RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

Subject:
From: Hugh Smith <[log in to unmask]>
Reply To: Records Management Program <[log in to unmask]>
Date: Thu, 26 Oct 2006 01:02:11 -0400

As a member of the ARMA Task Force being run by Carol Choksy and Jerry 
Brandes on E-Storage I am examining the role of the Auditor in this 
process.  Under Sarbanes Oxley a vendor or outsource agent must be up 
to the Standard.

As it was explained to me today, by a CPA, this requires that the 
vendor's auditor provide an SAS 70 Opinion Letter that states that the 
vendor can provide the level of service required under Sarbanes Oxley. 
(or, based on client's Service Level Agreements that are equivalent to, 
or exceed, the requirements within Sarbanes Oxley that demand 
protection of media from destruction or spoliation.)

For example, a recent change requires that the Board of Directors, not 
just a selection committee, select new CEOs and they have specific 
questions that the applicant must answer.  One is essentially:  "Are 
you aware of the strict requirements within Sarbanes Oxley to 
accurately report financial conditions and also provide constructive 
proof of the financial reports?" and "Will you abide by these 
requirements and protect the Directors and Shareholders of this 
organization from exposure by failure to comply with Sarbanes Oxley?"

I need to supply real world case studies to document where proper 
records management and protection preserved the image and financial 
resources of a corporation or organization.  I also need case studies 
where events occurred that endangered the organization or created 
enormous expenses.  I need real world examples which can be used as the 
empirical evidence to prove the value of protection of records, media 
and processing platforms.

I have heard of case studies where mergers and consolidations have 
created awkward risk exposures at best and at worst loss of records.  
One case was where a Trust & Pension Fund developed a Business 
Continuity Plan dependent on distributing their records across several 
records centers in a large metropolitan area only to have one company 
buy the other centers and consolidate all the records in one mega 
center.  This totally set aside their planning and hostage fees make 
putting it back together as it was expensive.

In another case, a records center in a smaller market was purchased and 
the media was moved to the closest large city for logistical purposes 
and cost savings to the vendor.  The clients now have their media 2 1/2 
hours away in normal conditions but they are in a far northern climate 
where snow conditions can make that route hours longer.  Restoring 
their data center is now at risk.  They are forced to examine new 
strategies to keep their system on line.  Here the profits of the 
vendor trump the business continuity efforts of the client.

How should an auditor review the data platform?  What risks can they 
avert by understanding real records management?

What losses have occurred due to media spoiling in improper storage 
conditions, clumsy handling and what costs can we associate with this 
failure?

What costs have occurred due to lost tapes?  (Image, Identity Theft, 
Restoration and Recovery costs?)  Can we put dollar figures on these 
events?

This may be of no interest to anyone but me so to begin with, send the 
case studies to me, unless you think the List would be interested?  In 
some cases, you may not want to expose a certain company, if so refer 
to the event as "A company in the Midwest, listed on the Fortune 500, 
was required to convert to Encryption due to repeated exposures by 
hackers and lost tapes and the cost estimate over a period of the 
first three years was $1.5 million to secure the corporation."

Any examples, large or small, will be valued.

Just to prove this is a serious problem, a vendor at ARMA was selling a 
program where for $12.00 per month, they would insure you would have no 
Identity Theft but if you did, they would restore your credit, insure 
your losses and even fight your court battles.

Our world is changing and we need to constantly re-evaluate how records 
management fits into it.  I have an Auditor/CPA that is willing to 
develop a strategy based on what the real world events are.  But I need 
some case studies to show him.  If you have actual experiences, that 
would be more valuable.  We are researching the internet for studies 
but we want to know how protecting (or not protecting) your records, 
and your media have created value (or losses) for the organization.

Our joint effort here might change the face of records management in 
the future by creating a real liaison between RM and Auditors.

Hugh Smith
FIRELOCK Fireproof Modular Vaults
[log in to unmask]
(610)  756-4440    Fax (610)  756-4134
WWW.FIRELOCK.COM

List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance
