AUDITING THE CONTROL OF ELECTRONIC RECORDS
Electronic records consist of the process output data combined with the electronic formats that house the data. These electronic formats range from simple spreadsheet documents to more complex database applications.
Auditors should be aware that the control elements that organizations establish for electronic forms are not necessarily the same as those that apply to electronic records. For example, with respect to “Identification”, in the case of electronic forms, the term refers to the nomenclature of the electronic form itself. When “Identification” is considered in the case of an electronic record, it refers to the unique use of the electronic form for a given data set.
Auditors should review the methods employed by the organization for capturing data, in order to ensure that data entry activities provide sufficient confidence in the accuracy of the data.
When evaluating the organization's controls with regard to storage of records, auditors should verify whether organizations have an understanding of their storage capacity versus:
- the rate of record generation,
- record retention policies and associated timeframes,
- the rate of record disposal,
as these factors may impact the proper functioning of the electronic-based QMS.
Given that the knowledge base and the performance of the organization may be almost entirely in electronic records, auditors should review the organization's approaches for securing the information held by electronic means. For more information on Information Security see ISO/IEC 17799.