Challenges For Auditors And Inspectors In The World Of Connected Devices
The day when you’ll see everyday things, from phones, cars and doors to lights, refrigerators and washing machines, connected to the internet is not very far off. In fact, there are over 13.4 billion connected devices already, and it is expected that the number of internet-connected devices will reach 50 billion by 2020.
Besides becoming an integral part of personal lives, the IoT will also bring major paradigm shifts at every phase of business. Many companies have already started adopting IoT and planning their business around it. There are only two options: either get ready to embrace this revolution and stay on top, or face the consequences.
The manufacturing business will have to make major changes to stay in the game, mainly around software, data and connectivity. According to Gartner’s 2015 overview of manufacturing industries, business intelligence and performance management are the top priorities of the manufacturing sector, and both these areas are heavily dependent on software and data gathering. Hence, manufacturing is near the top of the list of industries looking to hire data and software experts.
Software everywhere helps make all devices programmable and narrows the gap between digital and physical. While software everywhere redefines the manufacturing industry, it also redefines the scope of audits, inspections and compliance, because it brings new challenges with it. Let us look in detail at some of the challenges the Internet of Things will pose to the audit, inspection and compliance sector.
Challenges for auditors dealing with software everywhere
Auditing is not a walk in the park when it comes to organizations adopting new technologies and automating tasks with software everywhere. While the Internet of Things brings many rewards, it also poses serious risks, which, if not carefully dealt with, can lead to organizational disasters.
Technologies move very fast and manufacturers are under pressure to keep pace. With each passing day, new laws arise to which businesses, organizations, industries and agencies must conform. Most often, little thought is devoted to the risks associated with certain deployments of technology in businesses, and the manufacturer, law bodies and compliance bodies may not be aware of all the risks. The IT departments are generally the ones bearing the brunt of the storm, with a variety of auditing issues which, if not managed properly, can spoil the compliance and security of even the most ambitious organizations. One of the biggest challenges for them is to make sure that all the technology and software deployed adheres to multiple compliance standards. Internal auditors should stay abreast of new IoT developments to foresee these risks and controls in their business.
While software everywhere will ensure quick, flexible, easy and smart business processes, such flexibility can also be a loophole for circumventing compliance requirements. For instance, a machine or a device can be programmed to identify that it is being inspected or audited: the software can recognize the test pattern and then generate results that appear compliant to the audit. One way to overcome this problem is to adopt smart auditing strategies like those used by quality assurance professionals, who constantly deal with such issues. For instance, auditors could use heuristic-based techniques, where audit design and execution are combined and the auditor explores the system to identify non-conformance to high-level heuristics.
Another key aspect to consider in the area of software is ownership. The Digital Millennium Copyright Act (DMCA) makes it unlawful for independent auditors to look at the code that runs on a machine, thus making it easier to conceal intentional wrongdoing. Unfortunately, this law can punish users and auditors who try to understand whether their software or systems are compliant, or can be manipulated in a manner that will endanger the consumers of the products manufactured by these systems. Another important challenge for audit regulators is the need for effective reporting to their stakeholders regarding audit performance, and the efficient conduct of audit inspections, which requires coordination among varied regulators and compliance with differing laws and regulations.
However, the good news is that changes will happen over the year 2016 that will make it possible for such businesses to conduct audits much more efficiently, to check whether they are compliant with legal norms like FDA or EPA norms and other good manufacturing practices.
Challenges for auditors dealing with large amounts of data
Increased use of computerized systems, smart manufacturing and decreased storage costs have led to the generation of large amounts of data that are aggregated, coded and classified to enable good decision making. Auditors can derive value from this data and ensure that decisions are based on solid, quality information that is trustworthy and relevant. This big data enables root cause analysis in cases where noncompliance or failure is detected, and can be used to provide a near-complete picture of the system state at the point of failure. The availability of such valuable data can enable quicker corrective actions. Non-compliance issues detected years after production can be safely traced back with retrospective audits.
However, the unstructured nature of big data poses a big challenge for auditors. There needs to be a good standard for managing the generation, classification and storage of data for it to prove useful in auditing or inspection activities. Data processing standards today do not cover the governance processes for management, storage and expiration of data. However, changes are expected in 2016 that will address the present state of big data with respect to audit environments.
Challenges for auditors dealing with storage and ownership of data
In production environments, the data produced by the equipment and systems used on the production line is mostly stored in clouds. In the cloud, this data may be stored on storage devices that are not even owned by the manufacturers who generate the data, but by third-party service providers, such as an analytics provider or a storage service provider (like Amazon). In such cases, it is not the manufacturer but the third party who gets ownership of the data. In fact, the data may not even be stored in the same country. Such a third-party doctrine complicates matters when confidential transitional data is stored by cloud server providers, and this raises more issues such as confidentiality and contract, availability of data for audits, and liability.
Challenges for auditors dealing with Connectivity
The Internet of Things (IoT), as we have all heard, has been around for quite a while, and this year we saw a large number of connected devices flood the market. This is only going to increase, and by 2020 we are expected to have over 50 billion connected devices. The Internet of Things is not just connected cars, cameras and doors. IoT also extends to heavy machinery, to jet engines and oil drills, and to connected devices and equipment in manufacturing and production as well. As smart manufacturing gains momentum, more and more machines on the production lines are connected and online. Machines are connected to each other to exchange data, and to servers in the cloud to enable machine learning, monitoring, forecasting, preventive maintenance, etc. This ensures cycle time reductions for corrective and preventive actions post audits. Remote monitoring and diagnostics can ensure that the product complies with the legal requirements. Connectivity can help conduct remote inspections, eliminating the need for people to travel to the locations to get the audits done.
While connectivity brings the above advantages, it brings its share of challenges as well. Poor security on connected equipment, for example, can make systems vulnerable to hacking, and systems can be compromised without the hackers having direct access to them. As a matter of fact, vulnerabilities in any connected device can compromise an entire system. The security of connected equipment will soon be an area of compliance for audits and inspections across industry segments. With time, connectivity can even enable production to happen at the supplier’s end or the consumer’s end, rather than at the factory, which can further increase the risks for auditors and inspectors. They will have to take into consideration the entire chain of equipment that communicates with each other, and modify their audit strategies accordingly.
Everyone who is in the business of audit and compliance is impacted by the IoT and by the fact that all the equipment we use is connected online, is programmable and is generating enormous amounts of data. The auditors, inspectors and all of us in the audit and compliance field need to learn the new skills and competencies pertaining to software deployment, vulnerability detection and software compliance. The good news is that there are established practices in the software QA (quality assurance) industry, which can provide good reference points for those who want to upgrade their skills. However, the hardest part is to change the mindset and culture among auditors and inspectors to adapt to this new paradigm of Software Everywhere. We need to move faster to adopt practices, processes and a new mindset, and to learn new skills that will enable us to do a better job in auditing, compliance and inspections for devices that are connected, generate lots of data and are managed by software!
View this webinar on the ubiquity of software in the compliance industry, by Deepu Prakash, Head of Process and Technology Innovation at Fingent Corp: