As a member of the ARMA Task Force being run by Carol Choksy and Jerry
Brandes on E-Storage I am examining the role of the Auditor in this
process. Under Sarbanes Oxley a vendor or outsource agent must be up
to the Standard.
As it was explained to me today, by a CPA, this requires that the
vendor's auditor provide an SAS 70 Opinion Letter that states that the
vendor can provide the level of service required under Sarbanes Oxley.
(or, based on client's Service Level Agreements that are equivalent to,
or exceed, the requirements within Sarbanes Oxley that demand
protection of media from destruction or spoliation.)
For example a recent change requires that the Board of Directors, not
just a selection committee, select new CEOs and they have specific
questions that the applicant must answer. One is essentially: "Are
you aware of the strict requirements within Sarbanes Oxley to
accurately report financial conditions and also provide constructive
proof of the financial reports?" and "Will you abide by these
requirements and protect the Directors and Shareholders of this
organization from exposure by failure to comply with Sarbanes Oxley?"
I need to supply real world case studies to document where proper
records management and protection preserved the image and financial
resources of a corporation or organization. I also need case studies
where events occurred that endangered the organization or created
enormous expenses. I need real world examples which can be used as the
empirical evidence to prove the value of protection of records, media
and processing platforms.
I have heard of case studies where mergers and consolidations have
created awkward risk exposures at best and at worst loss of records.
One case was where a Trust & Pension Fund developed a Business
Continuity Plan dependent on distributing their records across several
records centers in a large metropolitan area only to have one company
buy the other centers and consolidate all the records in one mega
center. This totally set aside their planning and hostage fees make
putting it back together as it was expensive.
In another case, a records center in a smaller market was purchased and
the media was moved to the closest large city for logistical purposes
and cost savings to the vendor. The clients now have their media 2 1/2
hours away in normal conditions but they are in a far northern climate
where snow conditions can make that route hours longer. Restoring
their data center is now at risk. They are forced to examine new
strategies to keep their system on line. Here the profits of the
vendor trump the business continuity efforts of the client.
How should an auditor review the data platform? What risks can they
avert by understanding real records management?
What losses have occurred due to media spoiling in improper storage
conditions, clumsy handling and what costs can we associate with this
failure?
What costs have occurred due to lost tapes? (Image, Identity Theft,
Restoration and Recovery costs?) Can we put dollar figures on these
events?
This may be of no interest to anyone but me so to begin with, send the
case studies to me, unless you think the List would be interested? In
some cases, you may not want to expose a certain company; if so, refer
to the event as "A company in the Midwest, listed on the Fortune 500,
was required to convert to Encryption due to repeated exposures by
hackers and lost tapes and the cost estimate over a period of the
first three years was $1.5 million to secure the corporation."
Any examples, large or small, will be valued.
Just to prove this is a serious problem, a vendor at ARMA was selling a
program where for $12.00 per month, they would insure you would have no
Identity Theft but if you did, they would restore your credit, insure
your losses and even fight your court battles.
Our world is changing and we need to constantly re-evaluate how records
management fits into it. I have an Auditor/CPA that is willing to
develop a strategy based on what the real world events are. But I need
some case studies to show him. If you have actual experiences, that
would be more valuable. We are researching the internet for studies
but we want to know how protecting (or not protecting) your records
and your media has created value (or losses) for the organization.
Our joint effort here might change the face of records management in
the future by creating a real liaison between RM and Auditors.
Hugh Smith
FIRELOCK Fireproof Modular Vaults
(610) 756-4440 Fax (610) 756-4134
WWW.FIRELOCK.COM