Auditors are frequently requesting and receiving highly sensitive or confidential data and information from their clients, but what are their responsibilities for document and records management?

What is Records Management? Per ISO 15489-1:2001 “Information and Documentation – Records Management”, it is expected that organizations have effective controls for the creation, receipt, maintenance, use and disposition of records and documentation, in all formats.

The moment an auditor receives audit documentation from a client, they take on the responsibilities of a data custodian: to manage and reduce the risk of data loss or breach as far as possible, and to comply with the Records Management policies and procedures of the organization that provided the audit documentation.

What is a Data Custodian? A Data Custodian is a person or group who is responsible for the receipt, transfer, accounting, safeguarding, and destruction of data in accordance with company policy, laws, or regulations.

In addition to abiding by the organizational Records Management policies and procedures, auditors must also comply with legal, regulatory, or industry standard requirements, depending on whether their role is as the internal or external auditor and what industry or regulatory body governs the data type.

Examples of common records management requirements for internal and external auditors include the Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF) and the Public Company Accounting Oversight Board’s (PCAOB) Auditing Standards.

Citations from the examples are below:

The Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF)

2330 – Documenting Information

2330.A2 – The chief audit executive must develop retention requirements for engagement records, regardless of the medium in which each record is stored.

2330.C1 – The chief audit executive must develop policies governing the custody and retention of consulting engagement records, as well as their release to internal and external parties.

https://na.theiia.org/standards-guidance/Public%20Documents/IPPF-Standards-2017.pdf

The Public Company Accounting Oversight Board’s (PCAOB) Auditing Standards

AS 1215: Audit Documentation

The auditor must retain audit documentation for seven years from the date the auditor grants permission to use the auditor’s report in connection with the issuance of the company’s financial statements (report release date), unless a longer period of time is required by law. If a report is not issued in connection with an engagement, then the audit documentation must be retained for seven years from the date that fieldwork was substantially completed. If the auditor was unable to complete the engagement, then the audit documentation must be retained for seven years from the date the engagement ceased.

https://pcaobus.org/Standards/Auditing/Documents/PCAOB_Auditing_Standards_as_of_December_15_2017.pdf

Additionally, it’s important to understand the following footnote within AS 1215.

The SEC requires auditors to retain, in addition to documentation required by this standard, memoranda, correspondence, communications (for example, electronic mail), other documents, and records (in the form of paper, electronic, or other media) that are created, sent, or received in connection with an engagement conducted in accordance with auditing and related professional practice standards and that contain conclusions, opinions, analyses, or data related to the engagement. (Retention of Audit and Review Records, 17 CFR §210.2-06, effective for audits or reviews completed on or after October 31, 2003.)

https://pcaobus.org/Standards/Auditing/Documents/PCAOB_Auditing_Standards_as_of_December_15_2017.pdf

Beyond the strict requirements for the retention of audit data, auditors must also be diligent in ensuring that records retain appropriate Confidentiality, Integrity, and Availability (CIA). The definitions of these terms per ISACA are as follows:

  • Confidentiality – Preserving authorized restrictions on access and disclosure, including means for protecting privacy and proprietary information.
  • Integrity – The guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
  • Availability – Ensuring timely and reliable access to and use of information.

For most auditors, the means of maintaining appropriate CIA is Audit Management Software or a GRC tool with an audit management module. The benefit of industry leading audit management solutions is that they are built specifically for auditors: once the data and documentation are archived and locked down, auditors should have confidence in the integrity and availability of the data. Additional internal controls and processes are still necessary to maintain the confidentiality of the documentation.

Why is Confidentiality Different from Integrity and Availability?

Ensuring the confidentiality of audit documentation and records is not accomplished simply by using a well configured and controlled audit management tool, because auditors find it difficult to completely delete the records from the various storage mediums used during the audit. Auditors will typically use their local drive, email, shared drives, and online storage services to receive and retain audit documentation until it is ready to be archived. This is where the risk exists. It may be easy for an auditor to delete a SharePoint list, purge the files in a shared drive, erase the local files, and delete emails from their inbox. But validating that all auditors, who already struggle to find downtime as it is, have completely purged the records, deleted the data by a means that prevents recovery, and deleted the records from their sent mail is nearly an impossible task. The inability to validate that copies of records in the various storage mediums were completely and sufficiently deleted increases the risk of data loss or data retention non-compliance.

The difficulty of establishing the controls that give auditors a high degree of assurance that they can maintain document confidentiality when they become data custodians is one of the reasons why Craig Solowski founded Audit Suite. Audit Suite is a secure and central location for auditors to manage their PBC Request List, request and receive audit documentation, and exchange comments and questions with clients. With Audit Suite, auditors can simply archive the project when the audit is complete, or delete the project if the records are archived in the audit management solution. Using the software gives the audit team increased confidence that the audit records will retain not only integrity and availability, but also confidentiality.