Best Practices for Energy Price Indices © Copyright 2003, CCRO. All rights reserved. 10 3.2.6 Ascertain Sufficient Protection against Data Release or Misuse at All Levels Data providers should implement sufficient technical (IT, data security), organizational and procedural protection against data release or misuse by their employees. The level of protection should be a function of the commercial sensitivity of the data submitted the highest level of protection should apply if counterparty name and buy/sell indicator are submitted. 3.2.7 Conduct an Independent Audit An independent (internal or external) audit group should review the data gathering and submission process at least annually, verifying the proper implementation of and adherence to the data gathering and submission process that the company has established. This audit should be conducted at the expense of the data provider by a qualified individual, i.e., Certified Public Accountant or Certified Internal Auditor. The pass/fail results of the audit should be made available to the index developers upon request. In the event of a failed audit, the data provider should be able to reaudit once appropriate process changes are made.