Magazine article Information Management

Designing a Records Audit: A Controls-Based Approach

Article excerpt

Giving a deposition about an organization's information governance (IG) program in connection with litigation or a regulatory investigation can be a daunting experience. Opposing counsel may ask for evidence, such as policies and procedures documentation, retention schedules, and employee training, to show that the organization has an effective IG program.

More challenging, though, is if counsel also asks for proof that all members of the organization are being trained and that they are following the policies and procedures. Producing policies, procedures, and retention schedules is a great start, but their mere existence does not prove that they are being followed; the organization must have a way to show it is doing what it says it is doing.

Auditing as Evidence

Many organizations choose to audit their internal processes as a way to show that they are living up to the mandates set in their policies. But auditing IG - something that touches every member of the organization - can be challenging, and not all audits will satisfy a court.

For example, some organizations may "audit" by asking all employees to click an electronic check box or sign a statement to attest that they are in compliance with the organization's IG policies and procedures. This process is easy to set up and easy to get a majority of employees to respond to since it takes only a few seconds to check a box or sign a form.

This approach is useful for periodically reminding everyone in the organization of the need to comply with the policies and procedures. But it is not an audit, and in all likelihood it will not satisfy opposing counsel or a judge.

The key to an effective audit is having the right controls, scope, and stakeholders. This article provides guidance for assembling these elements and building an audit that will enable an organization to show its IG program is legally defensible.

Going Beyond the Maturity Model

ARMA International's Generally Accepted Recordkeeping Principles® (Principles) includes the Principle of Accountability, which stipulates that practitioners must ensure program auditability; specifically, it dictates "Review/auditing of information governance policies and processes to monitor success and failure and to improve and update them proactively."

There are multiple ways to accomplish this. For example, ARMA created the Information Governance Maturity Model (Maturity Model), among other instruments, for organizations to use to benchmark their growth in accordance with the Principles. This is well and good; the Maturity Model is a useful tool for measuring an organization's IG profile at a high level. But that is different from conducting a true audit.

Audits require a scientific inventory of current practices across the organization, its repositories, and its office locations. They may involve interviews, questionnaires, observation, or the collection of other evidence. This is often where practitioners become overwhelmed trying to determine where to start, what questions to ask, and what aspects to audit.

Using Control Standards

The key to a successful audit begins with a policy against which compliance can be measured. One way to make a policy auditable is to write it in the form of control standards, which, simply put, are binary, concise, numbered, unambiguous, easily referenced ways of stating and measuring compliance with policy. Controls are often used in the areas of IT, information security, or finance. One well-known example of this is the Sarbanes-Oxley Act, which requires certain internal controls for publicly traded companies.

Control standards should avoid ambiguity. Avoiding such qualifiers as "effectively," "timely," and "properly" will clarify the requirements and expectations, which will make the auditing process more straightforward. Often, policies are written in a narrative form instead, as shown in the left-hand box in Figure 1; it uses sentences and paragraphs to explain the roles and responsibilities of the organization's members. …
