Auditing Records Management

Dan Swanson | November 6, 2007

In a column at the start of the year, I contended that auditing records management programs should be one of your top dozen priorities for 2007. This month’s column explores that important subject in more detail.

Auditing a records management program in many ways should follow the traditional program audit. To wit, review the program’s goals and objectives; assess what has been implemented to achieve them; identify opportunities for improvement; evaluate program performance; and report your audit analysis and recommendations.

In particular, however, records management includes maintaining your compliance records. Many companies have compliance policies but do not understand why this area is so important; that is, they do not monitor compliance and record the effectiveness of that compliance. Such sloppy recordkeeping can leave companies exposed. Waiting until a lawsuit strikes is not a good time to determine if your records management policy is being followed.

Engagement Planning

Defining the audit objectives is the first and one of the most critical steps in setting the audit direction. This step should include understanding the company policy, goals, and objectives for records management and understanding who owns the process, how compliance is monitored, and how best practices are determined. This step also defines the level of assurance the board and management will be provided. Internal audit teams should discuss that with management and the board, to understand just how much assurance they want. The audit should also review both paper records and electronic records, as each has a different risk profile, and you’ll need to explore the assurances wanted for each.

Some possible audit objectives include:

  • Determine if the records management program is documented, in place, and appropriately resourced to meet the organization’s needs.

  • Determine if the program is in keeping with current good practice based on size and complexity of the organization.

  • Determine whether any other audit objectives required by the board, a board committee, or management are being met.

The nature of the organization affects the nature of the audit. A large multinational organization has different business issues and challenges than a small business. As such, the generic audit procedures provided below must be “customized” to fit the organization’s environment and the assurance needs of the board, management, and other stakeholders.

The general steps in the internal audit process include:

  • Define the scope, goals, and objectives of the evaluation.

  • Define the organization’s assurance needs.

  • Identify the evaluation team and skills required.

  • Develop the evaluation plan.

  • Perform an evaluation of the design’s adequacy.

  • Perform an evaluation of operational effectiveness.

  • Communicate evaluation results and ensure follow-up to address issues.

The planning phase defines the components of the audit project plan and includes developing the:

  • Purpose of the audit

  • Description of the program (i.e., the entity to be audited)

  • Audit scope and scope exclusions

  • Audit objectives and approach

  • High-level audit schedule and detailed audit timeline

  • Necessary skills and the internal audit team

  • Other resources as required

Engagement Testing

The audit itself can involve a wide range of tests. For example, look at the consistency and integration of records management among business units within the enterprise. Do they all follow the same policies? Do they all train compliance officers in the business units with the same goals and policies in mind? Do they all produce the same sort of measurable results?

Other avenues of testing might be to explore:

  • The coordination between the central office and individual business units on records management.

  • Confidentiality of the information handled by the records management staff.

  • The use of emerging technologies and other best practices in meeting today’s (or better yet, tomorrow’s) records management needs. For example, new rules for e-discovery in civil litigation impose tough new expectations that companies will be able to identify and procure relevant records in short order. Can you do that?

  • Coordination between records management overseers and other departments that might need access to the company’s whole realm of data, such as the legal department putting a “hold” request on certain e-mail messages relevant to a lawsuit.

The audit team should evaluate the records management efforts regarding its effect on organizational performance, scope and strategy, structure and resources, management of policies and training, and ongoing improvement efforts.

The auditor should ensure there is an up-to-date understanding of the records retention requirements of all jurisdictions where the organization operates. For example, can documents be retained in electronic form? Special attention should be given to the approvals for destruction of documents. Special attention (perhaps very special attention, depending on your industry or company history) should also be given to the retention of documents that are or may be involved in litigation.

Engagement Reporting

Among the primary purposes of internal auditing is to provide the board and management with objective assessments about the design and operation of management practices, control systems, and information. To accomplish this objective, internal audit must effectively communicate audit conclusions and recommendations.

Throughout the audit, the internal auditor should discuss findings and potential recommendations with management. This helps to ensure that the auditor has considered pertinent information when forming conclusions and provides an opportunity for the internal auditor and management to develop effective solutions for identified deficiencies.

At the end of the audit, this informal communication process is formalized through closing/exit meetings and written reports. The reporting phase of the audit project includes debriefing management, drafting the audit report, issuing initial and subsequent drafts, reviewing management action plans, preparing the summary report for the audit committee, and distributing the final audit report. Put another way, tell them what you did, what you found, and what management intends to do going forward.

A records management program must meet the organization’s needs and the growing regulatory requirements. Compliance requirements are becoming a greater driver, yet many organizations are not investing enough to keep pace with the risk. Auditing the program provides an opportunity to complete a comprehensive review of today’s program and provide management with an analysis of the key opportunities for improvement. Management and auditors must survey emerging practices constantly, to ensure their organizations are adopting new and better practices regularly.

For many industries as a whole, and for pieces of virtually all industries (such as the tax department), records retention and retrieval are legal requirements; you want to ensure the organization is meeting these requirements.

Finally, for most organizations, how and when you destroy records is vital. Think of Arthur Andersen, and remember: Record destruction should be a part of every records management audit.