In the previous post, we have talked about the main risks around Intellectual Property and its management from different points of view, as well as present the main characteristics of each one. In this post, continuing from the last presented content, we are going to present the appropriate controls and auditing to be applied to the mentioned risks.
First of all, let’s consider the necessity of the auditor and her/his paper in IP risk detection and controlling. In my opinion, the necessity of IP risk audition in this field is totally obvious, as the problems that may generate a bad management of the IP risks can finish even with our company. The paper of the auditor in this case is detecting the possible problems that can occur related with IP, both with IP inside our company and in relation with other companies’ IPs. So, it is supposed that we should have an auditor for this task, who has the necessary knowledge in this field: IP risks, copyright laws, controls to be applied, good practices…
As learned in previous posts, the importance of IPs in industry and the necessity to protect them, as well as to respect them, is increasing every year. Because of this fact, the importance of auditing IP risks and applying the proper controls to the organization is increasing too, and becoming more and more necessary inside the company. So, on the one hand, the auditor has to care about the patents, copyrights and trade secrets that must be protected inside the company, as well as the management and protections that are being applied to them. On the other hand, the auditor must not forget about respecting other companies IPs too, in order to avoid legal problems.
So, the audition team have to analyse the actual state of the company in relation with IPs: list of protected IPs, how they are protected, which controls are followed to ensure that continue being protected, where are applied the laws with which are protected, which problems have been previously with patents violations from the company and from others to ours… They are a lot of tasks to be performed by the audition team regarding IPs risks, but, essentially, as in other type of auditions, it is based in analysing the actual state, analysing the risks and proposing controls in order to solve the problems and prevent risks, avoiding damages for the company and the consequent loss of money.
I am not really interested in listing tens or hundreds of controls and auditing steps, as we can find a lot of examples in documents like Intellectual Property Process Audit Report. So, I am going to present some controls that the audition team of a company should propose for the risks presented in the previous post:
|1||Lose a good idea with potential to become a business due to ignorance||
|2||Lose money or not earn as much as possible due to bad protection of IPs||
|3||Loss of information related with IPs from inside the company due to lack of regulations or good practices and low security||
|4||Loss of information related with IPs from outside the company due to low security or bad management of the information||Controls related with IT security and good practices for the sensitive information treatise:
|5||Violation of other companies’ patents or protected products by copyright laws||
This is just an example of how should an audition team work when dealing with risks. But, my main intention is to understand the general overview. In the field of IP risks, an auditor must focus mainly in confidentiality, integrity and availability, as they are the supports of the security], while knowing and understanding the surrounding legal scope. So, the auditor should analyse and act around topics related with IPs like policies, procedures and records, the responsible team for IP protection in the company, management of IPs and risks, security and confidentiality management, training and capacity, monitoring and measurement and frameworks for corrective actions and improvements.
In conclusion, as in other IT auditings, the knowledge and capacity to detect risks and propose the necessary controls is essential, and in the case of IPs, it must be considered a priority to audit the company in relation with that field, as for a lot of companies the own ideas and the originality of their products is the key of their business, so its analysis and protection is essential.
 Information Technology Risk and Controls. The Institute of Internal Auditors.