IT Audit: How to Conduct an IT Audit for a Mobile Environment (Part 2: Guidelines for Conducting an IT Audit of the Mobile Environment)

23-03-08


Before we get into how to perform an IT audit of your mobile environment, I'd like to remind you to read the previous article if you haven't already. 

Link: http://tokenterrace.com/eng/200 


In the previous article, I mentioned that a mobile device falls within the scope of an IT audit when it supports a business process that could affect the financial statements.


Building on that, the following are the typical IT risks that arise in a mobile environment, together with the internal controls a company should design for each.


1. Risk of unauthorized access and leakage of data


In systems built around mobile devices, there is a risk of data leakage when a device is lost or stolen. To prevent this, security measures such as access control and data encryption must be established.


2. Malware and hacking risks 


Security vulnerabilities are sometimes found in mobile operating systems, and there is a risk of malware or hacking that exploits them. To prevent this, you must establish security measures such as patching vulnerabilities and introducing security solutions.


3. Risk of installing illegal programs 


Illegally downloaded apps can be installed on mobile devices. Such apps may contain backdoors or malware through which the corporate system can be infiltrated. To prevent this, you need to establish a security policy for mobile devices and educate users.


4. Social engineering risks 


Mobile devices may receive fraudulent messages or links delivered by text message or email that rely on social engineering techniques. These can lead users to download malware or enter personal information. To prevent this, you need to put security measures in place, such as educating users and implementing filtering solutions.


Let's get more specific.  


As mentioned earlier, working on a mobile device can introduce a variety of security vulnerabilities. Here are some ways you can review the security issues that arise from mobile devices. 


1. Access controls


Because mobile devices store credentials, you can design controls to prevent access by unauthorized users, including the following:


 - Validate that access controls are set up to ensure that only authorized users can access mobile devices.

 - Verify password policies and parameters to strengthen user authentication on mobile devices. 

 - Design controls to collect log data from mobile devices and monitor it so that you can take action when issues arise. 


2. Data Protection Controls 


To ensure the safety of data on mobile devices, you can design the following controls:


 - Always apply encryption technology when storing data on mobile devices.

 - Verify that a data loss prevention (DLP) solution or an equivalent control is applied to prevent data generated on mobile devices from being leaked outside the organization.


3. Network controls 


Analyze the security vulnerabilities affecting data at rest on mobile devices and design network controls that compensate for them:


 - Ensure that corporate mobile apps are disabled for mobile devices that do not have data encryption policies in place.

 - Encrypt data in transit on mobile devices to keep it safe from security threats such as man-in-the-middle attacks on your network. 

 - Review the certificates and encryption methods used over the VPN when accessing corporate mobile apps from external networks to ensure that secure tunneling can be configured. 
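As an added illustration (not code from the original article), the following Python check evaluates a constructed MDM inventory export against the controls in sections 1 to 3 and the risk list above, returning the findings an auditor would sample and follow up on. The field names, thresholds and finding codes are assumptions made for this example.

```python
from dataclasses import dataclass
# Hypothetical thresholds for this example; use the organisation's own standard.
MIN_PASSCODE_LENGTH = 6
MAX_AUTOLOCK_SECONDS = 300
MIN_SUPPORTED_OS = {"ios": (16, 0), "android": (13, 0)}


@dataclass
class Device:
    device_id: str
    platform: str            # "ios" or "android"
    os_version: tuple        # (major, minor)
    storage_encrypted: bool  # device storage encryption enabled
    passcode_length: int     # 0 = no passcode configured
    autolock_seconds: int
    unknown_sources: bool    # installation of non-store apps allowed
    corp_app_enabled: bool   # corporate app currently permitted on device
    logs_forwarded: bool     # device events reach the central log collector


def audit_device(d: Device) -> list[str]:
    """Return the control failures for one device (empty list = compliant)."""
    findings = []
    # 1. Access controls: authentication strength and log collection
    if d.passcode_length < MIN_PASSCODE_LENGTH:
        findings.append("AC-1 weak or missing passcode")
    if d.autolock_seconds > MAX_AUTOLOCK_SECONDS:
        findings.append("AC-2 auto-lock interval too long")
    if not d.logs_forwarded:
        findings.append("AC-3 device logs not collected centrally")
    # 2. Data protection: encryption at rest
    if not d.storage_encrypted:
        findings.append("DP-1 storage encryption disabled")
        # 3. Network control: corporate app must be blocked on such devices
        if d.corp_app_enabled:
            findings.append("NW-1 corporate app allowed on unencrypted device")
    # Malware and illegal-program risks: patch level and sideloading
    if d.os_version < MIN_SUPPORTED_OS[d.platform]:
        findings.append("MW-1 OS below minimum patched version")
    if d.unknown_sources:
        findings.append("IP-1 installation from unknown sources allowed")
    return findings


def audit_inventory(devices: list[Device]) -> dict[str, list[str]]:
    """Map device_id to its findings, for non-compliant devices only."""
    return {d.device_id: f for d in devices if (f := audit_device(d))}


# Constructed sample inventory (not real data).
SAMPLE = [
    Device("D-001", "ios", (17, 2), True, 6, 120, False, True, True),
    Device("D-002", "android", (12, 0), False, 4, 900, True, True, False),
]
```

In practice the inventory would be exported from the MDM console; the audit evidence is the resulting findings list together with the sampled device records.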


These review methods help you identify the security issues that can arise when work is performed on mobile devices and suggest countermeasures to mitigate them.


This article is from the perspective of an IT auditor, and in the next article, we'll look at how an organization should design its internal controls.