ISO 15489 (1:2001 Information and Documentation--Records Management--Part 1: General) is the first international standard devoted to records management. It was developed from the Australian standard (AS 4390.1--1996) and provides detailed specifications for the structure, content, and implementation of records management programs. The guidance it contains is applicable to records management for any organization and covers all media.
The standard is intended to provide a framework for planning and implementing a records management program. The comprehensive nature of the standard with regard to current and non-current records and the clear categorization of its requirements also make it an obvious choice on which to base audits of records management programs.
A critical review of the standard as a basis for an audit is important. It is critical to walk through the preparation phases for the audit, including the development of assessment tools based on the standard, the audit process itself, and audit report writing. To ensure its newly implemented records management program complied with industry best practices, one small European pharmaceutical company used ISO 15489 to help guide it through those critical processes. Examples from an actual audit of a newly developed records management program involving the pharmaceutical company's non-current, clinical trials department records provide many lessons for any organization that wants to use or test the standard in its own records management program.
Methodology, Background Research, and Scoping
The methodology for an audit has four main components:
1. Initial background research and scoping of project
2. Preparation, including familiarization with the company's records management program documentation, and development of audit tools to establish compliance with ISO 15489
3. Audit information gathering
4. Report writing
The first component involves dialog with the records manager to gather enough data to estimate the project's size and time requirements. The data required includes information about the company, its mission, and functions; the number of employees; details about the records management operation; and the context of the audit. This information is crucial to scoping the project, estimating time required, and allocating time to the various phases of the audit process.
In this instance, the audit scope contained:
* The records of one department of the organization (although there was a realization that good records management practices could be transferred to other parts of the company)
* The non-current phase of the records life cycle
* Paper records only, because the records management program did not yet include digital media
The audit context was:
* A young pharmaceutical company
* Limited functions to be considered
The records management system had not yet been implemented; consequently, the audit would not be large or lengthy, there would be few record series to cover, and there would be no user base to canvass. So why was the audit undertaken? There were two main reasons: the pharmaceutical company's records manager was new to records management and wanted to make sure she had set up a system that was compliant with accepted best practices, and the pharmaceutical industry has a strong audit culture. The records manager intended to roll out the system to other areas and wanted to ensure that it was a good one before doing so.
Since the audit, the pharmaceutical company has been searching for a full-time qualified records manager--a need that was identified in the audit report as a result of the records manager only spending about 10 percent of her time on records management. That was not necessarily something the company expected to come out of the audit, but the company has since taken advantage of the findings to improve its records management program. …