To ensure compliance, a Records Management program will undergo periodic audits. Sometimes the audits will be internal and other times they will be external.
For internal audits, a best practice is either to perform frequent limited-scope audits or to conduct periodic full audits that examine all aspects of the system. The more routine and commonplace the practice of conducting internal audits become for your organization, the easier it will be when it becomes necessary to go through an external audit.
The reasons for conducting an audit include the following:
- To ensure that the agreed upon practices and policies are being adhered to, and to provide proof of that fact
- To ensure that the program is complying with the requirements of regulatory and oversight bodies
- To ensure that records are legally defensible
- To improve the Records Management process
Regular internal audits are also good tests to ensure that your organization is prepared for any sort of external audit. External audits, requested, for example, by regulatory agencies, may need to be conducted sometimes with as little as a one week prior notice.
The actual approach selected for the audit should be designed for your organization to ensure that it is appropriate and effective. Planning for the audit is critical to ensure that it is successful.
It should be determined early on who has the overall responsibility for carrying out the audit and what will be the roles and responsibilities for those who participate in the audit.
It should also be made clear exactly what is the scope and methodology that will be used for conducting the audits. If there are to be different types of audits, they should also be identified.
It is also important to appropriately schedule the time needed for any resources that will participate in the audit to ensure that disruption to normal work will be minimized.
Ideally, the process for the audit should be formally drawn up and agreed to, well before the audit is undertaken. Getting everything on paper early helps ensure the success of the audit. It also helps make the process repeatable.
When the process is written, it also allows for easy annotation and changes so that future audits can be improved on the next go-around when the steps of the written process are followed. Seeing the whole plan on paper also makes it possible to identify any gaps in the process or potential duplication of effort.
Compliance with internal policies and regulatory bodies often require that the disposition schedules that have been implemented are consistent with the requirements. This entails carefully reviewing all disposition schedules in the system.
If your organization is subject to review from regulatory bodies, it is important to understand which groups could potentially request an external audit. Review authority documents to understand what aspects of your records system or process could potentially be reviewed for compliance.
While it is important to review all aspects of the records system, it often makes sense to define a scope to the audit with a special focus on areas where non-compliance with policies is most risky or that could be most damaging to the organization.
Prior to the audit, it is also useful to review the results of any previous audits and to note problems that have been uncovered in the past. These also are areas that should receive focus during the next audit review.
Much of what an audit tries to do is to compare actual results versus expected results.
Any review of the records system needs to consider the following:
- Are the current retention periods used in the disposition appropriate?
- Are the record activities over the period since the last review consistent with the expected filings and system usage?
- Are activities being completed within the required dates?
- Is there any reason to revise the instructions for any of the dispositions, to clarify or to make them more consistent with stated policies?
- Does the structure of the File Plan continue to be relevant? Do some Series or Categories need to be added or made obsolete?
- Is there any reason to believe that not all records are being filed? If so, which record Categories seem to be lacking? Which groups in the organization are most out of compliance?
- Is there any reason to believe that some users have permissions to access parts of the system that they should not have access to?
Generally, the audit is not interested in the actual content of the records themselves, but in some cases, content is also checked, especially if the records audit includes inspection of financial information. A variety of universal standards may need to be complied with, for example, such as GAAP (generally accepted accounting procedures). In that case, the way in which financial data is recorded in the records themselves may also be included as part of the review audit.
At the end of the audit, a report is created that estimates compliance percentage, record activities, and any suggestions for changes or improvements.
Once the report is completed, it should be made available and signed-off by members of the Records Management steering committee and key stakeholders. Audit sign-off can be done informally, but it is best if there is a formal process that includes a sign-off sheet where each person who has reviewed the report signs the sheet to indicate their review.
The audit report should be treated as a record. It should be filed and maintained in the records system.
Audits make sure that processes are running as intended. Regular audits promote good business practices. An audit typically highlights areas of the business where improvements to processes can be made.
If any shortcomings are identified in the audit, they should be prioritized by their severity and urgency, and should be addressed accordingly. Another benefit of the audit is that very often, totally outside of the records management process, the report uncovers aspects of business processes that could also be improved.
If appropriate, it is often useful to communicate findings from the audit across the whole organization when there is information in the results that the organization can use to improve and learn.