WARRANT

Literary Warrant for Functional Requirement #4

This requirement derives from the law, customs, standards and professional best practices accepted by society and codified in the literature of different professions concerned with records and recordkeeping. The warrant is as follows:

Citation Department of Health and Human Services Food and Drug Administration 21 CFR Part 11 [Docket No. 92N-0251] Electronic Signatures; Electronic Records
Pages 11.10
Extract Controls for closed systems. Closed systems used to create, modify, maintain, or transmit electronic records shall employ procedures and controls ... Such procedures and controls shall include the following (h) Use of device (e.g., terminal) location checks to determine, as appropriate, the validity of the source of data input or operational instruction.

Citation 36 CFR Part 1234 -- Electronic Records Management. Subpart C -- Standards for the Creation, Use, Preservation, and Disposition of Electronic Records
Pages 1234.24
Extract Electronic records may be admitted in evidence to Federal courts for use in court proceedings (Federal Rules of Evidence 803(8)) if trustworthiness is established by thoroughly documenting the recordkeeping system's operation and the controls imposed upon it. Agencies should implement the following procedures to enhance the legal admissibility of electronic records. (a) Document that similar kinds of records generated and stored electronically are created by the same processes each time and have a standardized retrieval approach.

Citation Electronic Industry Data Exchange. ASC 12 Convention : Version 3 : Electronic Industry Data Guidelines. Washington Publishing Co., 1994.
Pages 8
Extract By creating mechanized trend or exception reports which compare current data with those of a past period, significant variances can be detected.

Citation Statements on Auditing Standards 53. The Auditor's Responsibility to Detect and Report Errors and Irregularities
Pages .12
Extract The auditor should assess the risk of management misrepresentation by reviewing information obtained about risk factors and the internal control structure. Matters such as the following may be considered... Are there indications of a lack of control over computer processing, such as ..high levels of processing errors, or unusual delays in providing processing results and reports.

Citation Institute of Internal Auditors Research Foundation. Systems Auditability and Control Report. Module 2 Audit and Control Environment
Pages 2-3
Extract [T]he proper mix of controls is implemented to ensure that data are accurately captured and that users have the ability to control the completeness, accuracy and proprietary of processing (control procedures).

Citation Institute of Internal Auditors Research Foundation. Systems Auditability and Control Report. Module 2 Audit and Control Environment
Pages 2-13
Extract Application controls, whether they address input, processing, or output, can be used to prevent, detect, and correct errors and irregularities as transactions flow through the system:...Output controls ensure that a complete and accurate audit trail of the results of processing is reported to appropriate individuals for review.

Citation American Institute of Certified Public Accountants. Statements on Auditing Standards 55. Consideration of the Internal Control Structure in a Financial Statement Audit
Pages .52
Extract [F]or a control procedure performed by a computer program, the auditor may test the operation of the control at a particular point in time to obtain evidential matter about whether the program executes the control effectively. The auditor may then perform tests of controls directed toward the design and operation of other control procedures pertaining to the modification and the use of that computer program during the audit period to obtain evidential matter about whether the programmed control procedure operated consistently during the audit period.

Citation American Institute of Certified Public Accountants. Statements on Auditing Standards. 65 Analytic Procedures.
Pages .16
Extract The following factors influence the auditor's consideration of the reliability of data for purposes of achieving audit objectives:...Whether the data was developed under a reliable system with adequate controls.

Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module 10, Contingency Planning, 1991.
Pages 10-11
Extract Plan Maintenance. The contingency plan should be flexible and maintainable. This requires adequate update procedures and formal document control and management procedures.

Citation EDI Security, Control, and Audit by Albert J. Marcella, Jr., and Sally Chan (Massachusetts: Artech House 1993)
Pages 98, 99
Extract 8.5 THE ADMISSIBILITY OF ELECTRONIC RECORDS To demonstrate to a court that a computer-originated document is admissible evidence, taxpayers (or their representatives) must fulfill four requirements. They must prove 1. That the document in question is of a type that was regularly processed and stored on the computer; 2. That, at the time the transaction was finalized and a record of it was created, the computer on which the work was performed was used regularly for processing and storing information; 3. That the computer was working properly all the time or, if it was not working properly, that any breakdowns could not have affected the accuracy of the document; 4. That the system was reliable enough to ensure accurate and complete recall of finalized documents and, in particular, that there was no possibility that the document could have been tampered with after finalization. (There is always the possibility that documents have been tampered with and, therefore, it is important to prove that they have not.)

Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.: The Institute of Internal Auditors 1991)
Pages 286
Extract The key is to have stringent edit checks in place and to ensure that these checks are fully tested. It is also advisable to have reasonableness checks in the processing and reporting sections of the system to track resulting situations that theoretically cannot happen, or that seem suspect.

Citation "Part I: Performance Guideline for Admissibility of Records Produced by Information Technology Systems as Evidence;" Technical Report AIIM TR31-1992; Association for Information and Image Management.
Pages 3
Extract Much of the need for evidence rules equating products of specified technologies to originals can be eliminated by focusing instead on the reliability and accuracy of the process or system used to produce the records in question.

Citation "Part I: Performance Guideline for Admissibility of Records Produced by Information Technology Systems as Evidence;" Technical Report AIIM TR31-1992; Association for Information and Image Management.
Pages 3
Extract Federal Rules of Evidence. 901(b) lists examples of authentication requirements. Of particular notes regarding computer evidence is example (9): Evidence describing a process or system used to produce a result showing that the process or system produces an accurate result. This would seem to particularly include evidence describing a computer "process" or "system" to show that a computer printout is accurate.

Citation Performance Guideline for the Legal Acceptance of Records Produced by Information Technology Systems: "Part I: Performance Guideline for Admissibility of Records Produced by Information Technology Systems as Evidence;" Technical Report AIIM TR31-1992; Association for Information and Image Management.
Pages 5
Extract ...[T]he foundation for admission of (computerized records) consists of showing the input procedures used, the test for accuracy and reliability and the fact that an established business relies on the computerized records in the ordinary course of carrying on its activities. The (opposing) party then has the opportunity to cross-examine concerning company practices with respect to the input and as to the accuracy of the computer as a memory bank and retriever of information....[T]he court (must) "be satisfied with all reasonable certainty that both the machine and those who supply its information have performed their functions with utmost accuracy."...[T]he trustworthiness of the particular records should be ascertained before they are admitted and...the burden of presenting an adequate foundation for receiving the evidence should be on the parties seeking to introduce it rather than upon the party opposing its introduction.... [United States v. Russo, supra, at 1241, citing De Georgia, supra. See also, United States v. Weatherspoon, 581 F.2d 595, 598 (7th Cir. 1978).]

Citation Performance Guideline for the Legal Acceptance of Records Produced by Information Technology Systems: "Part I: Performance Guideline for Admissibility of Records Produced by Information Technology Systems as Evidence;" Technical Report AIIM TR31-1992; Association for Information and Image Management. Pages 8
Extract 3.2.1.2 Uniform Rules of Evidence This law provides for the admissibility in evidence of both original and duplicate records. Records will be admissible contingent on "...evidence sufficient to support a finding that the matter in question is what its proponents claim..." such as by "...evidence describing a process or system used to produce a result and showing that the process or system produces an accurate result...."

Citation Performance Guideline for the Legal Acceptance of Records Produced by Information Technology Systems: "Part I: Performance Guideline for Admissibility of Records Produced by Information Technology Systems as Evidence;" Technical Report AIIM TR31-1992; Association for Information and Image Management.
Pages 6
Extract Common assaults on the integrity of computer-based technologies include challenges to: a: the source of the input data and the process for transcribing it to machine-readable form; b. the process that creates, edits and updates the files; c. the process that produces the output or retrieves the records; and d. the reliability of the equipment and vendor supplied software that systematically manages the internal system processes.

Citation Wright, B. The Law of electronic commerce. 1991.
Pages 169
Extract ... internal control over computer systems relies on such devices as system access barriers and the professional development, testing, maintenance, and backup of software.

Citation Federal Rules of Evidence.Article IX Authentication or Identification Rule 901.
Extract Requirement of Authentication or Identification. (a) General provision. The requirement of authentication or identification as a condition precedent to admissibility is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims. (b) Illustrations. By way of illustration only, and not by way of limitation, the following are examples of authentication or identification conforming with the requirements of this rule: ... (9) Process or system. Evidence describing a process or system used to produce a result and showing that the process or system produces an accurate result.

Citation United States v. Russo, 480, F2d 1228 (6th Cir. 1973)
Extract The foundation for admission of (computerized records) consists of showing the input procedures used, the tests for accuracy and reliability and the fact that an established business relies on the computerized records in the ordinary course of carrying on it activities. ....[T]he court (must) "be satisfied with all reasonable certainty that both the machine and those who supply its information have performed their functions with utmost accuracy."...[T]he trustworthiness of the particular records should be ascertained before they are admitted and...the burden of presenting an adequate foundation for receiving the evidence should be on the parties seeking to introduce it rather than upon the party opposing its introduction....