In the Sarbanes Oxley, Rule 25, ESI requirements, I interpret a need
for a Type 2 Audit Statement from the vendors to be provided to the
companies they server in records management and media vaulting.
Some of the offsite storage companies are being proactive in putting
their version of the Type 2 Audit out there. There are two problems
with this: 1) The Auditors receive it and pass it on and no one reads
it. ( I am assuming part of the problem is that it does not flow down
stream from Audit and Legal to the records managers who can determine
if what is being provided really works.
2) The proactive companies providing the Audit Statement requirement
are not really adhering to any high level of performance but are
merely stating what they offer with no caveat of protection just
storage.
So my question to you is: Have any of you seen a Type 2 Audit
Statement from a vendor? Have any of you read it? Have you commented
back to Audit about any concerns you have, based on your needs?
I believe that a Records Manager has the right to request these from
their service providers in the offsite arena. Has anyone done so?
Hugh Smith
FIRELOCK Fireproof Modular Vaults
[log in to unmask]
(610) 756-4440 Fax (610) 756-4134
WWW.FIRELOCK.COM
List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance