicles, and, ultimately, into smaller, lower-cost items, such as wearable objects.

Importance of IoT in today’s era

There are more connected devices than people in the world, according to the World Economic Forum's State of the Connected World report, and it is predicted that by 2025, 41.6 billion devices will be capturing data on how we live, work, move through our cities and operate and maintain the machines on which we depend. Not just that, it is worth noting the digital transformation that is taking place due to emerging technologies, including robotics, the IoT and artificial intelligence, popularly known as the Fourth Industrial Revolution, and COVID-19 has accelerated the use of these technologies.

It is also to be noted that COVID-19 has highlighted the essential role the internet of things (IoT) has come to play in our lives. IoT applications such as connected thermal cameras, contact tracing devices and health-monitoring wearables are providing critical data needed to help fight the disease, while temperature sensors and parcel tracking will help ensure that sensitive COVID-19 vaccines are distributed safely.

Figure 1: How COVID-19 has sped up the adoption of IoT technologies

Source: World Economic Forum –


The “State of the Connected World - 2020 Edition” by the World Economic Forum further states that COVID-19 has accelerated the adoption of IoT. Below are a few findings as per their research:

• IoT has introduced new use cases and applications, bolstering demand in select areas such as health technology and the smart home.

• The interoperability of systems and advancement of global technology standards remain important priorities for the continued development and expansion of IoT.

• IoT, which is being used to help manage and respond to COVID-19, holds the potential to spur and accelerate new opportunities to boost organizational and individual resilience.

• Over the next few years, the implementation of a variety of new technologies will likely increase the range, capabilities and analytical sophistication of IoT.

Thus, the Internet of Things has brought in many use cases which businesses are exploring extensively. This has also resulted in newer services, products, and business models. Chartered Accountants, by understanding the landscape of this technology, shall be better equipped to perform risk assessments, audits, and other value-added services discussed in the subsequent sections.


2. Key Concepts in IoT

It is critical to understand the key concepts in IoT and how they are related. The below image explains the Key Concepts:

Figure 2 - Key Concepts of IoT

Source: sciforce


3. IoT Architecture

The IoT architecture is a fundamental way to design the various elements of IoT, so that it can deliver services over the networks and serve the needs. In essence, IoT infrastructure and architecture consist of multiple components. Below is a list of a few of them:

Figure 3 - IoT Architecture

Source: scnsoft


Sensors:

Popularly referred to as a “thing”, this is an object equipped with sensors that gather data to be transferred over a network and actuators that allow things to act: for example, to switch a light on or off, to open or close a door, to increase or decrease engine rotation speed and more. This concept includes fridges, streetlamps, buildings, vehicles, production machinery, rehabilitation equipment and everything else imaginable.

Gateways:

Data goes from things to the cloud and vice versa through the gateways. A gateway provides connectivity between things and the cloud part of the IoT solution, enables data pre-processing and filtering before moving it to the cloud (to reduce the volume of data for detailed processing and storing), and transmits control commands going from the cloud to things. Things then execute commands using their actuators.

Data lake:

A data lake is used for storing the data generated by connected devices in its natural format. When the data is needed for meaningful insights, it is extracted from a data lake and loaded to a big data warehouse.

Big data warehouse:

Filtered and pre-processed data needed for meaningful insights is extracted from a data lake to a big data warehouse. A big data warehouse contains only cleaned, structured and matched data, in comparison to a data lake, which contains all sorts of data generated by sensors. Also, the data warehouse stores context information about things and sensors (for example, where sensors are installed) and the commands sent by control applications.

Data analytics:

Data analysts can use data from the big data warehouse to find trends and gain actionable insights. When analysed (and, in many cases, visualized in schemes, diagrams, infographics), big data show, for example, the performance of devices, help identify inefficiencies and work out the ways to improve an IoT system (make it more reliable, more customer-oriented). Also, the correlations and patterns found manually can further contribute to creating algorithms for control applications.


Machine learning and the models ML generates:

With machine learning, there is an opportunity to create more precise and more efficient models for control applications. Models are regularly updated (for example, once a week or once a month) based on the historical data accumulated in a big data warehouse. When the applicability and efficiency of new models are tested and approved by data analysts, new models are used by control applications.

Control applications:

Control applications are capable of sending automatic commands and alerts to actuators, for instance:

o Car park doors of a smart home can receive an automatic command when the car is arriving.

o Agriculture irrigation systems can start watering the plants when the soil is dry beyond a particular level.

o Preventive maintenance of industrial equipment could be performed based on proactive alerts issued by the sensors deployed in industrial equipment.

The commands sent by control apps to actuators could also be further analysed using an analytics engine, and data-driven models can be developed that could provide insights. This could provide many opportunities to analyse the data, understand the challenges, investigate problematic cases etc. For instance, commands sent by the control app which are not performed by actuators could possibly be due to issues arising at the connectivity, gateways and actuators. In addition, storage of such logs can enhance the security of the IoT system.

User applications:

These are a software component of an IoT system which enables the connection of users to an IoT system and gives the options to monitor and control their smart things (while they are connected to a network of similar things, for example, homes or cars, and controlled by a central system). With a mobile or web app, users can monitor the state of their things, send commands to control applications, and set the options of automatic behaviour (automatic notifications and actions when certain data comes from sensors). These, coupled with measures such as end-to-end encryption and ensuring the required firewalls are in place, shall ensure the security and integrity of data.

Device management:

To ensure sufficient functioning of IoT devices, it is far from enough to install them and let things go their way. There are some procedures required to manage the performance of connected devices (facilitate the interaction between devices, ensure secure data transmission and more):

o Device identification to establish the identity of the device, to be sure that it is a genuine device with trusted software transmitting reliable data.

o Configuration and control to tune devices according to the purposes of an IoT system. Some parameters need to be written once a device is installed (for example, unique device ID). Other settings might need updates (for example, the time between sending messages with data).

o Monitoring and diagnostics to ensure smooth and secure performance of every device in a network and reduce the risk of breakdowns.

o Software updates and maintenance to add functionality, fix bugs and address security vulnerabilities.

User management:

Alongside device management, it is important to provide control over the users having access to an IoT system.

User management involves identifying users, their roles, access levels and ownership in a system. It includes such options as adding and removing users, managing user settings, controlling access of various users to certain information, as well as the permission to perform certain operations within a system, controlling and recording user activities and more.

Security monitoring:

Security is one of the top concerns in the internet of things. Connected things produce huge volumes of data, which need to be securely transmitted and protected from cyber-criminals. Another side is that the things connected to the Internet can be entry points for attackers. What is more, cyber-criminals can gain access to the “brain” of the whole IoT system and take control of it.

To prevent such problems, it makes sense to log and analyse the commands sent by control applications to things, monitor the actions of users and store all these data in the cloud. With such an approach, it is possible to address security breaches at the earliest stages and take measures to reduce their influence on an IoT system (for example, block certain commands coming from control applications).

Also, it is possible to identify the patterns of suspicious behaviour, store these samples and compare them with the logs generated by an IoT system to prevent potential penetrations and minimize their impact on an IoT system.
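One way to carry out the log review described here and in the control applications passage, as an added example that is not part of the original guide: it reconciles logged commands with actuator acknowledgements and compares the command log with stored suspicious patterns. The log layout, rule names, thresholds and allow-list are assumptions, and all sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

ACK_TIMEOUT = timedelta(seconds=30)    # assumed: actuator must confirm within 30 s
BURST_LIMIT = 3                        # assumed: more than 3 commands per device ...
BURST_WINDOW = timedelta(seconds=60)   # ... within 60 s is a stored suspicious pattern

# Assumed allow-list: which control application may command which device type.
ALLOWED = {
    "irrigation-app": {"valve"},
    "parking-app": {"door"},
}

# Constructed command log: (timestamp, command id, control application, device, command)
COMMANDS = [
    ("2021-06-01T08:00:00", "c1", "irrigation-app", "valve-07", "OPEN"),
    ("2021-06-01T08:05:00", "c2", "irrigation-app", "valve-07", "CLOSE"),
    ("2021-06-01T09:00:00", "c3", "irrigation-app", "door-01", "OPEN"),
    ("2021-06-01T23:10:00", "c4", "parking-app", "door-01", "OPEN"),
    ("2021-06-01T23:10:10", "c5", "parking-app", "door-01", "CLOSE"),
    ("2021-06-01T23:10:20", "c6", "parking-app", "door-01", "OPEN"),
    ("2021-06-01T23:10:30", "c7", "parking-app", "door-01", "CLOSE"),
]

# Constructed actuator acknowledgements: (timestamp, command id, device, status)
ACKS = [
    ("2021-06-01T08:00:02", "c1", "valve-07", "DONE"),
    ("2021-06-01T08:06:30", "c2", "valve-07", "DONE"),  # arrives 90 s after the command
    ("2021-06-01T09:00:01", "c3", "door-01", "DONE"),
    ("2021-06-01T23:10:01", "c4", "door-01", "DONE"),
    ("2021-06-01T23:10:11", "c5", "door-01", "DONE"),
    ("2021-06-01T23:10:21", "c6", "door-01", "DONE"),
    # c7 was never acknowledged
]


def _ts(text):
    return datetime.fromisoformat(text)


def unexecuted(commands, acks, timeout=ACK_TIMEOUT):
    """Map command id -> reason for each command the actuator did not confirm in time."""
    acked = {cid: (_ts(ts), status) for ts, cid, _dev, status in acks}
    problems = {}
    for ts, cid, _app, _dev, _cmd in commands:
        if cid not in acked:
            problems[cid] = "no-ack"        # lost at connectivity, gateway or actuator
            continue
        when, status = acked[cid]
        if status != "DONE":
            problems[cid] = "failed"
        elif when - _ts(ts) > timeout:
            problems[cid] = "late-ack"
    return problems


def suspicious(commands):
    """Compare the command log with the stored patterns; return (command id, rule) pairs."""
    findings = []
    recent = defaultdict(deque)             # device -> timestamps inside the burst window
    for ts, cid, app, dev, _cmd in sorted(commands):
        when = _ts(ts)
        dev_type = dev.rsplit("-", 1)[0]
        if dev_type not in ALLOWED.get(app, set()):
            findings.append((cid, "unauthorised-app"))
        window = recent[dev]
        while window and when - window[0] > BURST_WINDOW:
            window.popleft()
        window.append(when)
        if len(window) > BURST_LIMIT:
            findings.append((cid, "command-burst"))
    return findings


def block_list(commands, findings):
    """(application, device) pairs whose further commands should be held for review."""
    flagged = {cid for cid, _rule in findings}
    return {(app, dev) for _t, cid, app, dev, _cmd in commands if cid in flagged}


if __name__ == "__main__":
    found = suspicious(COMMANDS)
    print("Not executed:", unexecuted(COMMANDS, ACKS))
    print("Suspicious:", found)
    print("Block:", sorted(block_list(COMMANDS, found)))
```
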


4. How has it impacted personal life?

From connected home hubs and smart thermostats to remote door locks, from smart watches to smart electronic equipment and various app-controlled appliances, IoT has already entered our everyday lives. The “sensors” are constantly collecting and transmitting information. These devices have entered all aspects of our personal lives. Below are a few such cases:

• Smart home hubs (that control lighting, home heating and cooling, etc.)

• Smart assistants (like Amazon Alexa or Apple’s Siri)

• Fitness trackers, sleep trackers, and smart scales

• Smarter homes and offices that can save energy costs, or modify the inner ambiance of a building to suit the tastes and needs of the resident

• Better security by constant surveillance and taking proactive action (such as alerting the local police) in case of a security breach

• Reminders of mundane tasks such as payment of utility bills and parking meters

• Smart automobiles that can summon assistance if required and assist in controlling vehicle speed based on traffic and environmental conditions

• Reducing traffic congestion; for example, routing cars away from an area where a major traffic accident has just occurred

• Smart city lighting that will reduce energy consumption when no one is present

• The self-driving car (powered by Artificial Intelligence) may be the ultimate IoT device, reshaping how we use and own cars. Even today, human-driven cars are using IoT for navigation, safety, and infotainment.


Figure 4 - Smart Home Infographic


5. Use cases - Personal Life

Imagine an intelligent house, programmed to save energy and make life more convenient. Alarm clocks will be synced with traffic apps; heating systems will be synced with external temperature sensors, which will be synced with cost evaluations; lighting will react as we enter a room, as might our coffee makers. With the seamless integration of light, heat and air conditioning that reacts to a person, a lot of resources could be saved. These are just a few illustrations and things can go beyond. For instance, anything a person does not eat in the fridge can be recorded so a person can examine trends and patterns.

On the other end, they are smart enough to even remind one if one has left the house without taking the keys. The car can perhaps anticipate the rider and open itself via a sensor in our phones or keys. In addition, intelligent traffic detection powered by sensors can allow the car navigation system to speak with the signals and drive through the shortest route to work or home.

Wearables, on the other end, can track much more, starting from sleeping patterns, nutritional balance, healthcare checks and check-up schedules, exercise routine, etc. At the same time, to keep one safe, sensors around the city could also alert citizens to potential dangers, including traffic accidents, proximity alerts around vehicles, bad weather, and more.

Not just that, on a tiring day from office, one can, through a mobile phone application, activate the oven, refrigerator, and the air cooling at home to ensure things are perfectly set up when one enters his/her residence. Voice assistant powered smart lights, bulbs, fans and many more devices can get activated based on one’s voice command. The above is just an illustrative case of how this has been used in our personal lives.

Figure 5 - IoT architecture example – Intelligent lighting

Source: ScienceSoft

6. How has it impacted business?

Just like how IoT has impacted our personal lives, it has also impacted the way business is done. More and more

organizations have adopted the use of various devices that utilize the great potential of IoT. IoT devices like

sensors are cost-effective and impactful, helping companies gather big data, monitor operations, predict

equipment breakdowns, and streamline operations. By gathering big data, IoT gives a bird's-eye view of business,

allowing it to become data-driven. IoT can provide greater visibility across the fulfillment process, enabling

retailers to track orders from the moment an order is placed until it reaches the consumer’s doorstep. Durable

goods manufacturers could leverage the connectivity to establish long-term relationships with consumers by

offering ancillary services like predictive maintenance and performance analytics. The number of connected

things also equates to more data from which marketers could gain insight into consumer behavior, leading to more

intuitive websites customized to the individual consumer.

On the other end, many startup companies are exploring the potential of such technology, which is increasingly being used in the innovative products and services they render. Once the business value of the IoT domain is understood, new products, services and revenue models will emerge, which will attract higher investments and therefore create jobs in the domain of IoT.

Adoption of IoT will also give rise to adoption of big data and analytics technologies that can provide insight to take meaningful decisions. The large number of devices, coupled with the high volume, velocity, and structure of IoT data, creates opportunities, especially in the areas of security, data, storage management, servers and the data center network, data analytics and Big Data. This means skills such as knowledge of business analysis, math and statistics, creative design for end user visualization, big data frameworks, programming and architecting large scalable systems and knowledge of devices used in the IoT ecosystems will be in demand in addition to understanding business specific usage patterns, customer behaviors and innovative marketing techniques.

Below are use cases where businesses can use IoT:

• Predicting hardware maintenance - Sensors embedded in machinery and hardware can provide real-time feedback about their current condition and can send alerts when they need maintenance.

• Optimizing energy consumption - Smart lighting, heaters etc. installed in factories and business organizations can determine when they are needed and effectively conserve energy when not in use. Heaters can also be used in temperature-sensitive rooms such as server rooms to ensure that no equipment damage occurs due to temperature fluctuations.

• Enhancing security - Motion sensors and cameras connected to the internet can render business premises safer and more secure than ever before.

• Consumer technology - Smartphones and tablets, personal activity trackers and other wearables, smart home appliances and smart thermostats are already widely available and in use.

• Electricity and utilities - Smart grid technology is enabling distribution intelligence and providing a two-way opportunity to send electricity back to the grid, particularly during peak usage periods. Automatic detection of outages by smart meters can lead to faster repairs. Other IoT advancements, such as the ability to schedule smart home appliances to run during lower usage periods, are helping to reduce consumers’ energy consumption.

• Oil and gas - IoT technology is helping businesses in this sector to increase efficiency through advancements in pressure, temperature, and flow rate monitoring, as well as in the measurement of handoffs, volume, and pipeline integrity. Sensors in the field can enable smart forecasting and help companies optimize well production. By becoming “digital technology companies”, oil and gas companies can further improve rig uptime and oil recovery rates, reduce oil spillage, boost employee productivity, shrink costs, and more.

• Insurance - Geospatial applications can alert drivers to potential severe weather events (e.g., hailstorms), helping them to avoid vehicle damage and the need to file an insurance claim. Environmental sensors in workplaces and other buildings and facilities are already being used to detect temperature, smoke, toxic fumes, mold, earthquake motion, and more.

• Driverless / Autonomous Cars - Autonomous cars can help reduce traffic and increase road safety. Road sensors can alert drivers of sensor-equipped cars to rain, frost, and ice. Some road sensors can also measure the amount of stagnant water, thickness of ice etc. to analyze the makeup of chemicals on the road surface that have been used for deicing, and then report back to departments of transportation so they can improve their application of those chemicals.

• Medical - Patient care is an obvious application for IoT technologies, from scheduling appointments to monitoring conditions like diabetes to ensuring the proper dosage of medicine has been administered. Medical device downtime can also be reduced through remote monitoring and support. IoT technology is already helping hospitals optimize the supply chain while reducing risk:

• Managing Inventory - Supply cabinets with built-in RFID readers with antennas can record which staff members have accessed the inventory, what they took and when. This can also reduce the need for physical verification of inventory and for reconciliation between physical stock and book records. In addition, proactive alerts can be designed to replenish stock.

• Telecom Sector - IoT can help the telecom sector in asset management and remote system monitoring. By using IoT solutions, telecom companies can connect their diverse physical assets to the cloud and remotely manage their operations, investigate malfunctions, run firmware upgrades, and keep track of inventory.

Figure 6 - IoT Impact on Business by 2020:

Source Brain & Company Research

Companies using IoT

Using IoT for predictive maintenance can reduce maintenance costs and breakdowns. Water and gas utilities are

using sensors on pipes to detect and fix leaks. For instance, GE is using sensors in airplane parts and engines to

better maintain planes and have more available to optimize utilization and minimize airline delays.

Source: yourstory.com

Apache Corporation, an oil and gas exploration company, is using IoT to help customers predict when oil pump failures will happen. Just reducing these failures by 1% for the global oil industry would add $19 Billion more output per year. Michelin is using sensors in tires to gain insight to help truck fleet managers reduce fuel consumption.

TagBox uses IoT automation and analytics as the foundation of its cold chain supply business. It helps clients create

reliable and sustainable cold chains through comprehensive solutions that use IoT, advanced analytics, as well as

automation and control, which gives real-time visibility of the entire cold chain (cold storage, cold transit, and retail

refrigeration). This helps reduce product spoilage, helps meet compliance requirements, cuts energy costs, prevents

theft and pilferage, decreases cargo insurance premiums, and optimizes transportation costs.

DeTect Technologies, an IoT start-up, focuses on asset integrity management, especially in the conventional oil and gas industry, and has built a unique, patented technology for pipeline condition monitoring in real-time using a long-range ultrasonic sensor for temperatures of up to 350 degrees Celsius. The solution helps reduce productivity losses due to a breach. The company also offers Noctua, an intelligent solution for structural health monitoring on hard-to-reach assets such as stacks, columns, pipe racks, vessels, tanks, boilers, chimneys etc., and has several Fortune 500 companies as its clients.

7. Industrial IoT

Industrial Internet of Things (IIoT) refers to the combination of IoT technology and data with manufacturing and

other industrial processes, often with the goal of increasing automation, efficiency, and productivity. This is where

IoT gets applied in practice at various industries, such as:

IIoT helps organizations leverage the power of data that their machines created over several years and use that

for real-time analytics to drive faster, more accurate business decisions.

Figure 7 - Various potential applications of Industrial IoT

01 Factory equipment, machines, and devices used in manufacturing

02 Remote Health monitoring, equipment maintenance in healthcare

03 Sensors and Supervisory Control and Data Acquisition (SCADA) systems in oil and gas production

04 Telemetry data from autonomous vehicles

Business transformation strategies around IOT

The birth of IoT has transformed businesses and led them in altogether new directions. Business models and ideas that previously existed only in fiction can now become a reality using IoT devices. An example of such a device would be Amazon’s Alexa. The concept of a virtual home assistant was only heard of in science fiction or movies until its introduction. Today Alexa has already transformed the way millions of people interact with their home appliances, and it is still in its nascent stage.

The application of IoT in the creation of new and innovative products has large-scale implications for our lives and the way we carry out day-to-day activities. IoT can also be used to revolutionize the way traditional businesses are conducted. Heavy machinery embedded with IoT can perform a large portion of its maintenance by itself and provide regular updates about its condition to the foreman or manager. This frees up the foreman’s or manager’s time and energy to focus on more important matters, thereby increasing the quality of his/her management. Along similar lines, IoT can bring great changes in the way both old and new businesses are carried out.

The power of IoT can be harnessed independently to render newer services and products, and thereby bring in newer business models or strategies surrounding them. Alternatively, it can be used to better optimize or utilize the existing processes and resources to add more value-added insights.

Figure 8 - Enablers of IoT Success

Source: Microsoft & BCG Research

8. Smart Cities

As more and more people move into cities worldwide, there is increasing demand for water and energy, and an

increased potential for disease outbreak, pollution, traffic congestion, and crime. At the same time, most of the

developed world needs to deal with an aging population. By installing sensors in every building and road, the

government can construct a 3D virtual representation of the city to perform more in-depth analysis of the everyday

challenges that the city faces.

Ever since the concept of a smart city was introduced, IoT (Internet of Things) has been considered the key

infrastructure in a smart city. While the perspective of “smart city” differs from region to region and country to

country, it is generally understood as using information and communication technologies (ICT) to solve the

various urbanisation challenges starting from lighting, parking, traffic management, housing and urban

development, waste management, sewage treatment etc. It can be described in a wide sense as the convergence

of ICT, the ecological environment, energy technologies, and support facilities within urban and residential

environments.

Figure 9 - Few of the applications of IoT in Smart Cities

Source: Internet

Overall, IoT-based smart cities use data and technology to create a more efficient and sustainable infrastructure

to manage the resources, traffic flow, population behavior, develop the local economy, and improve the quality

of life of residents. Smart cities will be able to deliver many benefits including:

• Reducing traffic congestion; for example, routing cars away from an area where a major traffic accident has just occurred.

• An ambulance can go through the streets sounding an alarm which stops all other traffic by changing the traffic lights. Additionally, a nearby connected hospital will be standing by to expect the arrival of the patient.

• Smart parking can reduce a great deal of driving time and fuel while searching for a parking space during busy times.

• Smart city lighting will reduce energy consumption when no one is present.

• Smart buildings can be stand-alone projects or part of a smart city, in which energy can be monitored during peak usage hours to minimize brownouts.

• Early warning systems can be installed in a smart city so when major accidents, earthquakes, or storms occur, the nearby first responders, police and hospitals can be informed all at the same time.

• Better waste and sewage management

• IoT can provide sensors that collect information that can be used to predict maintenance needs before such devastating events occur.

9. IOT in the domain of finance

The Financial Services Industry, being a data-driven industry offering intangible products, may not see a lot of direct impact from IoT, in contrast to, say, the retail industry. However, the indirect impact, say in the form of data from IoT devices being used to improve financial products and services, will be far-reaching.

IoT leads to a much more intense customer relationship, as it allows businesses to develop value-added services on top of their strategies. IoT as part of a data strategy can do the following:

• Delivery of new innovative products and services (personalization by the IoT delivered data)

• Fine-tuning of Risk Management (e.g., improvement of fraud detection or improved quality checks and follow-up of credit collaterals)

• Improve the sales process of existing products (e.g., identification of cross-sell opportunities, more personalized contextual messages) and the customer relationship (e.g., churn detection, more accurate customer segmentation)

• Execute payments, i.e., devices executing automated payments

• Identification and authentication, i.e., use IoT devices to identify and authenticate a person more accurately

• Improved Decision-Making to get data for various types of risk assessment including credit, underwriting etc.

• Real-time Data Gathering is possible, with continuous data gathering enabled by IoT tools, attending to the customers’ needs and requirements. IoT lets companies access real-time databases thus allowing them to render services instantly.

• Seamless Communication between Financial Devices with a wide range of applications. Leveraging IoT can enable automated cashless payments, offer financial advice to the customers based on their spending habits etc.

• Smart IoT devices help the companies in rendering better security to their branches. By installing IoT driven devices such as cameras, motion sensors and connecting them to the Internet, banking and financial companies can prevent money losses.

An interconnected network of IoT devices allows the finance function to automate important business processes.

Specialized IoT applications help banking and financial institutions in automating financial requests handling,

transfer of ownership of a specific asset and other processes.

10. How has it impacted audit?

As the IoT will change the sources of transactional data flowing into billing, enterprise resource planning, and

accounting systems, it will alter the way audits of these transactions are carried out. Auditors must still ensure

that transactions are properly monitored and controlled, but the methods and internal control design are changing.

Instead of going to the bookkeeper for client information, for instance, auditors will automatically receive data

from a digital system. Because the IoT provides real-time visibility into transactions, controls, and exposures in

processing systems, it will increase the need for continuous auditing. It will also allow for greater visibility into

risks, making for quicker assessment and remediation, and will require real-time interactions with management

throughout the year. If a sensor sends a warning or error message in real time, companies and their auditors can

respond immediately.

The IoT will also bring auditors new opportunities for client service in the areas of business process design and

data analysis. Clients will need auditors to help set up accounting and recording systems, such as dashboards that

aggregate data received from the IoT.

The following are a few considerations for auditors:

• With IoT assisted accounting, CAs would be able to automatically receive all associated data through a digital system, which could help CAs gain access to real-time transactional data, along with many controls and exposures in the existing operations, increasing the need for continuous auditing processes. This will also allow a wider and more comprehensible risk evaluation, which will help to quicken issue assessment and remediation. It will also offer real-time management which will enable businesses and CAs alike to respond to issues immediately.

• IoT makes it easier for organizations to keep tabs on their resources, in relation to Inventory and Assets, and that has direct implications for the accountants who are responsible for overseeing the budget and its relation to assets.

• IoT also helps in reducing the time lapse between an event and its recording, for more timely decision making and facilitating assessment of process-driven activities.

• With IoT in place, there would be more data, more action, more observation, and reduction of immediate direct human impact.

• Technologies such as drones can help gather evidence to support assertions and perform audits much faster, in fact in real time. This could be used for physical verification of inventory, assessing mines and quarries, etc.

• IoT based automation and intelligent systems can ensure that the presence of personnel is detected and their physical appearance checked to confirm that the worker has taken the required safety measures. Every check conducted leaves an audit trail, and if exceptions are found, alarms are raised with evidence. Also, once the situation is corrected, the issue or alarm raised can be closed. There may no longer be a need for any separate evidence of compliance, as compliance is ensured automatically.

• IoT cloud-based workplace and process enhancements will lead to ground-breaking transformations. The workplace is now touted to be a common place for humans and robots to work together. The raw materials needed are demanded or pulled from the repositories or warehouses based on the jobs at hand and planned for the day. The raw materials are automatically routed to the place of work. Every step forward in the workflow is detected or communicated, to get additional inputs and take the outputs to the next step in the process. This kind of self-managed factory setup will have all the statistics and logs around the process already created and available.

• Quality will hardly need any sample checks as all the items will go through a compulsory test. Every item would have its own set of quality requirements embedded and would reach out to instruments which can verify a specific parameter; thus, each product would have its size verified by a machine, based on the specifications embedded.

• Documentation is one thing that may be solved on its own, since the workflow or process maps used for automation are themselves good enough documentation. Also, the need for documentation for instructional purposes is reduced, since it is the IoT data which drives the processes.

Use cases in Audit

The implementation of IoT devices can greatly facilitate the process of audit. Using the various IoT devices that

are available, an auditor can perform previously mundane and repetitive tasks with greater ease and flexibility.

For example, cash registers linked to the internet can provide real time data about the quantity and amount of

sales that take place within an organization regardless of its size. Such facilities enhance the capabilities of

auditors and allow them to deal with data of previously unfathomable quantities.

IoT provides the auditors with a plethora of information that was previously unavailable, in order to give a clearer picture of the organization and its current situation. Auditors can monitor the condition of inventory and physical assets that are IoT embedded in order to accurately determine their worth and condition. Along similar lines, IoT greatly simplifies the work of an auditor either by making previously difficult to obtain information easily available or by making available entirely new information altogether.

• Security - IoT based automation and intelligent systems can ensure that the presence of personnel is detected and their physical appearance checked to confirm that the worker has taken the required safety measures. Every check conducted leaves an audit trail, and if exceptions are found, alarms are raised with evidence. Also, once the situation is corrected, the issue or alarm raised can be closed. There may no longer be a need for any separate evidence of compliance, as compliance is ensured automatically and all evidence is collected.

• Operational - IoT cloud-based workplace and process enhancements will lead to groundbreaking transformations. The workplace is now touted to be a common place for humans and robots to work together. The raw materials needed are demanded or pulled from the repositories or warehouses based on the jobs at hand and planned for the day. The raw materials are automatically routed to the place of work. Every step forward in the workflow is detected or communicated, to get additional inputs and take the outputs to the next step in the process. This kind of self-managed factory setup will have all the statistics and logs around the process already created and available, and there is no need to present any evidence as it is all over the place.

• Quality - Quality will now hardly need any sample checks as all the items will go through a compulsory test. Every item would have its own set of quality requirements embedded and would reach out to instruments which can verify a specific parameter; thus, each product would have its size verified by a machine, based on the specifications embedded. The product would get each of its parameters auto-verified.

• Drone Technology - IoT powered drones can be used to audit places which are hard to reach or difficult to cover within the limited time. With advanced technologies such as artificial intelligence and data analytics, drones can be used for a variety of tasks in the audit. The images captured by the drone are subsequently converted into analysable data with the help of machine learning and image recognition protocols.

Risks involved in IOT

Although IoT can result in financial, health and safety, and quality-of-life benefits, IoT can also introduce new

risk. Any new technology, process or business method can increase risk, but IoT, because of its pervasiveness,

has the potential to increase risk significantly. Risk scenarios differ between enterprises that manufacture and sell

communication capable embedded systems and enterprises that are users of these devices. IoT may pose the following categories of risk:

Business risk

• Health and safety

• Regulatory Compliance

• User privacy

• Unexpected costs

Operational risk

• Inappropriate access to functionality

• Shadow usage

• Performance

Technical risk

• Device vulnerabilities

• Device updates

• Device management

11. OWASP Top 10 IoT Risks

The Open Web Application Security Project® (OWASP) is a non-profit foundation that works to improve the

security of software. Through community-led open-source software projects, hundreds of local chapters

worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP

Foundation is the source for developers and technologists to secure the web. The Open Web Application Security

Project (OWASP) has released a Top 10 IoT vulnerabilities list, which is detailed below:

1. Weak, Guessable, or Hardcoded Passwords

Use of easily brute forced, publicly available, or unchangeable credentials, including backdoors in firmware or

client software that grants unauthorized access to deployed systems.

2. Insecure Network Services

Unnecessary or insecure network services running on the device itself, especially those exposed to the internet,

that compromise the confidentiality, integrity/authenticity, or availability of information or allow unauthorized

remote control.

3. Insecure Ecosystem Interfaces

Insecure web, backend API, cloud, or mobile interfaces in the ecosystem outside of the device that allow compromise of the device or its related components. Common issues include a lack of authentication/authorization, lacking or weak encryption, and a lack of input and output filtering.

4. Lack of Secure Update Mechanism

Lack of ability to securely update the device. This includes lack of firmware validation on device, lack of secure

delivery (unencrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of security changes

due to updates.

5. Use of Insecure or Outdated Components

Use of deprecated or insecure software components/libraries that could allow the device to be compromised. This

includes insecure customization of operating system platforms, and the use of third-party software or hardware

components from a compromised supply chain.

6. Insufficient Privacy Protection

User’s personal information stored on the device or in the ecosystem that is used insecurely, improperly, or without permission.

7. Insecure Data Transfer and Storage

Lack of encryption or access control of sensitive data anywhere within the ecosystem, including at rest, in transit,

or during processing.

8. Lack of Management

Lack of security support on devices deployed in production, including asset management, update management,

secure decommissioning, systems monitoring, and response capabilities.

9. Insecure Default Setting

Devices or systems shipped with insecure default settings or lacking the ability to make the system more secure by

restricting operators from modifying configurations.

10. Lack of Physical Hardening

Lack of physical hardening measures, allowing potential attackers to gain sensitive information that can help in a

future remote attack or take local control of the device.
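
The checks named in item 4 (firmware validation on the device and anti-rollback) can be combined into one device-side acceptance routine. This is an added example, not part of the guide or of OWASP's material: the package layout, `DEVICE_KEY` and the function names are hypothetical, and an HMAC over the manifest stands in for the vendor signature that a real device would verify with a public key.

```python
import hashlib
import hmac
import json

# Constructed demo key. Assumption: a shared MAC key stands in for the vendor's
# asymmetric signing key so the example runs with the standard library only.
DEVICE_KEY = b"constructed-demo-key"


class UpdateRejected(Exception):
    """Raised when an update package fails any acceptance check."""


def _mac(manifest: dict, key: bytes) -> str:
    # Canonical JSON so signer and verifier authenticate identical bytes.
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_update(image: bytes, version: int, key: bytes) -> dict:
    """Vendor side (hypothetical package layout): manifest + MAC + image."""
    manifest = {
        "version": version,
        "size": len(image),
        "sha256": hashlib.sha256(image).hexdigest(),
    }
    return {"manifest": manifest, "mac": _mac(manifest, key), "image": image}


def verify_update(update: dict, installed_version: int, key: bytes) -> int:
    """Device side: return the version to install, or raise UpdateRejected."""
    manifest = update.get("manifest")
    mac = update.get("mac")
    image = update.get("image")
    if not (isinstance(manifest, dict) and isinstance(mac, str)
            and isinstance(image, bytes)):
        raise UpdateRejected("malformed package")

    # 1. Authenticate the manifest before trusting any field inside it.
    if not hmac.compare_digest(_mac(manifest, key).encode(), mac.encode()):
        raise UpdateRejected("manifest authentication failed")

    # 2. Firmware validation: bind the image bytes to the authenticated manifest.
    if len(image) != manifest.get("size"):
        raise UpdateRejected("image size mismatch")
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest.encode(), str(manifest.get("sha256")).encode()):
        raise UpdateRejected("image digest mismatch")

    # 3. Anti-rollback: a validly authenticated but older (or identical) release
    #    must not replace the installed one, or fixed flaws could be restored.
    version = manifest.get("version")
    if not isinstance(version, int) or version <= installed_version:
        raise UpdateRejected("rollback or replay of an old version")
    return version


def try_update(update: dict, installed_version: int, key: bytes = DEVICE_KEY) -> str:
    """Convenience wrapper returning the decision as a string."""
    try:
        return "accepted:%d" % verify_update(update, installed_version, key)
    except UpdateRejected as exc:
        return "rejected:%s" % exc


if __name__ == "__main__":
    # Constructed sample packages; the device currently runs version 6.
    v7 = build_update(b"constructed firmware image v7", 7, DEVICE_KEY)
    v5 = build_update(b"constructed firmware image v5", 5, DEVICE_KEY)
    patched = dict(v7, image=b"X" + v7["image"][1:])               # image altered in transit
    forged = dict(v5, manifest=dict(v5["manifest"], version=9))    # version bumped, MAC stale
    for name, pkg in [("new", v7), ("old", v5), ("patched", patched), ("forged", forged)]:
        print(name, "->", try_update(pkg, installed_version=6))
```

The installed version used for the comparison has to live in storage the update itself cannot rewrite, otherwise the anti-rollback check can be reset along with the firmware.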

12. Privacy Issues / concerns

These systems are designed to protect the home and its inhabitants but can be vulnerable to wireless attacks that

violate privacy and security. Video baby monitors are often placed in a child’s bedroom, so that parents can check

on the child remotely, from almost anywhere. These monitors can broadcast to TVs, handheld receivers or

wirelessly to PCs or smartphones. Many incidents of intruders hacking into Internet-enabled video baby monitors

have been reported. Most monitors have security features, but parents are responsible for enabling these features

and setting a password. In 2009, an Illinois man sued a baby monitoring system manufacturer after discovering

that a neighbor, using the same system, could see into the baby’s room.

Not only human agents, i.e., attackers, can bring about these health and safety impacts; for example, malware can

infect a system with a critical safety role, such as a navigation system in an airplane, an automobile

braking system, or a smoke sensor.

In addition to health and safety risk, regulatory risk is also possible. Regulatory concerns can occur when embedded computing components:

• Process potentially sensitive data (e.g., PoS systems that process payment information)

• Intersect with regulatory-governed business processes (e.g., financial reporting for public companies or patient care in a clinical environment)

• Impact critical infrastructure (e.g., power, and industrial control systems)

Regulatory mandates often apply to the communication enabled devices in the previous examples and others. If regulatory mandates apply, the complexity of the regulated environment can be compounded because of devices of this type. For example, a PoS system in a retail location may be built to conform to payment card industry (PCI) requirements, but a smoke detector on the same network may not conform; or a magnetic resonance imaging (MRI) machine may be built to comply with the Health Insurance Portability and Accountability Act (HIPAA) technical requirements, but the thermostat in an operating theatre may not comply.

Devices that process the personal, private, or potentially sensitive information of customers (e.g., imaging equipment in a healthcare context) have the potential to impact user privacy. Like compliance challenges, privacy impacts should be evaluated prior to deployment.

The following aspects of data should all be considered:

• Data Collection - Understand the data that is being collected; some data is clearly more sensitive than other data. Unique identifiers, such as uniquely personal information, increase the risk profile.

• Data Ownership - Understand who owns the data once it is gathered. Determining data ownership is often not straightforward; a starting point might be with the question “Who is the entity/individual who would answer to ramifications of data disclosure, were it to occur?”

• Custodial Responsibility - In many cases, the data owner is not responsible for safeguarding the data but is ultimately responsible for any exposures. Programs to identify and monitor third-party providers who manage sensitive data are critical on several fronts, including the IoT.

• Data Retention and Disclosure - Retention standards for IoT-type data may not be considered or may be considered differently than for other types of data. Processes around the disclosure of data, even, or especially, to law enforcement, are a hot topic. Mobile phones often serve as a hub for interconnected devices, and contain a treasure trove of data, including locations, call logs, search results, etc. Clear policies in that regard can help avoid ambiguity and lawsuits.

Governance Risk and Compliance (GRC) issues with IoT

The risk of an insecure IoT device depends on the domain in which it is operated and the jurisdiction in which it operates. For example, privacy is most at risk when the device handles protected health information (PHI), whereas in an industrial setup it is the infrastructure or services that are at risk. The geography of where the IoT device operates also matters because the legal and regulatory bindings can differ from place to place. The governance of IoT devices needs to be handled separately, but under the IT governance umbrella. The four critical success factors that contribute to an effective IoT project are an efficient IoT project management team, a project stakeholder who has the authority to drive the IoT project, data and telecommunication infrastructure to support IoT, and subject matter experts to maintain high data quality and address integration issues.

At a project-management level, the eight steps that can help enterprises to put in place a sustainable IoT security program are:

• Identify information

• Evaluate IoT access risk

• Formulate a big data strategy to manage the vast amount of IoT data generated

• Devise policies for privacy of sensor data

• Protect IoT devices

• Prioritize the devices

• Evaluate data loss risk

• Perform IoT incident response planning

IoT solutions are complex. The integration of connected devices and IT services poses major challenges in

networking, communication, data volume, real-time data analysis, and security. IoT solutions involve many

different technologies and require complex development cycles, including significant testing and ongoing

monitoring.

To overcome these challenges, IT organizations must:

• Define IoT governance processes and policies

• Develop required skills to design, develop, and deploy the solution

• Develop a reference architecture for their IoT solution

• Develop a comprehensive technical strategy to address the complexity

IoT solution governance can be viewed as the application of business governance, IT governance, and enterprise

architecture (EA) governance. In effect, IoT governance is an extension to IT governance, where IoT governance

is specifically focused on the lifecycle of IoT devices, data managed by the IoT solution, and IoT applications in

an organization’s IT landscape. IoT governance defines the changes to IT governance to ensure the concepts and

principles for its distributed architecture are managed appropriately and can deliver on the stated business goals.

13. Auditing IoT

It must be acknowledged that IoT systems are subject to numerous risks alongside the benefits they offer. Failure to understand these risks, the environment in which the systems operate, or the applicable controls can lead to disaster for the organization. Furthermore, given the rapid development and advancement of the IoT, the associated risks and controls are also changing and evolving rapidly. Auditors need to stay abreast of IoT developments and advancements to be able to assess the risks and controls in their organization.

The first step for auditors is conducting a risk assessment of the IoT in use in their organization. Specific risks

will depend on the nature of the IoT systems the organization has deployed and the overall business process they

support. However, these key aspects would help in assessing the risks better:

Security: IoT systems are connected to the Internet, so they are prone to attacks from cyber criminals and

hacktivists. Among other information security audit procedures, IT auditors should perform a vulnerability

assessment of such devices and consider conducting penetration tests on those systems periodically. Results of

these procedures should be used to strengthen the security of IoT systems, where necessary. Auditors should

carefully consider where third parties are involved to support IoT systems and assess whether third parties have

adequate security controls in place to protect data residing in IoT systems. Furthermore, they should assess the

adequacy of the encryption IoT systems use for communication.

Resilience: IoT systems may support a business process that is critical or time-bound, such as the delivery of

perishable goods. IT auditors should assess whether controls are in place to recover IoT systems in the event of a

failure. Auditors should determine whether management understands the potential business impact of an IoT

system outage and whether appropriate and adequate policies, procedures, and processes are in place to recover

affected business processes in a timely manner in the event of an outage or disaster.

Health and Safety: Many of today's IoT systems can pose a serious threat to human life and safety. Examples

include implantable biomedical devices, such as pacemakers and defibrillators, and assembly line robots at a

manufacturing facility. An important area internal auditors should assess is whether such IoT systems have

undergone sufficient testing using appropriate test cases before being deployed into production. Furthermore,

controls should be in place to ensure adequate testing is performed before upgrades, patches, and changes are

made to IoT systems where health and safety is a significant risk.

Monitoring: Like any other system, controls should be in place to monitor whether IoT systems are functioning

as intended. Internal auditors should assess whether adequate monitoring controls are in place and whether all

such controls have been operating effectively over time. Furthermore, auditors should assess whether exceptions

and failures that occur are logged appropriately and resolutions to incidents are recorded in a timely manner. Auditors also

should assess whether management has a process that takes recurring incidents into account and analyzes their

root causes.

Scoping of IoT systems: Because many vendor-provided IoT systems can be simple to implement, some systems

may be deployed by business units without the IT department's involvement. For example, fire detection systems

in enterprise facilities may have IoT capability that the IT department does not know about and risk management

professionals and internal auditors may not notice. Auditors should be vigilant to see where and when IoT systems

are deployed by different departments at the organization and prioritize IoT systems audits according to their

criticality and sensitivity.

Risk Assessment during Audit

The auditor may want to assess the risks in using IoT and may consider using the indicative template below for a risk assessment of the investment made by the organization in the IoT device under consideration:

| IoT Device | Impact of Device being compromised | Financial Impact | Impact to Reputation | Impact on Operations | Category of Impact |
|---|---|---|---|---|---|
| IoT enabled device XYZ | Direct impact: Loss of productivity. Indirect or hidden impacts: Customer complaints; Malware attacks | a. Above INR 50 crore | Need to withdraw products or services; Breach of regulation | Products and outputs are questioned and suspected | High / Disastrous |
| | | b. INR 10 to 50 crore | Loss of customer trust | Crisis management to be in place | Medium / Disruption |
| | | c. Less than INR 10 crores | May require time to fix the issue | Beyond normal business disruption | Low / damaging |

14. Audit Challenges

Even though the introduction of IoT has brought great advantages to the field of audit, it has also brought in some limitations:

A. Creation of new risks

The implementation of IoT has brought about the creation of risks that did not exist in the previous regime. Data security and integrity have become a luxury and something that needs continuous attention.

B. Need to develop new skills

With the introduction of IoT and other related technologies, it has become clear that auditors need to continuously update their skill sets to remain relevant and competent.

C. Existence of unknown risks

IoT, being a very new phase in the technological revolution, has provided great opportunities but has also created many vulnerabilities. A large portion of these vulnerabilities may still be unknown and could surface as this technology becomes more widespread.

D. Acceptability of evidence

The introduction of IoT has made available a whole new set of information. It is the duty of the auditor to determine which of this information is acceptable and which is not. Care must be taken not to accept questionable information, so as not to impede the integrity of the audit.

15. Future of IoT

The range of potential IoT applications is "limited only by the human imagination" - and many of these

applications can benefit the planet, as well as its people. The IoT is not just a “What if?” scenario for the future; it

is already here and growing every day. Internal auditors need to be on the front lines along with management,

helping them prepare the organization to meet new challenges and risks resulting from this wave of disruptive

technological change. The good news is that many of the strategies for managing the challenge of the IoT already

exist and are deployed in managing other security and operational activities of the organization. The main

difference for internal audit may be in the reporting/aggregation of risks because of the volume and geographic

dispersion of the IoT.

With that in mind, internal audit, in collaboration with the business, should seek to answer these questions to

develop a better understanding of the IoT, and raise awareness throughout the organization about its potential

opportunities and risks:

How is the IoT deployed in our organization today? Who owns it, or its components? What is the potential

IoT inventory in the organization? For example, is IoT technology part of the products that the business sells,

is it installed internally to manage processes, or are third-party vendors deploying IoT technology within

the company’s solutions?

Have we considered the risks associated with our IoT presence? Have those risks been quantified or

controlled? Is the business actively including its IoT inventory in broader risk assessments? Does the business

consider the IoT when applying data and privacy policies and practices and evaluating security?

Do we know what data is collected, stored, and analyzed? Have we assessed related potential legal, privacy

and security implications? For example, if IoT technology is within the company’s solution offerings, is the

business certain that it follows customers’ agreements about disclosing the potential capture and sharing of

information?

Do we have contingency plans for internet connected things that are hijacked or modified for unintended

purposes? Has the business evaluated the use of IoT technology in its processes, and what the potential impact

would be if something were, or had to be, taken offline? Is the IoT considered in business

continuity management plans? And if the IoT is that important to the business, what procedures are in place

for recovery in the event of a catastrophic failure?

To what extent are third parties acting on our behalf with regard to IoT technology? Do we have appropriate

processes and service-level agreements (SLAs) in place to monitor them appropriately? As we continue to

push out our business processes to other service providers, are those providers using IoT technologies on our

behalf? If so, are we monitoring their usage? Are we aware of any components from an IoT perspective that

they may have added? Also, are we monitoring the data that we are capturing and delivering through

our third-party service providers?

What role does the IoT play in our current strategy as an organization? How are we measuring achievement

related to any goals associated with our strategic objectives? Do we have an IoT strategy? Has the board

evaluated the potential impact of the IoT to the business? What about our competitors? Where do they stand?

What is the risk of not considering or leveraging IoT possibilities? What is the risk if we ignore the IoT?

What if we do not take full advantage of data analytics capabilities in the IoT? Do we risk not meeting our

strategic objectives simply because we failed to recognize the evolution of a disrupted landscape? That last

question is particularly important for internal auditors and their organizations to answer. Different businesses

use, benefit from or are affected by the IoT in different ways. To ensure they are meeting their responsibilities,

internal auditors must evaluate not only the risks posed by the IoT, but also the risk of failing to act to take

advantage of the IoT, in the context of the business, its competitors and its industry.

IoT Standards for Risk Management and Mitigation may soon be in the pipeline, which could address the common risks and establish a governance framework to mitigate them.

16. IoT Professional Opportunities

IoT will bring CAs new opportunities for client service in the areas of business process design and data analysis. Clients will need CAs to help set up accounting and recording systems, such as dashboards that aggregate data received from the IoT.

CAs may also be hired to provide opinions on the security of the IoT. Consumers and industry want assurance

that information and systems will be private. When the IoT takes off, CAs will be asked to give their professional

opinions on the systems that third parties rely on, unlike today where we are only asked for assurance in special

circumstances. Further, the need for independent audits on the technology and infrastructure may increase in the

near future.

IoT will change the sources of transactional data that flow into various accounting systems. This means that there

will be a larger influx of data that will need to be incorporated into reporting systems. Most of this data will also

be supplied in real-time and will be displayed on dashboards that aid in decision making and planning. This will

pave the way for more automation tools to help process and analyse the data.

The role of the accountant has shifted from providing manual services to expert advice on financial matters, like

tax planning, financial management, and analysis. IoT will put accountants in a stronger position to provide advice

by making client financials and financial activity increasingly visible. This data can help practitioners get a better

understanding of a client and, as a result, offer better advice.

Because the IoT provides real-time visibility into transactions, controls, and exposures in processing systems, it

will increase the need for continuous auditing. It will also allow for greater visibility into risks, making for

quicker assessment and remediation, and will require real-time interactions with management throughout the year.

This means that auditors need not only functional expertise in the process but also a deep understanding of technology, to assist in auditing these applications and infrastructure within the pre-defined audit scope. In parallel, auditors will have to equip themselves with the skill sets to upgrade their knowledge of these technologies and understand the key risks.

Below is a list of a few of the opportunities available:

a. Evaluating problem statements and assessing how IoT can solve them

b. Assisting in Functional Design of IoT Systems and Architecture

c. Performing risk assessment of IoT systems

d. Assessing and addressing the privacy challenges and concerns of IoT

e. Giving an independent opinion on the entire IoT infrastructure

f. Assessing and testing the effectiveness of the controls

g. Preparing dashboards, KPIs and KRAs using results obtained from IoT

h. Analysing data on real time basis to provide management insights

i. Performing real time audits to give an assurance to the stakeholders

17. References

• ISACA Publications: https://transformingaudit.isaca.org/iot

• https://www.scnsoft.com/blog/iot-architecture-in-a-nutshell-and-how-it-works

• Protiviti Report on The Internet of Things: What Is It and Why Should Internal Audit Care?

• https://www.engineering.com/IOT/ArticleID/18533/How-IoT-Will-Change-Our-Lives.aspx

• https://www.ics.ie/news/view/1729

• https://india.theiet.org/

• http://www3.weforum.org/docs/WEF_The_State_of_the_Connected_World_2020.pdf

Annexure A - Case Studies

Source: The IET India

Below are a few illustrative case studies on the impact of deploying IoT to solve the business challenges across

different sectors in India.

a. Smart Farming (Precision Agriculture)

Background:

Farmers in the Pune region of Maharashtra, India, want to increase the quality of yield at a reduced cost while also having insight into irrigation, weather, and crop-related pests and diseases. The major challenges faced by the farmers include:

• Farmers do not have a clear understanding of the soil moisture, leading to loss of crops

• Lack of insight on weather patterns and forecasts creates issues for the planning of crops and seasonal impacts

• Farmers are unable to assess if pests and diseases have started to spoil their crops, causing loss in yield and revenue.

Solution:

An IoT-powered solution was used to solve this challenge and assist in the below manner:

• An IoT system was deployed to monitor crop-related conditions

• The platform integrated sensors, cameras, and drones. Sensors were also deployed to monitor the temperature, humidity and leaf wetness, and to send alerts on soil moisture and weather forecast to the farmers on their phones.

• Transmission of data was also made via a Wireless Mesh Network to measure real-time data of the climatological and other environmental properties.

• The solution reduced the input cost by 20%. The yield increased by 10% to 25%.

The below figure gives a few illustrative analytics which were provided to the end customer as part of the

Solution:

b. Smart Cold Chain Solution

Background:

An e-commerce aggregator wanted to ensure compliance

with cold chain SOPs and guarantee quality of products

at delivery. They also wanted to have location visibility

of cold boxes for inventory management. The below

were the challenges they were subject to:

• Unable to determine if on-field staff are

following passive-cooling SOPs while packing

boxes.

• Quality of cold chain products, like dairy and

meat, is not consistent due to temperature

excursions.

• Cold Boxes are misplaced leading to order

fulfilment issues and missing assets

Solution:

The IoT solution adopted by the aggregator was able to

assist in the following:

• Deployment of temperature sensors and a

barcode for each cold box

• Integration done with customer’s ERP system to capture order level temperature data in an analytics platform.

• Mobile to mobile Cellular and/or Wi-Fi

gateways were installed at customer

warehouses providing the connectivity for data

transmission from the sensors to the cloud.

• Mobile App was provided to the delivery

persons enabling real-time monitoring of

temperature during last mile delivery

• The solution had a 30% reduction in product

spoilage and 80% decrease in cold box loss.

c. Smart Parking

Background:

Smart city authorities wanted to reduce traffic congestion at intersections where vehicles were illegally parked. They wanted to send automatic notifications to the police in real time when a vehicle parked in a “No Parking” zone. The following were the challenges faced:

• Police were unable to physically monitor illegal parking at all times

• Parking ticket issuance was not tracked properly

• Existing illegal parking solutions were not working to their fullest, or the ROI was not clear

Solution:

The IoT solution adopted by the authorities was able to assist in the below manner:

• In-ground IoT parking sensors were installed to detect vehicle presence

• An IoT Gateway was used to send data to the Cloud as and when data was received.

• Police receive real-time parking status updates and notifications via mobile app

• Smart city authorities were able to have immediate insight on illegal parking activities

• Traffic congestion improved over time

• The solution had around 30% return on the investment deployed.

The Institute of Chartered Accountants of India

Composition of Digital Accounting and Assurance Board 2021-22

Council Members

Chairman

CA. Manu Agrawal

Vice-Chairman

CA. Dayaniwas Sharma

CA. Nihar N Jambusaria, President

(Ex-Officio)

CA.(Dr.) Debashis Mitra, Vice

President (Ex-Officio)

CA. Anil S Bhandari

CA. Nandkishore C Hegde

CA. Dheeraj Kumar Khandelwal

CA. Durgesh Kumar Kabra

CA. Aniket S Talati

CA. G Sekar

CA. Rajendra Kumar P

CA. M P Vijay Kumar

CA. Ranjeet Kumar Agarwal

CA. Prakash Sharma

Shri Sunil Kanoria

Shri Chandra Wadhwa

CA. Kemisha Soni

CA. Satish Kumar Gupta

CA. Atul Kumar Gupta

CA. Pramod Jain

CA. Rajesh Sharma

Co-opted Members

CA. Deepak Kumar

CA Bhakti Dalbhide

CA. Beldi Sridhar

CA. Kunal Kumar Ghelani

CA. Payal Agarwal

CA. Gelli Dayakar

CA. Nikunj Shah

Special Invitees

CA. Aditya Maheshwari

CA. Sanjib Sanghi

CA. Harshita Choudhary

CA. Ashish Bansal

CA. Dhruv Seth

CA. Vipin Verma

CA. Abhishek Pruthi

Secretary, DAAB

CA. Amit Gupta

DIGITAL ACCOUNTING AND ASSURANCE BOARD THE

INSTITUTE OF CHARTERED ACCOUNTANTS OF INDIA

(SET UP BY ACT OF PARLIAMENT)

ICAI Bhawan, Hostel Block, 7th Floor A-29,

Sector-62, Noida - 2013 09 INDIA

Tel (Direct) +91-120-3045 961 / 992 / 963

www.icai.org