Audits and Your eDiscovery Provider Trust but Verify

By Tom MacKenzie – Vice President, Client Services

Stuff happens … especially in the world of eDiscovery. Volumes are growing, deadlines are shrinking and processing has become more advanced and complex. With this growing complexity comes an increase in the chances that something will go wrong. In short, identifying and processing relevant data keeps a host of eDiscovery professionals awake at night.

We’ve all heard or read about high-profile eDiscovery blunders that resulted in embarrassing and costly outcomes. They happen far too often and can leave a swath of havoc in their path. Even the “small” blunders that don’t make the headlines can be very expensive and waste precious time. Big or small, eDiscovery blunders have one thing in common: they can usually be traced back to a breakdown in a process or a control. More than ever, eDiscovery service providers have a tremendous responsibility for the accuracy and timeliness of the ultimate document production. No matter how much you’d like to watch everything your service providers do, you just can’t. You need to be able to trust that they know what they’re doing and that they do the right things consistently and accurately.

How do you do that? How can you be sure that an outsourced provider is doing what they promised? Former President Reagan may have come up with the answer … something he said often about U.S. relations with the Soviet Union: “Trust, but verify.” In essence, require that your eDiscovery service providers conduct independent audits that attest to the fact that they have relevant and sound processes and controls in place … and proof that they effectively and consistently follow them.

Square Peg In a Round Hole

For more years than most of us can remember, the most common and respected audit performed and touted has been the Statement of Auditing Standards No. 70 (SAS 70), an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). The SAS 70 audit originally was designed to focus on financial controls; however, because of the needs of service organizations to demonstrate a broader range of risk management activities, SAS 70 has often taken on the expanded role of auditing non-financial operational controls. While some service organizations have claimed to be SAS 70 “Certified” or SAS 70 “Compliant,” truthfully, there is no such thing. Regardless, SAS 70 audits have tried to serve a purpose for which they were never intended or designed, and somehow we all got comfortable with that.

©2013, Technology Concepts & Design, Inc.

The New Rules of Service Provider Audits

There is good news. In an effort to provide users of outsourced services with relevant information regarding entity controls within the service organizations they use, the AICPA has developed a new series of reporting options that represent the evolution of SAS 70. These three new reports are called Service Organization Control Reports, or “SOC” reports, and they provide more appropriate assurances to the people and organizations that use them. To help eliminate SAS 70 misunderstandings and to better conform U.S. standards to international standards, the AICPA’s Auditing Standards Board issued a new attestation standard called the Statement on Standards for Attestation Engagements No. 16 (SSAE 16). An audit report issued in accordance with SSAE 16 is known as a SOC 1 report and requires auditors to obtain the same level of evidence and assurance on the service organization’s financial controls as in previous SAS 70 engagements.

The SOC Reports at-a-Glance

• SOC 1: Requires auditors to obtain the same level of evidence and assurance on the service organization’s financial controls as in previous SAS 70 engagements.
• SOC 2, Type 1: Provides broad information and assurance about the controls affecting security, availability, processing integrity, confidentiality and privacy of information.
• SOC 2, Type 2: Provides broad information and assurance about the controls affecting security, availability, processing integrity, confidentiality and privacy of information, plus a description of the auditor’s tests and test results.
• SOC 3: Focuses on the non-financial controls that affect security, availability, processing integrity, confidentiality and privacy of information. SOC 3 reports are not as detailed as SOC 2 reports and do not attest to adherence to controls.

But you say you don’t rely on your eDiscovery provider for financial reporting and you’re more interested in how they manage and handle your data? That’s where SOC 2 and SOC 3 come in. SOC 2 and SOC 3 reports are issued under the Attestation Standards section 101 (AT 101), which is a series of general provisions and requirements that provide guidance for auditing professionals who assess service organizations. SOC 2 reports are intended to provide broader information and assurance about controls that affect the security, availability, processing integrity, confidentiality and privacy of information managed by a service provider organization. There are two types of SOC 2 engagements: a SOC 2 Type 1 report provides a description of the processes and controls in place in a service organization; the SOC 2 Type 2 report provides the same description of the processes and controls in place but also contains a description of the auditor’s tests and test results covering a defined period of time. Since the Type 2 report confirms that your service provider has the appropriate controls in place and proof that they are adhering to them, the Type 2 report should be considered the more telling of the two reports.

SOC 3 reports are intended for more general use, but they also focus on the non-financial controls that affect security, availability, processing integrity, confidentiality and privacy of information managed by service organizations. SOC 3 reports, however, are shorter and contain less detail than SOC 2 reports; they also do not have a Type 2 report option attesting to the adherence of controls. As a general-use report, however, SOC 3 reports can be broadly and publicly distributed.

Not All eDiscovery Providers are Created Equal

There is a long list of eDiscovery service providers currently in the market … all of whom are trying to convince clients that their services not only are the best on the market, but tried, tested and unshakeable. However, that may not be the reality. A service provider is entrusted with a tremendous amount of responsibility when engaged in an eDiscovery project. As a client, you trust that they have the right knowledge, processes and controls in place to perform their duties in a sound (defensible) and consistent (reproducible) manner. If so, the result will be a complete and accurate final production; if not, your data, your production and possibly your career are at risk. Either way, the client is ultimately responsible for the quality of that service provider’s work and for the final production that someone else will be certifying. Remember former President Reagan’s advice? “Trust, but verify.” The best and most efficient way to verify is not complicated; nor is it a mystery. In truth, it’s quite simple: request audits of any service provider with whom you plan to do business. Period. An independent audit is a great look under the hood to ensure things are as they should be. It’s a component of due diligence that should not be discounted. And, if you find yourself involved in discovery about discovery, the 30(b)(6) deposition may deal with a lot of questions covered in a thorough independent audit.

So, What Should You Know About Their Services?

There is a very broad range of services for which an independent audit would provide great insight and peace of mind. Hosted providers tend to attract a lot of scrutiny because clients turn over data to house and manage through some very critical processes that will eventually end in the official production.


When evaluating a service provider, you want to know:

• Does this service provider properly hire, train and supervise the people that work on your project?
• During the collection of data, are appropriate processes and software used to ensure the level of forensic defensibility the case requires?
• Are there chain-of-custody controls in place that include documentation of all process and quality control steps?

What about the processing of your data?

• Do technicians follow established guidelines that account for the specific project requirements for the culling, filtering and full processing of the data involved?
• Are processes followed for the management of errors and exceptions, and is your provider appropriately tracking, reporting and resolving any anomalies?
• Was all the data you sent accounted for within the culling and processing phase?
• Was everything loaded to the review database that should have been, and is there evidence that proper quality control confirms it?

What about ongoing monitoring of hardware and software … or even the system performance itself?

• Are there appropriate redundancies to reduce network connectivity, hardware, power-source and server failures?
• Are there procedures in place that will prevent the accidental or intentional destruction of data?
• Are backup and recovery procedures appropriate and tested?

What about the logical and physical security of your data?

• What physical security and environmental controls has your provider implemented to protect your data?
• What kind of provisions do they have in place that provide logical access security only by authorized persons?
• Is the firewall configuration protecting your data from unauthorized access coming in from the Internet as well as unauthorized access from within your provider’s network?
• Is there adequate protection against unauthorized access, alteration or manipulation of the network or database?
• Are there processes and systems in place for intrusion detection, or better yet, intrusion prevention?
• And, if a data breach should occur, are there procedures in place that assure appropriate incident response and resolution?


What about the software used on your data?

• Does your provider develop and maintain the software used on your data? If so, what controls are in place for the life-cycle management of that software?
• Is the software developed using secure application development standards?
• Is the code peer reviewed, documented and, when complete, maintained in a code repository?
• What is the process for “Hot Changes” or emergency fixes?
• And, what is the process for reporting and tracking the resolution of software “bugs” and the software versions in which the bug patches were installed?

This may seem like a lot of questions; in truth, it may only represent the tip of the iceberg. With an infinite number of critical moving parts throughout the course of an eDiscovery project, the door is wide open to mistakes. Stuff happens. There’s no way to be 100% certain that your eDiscovery service provider will operate flawlessly. One key measure to ensure that breakdowns in processes, procedures and infrastructure remain at a minimum is partnering with an eDiscovery provider who is focused on understanding and helping you manage your risks. A critical part of their ability to demonstrate such focus and attention is through independent audits and assessments of their organization. With proof that your service provider has the proper controls in place and that those controls are being followed, you have a much better chance of having the kind of experience that leads to sleeping well at night.

ABOUT THE AUTHOR: Tom MacKenzie, TCDI Vice President of Client Services, is responsible for providing strategic and operational direction to TCDI’s Project Management Teams as they establish and maintain long-term client engagements and partnerships. Tom also serves as a member of TCDI’s Product Planning and Product Management teams, providing insight and direction to the feature-enhancement efforts of TCDI products. Tom holds a Bachelor’s degree from the University of Colorado with an educational focus in Behavioral Development and Business. He also holds the Certified eDiscovery Specialist (CEDS) designation, a program of study and examination sponsored by the Association of Certified eDiscovery Specialists (ACEDS).

ABOUT TCDI: Since 1988, TCDI® has partnered with large corporations and law firms to provide advanced litigation support software and services for eDiscovery, hosted Review & Production, and large-scale Litigation Case-File Management. The company combines advanced technology and automation with superior client partnerships and has been a technology partner in some of the largest litigation in U.S. history. To learn more about TCDI’s commitment to reducing client risk through standards, controls and the SOC 2 audit process, visit us at tcdi.com/about-us/risk-reduction.


tcdi.com

888.823.2880
