Literary Warrant for Functional Requirement #9c2
This requirement derives from the law, customs, standards and
professional best practices accepted by society and codified in the literature of different professions concerned with records and
recordkeeping. The warrant is as follows:
Citation Department of Health and Human Services Food and Drug
Administration 21 CFR Part 11 [Docket No. 92N-0251] Electronic Signatures;
Electronic Records
Pages 11.10
Extract Controls for closed systems. Closed systems used to create, modify, maintain, or transmit
electronic records shall employ procedures and controls designed to ensure the authenticity, integrity,
and confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the
signed record as not genuine. Such procedures and controls shall include the following: (e) Use of
time stamped audit trails to document record changes, all write to file operations, and to independently
record the date and time of operator entries and actions. Record changes shall not obscure previously
recorded information. Such audit trail documentation shall be retained for a period at least as long as
required for the subject electronic documents and shall be available for agency review and copying.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
8, Telecommunications, 1991
Pages 8-90,91,92
Extract RISKS AND CONTROLS The risks associated with EDI applications include the following:
Controls to mitigate these risks include the following: * Activity logging
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
8, Telecommunications, 1991
Pages 8-90,91,92
Extract The internal auditor should perform the following steps when reviewing controls over EDI
applications: * Verify that reconciliation/balancing and error detection/correction procedures are
adequate to ensure that processing is complete, accurate, and timely. * Review the adequacy of the audit
trail, including the completeness of activity logging and file retention requirements.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
9, Security, 1991
Pages 9-52
Extract The evaluation of all types of software should assure that the following objectives are met: * An
audit trail of all significant activity is maintained.