Warning Letter: Failure to exercise sufficient controls (ucm502347)

Failure to exercise sufficient controls over computerized systems to prevent unauthorized access or changes to data, and to provide adequate controls to prevent omission of data.

Our investigator found that your [redacted] system used for [redacted] and [redacted] testing lacked access controls and audit trail capabilities. For example, all employees had administrator privileges and shared one user name, so actions could not be attributed or traced to specific individuals. This exposed your electronic data to manipulation and/or deletion without traceability.

Our investigator also noted that your firm copied raw data to a CD [redacted], and then deleted the data from the [redacted] system to free space on the hard drive. Files copied to the CD were selected manually; the selection process was not supervised. Without audit trail capabilities or supervised file selection, there was no assurance that all raw data files were copied to the CD before they were permanently deleted from the system.

View the original warning letter.