The Sarbanes-Oxley Act (SOX) changed how organizations must retain and handle their records in order to satisfy auditors. SOX requires companies to retain records, to produce a new kind of audit information, and to follow specific processes and systems that verify they have complied. In short, SOX demands that both organizations and auditors offer proof of compliance, and it makes auditors responsible for the information they report. As a result, auditors have taken steps to ensure the veracity of their audits. One of those steps is the use of versioning file systems.
Everyone Requires Strong Audit Trails
Since the implementation of Sarbanes-Oxley, both sides, auditors and organizations, require strong audit trails on all records. The provisions of SOX apply to digital documents and paper documents alike. Most experts agree that a strong audit trail is a record that is verifiable and consistent, and that shows how and when the data in a particular record was changed.
The systems organizations use to comply with SOX may satisfy the record-retention requirements set out for audit trails, but retention alone does not let an auditor verify that the retained history is genuine. Technologies such as temporal databases and continuous versioning file systems can be used to construct and test a data history: every change to the data is recorded, and the system exposes it through a time-oriented file system interface or a temporal query language. The key property is that past versions of the data must be immutable. The current version may still be edited, but the version history must remain intact.
Understanding the World of Digital Audits
Most people in the business world are now comfortable using technology, working in paperless offices, and relying on the internet. Digital audits, however, are still new to some firms. A digital audit parallels a paper audit in both process and incentives, though some companies are behind the times when it comes to retaining the electronic information they need.
Specifically, companies must retain data for a defined period of time. The audit process does not in itself ensure that the data is accurate or authentic, and it does not prevent the data from being destroyed. It simply verifies that the data has been retained, that it has not been modified, and that it is accessible through the organization's system.
If an organization fails a digital audit, that does not necessarily mean there was wrongdoing. Though it has limits, the audit process offers the same benefits whether done on paper or electronically, assuming it is done correctly. The consequences of the violations an external audit can expose are significant and include fines, prison time, and civil liability.
One approach to verifying version histories in versioning file systems is based on message authentication codes (MACs). The file system computes a MAC over each version as it is saved and archives the MACs with a third party. Presenting a MAC to the third party commits the system to that version history: the MACs cannot later be changed to match altered data. At a future date an auditor can verify the history by challenging the file system to produce data that matches the archived MACs; if every version matches, the system's data has not been altered since it was committed.
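The commit-and-challenge scheme described above, as an added example that is not code from the original page or from any particular versioning file system. It assumes a chained HMAC design: each version's MAC covers the previous MAC as well as the version number and data, so that dropping, reordering, or rewriting any past version breaks the chain. The key is assumed to be held by the file system and disclosed to the auditor at audit time; the third party only ever stores the MACs. The record versions and key are constructed sample data.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample: three successive versions of one record, as the file
# system would store them. Version numbers and contents are hypothetical.
VERSIONS: List[Tuple[int, bytes]] = [
    (1, b"Q3 revenue: 1,200,000"),
    (2, b"Q3 revenue: 1,250,000 (adjusted for returns)"),
    (3, b"Q3 revenue: 1,250,000 (adjusted for returns; approved by CFO)"),
]

# Assumption: the MAC key is held by the file system, not by the third party.
FS_KEY = b"constructed-file-system-key"


def version_mac(key: bytes, prev_mac: bytes, version: int, data: bytes) -> bytes:
    """HMAC-SHA256 over (previous MAC || version number || length || data).

    Chaining the previous MAC binds each version to the whole history before
    it, so a rewritten, dropped, or reordered version invalidates every later
    MAC as well. The length prefix keeps the encoding unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    h.update(prev_mac)
    h.update(version.to_bytes(8, "big"))
    h.update(len(data).to_bytes(8, "big"))
    h.update(data)
    return h.digest()


def commit_history(key: bytes, versions: List[Tuple[int, bytes]]) -> Dict[int, str]:
    """File-system side: build the ledger that is archived with the third party.

    The ledger holds one hex MAC per version number and nothing else; the third
    party sees neither the data nor the key, so the archived MACs reveal nothing
    about record contents."""
    ledger: Dict[int, str] = {}
    prev = b""
    for ver, data in versions:
        prev = version_mac(key, prev, ver, data)
        ledger[ver] = prev.hex()
    return ledger


def add_version(key: bytes, versions: List[Tuple[int, bytes]],
                ledger: Dict[int, str], data: bytes) -> None:
    """Append a new current version. Only a new ledger entry is added; the
    entries already archived for older versions are never rewritten."""
    last_ver = versions[-1][0] if versions else 0
    prev = bytes.fromhex(ledger[last_ver]) if versions else b""
    new_ver = last_ver + 1
    versions.append((new_ver, data))
    ledger[new_ver] = version_mac(key, prev, new_ver, data).hex()


def audit(key: bytes, produced: List[Tuple[int, bytes]],
          ledger: Dict[int, str]) -> Tuple[bool, List[int]]:
    """Auditor side: the file system is challenged to produce every version
    (and the key); the auditor recomputes the chain and compares it with the
    third party's ledger. Returns (ok, version numbers that failed)."""
    failed = set()
    prev = b""
    for ver, data in produced:
        prev = version_mac(key, prev, ver, data)
        if not hmac.compare_digest(prev.hex(), ledger.get(ver, "")):
            failed.add(ver)
    # Versions the third party holds a MAC for but the system failed to produce.
    produced_versions = {ver for ver, _ in produced}
    failed.update(v for v in ledger if v not in produced_versions)
    return (not failed, sorted(failed))


def rewrite_version(versions: List[Tuple[int, bytes]], ver: int,
                    data: bytes) -> List[Tuple[int, bytes]]:
    """Constructed tampering scenario: someone rewrites an old version after
    the history has already been committed to the third party."""
    return [(v, data if v == ver else d) for v, d in versions]


if __name__ == "__main__":
    ledger = commit_history(FS_KEY, VERSIONS)
    print("clean history:", audit(FS_KEY, VERSIONS, ledger))
    forged = rewrite_version(VERSIONS, 2, b"Q3 revenue: 1,200,000 (adjusted)")
    print("rewritten v2:", audit(FS_KEY, forged, ledger))
    print("dropped v3:", audit(FS_KEY, VERSIONS[:2], ledger))
```

Because the chain is keyed, the third party cannot brute-force record contents from the archived MACs, which matters when the archive is outsourced; the price is that the auditor must obtain the key from the file system at audit time, so a system that "loses" its key should itself be treated as an audit failure.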
Automatic Audit Trails
Versioning is one way to prepare for external auditors and assure compliance with Sarbanes-Oxley. Another option is document management software like eFileCabinet, which relies on audit trails. The concept is not identical, but it is similar and has comparable benefits. An audit trail automatically records when a document was accessed, who accessed it, and what, if anything, was changed. That history is useful well beyond preparing for a meeting with an auditor.
Any company with more than a few employees working on the same file has run into the problem: someone changed a document and no one knows who or why. This is frustrating for several reasons. Without knowing why a change was made it is impossible to judge whether it was valid, and without a record of what was changed the company loses accurate information.
This problem leads some companies to adopt strict policies about who may access and edit information. In theory that is sound, but the way the control is implemented often wastes time. Some companies keep a single computer from which documents may be edited and require employees to log in to use it, so only one person can work on those files at a time. Others require a manager to sign off on changes before they can be saved, consuming time that upper management could certainly spend better.