Does Your Current Backup System Meet Federal Regulations?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, mandates that all covered entities fulfill certain requirements for data backup, storage, and recovery; the Sarbanes-Oxley Act (SOX) holds many publicly held companies and all Registered Public Accounting Firms to a rigorous set of standards.

These rules set guidelines for how data should be stored, accessed, and retrieved.

In response to an explosion of major corporate benefits and accounting scandals in recent years, Congress passed two laws regulating the storage and reporting of internal data. The first impact was felt in corporate America by the passage of the Health Insurance Portability and Accountability Act (HIPAA) in 1996.

The Administrative Simplification (AS) provisions of HIPAA mandated national standards for electronic health care transactions and identifiers for providers, health insurance plans, and employers.

Under HIPAA, an IT audit most often is performed in conjunction with a financial statement audit or an internal audit. Evidence is collected and evaluated concerning an organization’s information systems, practices, and operations to determine whether those systems record and maintain accurate, reliable data.

An IT audit doesn’t focus on internal controls in the way a financial audit does. Rather, it seeks to determine risks relevant to information assets, and to assess whatever controls are in place to eliminate or reduce those risks. The focus of an IT audit is on evaluating a system’s availability, confidentiality and integrity.

The Sarbanes-Oxley Act of 2002 created (among other oversight regulations) the Public Company Accounting Oversight Board (PCAOB), which addresses the role IT plays in a company’s internal controls. The PCAOB’s “Auditing Standard 2″ states: “The nature and characteristics of a company’s use of information technology in its information system affect the company’s internal control over financial reporting,” and its provisions are targeted toward seeing that those controls and reporting are legitimate and accurate.

Under this law, auditors audit key and general controls, with “key” controls being those that are key to ensuring that numbers shown on the company’s balance sheet are authentic. (For instance, there might be a trigger on a database table to ensure that adding any entry into the accounts receivable table automatically creates an entry into the general ledger.) The person held accountable for seeing that these regulations are met is the company’s Chief Information Officer (CIO).Given the breadth and complexity of current federal law governing storage and maintenance of IT data, prudent business owners will take whatever steps necessary to assure their IT systems and controls meet or exceed regulations. Taking the time today to ascertain that your online offsite backup system complies with federal regulations will save you countless intrusive and costly auditing headaches, down the road.