Storing information in electronic form is now the order of the day for many companies. The paperless office is becoming increasingly popular. However, there are all sorts of things to consider when it comes to digital archiving. For example, documents that are to be stored long-term must be secured in an audit-proof manner in the digital storage space. Find out what that means.


What is audit compliance?

The term audit compliance refers to complying with the best practices for secure data storage in electronic form. This process is also referred to as audit-proof archiving. Originally, the method concerned data that must be retained, or is otherwise important to retain, under commercial and tax law. Archiving systems must meet a number of requirements to qualify. In addition to the commercial and tax law requirements, audit-proof information retention is based on the following guidelines:

  • The Sarbanes-Oxley Act of 2002 (SOX or Sarbox), a US law originally established to protect against financial fraud in corporations. It also has implications for how electronic data such as emails and social media data is stored in a company: its sections address the deliberate alteration of records, record retention periods, and the definition of documents that are relevant to an audit or review.
  • The principles of proper electronic record management.

Today, audit compliance or audit-proof archiving has become a topic outside the world of commerce and taxation. The term is used more and more frequently, for example, to denote tamper-proof, long-term storage of electronic information.

The 10 features of audit-proof archiving at a glance

Generally, there are 10 features of audit compliance:

  1. Completeness: no document may be lost on the way to the archive.
  2. Immutability: all documents are archived unchanged and cannot be altered once stored.
  3. Regularity: each document must be kept in accordance with legal and organizational guidelines.
  4. Retrievability: all information must be retrievable, for example via indexing using metadata.
  5. Use only by authorized persons: all information must be archived in such a way that it can only be viewed by authorized persons.
  6. Protection against loss: data security must be guaranteed at all times.
  7. Respecting retention periods: a document may only be deleted from the archive once its retention period has expired.
  8. Documentation: detailed documentation of the archiving process is mandatory, for example to enable smooth migration of the archive.
  9. Traceability: all changes to the archive must be recorded so that they can be traced and, where necessary, restored.
  10. Verifiability: an audit-proof archiving system must be verifiable by a third-party expert at any time.

What are the advantages of audit compliance?

A digital archive that meets the requirements of audit compliance as described above can pay off for a variety of reasons. On the one hand, an audit-proof archive helps to optimize business processes. Appropriate search mechanisms and an improved information structure ensure that the desired documents are available at short notice, so that customer queries can be answered faster, for example.

On the other hand, audit compliance minimizes errors when handling important data or documents. Audit-proof electronic archiving ensures that multiple copies of a single document do not exist and that information is not accidentally deleted.

In general, by implementing an audit-proof archiving system, companies can prevent the financial damage and loss of reputation that result from lost documents or unauthorized access.

Note

Audit-proof data storage is also an important factor when it comes to archiving email in a legally secure manner.

Certification of audit compliance

Anyone who sets up and uses an audit-proof system for the digital storage of documents will likely score points with customers and partners. Certificates that confirm audit security establish trust and are in demand not only to persuade new customers, partners, and investors, but also as a basis for long-term cooperation.

Tip

To certify that a company adheres to standards of information security, certification under the ISO 27001 standard is available.

Typically, audit compliance of electronic archiving systems is certified by state-appointed auditors. The Public Company Accounting Oversight Board (PCAOB) trains auditors on SOX audits, and its standards are in turn informed by those set forth by the Committee of Sponsoring Organizations (COSO). Businesses can also consult experts to certify their audit-proof archiving of digital data and to address permission issues.

Audit security in the cloud: SOX compliance as a key factor

The advantages of cloud computing have made working in the cloud indispensable for many companies. Storing and archiving files and documents in a cloud storage system is particularly popular with SMEs.

But, much as with data protection, audit security is addressed differently by different cloud providers. In particular, awareness of data protection-compliant and audit-proof storage of information diverges widely between providers in the US and in Europe. An important point of reference for users is therefore whether a cloud service not only observes the GDPR, but also implements the basics of record management described above.

The typical features of audit-compliant archiving can be transferred to an audit-proof cloud almost one-to-one. The following therefore also apply to cloud storage of data:

  • The immutability of stored information must be guaranteed. Providers can achieve this by, among other things, automatically versioning all cloud data so that a change creates a new version rather than overwriting the old one.
  • Auditability can be realized in the cloud through a protected activity log that captures all file transfers as well as modifications and deletions.
  • Securing against file loss is an important point. Cloud providers promise high data security and rely on geo-redundant hardware, encryption, and powerful security software, for example. For audit-proof archiving, the option of an additional backup system should not be forgotten.
  • Integrated search functions ensure that cloud storage also fulfills the "retrievability" factor.
  • To prevent unauthorized access, cloud storage systems can be equipped with appropriate access management. With these management tools, responsible parties can create and assign user roles so that each cloud user can only see, open, and edit the documents that correspond to their role in the company.
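The cloud features listed above and the 10 features from the earlier list can be shown working together in code. The following is an added example, not code from the original article or from any archiving product: an in-memory archive in which documents are versioned rather than overwritten, reads are limited to authorized roles, deletion is refused before the retention date, and every action lands in a hash-chained activity log that a third party can verify. Document ids, roles and dates are constructed; retention dates are ISO date strings, which compare correctly as text.

```python
import hashlib, json

class Archive:
    def __init__(self):
        self.docs = {}    # doc_id -> {"versions": [bytes], "retain_until": "YYYY-MM-DD", "roles": set}
        self.log = []     # hash-chained activity log: traceability and verifiability
        self._prev = "0" * 64

    def _record(self, event, **fields):
        entry = {"event": event, "prev": self._prev, **fields}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.log.append(entry)
        self._prev = entry["hash"]

    def store(self, doc_id, content, retain_until, roles):
        # Immutability: storing an id again appends a version; earlier versions are never overwritten.
        doc = self.docs.setdefault(doc_id, {"versions": [], "roles": set(roles)})
        doc["versions"].append(content)
        doc["retain_until"] = retain_until
        self._record("store", doc=doc_id, version=len(doc["versions"]),
                     sha256=hashlib.sha256(content).hexdigest())

    def read(self, doc_id, role, version=-1):
        # Use only by authorized persons: the role must be in the document's ACL.
        doc = self.docs[doc_id]
        if role not in doc["roles"]:
            self._record("read_denied", doc=doc_id, role=role)
            raise PermissionError(f"{role} may not read {doc_id}")
        self._record("read", doc=doc_id, role=role)
        return doc["versions"][version]

    def delete(self, doc_id, today):
        # Retention periods: deletion is refused until retain_until has passed (ISO strings compare as dates).
        doc = self.docs[doc_id]
        if today < doc["retain_until"]:
            self._record("delete_refused", doc=doc_id, until=doc["retain_until"])
            raise PermissionError(f"{doc_id} retained until {doc['retain_until']}")
        del self.docs[doc_id]
        self._record("delete", doc=doc_id)

    def verify_log(self):
        # Recompute the chain: any edited or removed entry makes verification fail.
        prev = "0" * 64
        for entry in self.log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True
```

A refused read or deletion is itself logged, so the activity log records attempts as well as successful actions.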