Audit compliance: Definition and what it means for the cloud

Storing information in electronic form is now the order of the day for many companies. The paperless office is becoming increasingly popular. However, there are all sorts of things to consider when it comes to digital archiving. For example, documents that are to be stored long-term must be secured in an audit-proof manner in the digital storage space. Find out what that means.

The term audit compliance refers to complying with the best practices for secure data storage in electronic form. This process is also referred to as audit-proof archiving. Originally, the method concerns data that must be retained or is otherwise important to retain in the area of commercial and tax law. Archiving systems must also meet various requirements. In addition to various commercial and tax law requirements, audit-proof information retention is based on the following guidelines:

• The Sarbanes-Oxley Act of 2002 (SOX or Sarbox), which is a US law originally established to protect against financial fraud in corporations. However, it also has implications for how electronic data such as emails and social media data is stored in a company. Its sections address the deliberate alteration of records, record retention periods, and definition of documents that are relevant to an audit or review.
• The principles of proper electronic record management.

Now, audit compliance or audit-proof archiving has become a topic outside the world of commerce and taxation. The term is being used more frequently, for example, to denote tamper-proof and long-term storage of electronic information.

Generally, there are 10 features of audit compliance:

1. Completeness: no document shall be lost on the way to the archive.
2. Immutability: all documents are archived unchanged and unchangeably.
3. Regularity: each document must be kept in accordance with legal and organizational guidelines.
4. Retrievability: all information must be retrievable, for example via indexing using metadata.
5. Use only by authorized persons: all information must be archived in such a way that it can only be viewed by authorized persons.
6. Protection against loss: data security must be guaranteed at all times.
7. Respecting retention periods: a document may only be deleted from the archive once its retention period has expired.
8. Documentation: detailed documentation of the archiving process is mandatory, for example to enable smooth migration of the archive.
9. Traceability: all changes to the archive must be recorded so that they can be traced, and restoration is possible.
10. Verifiability: an audit-proof archiving system must be verifiable by a third-party expert at any time.

A digital archive that meets the requirements of audit compliance as described above can pay off for a variety of reasons. On the one hand, an audit-proof archive helps to optimize business processes. Appropriate search mechanisms and an improved information structure ensure that desired documents are available at short notice, so that customer queries can be answered faster, for example.

On the other hand, audit compliance minimizes errors when handling important data or documents. Audit-proof electronic archiving ensures that multiple copies of a single document do not exist, and that information is not accidentally deleted.

In general, companies can prevent financial damage and image loss as a result of lost documents or unauthorized access by implementing an audit-proof archiving system.

Anyone who sets up and uses an audit-proof system for the digital storage of documents will likely score points with customers and partners. Certificates that confirm audit security establish trust and are in demand not only to persuade new customers, partners, and investors, but also as a basis for long-term cooperation.

Typically, audit compliance of electronic archiving systems is certified by state-appointed auditors. The Public Company Accounting Oversight Board trains auditors on SOX audits and its standards are in turn informed by those set forth by the Committee of Sponsoring Organizations. Businesses can also consult experts to certify their audit-proof archiving of digital data and address permission issues.

The advantages of cloud computing have made working in the cloud indispensable for many companies. Storing and archiving files and documents in a cloud storage system is particularly popular with SMEs.

But similar to data protection, audit security tends to be addressed differently by providers of cloud market solutions. In particular, there is broad divergence in the awareness of data protection-compliant and audit-proof storage of information between providers in the US and Europe. An important point of reference for users is therefore whether a cloud service not only observes the GDPR, but also implements the aforementioned basics of record management.

The typical features for audit compliant archiving can be transferred to an audit-proof cloud almost one-to-one. Therefore, the following also apply to cloud storage of data:

• The immutability of stored information must be guaranteed. Providers can achieve this by, among other things, automating the versioning of all cloud data.
• Auditability can be realized in the cloud through a protected activity log that captures all file transfers as well as modifications and deletion processes.
• Securing against file loss is an important point. Cloud providers promise high data security and rely on geo-redundant hardware, encryption, and powerful security software, for example. For audit-proof archiving, the option of an additional backup system should not be forgotten.
• Integrated search functions ensure that cloud storage also fulfills the “retrievability” factor.
• To prevent unauthorized access, cloud storage systems can be equipped with appropriate access management. Based on these management tools, responsible parties can create and assign user roles so that each cloud user can only see, open, and edit documentation that corresponds to their status in the company.