Audit Pins & Needles
What storage needs is a broad, precedent-setting enforcement action on compliance to set some boundaries
May 30, 2007
"SOX will be expanded to include private companies within five years," predicted a storage user at last week's Interop conference.
Vegas delusions or insider wisdom?
Either way, the prediction underscored an aspect of data management and compliance: There's no real roadmap for what regulators are looking for today, much less five years from now.
When I asked a couple of users if they build audit logs a certain way or follow any sort of template, they essentially shrugged. Unlike with tax returns or quarterly filings, there are no "generally accepted accounting principles" where Sarbanes-Oxley, HIPAA, or SB 1386 are concerned.
Efforts are underway to streamline SOX reporting and help companies focus more on ledger fraud and accounting irregularities than backup issues. (See New Rules May Ease SOX Audits.) But this is unlikely to mute the complaints about the additional expense SOX and other compliance reporting imposes on companies, public or private.

All the same, I get the sense that enterprises are shooting in the dark when it comes to demonstrating compliance or heading off an audit. The most common statement I heard at Interop was that users think regulators want to see consistent, detailed logs. Fair enough. Is that for both the ERP servers that handle orders and inventory and generate invoices, and for the email servers that deliver them? One retailer I talked to said email servers aren't material because they're more of a pipe than an actual system that requires monitoring.
While I find the logic there a bit dubious, I guess as long as it's consistently applied, it works. I suppose it's about as logical as this statement from the real estate agent who sold me my first house: "The IRS targets schoolteachers and clergy for auditing because they know they'll talk about them publicly and discourage others who might be tempted to cheat on their taxes," said the realtor (and former teacher).
Suburban legend or grounded in fact? Who knows. But it strikes me that data center professionals (and plenty of storage vendors) are on pins and needles, wondering where auditors and regulators are going to draw a line, any line. So-called experts like to point to the $15 million fine Morgan Stanley drew for its inability to produce archived emails in a timely manner. (See A Fine Mess.)
Was this the Martha Stewart case of storage compliance? It was headline-getting, and to my realtor's point, it certainly got people talking. Was it the last big case? No, especially if privately held companies get to join in the compliance fun.
— Terry Sweeney, Editor in Chief, Byte and Switch