IT Audit How to conduct an IT audit for a mobile environment (Part 1. Understanding IT risks in a mobile environment)
23-03-07
본문
Some enterprises have gone mobile with some of their systems, making corporate information accessible on mobile.
But unless you're just adding simple viewing permissions to this information on mobile, you may want to consider whether there are risks that could affect the accuracy and completeness of your data on mobile.
In this article, we'll take a look at when you should audit your mobile applications or systems and what you need to do to do it successfully.
When is it necessary to IT Audit a mobile application or system?
There are two main instances when you should audit a mobile application or system.
1) When mobile allows users to enter or modify data that could impact the financial statements.
- In this context, data that can impact financial statements means data that goes beyond the scope of work performed by finance or accounting and is produced by a wide range of company-wide departments, such as sales. This is important because errors in financial data can result in inaccurate financial statements, which can have legal implications.
2) Areas performed as part of internal controls are performed on mobile
- Internal controls are ultimately aimed at transparency in financial statements, but when they are performed on mobile, vulnerabilities such as security on mobile can lead to errors in financial statements.
It's not uncommon for mobile environments to be included in the scope of an IT Audit.
If you're in-charge of conducting an IT Audit of these environments, you may find that people below you are looking to you for help. Or maybe you're stumped yourself.
In order to design controls for how to audit in this unique situation, it's important to understand the IT risks that mobile can present.
1. Risk of unauthorized access and exfiltration of data:
In systems developed on mobile, there is a risk of data leakage due to loss or theft of mobile devices.
2. Malware and hacking risks:
Security vulnerabilities can be found in mobile operating systems, and illegally downloaded apps can be installed. In these environments, there is a risk of infiltration or hacking through backdoors or malware.
3. Social engineering risk:
Mobile devices can also carry phishing risks, such as fraudulent messages or links that utilize social engineering techniques via text or email. This can lead to users downloading malware, gaining access to company systems, entering personal information, etc.
Designing controls in the unique context of auditing mobile environments requires the IT auditor to use their professional judgment to design controls based on the risk management strategy. IT audit frameworks can provide guidance in designing controls.
Examples include ISACA's COBIT framework and the NIST framework.
While it's good to know as much as possible, let's get to the nitty-gritty so you can get started in the least amount of time.
1. Make sure your organization has assessed the IT risks of mobile and has a plan in place to address them.
2. Ensure controls exist to collect, analyze, and monitor log data from mobile.
3. verify that the number of people authorized to work on mobile is considered to be the minimum number of employees due to the special circumstances that necessitate the need to work on mobile.
4. apply encryption technology when entering, modifying, or deleting data by performing work on mobile.
Now that you have an understanding of the IT risks of mobile, let's get more practical in the next article.