On the Road to E-discovery Compliance
Data discovery best practices can provide organizations with a winning strategy for handling requests for electronically stored information.
Sridhar Sambasivam, CIA, CA
Senior Project Manager
Although use of electronic media, such as e-mails, external flash drives, and instant messaging software, is enabling organizations to have ready access to all kinds of information, many companies worry about the legal ramifications of storing sensitive and confidential data that could be used against them in a court of law. In the United States, recent amendments to the U.S. Federal Rules of Civil Procedure (FRCP) require organizations to assess their ability to respond in a legally defensible manner to data discovery requests. In addition, as organizations expand globally, they need to be ready at all times to provide information that could be requested as evidence in a legal proceeding. As part of their work, internal auditors are in the best position to recommend policies and best practices that can prepare organizations to respond to a data discovery request. But first, auditors need to have a basic understanding of what constitutes e-discovery and how it can impact their organization.
E-discovery costs can be daunting, especially if potential penalties for violating FRCP requirements are added to the equation. When organizations use a reactive approach, such as waiting until discovery is required, compliance efforts can turn into a time-consuming and costly endeavor. As a result, organizations need to take a closer look at the volume and file sizes of currently used and stored information, the data's ease of transmission, any information redundancies and formats, and the data retrieval methods in use.
What Is E-discovery?
E-discovery is the overall process of retrieving, collecting, and producing electronically stored information (ESI) that can be used during a legal proceeding. The American Bar Association defines ESI as any information that is created, stored, or best used with any kind of computer technology.
Common types of ESI include e-mail and e-mail attachments, text documents, word processing documents, presentations, PDF documents, spreadsheets, Web pages, graphics, images, voice mail, fax documents, and cell phone data. Sources of active and archived ESI include information stored on e-mail servers as well as:
- Computer networks.
- Enterprise resource planning (ERP) applications.
- Voice mail applications.
- Backup tapes and flash drives.
- Individual laptops, desktops, and wireless devices, such as personal digital assistants, pagers, and cell phones.
Instead of taking a reactive approach, internal auditors can help organizations by providing recommendations that enhance existing e-discovery policies or address key e-discovery concerns as identified by the organization's legal, compliance, and IT staff. Examples of e-discovery activities auditors can recommend include:
- Forming an e-discovery response team that consists of the organization's legal, IT, and internal audit staff, and representatives from key business groups.
- Preparing an e-discovery policies and procedures document that educates staff on how to safeguard and produce relevant e-discovery data.
- Centralizing, simplifying, and reviewing backup, retention, and data destruction policies by identifying the location of relevant data sources, their owners, and the activities that are taking place (e.g., configuration changes and backup schedules).
- Identifying whether data retention and destruction policies comply with local laws and regulations and are communicated to all business units and divisions.
- Mapping and grouping related documents as clusters and keeping data in its original format to limit conversion costs.
- Analyzing documents to determine the data's relationship and relevance to the case.
- Reviewing and finalizing data formats to produce relevant data based on the formats agreed by the parties involved in the legal case. For example, relevant electronic information may be requested in a hard copy, PDF, or XML format.
To become an even more active part of the e-discovery process, auditors can help management determine the organization's compliance with backup, retention, and destruction policies and whether appropriate approvals exist for policy changes. In addition, auditors can review retention policies to identify whether policy changes meet business needs and follow established change management channels. This, in turn, highlights any risks the organization might face due to noncompliance with legal requirements.
Furthermore, auditors can review IT mapping documentation on servers, applications, and processes to assess critical servers and changes that are relevant to litigation. Reviewing IT mapping documentation also enables auditors to assess whether expiration dates on retention media comply with retention and data destruction policies and the steps taken to prevent accidental data damage or loss. Finally, auditors can identify the organization's level of compliance with recovery policies by reviewing documentation of recovery tests from backup media and performing periodic reviews of off-site storage media inventories, their availability, and the controls to prevent accidental losses of backup data.
THE ROLE OF AUDITORS
For the e-discovery plan to be effective, electronically stored information (ESI) policies and procedures must be incorporated that address the organization's discovery needs. To this end, internal auditors should:
Periodically review backup, retention, and data destruction policies. These policies affect all records produced in the course of normal business operations. During this process, auditors should document any gaps that exist between the retention policy and actual compliance with the policy, for example by reviewing retention schedules, tape rotations, and off-site inventories of monthly backup tapes. At the same time, it is important to determine whether media expiration dates conform to approved retention policies and to identify who approves the configuration, change, and override of backup and retention policies, to ensure appropriate security procedures are followed.
Document the organization's IT environment. Auditors need to review information residing in all business locations, including critical servers, as well as the kinds of information stored and generated, how much information is stored and backed up, how long backup tapes are kept, and who owns the data. To perform this last step, auditors need to document the contact information of those responsible for the data along with information on the key applications and process flow maps on each critical server. Furthermore, auditors need to interview key personnel to determine whether they are using storage methods other than those used by the IT department. This exercise will help the e-discovery response team identify ESI sources and have up-to-date documentation to readily respond to e-discovery requests.
Determine the effectiveness of the organization's e-discovery communication plan. When the organization becomes aware of possible litigation, it is the legal department's duty to notify employees of their obligation to preserve data. More specifically, employees should be informed periodically of the possible litigation, the business areas and categories of documents that could be subject to litigation requests, and the requirements to preserve relevant documentation.
When a litigation hold is issued, auditors need to review compliance with document destruction procedures. In particular, employees need to suspend all data destruction activities that would take place absent the litigation. Document destruction procedures include modified retention policies and media expiration dates. Auditors need to closely monitor litigation holds because failure to produce active or archived data relevant to the case can result in fines or sanctions on the organization.
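The retention-schedule review described above (media expiration dates versus the approved policy, and destruction suspended once a litigation hold is issued) can be reduced to a mechanical check over an off-site inventory. The following script is an added illustration, not part of the article or any product the author describes: the retention periods, hold notice, tape records and finding codes are all constructed for the example, and a real review would load the vendor's inventory export and the legal department's hold notice instead.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Constructed retention policy: days each media category is kept before destruction.
# These periods are assumptions for the example, not any organization's schedule.
RETENTION_DAYS = {
    "monthly_backup": 365,
    "email_archive": 7 * 365,
}

# Finding codes produced by the audit.
NO_POLICY = "NO_POLICY"                        # category has no retention rule at all
EARLY_DESTRUCTION = "EARLY_DESTRUCTION"        # destroyed before the policy expiration date
DESTROYED_UNDER_HOLD = "DESTROYED_UNDER_HOLD"  # destroyed after a litigation hold covered it
OVERDUE_NO_HOLD = "OVERDUE_NO_HOLD"            # past expiration, still held, no hold justifies it


@dataclass
class MediaRecord:
    tape_id: str
    category: str
    created: date
    destroyed: Optional[date]  # None: still in the off-site inventory
    custodian: str


@dataclass
class LitigationHold:
    matter: str
    categories: Set[str]  # media categories whose destruction the hold suspends
    issued: date


def expiration_date(rec: MediaRecord, policy=RETENTION_DAYS) -> Optional[date]:
    """Policy expiration of one tape, or None when its category has no rule."""
    days = policy.get(rec.category)
    return None if days is None else rec.created + timedelta(days=days)


def audit_inventory(records: List[MediaRecord], holds: List[LitigationHold],
                    as_of: date, policy=RETENTION_DAYS) -> List[Tuple[str, str]]:
    """Compare an inventory against the retention schedule and the holds in force."""
    findings = []
    for rec in records:
        expires = expiration_date(rec, policy)
        if expires is None:
            findings.append((rec.tape_id, NO_POLICY))
            continue
        # Holds that cover this tape's category and were issued on or before the review date.
        covering = [h for h in holds if rec.category in h.categories and h.issued <= as_of]
        if rec.destroyed is not None:
            if rec.destroyed < expires:
                findings.append((rec.tape_id, EARLY_DESTRUCTION))
            for hold in covering:
                if rec.destroyed >= hold.issued:
                    findings.append((rec.tape_id, DESTROYED_UNDER_HOLD))
        elif expires < as_of and not covering:
            # Expired media still on the shelf with no hold is a destruction-policy gap.
            findings.append((rec.tape_id, OVERDUE_NO_HOLD))
    return findings


# Constructed sample inventory and hold notice (not real data).
SAMPLE_RECORDS = [
    MediaRecord("T-001", "monthly_backup", date(2023, 1, 15), None, "ops"),
    MediaRecord("T-002", "monthly_backup", date(2023, 2, 1), date(2024, 4, 10), "ops"),
    MediaRecord("T-003", "email_archive", date(2020, 5, 1), date(2024, 5, 1), "messaging"),
    MediaRecord("T-004", "monthly_backup", date(2022, 12, 1), None, "ops"),
    MediaRecord("T-005", "email_archive", date(2016, 1, 1), None, "messaging"),
    MediaRecord("T-006", "legacy_system", date(2019, 3, 3), None, "unknown"),
]
SAMPLE_HOLDS = [LitigationHold("Matter-42", {"monthly_backup"}, date(2024, 3, 1))]

if __name__ == "__main__":
    for tape_id, code in audit_inventory(SAMPLE_RECORDS, SAMPLE_HOLDS, as_of=date(2024, 6, 30)):
        print(tape_id, code)
```

Note the two tapes that produce no finding: T-001 and T-004 are past their policy expiration, but a hold now covers their category, so keeping them is the correct outcome and the check stays quiet. T-002 is the case the article warns about: destroyed after the hold notice went out, which is the kind of gap that leads to sanctions.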
During litigation, determine whether employees are preserving the integrity of relevant material (i.e., is relevant data being altered, deleted, or destroyed?). To ensure the integrity of requested information, auditors can recommend that organizations explain the consequences of noncompliance with litigation holds, including negative sanctions against the employee and the company. Auditors also could randomly interview employees regarding their awareness of existing litigation holds and recommend that the e-discovery response team review the applications used to manage electronic data and the systems or data that are not in use, as dormant systems may become active as part of the discovery process. Because regular communication between the response team and IT team is vital to data preservation, auditors need to determine if IT processes deal with litigation holds as well.
Recommend that legal and IT staff understand the format in which electronic data is to be produced and whether existing software can perform this task. To this end, auditors need to review IT general controls over computer operations, backups, data access, and program changes to monitor compliance and ensure data integrity. In addition, auditors need to determine whether IT managers are providing guidance on the process needed to obtain requested electronic information and if safeguards exist on IT assets to protect sources of relevant data.
Recommend that legal staff pay close attention to hidden document information, or metadata, that might be relevant to the e-discovery request. For example, Microsoft Word documents typically include the user's name, comments, and tracked changes that are not displayed, while Excel worksheets could include hidden columns, embedded objects, and notes. Because the discovery request might require that documents be provided in their native format, it is possible for the documents to contain confidential information. Auditors can work closely with legal counsel to help the company minimize the risk of disclosing confidential information.
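The hidden content listed above (author names, comments, tracked changes, hidden columns and sheets, embedded objects) lives in well-defined parts of a Word or Excel file, since both formats are zip packages of XML parts. The inspector below is an added example written for this page, not code from the article or from Microsoft; it reads a package from memory and reports what a reviewer would need to decide on before producing the file in native format. The two sample packages it builds are constructed stubs containing only the parts the inspector reads, and the names `j.doe`, `reviewer-2` and `Salaries` are invented.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces for core properties, Word bodies and Excel workbooks/sheets.
NS = {
    "dc": "http://purl.org/dc/elements/1.1/",
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
    "s": "http://schemas.openxmlformats.org/spreadsheetml/2006/main",
}


def inspect_ooxml(data: bytes) -> dict:
    """Report hidden content in a .docx/.xlsx package without modifying it."""
    report = {"authors": [], "has_comments": False, "tracked_changes": 0,
              "hidden_columns": 0, "hidden_sheets": [], "embedded_objects": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        # Core properties carry the creator and the last editor of the document.
        if "docProps/core.xml" in names:
            core = ET.fromstring(pkg.read("docProps/core.xml"))
            for tag in ("dc:creator", "cp:lastModifiedBy"):
                el = core.find(tag, NS)
                if el is not None and el.text:
                    report["authors"].append(el.text)
        # Word comments sit in word/comments.xml, Excel notes in xl/comments1.xml, etc.
        report["has_comments"] = any(
            n.rsplit("/", 1)[-1].startswith("comments") and n.endswith(".xml") for n in names)
        report["embedded_objects"] = [n for n in names if "/embeddings/" in n]
        # Tracked changes are <w:ins> and <w:del> elements in the Word body.
        if "word/document.xml" in names:
            body = ET.fromstring(pkg.read("word/document.xml"))
            report["tracked_changes"] = sum(
                1 for tag in ("ins", "del") for _ in body.iter(f"{{{NS['w']}}}{tag}"))
        # Excel flags hidden sheets in the workbook part and hidden column ranges per sheet.
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(pkg.read("xl/workbook.xml"))
            report["hidden_sheets"] = [sh.get("name") for sh in wb.findall("s:sheets/s:sheet", NS)
                                       if sh.get("state") in ("hidden", "veryHidden")]
        for n in names:
            if n.startswith("xl/worksheets/") and n.endswith(".xml"):
                sheet = ET.fromstring(pkg.read(n))
                for col in sheet.findall("s:cols/s:col", NS):
                    if col.get("hidden") in ("1", "true"):
                        report["hidden_columns"] += int(col.get("max")) - int(col.get("min")) + 1
    return report


def findings(report: dict) -> list:
    """Flatten a report into the items legal counsel must clear before production."""
    out = []
    if report["authors"]:
        out.append("author/editor names: " + ", ".join(report["authors"]))
    if report["has_comments"]:
        out.append("comments or notes present")
    if report["tracked_changes"]:
        out.append(f"{report['tracked_changes']} tracked-change element(s)")
    if report["hidden_columns"]:
        out.append(f"{report['hidden_columns']} hidden column(s)")
    out += [f"hidden sheet: {name}" for name in report["hidden_sheets"]]
    out += [f"embedded object: {obj}" for obj in report["embedded_objects"]]
    return out


# Constructed sample packages (not real documents): only the parts the inspector reads.
CORE_XML = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            '<dc:creator>j.doe</dc:creator><cp:lastModifiedBy>reviewer-2</cp:lastModifiedBy>'
            '</cp:coreProperties>')
DOC_XML = (f'<w:document xmlns:w="{NS["w"]}"><w:body><w:p>'
           '<w:ins w:id="1" w:author="j.doe"><w:r><w:t>new</w:t></w:r></w:ins>'
           '<w:del w:id="2" w:author="j.doe"><w:r><w:delText>old</w:delText></w:r></w:del>'
           '</w:p></w:body></w:document>')
WB_XML = (f'<workbook xmlns="{NS["s"]}"><sheets><sheet name="Data" sheetId="1"/>'
          '<sheet name="Salaries" sheetId="2" state="hidden"/></sheets></workbook>')
SHEET_XML = (f'<worksheet xmlns="{NS["s"]}"><cols><col min="1" max="1" width="12"/>'
             '<col min="3" max="4" hidden="1"/></cols><sheetData/></worksheet>')


def build_sample(kind: str) -> bytes:
    """Build a minimal constructed .docx or .xlsx package in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("docProps/core.xml", CORE_XML)
        if kind == "docx":
            pkg.writestr("word/document.xml", DOC_XML)
            pkg.writestr("word/comments.xml", f'<w:comments xmlns:w="{NS["w"]}"/>')
            pkg.writestr("word/embeddings/oleObject1.bin", b"\x00")
        else:
            pkg.writestr("xl/workbook.xml", WB_XML)
            pkg.writestr("xl/worksheets/sheet1.xml", SHEET_XML)
            pkg.writestr("xl/comments1.xml", f'<comments xmlns="{NS["s"]}"/>')
    return buf.getvalue()


if __name__ == "__main__":
    for kind in ("docx", "xlsx"):
        print(kind, findings(inspect_ooxml(build_sample(kind))))
```

Running the inspector over a real production set is a triage step, not a cleanup: it tells counsel which files carry hidden content, and the decision to redact, convert to a flat format, or produce natively still rests with them, in line with the formats agreed by the parties.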
Document the steps that will be taken to respond to e-discovery requests and the results of recovery tests. Identifying this information will enable auditors to determine what can and cannot be accomplished in-house given existing resources and the budget impacts resulting from data preservation requirements, such as using additional IT servers, adding disk space, or hiring new employees and consultants.
Review existing backup controls, reports, and inventories of media stored off site. This will help auditors determine the effectiveness of backup operations and better understand the entire data's life cycle — from its creation to its processing, storage, and destruction.
MORE THAN COMPLIANCE
Failing to prepare for an e-discovery request can result in high fines and sanctions against the organization and its employees. As a result, organizations need to have a process in place to preserve potentially relevant information. Auditors can play a vital role in managing litigation risks and help organizations take a proactive approach to e-discovery by recommending strategies that address key data retention, storage, destruction, and recovery concerns. Regular audits of backup and retention policies will provide information on the organization's efforts to preserve electronic information and the effectiveness of electronic information systems. More important, audit information can help organizations implement an e-discovery process that provides a winning strategy for handling ESI in a coordinated and effective manner.
Sridhar Sambasivam, CIA, CA, is a senior project manager with Midas International's IT department, where he works on strategy, governance, risk, and compliance services issues. Sridhar has more than 15 years' experience in information systems operations and management and oversees audits of IT general controls for Midas.