The Mobility Shift
This article is reproduced with the permission of CAmagazine, published by the Canadian Institute of Chartered Accountants, Toronto.
By Guy-Marie Joseph and Pascale Dominique
New technologies have not only redefined the traditional mobile employee but have also brought economic advantages
Over the past few decades, the world of information technology has seen some radical changes. In addition to the constant evolution of technology, we have had to deal with the arrival of mobility in daily operations. This mobility goes beyond simply receiving messages on a personal digital assistant (PDA). That is all in the past.
The recent innovations in the field of mobility, or “mobility 2.0,” impact internal controls and can create difficulties for information systems auditing teams. The difficulties are primarily due to a lack of understanding of these technologies, which complicates the implementation of adequate controls.
What is mobility 2.0?
The traditional mobility model is that of a user equipped with one or more devices such as a portable computer; a wireless stick for Internet connection (in certain cases); a cellular telephone; and a PDA.
Traditionally, these users were on the road and only returned to the office once or twice a week to perform administrative tasks. They didn’t have an office but shared common areas with their peers. Their work consisted of updating the company’s internal systems such as customer relationship management (CRM), checking their customers’ orders, submitting proposals to customers and preparing their expense accounts. This was the typical profile of company representatives and salespeople.
However, this profile no longer fits the reality of the new millennium. More and more companies have employees who work from home and who have a home office. In emergencies or unforeseen events, these employees need to work from their homes. Moreover, some cost-conscious companies no longer provide office space for those employees who are constantly on the road. It is clear that total access is not just desired, it’s required. Employees need to be able to communicate with their company at all times and optimize their free time when on the road. Typical employees now need to be equipped with devices that allow them to access the company’s systems and applications and to update the data in these systems. They need to access everything from e-mail to more critical applications such as enterprise resource planning (ERP) and CRM.
What has changed and what has caused these changes? What are the elements that redesigned the profile of the traditional mobile user?
Convergence of voice and data is one of the main causes of these changes.
Today, the use of so-called “smartphones,” such as the iPhone, BlackBerry, Windows Phone and the Droid, makes it possible to access applications that go beyond electronic messaging. In addition to making it possible to send voice and data over the same connection, the implementation of IP telephony systems in place of traditional telephone systems has promoted transparency. For example, telecommuters receive calls as if they were in the office, and the management of infrastructures and internal systems is simplified given that the telephone system becomes an extension of corporate applications.
Fixed mobile convergence (FMC) systems have pushed this mobility up a notch by making it possible to replace the office telephone with a PDA-type cellular phone. These multifunctional devices connected to a company’s IP telephony system can, at the same time, use the frequencies of the company’s wireless network infrastructure. Within a few months, these dual-mode phones will make it possible to use both systems (wired and wireless). Once connected, using the available network, users will be able to switch at any time from one network to the other without interruption of the communication and with an identical quality of service. This means they will now need only one phone, one phone number and one voice mailbox. From a single peripheral device, these users will be able to pick up messages left in their voice mailbox, receive e-mail and even participate in a videoconference, for example.
The latest arrival in voice-data convergence is 4G, which stands for fourth generation wireless telephony, the successor of 3G. The 4G network brings together a number of performance criteria such as an actual data rate for the consumer in the order of 1 Mb/s and quality of service. Even though 4G is not yet available everywhere, its objective is to ensure maximum mobility for the user. The network will improve FMC systems since, for companies, the advantages of 4G are clear: it offers access to a growing number of multimedia services as well as increased mobility and accessibility (multiple internetwork access points).
Another cause of change is cloud computing or software as a service (SAAS). The concept has been around for several years, and hosting systems at a supplier site was surely its precursor. Cloud computing differs from this kind of hosting in that companies can purchase only the services they need, change these services as they evolve and pay for what they use.
Other important change factors include devices such as the iPad (barely 9 inches by 7 inches with all the peripherals — keyboard, screen, central processing unit — of a traditional computer integrated into a single portable unit), which have become multipurpose tools that are changing the way users work; more secure wireless networks that are now used throughout companies; and the arrival of the “N” protocol (802.11n) for wireless networks, which is ensuring improved network performance.
All these new technologies have redefined the profile of the traditional mobile employee and have brought about considerable economic advantages.
The convergence of voice and data will make it possible to reduce infrastructure costs. Some users will need only some type of smartphone rather than a computer and a traditional telephone.
Being able to access the company’s critical applications at any time translates into better customer service, improved response time to client requests and a reduction in the duplication of data entry. Such improvements result in increased revenue for the company and a reduction in operating costs, thereby creating a competitive advantage and an increase in employee productivity and efficiency.
When companies opt for a cloud-computing environment such as SAAS, they no longer need to keep their internal systems available on a 24-hour-a-day, seven-day-a-week basis, or to provide personnel to manage these systems. Cloud computing is different from traditional hosting as it is sold according to demand, generally by the minute or by the hour. It is elastic in that users can access one or several services at a given moment. The outsourced service is managed entirely by the supplier and only requires a computer and Internet access. The supplier provides the hardware and software infrastructure and interacts with the user via an entry-level portal. Services vary from Web-based e-mail to inventory control and database processing.
For example, Microsoft and Google are now offering e-mail software directly in SAAS mode and are extending their offering to office automation applications. Since the provider of these services is hosting both the application and the data, end users are free to access the service from anywhere.
Like the convergence of voice and data, cloud computing is reducing the cost of acquiring equipment and licences and of maintaining infrastructure. Furthermore, the need to continue to provide secure remote access to internal systems through a virtual private network is reduced to only those applications that are not part of cloud computing, since users can connect to the cloud-hosted systems in complete security from wherever they may be.
The security of wireless infrastructure has improved with the new 802.11n protocol, the implementation of WPA2 with AES encryption, and the use of PKI systems for access between mobile units and corporate networks. Extended validation secure sockets layer (SSL) certificates are more expensive than traditional SSL certificates, but they offer a higher level of security when necessary.
Despite the advantages resulting from these new technologies, we need to be aware of the risks they present. Companies keep fewer critical systems on site. Identifying these assets and their location to protect their contents is key to sound management. It is essential, therefore, that the risks associated with mobility be clearly identified and evaluated and that the controls to deal with any eventuality be implemented by organizations. Internal policies need to be established for the use of peripheral devices and employees need to be made aware of the risks associated with the use of such tools.
Wireless networks are proliferating. Such networks are deployed throughout organizations and the focus must be on the protection of data, internal or external. Controls that ensure confidentiality, authenticity, integrity and availability of data are crucial to the installation of wireless networks. Auditors need to be aware of technologies that make it possible to implement secure wireless networks to ensure that appropriate policies and procedures are put in place to mitigate risks.
Finally, cloud computing-type environments offer numerous advantages, but they raise questions that managers and auditors need to answer. The financial viability of the supplier, data ownership, access to confidential corporate information and compliance with relevant laws are but a few of these questions.
While they may be similar to traditional methods, risk management and the implementation of internal controls require IT auditing teams to have a solid understanding of these new technologies.
In a follow-up article, the risks will be examined in more detail, as well as the internal controls that need to be implemented in order to ensure new technologies provide the anticipated advantages to organizations, while reducing the associated risks.