Records Management Feature: Auditing

I hope that the last few posts on various aspects of the "business side" of records management have been of value to everyone. In the next few posts, we're going to get back to introducing you to the Records Management features of Office SharePoint Server 2007. In this post, we're going to examine a critical capability for both records management and regulatory compliance -- Auditing.

For many organizations, especially those in regulated industries like the life sciences, records management requires more than just the long-term management of record "content"... they are also required to retain information about the lifecycle of those records, such as who contributed to the creation of each record, who approved or signed off on it, who viewed it before it was published, etc. And these requirements don't apply solely to regulated companies: "audit trails" about certain types of records may also be valuable for organizations if a record’s authenticity is ever challenged.

For these reasons, we've made the 2007 release of the Microsoft Office system an auditable system of record -- audit policies can be configured for documents and items in Office SharePoint Server 2007 to specify which events will be audited for each Content Type, via the Information Management Policy capabilities mentioned in our earlier posts.


As you can see in the image above, audit policies can be configured to automatically record user actions that affects the lifecycle of document & record content, such as when items are edited, viewed, versioned, published, and deleted. Additionally, custom solutions built on top of the Office SharePoint Server 2007 can also add relevant entries to the audit log, such as when an approval workflow is completed.

Office SharePoint Server 2007 can also be configured to automatically audit "site level" events that may be relevant for regulatory compliance, including searches queries made anywhere in the site, changes made to security settings, and changes made to the metadata schemas of document libraries and Content Types.

And while users of collaborative spaces can be given full rights to active content, the audit log is tightly restricted. Only administrators (or users who are granted sufficient privileges) are able to view the audit history, using Microsoft Office Excel-based reports. And no user can selectively edit or delete individual audit entries.

Auditing of the records management program

In addition to allowing records managers & administrators to specify how user actions on content will be audited, Office SharePoint Server 2007 also automatically audits the enforcement of the organization's records management program: events such as the disposition of content, the creation or modification of Information Management Policies, applying & managing holds, are always audited. So in the event that your records management processes are themselves ever disputed, there will be a reliable audit trail for those processes as well.

Thanks for reading,
- Ethan Gur-esh, Program Manager.