Literary Warrant for Functional Requirement #2a
This requirement derives from the law, customs, standards and
professional best practices accepted by society and codified in the literature of different professions concerned with records and
recordkeeping. The warrant is as follows:
Citation Department of Health and Human Services Food and Drug
Administration 21 CFR Part 11 [Docket No. 92N-0251] Electronic Signatures;
Electronic Records
Pages 11.10
Extract Controls for closed systems. Closed systems used to create, modify, maintain, or transmit
electronic records shall employ procedures and controls designed to ensure the authenticity, integrity,
and confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the
signed record as not genuine. Such procedures and controls shall include the following: (k) Use of
appropriate systems documentation controls including: (i) Adequate controls over the
distribution, access to, and use of documentation for system operation and maintenance. (ii)
Records revision and change control procedures to maintain an electronic audit trail that documents
time-sequenced development and modification of records.
Citation Statements on Auditing Standards 55. Consideration of the Internal Control Structure in a Financial
Statement Audit
Pages 30
Extract Assessing control risk at below the maximum level involves - Identifying specific internal control
structure policies and procedures relevant to specific assertions that are likely to prevent or detect
material misstatements in those assertions. Performing tests of controls to evaluate the effectiveness of
such policies and procedures.
Citation Statements on Auditing Standards 55. Consideration of the Internal Control Structure in a Financial
Statement Audit
Pages 11
Extract Control procedures are those policies and procedures in addition to the control environment and
accounting system that management has established to provide reasonable assurance that specific entity
objectives will be achieved. Control procedures have various objectives and are applied at various
organization and data processing levels. They may also be integrated into specific components of the
control environment and the accounting system. Generally, they may be categorized as procedures that
pertain to - Independent checks on performance and proper valuation of recorded amounts, such as
clerical checks, reconciliation, comparisons of assets with recorded accountability, computer-programmed
controls, management review of reports that summarize the detail of account balances (for example, an
aged trial balance of accounts receivable), and user review of computer-generated reports.
Citation 36 CFR Part 1234 -- Electronic Records Management. Subpart C -- Standards for
the Creation, Use, Preservation, and Disposition of Electronic Records
Pages 1234.20
Extract (b) Agencies shall maintain adequate and up-to-date technical documentation for each electronic
records system that produces, uses, or stores data files. Minimum documentation required is a narrative
description of the system; physical and technical characteristics of the records, including a record layout
that describes each field including its name, size, starting or relative position, and a description of the
form of the data (such as alphabetic, zoned decimal, packed decimal, or numeric), or a data dictionary
or the equivalent information associated with a data base management system including a description of
the relationship between data elements in data bases; and any other technical information needed to read
or process the records.
Citation Quality systems - Model for quality assurance in design/development, production, installation and
servicing. ISO 9001:1987.
Pages 4.16
Extract The supplier shall establish and maintain procedures for identification, collection, indexing, filing,
storage, maintenance and disposition of quality records.
Citation American Institute of Certified Public Accountants. Statements on Auditing Standards 55.
Consideration of the Internal Control Structure in a Financial Statement Audit. Appendix A
Pages .5
Extract These methods affect the understanding of reporting relationships and responsibilities established
within the entity. Methods of assigning authority and responsibility include consideration of
...Computer systems documentation indicating the procedures for authorizing transactions and approving
systems changes.
Citation American Institute of Certified Public Accountants. Statements on Auditing Standards 55.
Consideration of the Internal Control Structure in a Financial Statement Audit. Appendix A
Pages .6
Extract Management Control Methods. These methods affect management's direct control over the
exercise of authority delegated to others and its ability to effectively supervise overall company
activities. Management control methods include consideration of ...Establishing and monitoring policies
for developing and modifying accounting systems and control procedures, including the development,
modification, and use of any related computer programs and data files.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
5, Managing Info. & Developing Systems, 1991
Pages 5-11
Extract AUDIT CONSIDERATIONS. The internal auditor should examine the systems planning process
and obtain reasonable assurance that the following objectives are met: There are defined and
implemented standards, procedures, and policies for developing and maintaining data and
applications.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
4, Managing Computer Resources, 1991
Pages 4-103,4
Extract Controls include the following: * Documentation - Maintenance of on-line documentation of
operating system configuration tables, written procedures, guidelines, etc. - Comprehensive
documentation of operating system and other systems software exists and modifications -
Comprehensive documentation of the contingency plan and the disaster recovery process -
Comprehensive documentation of systems software output that can be used for review and that provides
an audit trail
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
4, Managing Computer Resources, 1991
Pages 4-108
Extract Determine whether current and comprehensive documentation of the systems software environment
exists.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
4, Managing Computer Resources, 1991
Pages 4-108
Extract Determine whether documentation of the systems software environment is reviewed on a periodic
basis and updated as changes occur.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
8, Telecommunications, 1991
Pages 8-47
Extract CHANGE Management Change management is defined as the process by which changes in a
system are approved, developed, tested, and documented. User requests to change the network
configuration or access level authorization should be supported by well-documented change management
procedures.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
8, Telecommunications, 1991
Pages 8-90,91,92
Extract RISKS AND CONTROLS The risks associated with EDI applications include the following:
Controls to mitigate these risks include the following: * Adequate system and user documentation
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 142
Extract DOCUMENTATION STANDARDS System and program documentation serves as a means of
communication among project team members during systems development. Adequate documentation
also facilitates the development effort and provides the information needed for the system to be used
effectively. In addition, documentation is essential for program maintenance and modifications and for
auditing.
Citation "Guideline for Software Documentation Management," Federal Information Processing Standards
Publication 105 (U.S. Department of Commerce/National Bureau of Standards, 6 June 1984)
Pages 5
Extract 2.2.4 Quality Assurance, Maintenance, and Audit Support. Those charged with maintaining the
system and with assessing how well the system performs require program descriptions, testing and
evaluation plans, standards of quality against which to measure the system, and clear descriptions of
what the system is expected to do and how it is supposed to do it. Test plans and procedures must be
created and results of tests reported. Security controls, calculation and check-digit routines, and other
control techniques must be described and evaluated. Such documents supply maintenance, quality
assurance, and auditing personnel with the information they need to perform their tasks.
Citation "Guideline for Software Documentation Management," Federal Information Processing Standards
Publication 105 (U.S. Department of Commerce/National Bureau of Standards, 6 June 1984)
Pages 7
Extract 2.4.2 Typical Development Documents Development documents include: -Feasibility studies
and initiation requests -Definitions of responsibilities -Requirements and functional specifications (what
the system does) -Design specifications, including data storage and programming specifications -
Development plans -Schedules for each phase and records of schedule changes -Test and implementation
plans -Quality assurance plans, standards, and schedules -Security and control information -Memoranda
or change control forms that record agreed changes to the system as it develops. (The information in
these memos should also be reflected in updated development documents.)
Citation "Guideline for Software Documentation Management," Federal Information Processing Standards
Publication 105 (U.S. Department of Commerce/National Bureau of Standards, 6 June 1984)
Pages 7
Extract 2.5 Product Documentation While development documentation is essential as a management tool
for tracking the progress of the project, product documentation provides the information necessary for
the effective use, operation, maintenance, conversion, and transfer of the software system. A program
product or software product is a well-tested set of computer programs fully documented and supported
by a responsible organization. The product may be commercially available, or it may be produced by a
non-commercial source, but it is intended for wide application and use.
Citation "Guideline for Software Documentation Management," Federal Information Processing Standards
Publication 105 (U.S. Department of Commerce/National Bureau of Standards, 6 June 1984)
Pages 8
Extract 2.5.2 Programmer Documentation. Programmers charged with maintaining or enhancing an
existing software program require information that describes what the program is supposed to do and
when it is doing it. They need illustrations and descriptions of program logic, final data storage design
specifications, and functional descriptions.
Citation "Guideline for Software Documentation Management," Federal Information Processing Standards
Publication 105 (U.S. Department of Commerce/National Bureau of Standards, 6 June 1984)
Pages 16
Extract 5. This Guideline identifies software documentation as a critical element in the development of
computer software. If documentation is inaccurate, missing, or incomplete, the development effort is
damaged, perhaps beyond repair.
Citation "GOSIP" Government Open Systems Interconnection Profile, NVLAP National Voluntary
Laboratory Accreditation Program (U.S. Department of Commerce/Technology Administration and
National Institute of Standards and Technology, NIST Handbook 150-12)
Pages 8
Extract There must be procedures and documentation for all computer equipment and communications
connectivity in use.
Citation "Procedures and General Requirements," NVLAP National Voluntary Laboratory Accreditation
Program (U.S. Department of Commerce/Technology Administration and National Institute of Standards
and Technology, NIST Handbook 150)
Pages 21-22
Extract The quality manual, and related documentation, shall state the laboratory's policies and operational
procedures established in order to meet the requirements of these procedures. The quality manual and
related quality documentation shall also contain: (iv) procedures for control and maintenance of
documentation; (vi) identification of the laboratory's approved signatories; (xiv) reference to verification
practices including interlaboratory comparisons, proficiency testing programs, use of reference materials
and internal quality control schemes; (xv) procedures to be followed for feedback and corrective action
whenever discrepancies are detected, or departures from documented policies and procedures occur;
(xvii) procedures for protecting confidentiality and proprietary rights.
Citation "Procedures and General Requirements," NVLAP National Voluntary Laboratory Accreditation
Program (U.S. Department of Commerce/Technology Administration and National Institute of Standards
and Technology, NIST Handbook 150)
Pages 26,27
Extract The laboratory shall have documented instructions on the use and operation of all relevant
equipment, on the handling and preparation of items and for calibration and/or testing, where the
absence of such instructions could jeopardize the calibrations of tests. All instructions, standards,
manuals and reference data relevant to the work of the laboratory shall be maintained up-to-date and be
readily available to the staff.
Citation "Procedures and General Requirements," NVLAP National Voluntary Laboratory Accreditation
Program (U.S. Department of Commerce/Technology Administration and National Institute of Standards
and Technology, NIST Handbook 150)
Pages 27
Extract The laboratory shall have documented procedures for the receipt, retention or safe disposal of
calibration or test items, including all provisions necessary to protect the integrity of the laboratory.
Citation "Guideline for Software Documentation Management," Federal Information Processing Standards
Publication 105 (U.S. Department of Commerce/National Bureau of Standards, 6 June 1984)
Pages 5
Extract Development Documentation. The documents that describe a system's development specify what
users need and what the system's computer programs do. Development documentation also specifies
how programs should be constructed, how they should be tested, and how their quality is to be
assured.
Citation "GOSIP" Government Open Systems Interconnection Profile, NVLAP National Voluntary
Laboratory Accreditation Program (U.S. Department of Commerce/Technology Administration and
National Institute of Standards and Technology, NIST Handbook 150-12)
Pages 8
Extract The quality system must provide for routine checks of the competence of the staff involved in the
conduct and evaluation of tests. The quality manual must contain a detailed test plan for the conduct of
U.S. GOSIP conformance testing and describe how the laboratory assures the accuracy and consistency
of its results. Records must be kept of all quality system activities.
Citation "Compliance Guide to Electronic Health Records: A Practical Reference to Legislation, Codes,
Regulations and Industry Standards" by Jonathan P. Tomes, J.D. (Washington, DC: Faulkner &
Gray 1994-95)
Pages 142
Extract A. Stringent security procedures for entry into the immediate environment in which the
computerized medical data base is stored and/or processed or for otherwise having access to confidential
information should be developed and strictly enforced so as to prevent access to the computer facility by
unauthorized personnel.
Citation Performance Guideline for the Legal Acceptance of Records Produced by Information Technology
Systems: "Part I: Performance Guideline for Admissibility of Records Produced by Information
Technology Systems as Evidence;" Technical Report AIIM TR31-1992; Association for Information and
Image Management.
Pages 6
Extract Of particular importance in fending off these assaults is to assure the existence of up-to-date
documentation that fully and accurately describes the procedural controls employed in producing the
records.
Citation Performance Guideline for the Legal Acceptance of Records Produced by Information Technology
Systems: "Part II: Performance Guideline for the Acceptance by Government Agencies of Records
Produced by Information Technology Systems;" Technical Report ANSI/AIIM TR31-1993; Association
for Information and Image Management.
Pages 11
Extract If the records were produced on the current or a very similar system, access to the system by
government representatives must be provided to enable them to process independent test data and review
the hardware, software and data. If the system used to produce the records no longer exists, existing
documentation describing the above operations must be made available. Failure to produce pertinent
documentation may jeopardize the acceptance of the records if their trustworthiness cannot otherwise be
established.
Citation Performance Guideline for the Legal Acceptance of Records Produced by Information Technology
Systems:"Part III: Implementation of the Performance Guideline for the Legal Acceptance of Records
Produced by Information Technology Systems;" Technical Report ANSI/AIIM TR31-1994; Association
for Information and Image Management.
Pages 3
Extract ...valid documentation of these descriptions are invaluable in supporting system integrity in the
event of a government audit. They are also useful for preparing a witness to testify as to the accuracy
and reliability of the system or process in laying a foundation for admissibility of records as evidence in
litigation.
Citation Performance Guideline for the Legal Acceptance of Records Produced by Information Technology
Systems:"Part III: Implementation of the Performance Guideline for the Legal Acceptance of Records
Produced by Information Technology Systems;" Technical Report ANSI/AIIM TR31-1994; Association
for Information and Image Management.
Pages 6
Extract Effective system procedures reflect the detailed steps to be followed when creating, modifying,
duplicating, destroying, or otherwise managing records. They provide for consistent quality control
activities, problem resolution approaches and other functions that might otherwise be subject to
inconsistent action, multiple interpretation, or misinterpretation.
Citation Performance Guideline for the Legal Acceptance of Records Produced by Information Technology
Systems:"Part III: Implementation of the Performance Guideline for the Legal Acceptance of Records
Produced by Information Technology Systems;" Technical Report ANSI/AIIM TR31-1994; Association
for Information and Image Management.
Pages 6
Extract Documentation should be regularly updated to reflect any changes. This provides new employees
with a credible reference for understanding the system, isolating and solving problems, and recording
subsequent modifications. However, documentation is also important if the documented procedure is
ever questioned in court.
Citation Performance Guideline for the Legal Acceptance of Records Produced by Information Technology
Systems:"Part III: Implementation of the Performance Guideline for the Legal Acceptance of Records
Produced by Information Technology Systems;" Technical Report ANSI/AIIM TR31-1994; Association
for Information and Image Management.
Pages 6
Extract For purposes of laying a foundation for the admissibility of records in evidence, actual system
procedures followed during the period the records in question were produced should be documented in
sufficient detail to allow a qualified witness (e.g., the records custodian) to depend on the documentation
in describing the process or system to the court. The documentation should include an explanation of
deviations from established procedures.
Citation Performance Guideline for the Legal Acceptance of Records Produced by Information Technology
Systems: "Part I: Performance Guideline for Admissibility of Records Produced by Information
Technology Systems as Evidence;" Technical Report AIIM TR31-1992; Association for Information and
Image Management.
Pages 10-11
Extract Established procedures demonstrate what an organization plans to do in managing and controlling
the process or system--as opposed to what it actually does. The trustworthiness of an organization's
records offered in evidence might well be judged by the established procedures and how closely they are
followed. Deviations can be expected to be closely scrutinized, especially if the deviations are from
legally required procedures.
Citation Performance Guideline for the Legal Acceptance of Records Produced by Information Technology
Systems:"Part III: Implementation of the Performance Guideline for the Legal Acceptance of Records
Produced by Information Technology Systems;" Technical Report ANSI/AIIM TR31-1994; Association
for Information and Image Management.
Pages 3
Extract An initial task in a self-assessment procedure is to update or verify the accuracy of existing
documentation that describes the system environment in terms of the organizational structure, functions
and responsibilities, and system processes. Updated documentation should include descriptions of the
elements listed.
Citation Wright, B. The law of electronic commerce. 1991.
Pages 89
Extract Many controls could enhance record credibility: 1. Written policies and routines could be
developed with the help of independent accountants.
Citation Wright, B. The law of electronic commerce. 1991.
Pages 85
Extract Electronic records can be fabricated. ... One practical solution ... is to appoint a trusted
recordkeeper--an entity insulated from the incentive and ability to falsify its records.
Citation United States v. Scholle, 553 F.2d 1109 (8th Cir. 1977)
Pages 1125
Extract Even where the procedure and motive for keeping business records provide a check on their
trustworthiness..., the complex nature of computer storage calls for a more comprehensive foundation.
Assuming properly functioning equipment is used, there must be not only a showing that the
requirements of the Federal Business Records Act have been satisfied, but in addition the original source
of the computer program must be delineated, and procedures for input control including tests used to
assure accuracy and reliability must be presented.