Elements to Be Assessed in a RIM Audit

ARMA International Standards Workgroup

The classic 20th-century teachings of W. E. Deming, Ph.D., heralding the "plan-do-check-act" continuous feedback loop remain a bulwark of management science, despite the passing of many decades. Today, through the audit process, records and information management (RIM) professionals can heed Deming's imperative by monitoring the organization's compliance with RIM program policies and procedures. Opportunities for quality and performance improvement are brought to the fore, and the organization's risk exposure level is assessed. The RIM program and the organization can jointly benefit from these activities.

The Focus of the RIM Audit

In accordance with the approved RIM audit plan, data, documents, records, and other items are gathered during the course of the RIM audit. The audit should focus on an assessment of:

* The completeness of RIM policies and procedures with consideration of all records, regardless of format/media, as managed throughout the lifecycle

* The currency of RIM policies and procedures per RIM standards and best practices

* The efficiency/effectiveness of RIM-related software/hardware/systems

* The organization's compliance with RIM policies and procedures and legal obligations

* The organization's RIM-related risk exposure

* Recommendations for areas possibly benefitting from changes/improvements

For the RIM program, these findings and quality-focused suggestions are essential facets of the audit, providing stepping stones to a higher level of functioning. At the audit's conclusion, all results (including findings and suggestions) are included in the written audit report.

Legal Considerations

Legal Requirements

An organization can be subject to many legal mandates relative to its RIM program, including laws, statutes, regulations, and ordinances. As a result, professional legal advice may be warranted prior to undertaking a RIM audit. While the audit cannot always determine whether an organization is compliant with all relevant legal requirements, it is an opportunity to make a "good faith effort" to identify such requirements and document the organization's attempts to fulfill its responsibilities. The audit should also assess the adequacy of the organization's mechanisms and protocols to monitor ongoing compliance with related processes, such as legal holds and e-discovery, in its day-to-day operations.

Sources of legal mandates affecting the RIM program may include, but are not limited to:

* International laws or treaties

* Federal law

* State, municipal, and/or local statutes, regulations, and ordinances

* Standards and best practices and/or guidance advisories developed by certifying or licensing bodies and/or specific industry or sector-related groups

Other organizational departments are commonly affected by legal requirements, necessitating collaboration with RIM professionals to facilitate appropriate recordkeeping. As a result, representatives from diverse departments or units, such as those listed here, often participate in RIM audit activities:

* Accounting and Taxation

* E-commerce

* Finance

* Human Resources/Labor Practices

* Insurance/Risk Management

* IT (information technology security, privacy, and confidentiality)

* Legal and Compliance

* Physical Facilities/Environmental Management

Legal Holds. In the United States, when an organization faces potential litigation, preservation of appropriate paper and electronic records and nonrecords is an obligation per the Federal Rules of Civil Procedure (FRCP). Organizations should have legally defensible policies and procedures regarding legal holds and should monitor ongoing compliance. Failure to monitor and comply with a hold order can result in spoliation and/or sanctions ranging from monetary penalties to investigation by various government entities. …