IP risks: controlling and auditing

In the previous post, we have talked about the main risks around Intellectual Property and its management from different points of view,  as well as present the main characteristics of each one. In this post, continuing from the last presented content, we are going to present the appropriate controls and auditing to be applied to the mentioned risks.

First of all, let’s consider the necessity of the auditor and her/his paper in IP risk detection and controlling. In my opinion, the necessity of IP risk audition in this field is totally obvious, as the problems that may generate a bad management of the IP risks can finish even with our company. The paper of the auditor in this case is detecting the possible problems that can occur related with IP, both with IP inside our company and in relation with other companies’ IPs. So, it is supposed that we should have an auditor for this task, who has the necessary knowledge in this field: IP risks, copyright laws, controls to be applied, good practices…

As learned in previous posts, the importance of IPs in industry and the necessity to protect them, as well as to respect them, is increasing every year. Because of this fact, the importance of auditing IP risks and applying the proper controls to the organization is increasing too[1], and becoming more and more necessary inside the company. So, on the one hand, the auditor has to care about the patents, copyrights and trade secrets that must be protected inside the company[2], as well as the management and protections that are being applied to them. On the other hand, the auditor must not forget about respecting other companies IPs too, in order to avoid legal problems.

So, the audition team have to analyse the actual state of the company in relation with IPs: list of protected IPs, how they are protected, which controls are followed to ensure that continue being protected, where are applied the laws with which are protected, which problems have been previously with patents violations from the company and from others to ours… They are a lot of tasks to be performed by the audition team regarding IPs risks, but, essentially, as in other type of auditions, it is based in analysing the actual state, analysing the risks and proposing controls in order to solve the problems and prevent risks, avoiding damages for the company and the consequent loss of money[3].

I am not really interested in listing tens or hundreds of controls and auditing steps, as we can find a lot of examples in documents like Intellectual Property Process Audit Report[4]. So, I am going to present some controls that the audition team of a company should propose for the risks presented in the previous post:

 

Risk Description Control
1 Lose a good idea with potential to become a business due to ignorance
  • Detect the actual IPs, list them and analyse their value and potential, in order to apply the proper protection.
  • Analyse the way in which they are developed the products and are documented the ideas, as well as how it is analysed the value of each one in order to detect possible business.
  • Analyse the actual patenting process, and consider if it should be improved in order to be faster and ensure the protection of the IPs.
2 Lose money or not earn as much as possible due to bad protection of IPs
  • Look at the laws and ways of protection that the company is following actually for their IPs, how strong they are..
  • Analyse how the company manage their protected IPs in terms of time referring the dates in which the protected IPs should be reviewed and the protection renewed.
3 Loss of information related with IPs from inside the company due to lack of regulations or good practices and low security
  • How are being the IPs protected from internal attacks?
  • How is being performed the detection of information stealer inside the company?
  • Which are the access privileges provided to each employee?
  • Which practices are being followed to ensure the integrity of the information in relation with developing of products and ideas?
  • How is it being controlled the access to DBs and other infrastructures that contains sensitive information?
4 Loss of information related with IPs from outside the company due to low security or bad management of the information Controls related with IT security and good practices for the sensitive information treatise:

  • Where is stored the sensitive information? How is being protected?
  • Which IT security standards are being followed?
5 Violation of other companies’ patents or protected products by copyright laws
  • Is developed any plan to deal with patent violation problems?
  • Is being applied any practice to detect possible patent violation cases when developing a product or idea?
  • Is designed any plan to change the direction of projects when they can be violated IPs protecting laws?


This is just an example of how should an audition team work when dealing with risks. But, my main intention is to understand the general overview. In the field of IP risks, an auditor must focus mainly in
confidentiality, integrity and availability[5], as they are the supports of the security], while knowing and understanding the surrounding legal scope. So, the auditor should analyse and act around topics related with IPs like policies, procedures and records, the responsible team for IP protection in the company, management of IPs and risks, security and confidentiality management, training and capacity, monitoring and measurement and frameworks for corrective actions and improvements[6].

In conclusion, as in other IT auditings, the knowledge and capacity to detect risks and propose the necessary controls is essential, and in the case of IPs, it must be considered a priority to audit the company in relation with that field, as for a lot of companies the own ideas and the originality of their products is the key of their business, so its analysis and protection is essential.

 


 

References:

[1] https://www.knowledgeleader.com/KnowledgeLeader/Content.nsf/Web+Content/QUIntellectualPropertyRisk

[2] https://www.knowledgeleader.com/KnowledgeLeader/Content.nsf/Web+Content/ChecklistsGuidesProtectingIntellectualPropertyAssets

[3] http://www.wipo.int/sme/en/documents/ip_audit_fulltext.html

[4] https://www.knowledgeleader.com/KnowledgeLeader/Content.nsf/Web+Content/auditreportintellectualpropertyprocess

[5] Information Technology Risk and Controls. The Institute of Internal Auditors.

[6] http://www.rmmagazine.com/2013/10/01/understanding-the-risks-eight-elements-of-an-effective-ip-protection-program/