Audit compliance: Definition and what it means for the cloud

Storing information in electronic form is now the order of the day for many companies. The paperless office is becoming increasingly popular. However, there are all sorts of things to consider when it comes to digital archiving. For example, documents that are to be stored long-term must be secured in an audit-proof manner in the digital storage space. Find out what that means.

The term audit compliance refers to complying with the best practices for secure data storage in electronic form. This process is also referred to as audit-proof archiving. Originally, the method concerns data that must be retained or is otherwise important to retain in the area of commercial and tax law. Archiving systems must also meet various requirements. In addition to various commercial and tax law requirements, audit-proof information retention is based on the following guidelines:

• The BS ISO 15489-1:2001 or BS ISO 15489-1:2016 since it was revised in 2016, is a framework for storing digital records in a company. It offers guidance on storing systems and monitoring processes, training for record management and maintaining the associated metadata. When adopting the standards set out within, companies can be assured they are following the General Data Protection Regulation (GDPR). The GDPR which came into effect in 2018 makes it vital for companies to safely store the personal data of living persons. Otherwise, businesses could be facing hefty fines.
• The principles of proper electronic record management.

Now, audit compliance or audit-proof archiving has become a topic outside the world of commerce and taxation. The term is being used more frequently, for example, to denote tamper-proof and long-term storage of electronic information.

Generally, there are 10 features of audit compliance:

1. Completeness: no document shall be lost on the way to the archive.
2. Immutability: all documents are archived unchanged and unchangeably.
3. Regularity: each document must be kept in accordance with legal and organisational guidelines.
4. Retrievability: all information must be retrievable, for example via indexing using metadata.
5. Use only by authorised persons: all information must be archived in such a way that it can only be viewed by authorised persons.
6. Protection against loss: data security must be guaranteed at all times.
7. Respecting retention periods: a document may only be deleted from the archive once its retention period has expired.
8. Documentation: detailed documentation of the archiving process is mandatory, for example to enable smooth migration of the archive.
9. Traceability: all changes to the archive must be recorded so that they can be traced, and restoration is possible.
10. Verifiability: an audit-proof archiving system must be verifiable by a third-party expert at any time.

A digital archive that meets the requirements of audit compliance as described above can pay off for a variety of reasons. On the one hand, an audit-proof archive helps to optimise business processes. Appropriate search mechanisms and an improved information structure ensure that desired documents are available at short notice, so that customer queries can be answered faster, for example.

On the other hand, audit compliance minimises errors when handling important data or documents. Audit-proof electronic archiving ensures that multiple copies of a single document do not exist, and that information is not accidentally deleted.

In general, companies can prevent financial damage and image loss as a result of lost documents or unauthorised access by implementing an audit-proof archiving system.

Anyone who sets up and uses an audit-proof system for the digital storage of documents will likely score points with customers and partners. Certificates that confirm audit security establish trust and are in demand not only to persuade new customers, partners, and investors, but also as a basis for long-term cooperation.

In the UK, tax auditors, experts and tax officials may check whether archived documents are stored in an audit-proof manner and traceable after several years still. Generally, IT departments or those tasked with document management are responsible for storing digital document in a safe manner that adheres to the GDPR. Ultimately, every single employee in a company may be responsible for overseeing document control and archiving.

The advantages of cloud computing have made working in the cloud indispensable for many companies. Storing and archiving files and documents in a cloud storage system is particularly popular with SMEs.

But similar to data protection, audit security tends to be addressed differently by providers of cloud market solutions. In particular, there is broad divergence in the awareness of data protection-compliant and audit-proof storage of information between providers in the US and Europe. An important point of reference for users is therefore whether a cloud service not only observes the GDPR, but also implements the aforementioned basics of record management.

The typical features for audit compliant archiving can be transferred to an audit-proof cloud almost one-to-one. Therefore, the following also apply to cloud storage of data:

• The immutability of stored information must be guaranteed. Providers can achieve this by, among other things, automating the versioning of all cloud data.
• Auditability can be realised in the cloud through a protected activity log that captures all file transfers as well as modifications and deletion processes.
• Securing against file loss is an important point. Cloud providers promise high data security and rely on geo-redundant hardware, encryption, and powerful security software, for example. For audit-proof archiving, the option of an additional backup system should not be forgotten.
• Integrated search functions ensure that cloud storage also fulfils the ‘retrievability’ factor.
• To prevent unauthorised access, cloud storage systems can be equipped with appropriate access management. Based on these management tools, responsible parties can create and assign user roles so that each cloud user can only see, open, and edit documentation that corresponds to their status in the company.