trust verify information governanceWell, time marches on and your Information Governance program is humming along like the well-oiled machine that it is! You know this because things are getting filed, requests come in, orders go out and everyone’s questions have slowed to a bare trickle. A testament to your prowess at building and training the program! Right? Are you sure? Now is the perfect time to introduce another facet to the program: its time to talk about auditing.

I know. Nobody likes that word because it is usually stressful, means a lot of hassle to prove that you know what you are doing and almost everyone thinks it’s a huge waste of time. I get it, but in the Information Governance world auditing is an essential part of establishing a defensible program. In order to have a program that will hold up in a Court or qualify for any Industry Quality certification it must be fully documented, trained upon (documented there as well) and followed EVERY TIME. The only way to prove that is to do periodic audits, so buck up and let’s take a better approach — one that focuses not on a game of “Gotcha” with the staff, but on identifying additional training or process improvement needs in the program itself. That may sound rather soft, but it’s important to remember that the goal is to achieve a consistent process that meets the organization’s needs. It is quite possible that the process that was designed in committee doesn’t work in real life. These are the types of things you will find in an audit. It’s important to take the approach that an audit is just as much about process improvement as it is about compliance.

So lets talk about the audit process. The first step in developing an audit process is to develop a checklist of what you need to look for when you go out into the field. Keep in mind that this isn’t just a quick check to see if they’ve filed things in the right place. You want to understand everything involved with the program and how it works for the business.

The checklist should include such things as:

  • Relevant organizational structure chart
  • Records management policy
  • Records management procedures manual (Electronic and hardcopy)
  • Departmental File Plans
  • Retention schedules
  • Access authorizations
  • Documentation on records destruction or contracted-out services
  • Vital records inventory
  • Vital records protection procedures, including recovery in event of disaster (we’ll talk more about this one later)

Use this list as the basis for a conversation with the people you are working with to see how the program is followed and understand where and why it isn’t. In many cases, it is possible to accomplish this part of the audit with a questionnaire.  Here are some sample questions to get you started:

  • Do you know about the records management policy?
  • Have you had records management training?
  • Do you have access to a manual or set of procedures for records management?
  • Describe how you create records.
  • Describe how you file records.
  • Describe how you retrieve records.
  • Describe how you review or destroy records.
  • Do you know what records you are expected to create to comply with legislation?
  • Do you know what records you are expected to create to comply with industry regulations?
  • Do you know what records you are responsible for making sure others (either within the organization or outside contractors) create and retain?
  • Do you know what a retention schedule is and how to use it?
  • Do your records meet your requirements and needs?

While the questionnaire will give you a good view of the level of understanding the staff has and identify areas that may need more review, you’ll need to take the next step and look into the files. Remember the motto; “Trust but verify.” Select a project and dig in! Bring up the files, electronic and hard copy, to see if they have been filed correctly. Check the access logs to ensure on those individuals that need to know have access to the material they need. Most importantly, look for files that should have been destroyed.

Information Governance is a slow and tedious process

In the end you will have a better understanding of how well the program is working and where you need to focus your efforts on in the future. I won’t lie; auditing is not fun, but it is a vital part of any program. Good luck!

Pin It on Pinterest