When It’s Time for an Audit, Will You Be Ready?

Download PDF

If an auditor comes to call, will your offsite data be able to make the appointment? A smart backup plan keeps you in sync with ever-changing regulatory requirements—and gets you and your vital data to that meeting on time.

Taking Inventory of Your Audit Process

What are your biggest concerns as you create a data backup and recovery system that includes the right audit and accountability features?

  • Understanding the audit and accountability requirements specific to your industry
  • Establishing procedures and empowering personnel to manage vital data accordingly
  • Complying with strict audit standards, especially those in financial industries
  • Preparing a fast and accurate response whenever an audit comes along

Spend a little time contemplating “the regulatory landscape” of your industry and you may just want to take the rest of the day off. Regulations, compliance and audits are an unavoidable reality in many sectors—most notably in the healthcarefinancial and legal arenas—and they require that you back up data with an approach that provides fast and easy access when questions arise.

So are you ready? You may think you have achieved compliance today, but tomorrow the regulatory landscape could change, at least a bit. You must act proactively to maintain compliance by continually paying attention to the changing rules and by conducting frequent internal audits of your existing backup systems.

Audit and accountability form two pillars of a complete data backup and recovery program. As you design your plan, you should build in accountability to make sure there is clear ownership of responsibilities throughout your business. It’s equally essential to develop policies and procedures that encourage employee involvement and compliance across your entire enterprise.

Think of it in terms of these three steps:

  • Step 1: Evaluate your current practices.
  • Step 2: Update your policies and procedures as regulations for your industry change.
  • Step 3: Include communication and training activities in your implementation to encourage employee participation.

That last step is especially important. A compliant data management program is incomplete—and frequently at risk of noncompliance—if employees aren’t accountable for following the policies. The staff responsible for the auditing process should be clearly documented. Only through updating your program and the roster of management on a consistent basis can you be assured that your organization will be ready when an auditor shows up.

The Path to Compliance

When you’re developing ironclad audit capabilities, what is it that you’re really trying to accomplish? You need to:

  • Demonstrate good faith efforts and progress toward compliance.
  • Build an effective audit infrastructure.
  • Meet regulatory obligations.
  • Strengthen your accountability by measuring corporate, departmental and individual performance against audit metrics.

Do all that, and you’ll ease the burden of responding to external audits and regulatory assessments whenever they arise.

If the process sounds intimidating, it’s good to know that you don’t have to go it alone. A trusted partner that specializes in data backup and recovery can guide you in creating a solid audit and accountability program. Experts can help you develop detailed audit metrics to get you through the audit process, provide remediation recommendations if they find areas of noncompliance, and show you how to incorporate audits of your data management program into your corporate internal audit process.

The SEC Is (Always) Watching

If you work in the financial industry and have anything to do with data backup and recovery, then you’re well aware of SEC rule 17a-4, which dictates how data must be stored so that it is easily recoverable in an audit scenario. As per this rule, firms must preserve electronic records in a non-rewriteable and non-erasable format (most businesses use WORM drives), and they must also create a duplicate copy on any type of media. The rule also requires written and enforceable retention policies, a searchable index of all data stored, viewable and readily retrievable data, and offsite storage of data.

If you think this is a pretty stringent set of criteria, there’s one more piece of it to tackle: the designation of a third party requirement. To make sure that a broker’s or dealer’s information is easily accessible to regulators, the broker or dealer must designate a third party as a data custodian. Failure to designate an independent third party makes you noncompliant, and if you are noncompliant on this front, it can only open you up to further scrutiny.

Luckily, a good data backup and recovery partner can offer a designated third party (D3P) service, providing that important audit and accountability role. Bringing in such a service will provide the proof regulators demand when they investigate to determine whether you are in compliance.

Safety, security, cost-effectiveness, compliance and peace of mind. That’s what you’re aiming for when you design and implement a smart audit and accountability program. Get it started, get it automated, and you can spend less time worrying and more time focusing on your business’s core mission.

Do you have questions about data backup and recovery? Read additional Knowledge Center stories on this subject, or contact Iron Mountain’s Data Backup and Recovery team. You’ll be connected with a knowledgeable product and services specialist who can address your specific challenges.

Iron Mountain Suggests: Be Ready for Anything

  • Learn the regulatory requirements of your industry, and set up a system to keep track of ongoing changes.
  • Analyze your audit and accountability needs in the context of your entire data management strategy, looking for ways to integrate compliant data backup and recovery into your master plan.
  • Work with a trusted partner to guide you through the maze of regulations in your industry. This partner should also be qualified to help you craft an appropriate backup and recovery strategy, and act as a designated third party for your compliance process.

Related Content

The Lowdown on Compliant Data Storage

Take the Fast Track to Archived Data Access

Tape Archiving: The Classic Choice that Keeps on Going