Safeguarding documents: to mitigate risks to sensitive corporate data, internal auditors must pay close attention to controls at the document level

Internal Auditor, April, 2007 by John Landwehr

Much attention is given to the need to manage and secure information stored in an organization's enterprise systems. Although this is critical, it is only half the story. The reality is that as soon as business information is put into documents--product development plans, internal financial analyses, and other confidential materials--it is at risk of being mismanaged or divulged to the wrong people. Disgruntled staff, competitors, and others all pose threats to business processes and information.

Ideally, organizations should give authorized employees and business partners access to business documents where and when they need them, while controlling who views documents and how they are used at all times. This is easier said than done. It is one thing to prevent unauthorized access to internal information systems, and quite another to control information that moves freely inside and outside of an organization.

To address this risk, organizations need to better manage documents and attach controls to them. For internal auditors, these types of controls are critical to restricting the circulation of work performed under attorney-client privilege or to securing documents as part of requirements to establish internal control over end-user computing environments for the U.S. Sarbanes-Oxley Act of 2002. For instance, because many financial documents vital to financial reporting are created or updated outside of an enterprise resource planning system, auditors need to know who has access to these documents and what they can do with them. Otherwise, control processes can break down.

CONFIDENTIALITY

The basic idea behind document-level security is that sensitive materials stay confidential and are managed in highly structured workflows at all times. In the past, organizations have tried passwords and other protections to control documents, but once the file was open, there was little control over what happened to it, who printed it, and who else received it. Document-level security attaches controls that move with a document inside and outside of a corporate firewall. No matter where documents are, managers can specify recipients' access rights and revoke or revise access after documents have been issued. They can also restrict printing, copying, or saving, as well as monitor access and usage history with a complete audit trail.

In addition, documents can be assigned predetermined workflows, helping ensure that materials are routed to the appropriate people in the correct sequence. When users attempt to open protected files or if documents travel outside of intended workflows, Internet-connected client machines automatically check with servers for process verification. Processes resume only after successful validation, and then only in accordance with the permissions granted. If the sequence is interrupted, executives have immediate insight into what happened.

MULTIPLE FORMATS, SYSTEMS, AND PARTNERS

Businesses rely on a wide range of processes and document types, including spreadsheets, engineering designs, product plans, forms, and other materials incorporated into workflow systems. Effective processes have to support confidentiality, integrity, and other protections in a variety of dynamic, auditable documents. Limiting workflows and security to documents created in one type of software application leaves most of an organization's other processes and critical information vulnerable.

Equally challenging is responding to changing business requirements and protecting information as it moves through its life cycle. Information distributed at one time may not be valid three months or even three weeks later. At the same time, organizations depend on a wide network of consultants and suppliers, so security must be maintained across intranets, extranets, and the Web. This is particularly true for internal audit shops that frequently use third-party contractors to augment their teams during busy times, such as during Sarbanes-Oxley or year-end audits. Audit departments may need to implement document-level security to ensure that audit contractors do not misuse access to sensitive documents, including audit programs, workpapers, and evidence.
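The mechanism described in the Confidentiality section (access rights that are checked against a server at open time, revocable after issue, restricted to specific actions, and recorded in an audit trail, with documents routed through a fixed approval sequence) and the life-cycle concern raised above (distributed copies going stale) can be modelled in a few dozen lines. The following Python is an added illustration written for this article, not code from any product the author describes; the document identifier, recipients, rights vocabulary and clock are all constructed for the example. The protected file carries only an identifier; every decision is made server-side, which is what lets an issuer revise access after the file has left the building.

```python
"""Constructed model of server-side, document-level policy enforcement.

A protected file carries only a document identifier. Permissions, expiry,
revocation state and the approval workflow live on the policy server, so an
issuer can change them after distribution and every access attempt is logged.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Rights vocabulary assumed for this example ("approve" advances the workflow).
VALID_ACTIONS = {"view", "print", "copy", "save", "approve"}


@dataclass
class Grant:
    rights: set              # subset of VALID_ACTIONS granted to one recipient
    expires: datetime        # copies are stale after this moment
    revoked: bool = False    # set by the issuer; takes effect on the next check


@dataclass
class Policy:
    grants: dict = field(default_factory=dict)    # recipient -> Grant
    workflow: list = field(default_factory=list)  # approvers in required order
    stage: int = 0                                # index of the next approver


class PolicyServer:
    def __init__(self, clock):
        self.clock = clock      # callable returning an aware datetime (injectable)
        self.policies = {}      # doc_id -> Policy
        self.audit_log = []     # (timestamp, doc_id, recipient, action, outcome)

    def protect(self, doc_id, workflow):
        self.policies[doc_id] = Policy(workflow=list(workflow))

    def issue(self, doc_id, recipient, rights, valid_days):
        unknown = set(rights) - VALID_ACTIONS
        if unknown:
            raise ValueError(f"unknown rights: {sorted(unknown)}")
        expires = self.clock() + timedelta(days=valid_days)
        self.policies[doc_id].grants[recipient] = Grant(set(rights), expires)

    def revoke(self, doc_id, recipient):
        self.policies[doc_id].grants[recipient].revoked = True

    def _record(self, doc_id, recipient, action, outcome):
        """Every decision, allowed or denied, becomes an audit-trail entry."""
        self.audit_log.append((self.clock().isoformat(), doc_id, recipient, action, outcome))
        return outcome == "allowed", outcome

    def _deny_reason(self, doc_id, recipient, action):
        """Return None when the recipient holds a live grant for `action`."""
        policy = self.policies.get(doc_id)
        if policy is None:
            return "denied: unknown document"
        grant = policy.grants.get(recipient)
        if grant is None:
            return "denied: no grant"
        if grant.revoked:
            return "denied: revoked"
        if self.clock() > grant.expires:
            return "denied: expired"
        if action not in grant.rights:
            return f"denied: {action} not permitted"
        return None

    def check(self, doc_id, recipient, action):
        """Called by the client before it performs `action`; returns (allowed, reason)."""
        reason = self._deny_reason(doc_id, recipient, action)
        return self._record(doc_id, recipient, action, reason or "allowed")

    def approve(self, doc_id, recipient):
        """Workflow step: only the approver at the current stage may advance the document."""
        reason = self._deny_reason(doc_id, recipient, "approve")
        if reason:
            return self._record(doc_id, recipient, "approve", reason)
        policy = self.policies[doc_id]
        if policy.stage >= len(policy.workflow):
            return self._record(doc_id, recipient, "approve", "denied: workflow complete")
        if policy.workflow[policy.stage] != recipient:
            return self._record(doc_id, recipient, "approve", "denied: out of sequence")
        policy.stage += 1
        return self._record(doc_id, recipient, "approve", "allowed")

    def audit_trail(self, doc_id):
        return [entry for entry in self.audit_log if entry[1] == doc_id]


def demo():
    """Walk one constructed vendor-request form through its controls."""
    state = {"now": datetime(2007, 4, 1, tzinfo=timezone.utc)}   # controllable clock
    server = PolicyServer(lambda: state["now"])
    doc = "vendor-request-0042"                                  # constructed identifier
    server.protect(doc, workflow=["procurement", "cfo"])
    server.issue(doc, "procurement", {"view", "approve"}, valid_days=30)
    server.issue(doc, "cfo", {"view", "print", "approve"}, valid_days=30)
    server.issue(doc, "contractor", {"view"}, valid_days=7)      # view-only, short-lived

    results = {}
    results["contractor_view"] = server.check(doc, "contractor", "view")
    results["contractor_print"] = server.check(doc, "contractor", "print")
    results["cfo_out_of_order"] = server.approve(doc, "cfo")        # CFO before procurement
    results["procurement_approve"] = server.approve(doc, "procurement")
    results["cfo_approve"] = server.approve(doc, "cfo")
    server.revoke(doc, "contractor")                                # engagement ends
    results["contractor_after_revoke"] = server.check(doc, "contractor", "view")
    state["now"] += timedelta(days=31)                              # copies go stale
    results["cfo_after_expiry"] = server.check(doc, "cfo", "view")
    results["audit_entries"] = len(server.audit_trail(doc))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point to take from the model is where the state lives: nothing in the file itself grants access, so losing a copy does not lose control, and the audit trail is produced by the server on every attempt rather than reconstructed later from client logs. A real deployment would additionally encrypt the document content and release the key only on an allowed decision; that part is omitted here.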

Recently, a large oil and gas exploration company was having difficulty managing its processes for bringing on new vendors. The company received repeated warnings during audits because its internal control processes needed to be improved. The problems resulted largely from the organization's reliance on outdated processes for approving new vendors. Typically, requests to add vendors required staff to complete Microsoft Excel spreadsheets, Word documents, and other materials that were e-mailed to several managers for review. In many cases, paper forms were routed, making review cycles even more time-consuming and harder to track. Further complicating the process, new vendor request forms were often missing critical data, requiring procurement managers to continually circulate materials for additional input.


Content provided in partnership with Thompson Gale