defined or aligned with overall supply-chain and business strategies. The alignment of strategies, policies, processes,
organizational skills, and related capabilities is a critical success factor when
reengineering processes and implementing any major new system or
technology. Information requirements
for decision-making, measurement, and
control, as well as supporting systems,
tools, and data are also important. As in
all major changes, the level of knowledge,
buy-in, and commitment of the human
participants determines most successes
or failures. Therefore, training and staff
acceptance are integral to the change-management effort.
In addition, strategy regarding controlled usage (all products/distribution
channels versus limited scope) may not be
effectively employed to balance infrastructure costs with associated revenue and
benefits. The value proposition and scope
of rollout or process automation may not
be appropriately balanced and understood.
Arguably, implications of RFID on the
IT world are among the most critical
because of the amount of data moving
between systems and partners. Long-term disruptions in information processing or data availability may occur.
Companies may be subject to unauthorized data access by third parties
and data protection issues. Support
processes, including job scheduling,
backup and recovery, continuity planning, and help desk services, may not
INTERNAL AUDITOR APRIL 2005
Also, the large volumes of data collected may not be effectively used to
create information relevant to managing
the business or be effectively shared. For
example, consider the number of discrete
items in a single Wal-Mart distribution
center and the points through which each
item is tracked throughout the supply
chain. Multiply that number by the number of Wal-Mart distribution centers in
the United States and the figure is in the
hundreds of millions of transactions.
That’s just one retailer.
The current 96-bit product codes,
which are stored on Class 1 EPC tags, can
uniquely identify more than 250 million
manufacturers, each with more than
1 million products and unique identifiers for every product. Multiplying that
out would result in transmissions of terabytes of data every day. Without relevant data mining, processing, and
analytics, the collected information
remains data, rather than information
an organization can leverage. Forrester
Research Inc., a technology research and
consulting firm, predicts 5 billion consumer-packaged goods will have RFID
tags by 2006.
Management of data capacity (data
warehousing), scalability of systems, integration, and compatibility with existing systems may be inadequate. Excessive
customization may be required of legacy
systems, which could affect their performance, increase their support costs, and result in an inability
to follow vendor upgrade schedules. System bandwidth may not be sufficient to
fully capture, process, and validate high
volumes of data.
Several of these risks are common to
any application implementation and may
be addressed by existing IT processes and
controls. However, with the magnitude
of change being brought about by RFID,
additional attention and controls may be
required. An organization’s internal audit
function can play a key role in this
process by developing internal audit
plans, capability assessments, project risk
assessments, and systems and process
reviews to ensure all identified risks are
evaluated and understood and have adequate
mitigating controls in place.
PUTTING IT TOGETHER
Internal auditors need to combine an
understanding of the latest technologies
with the latest audit, risk, and capabilities assessment techniques to continue
to provide and improve risk evaluation
and control assessment, as well as process
Key questions the internal auditor
should consider in any RFID project
• Have key business environment risks been identified in the organization’s decision to implement RFID, including payback, supply chain capability, and customer capability?
• Have key risks regarding network security been identified?
• Have risks regarding data management and integrity been identified?
• Are organizational culture and change management risks understood and
• Have business processes been identified and positioned for backup or exception process purposes?
• Will additional financial controls need to be in place for processing transactions directly to ledgers from networks
• Are current business processes mapped and understood prior to implementing any changes made possible by RFID?
RFID is a promising technology that
provides many potential benefits for companies across different industries. There
are a variety of significant risks associated with RFID that need to be considered in any RFID endeavor. Internal
auditors can play a vital role in the identification of RFID issues, risks, and process
changes, ultimately impacting the technology’s success in an organization.
To comment on this article, e-mail the
authors at email@example.com.