Despite what anyone says, regulations will never completely go away, and most of those regulations involve some form of documentation. Managing documentation is what the Information Governance Professional lives for! When the auditor comes knocking, it will not be the people in the Executive Suite who greet them; it will be someone in the Information Governance department.
An audit can be one of the most intimidating things that can happen to any organization in the course of a normal work day. In many cases, they are unannounced, and the auditor expects your complete attention and acceptance of whatever protocols they deem necessary to accomplish their agenda. I have been involved in many of these exercises over the years and have found most auditors to be real, caring individuals who just want to do their jobs – as long as you do things their way. Take my advice and do exactly what they say; it will go more smoothly for everyone.
This is one of those instances where it is absolutely essential to properly dispose of any outdated material in a timely manner. It is hard enough to keep track of the current stores of documentation without adding the time and expense of maintaining old material to the mix. Do yourself and the entire organization a favor and get rid of whatever you can per your retention schedule.
A key element in any regulatory audit is to demonstrate that your organization has a methodology in place to comply with the targeted process. When it comes to mitigating any penalties assessed, a “good faith effort” is more important than anything else. You must show that you have a documented process, that you train all affected personnel on the process, and that you have an internal system to verify the process is followed. For the most part, if you follow these simple guidelines you should survive an audit with a minimum of outstanding issues. To put a finer point on this, the most important word in this entire paragraph is “documented”.
Have a fully documented process that ensures regulatory compliance, and be able to demonstrate that everyone who needs to use the process is trained on it (have those training attendance sheets available if requested). Have a fully documented internal auditing procedure, along with all logs and paperwork involved, to demonstrate that you periodically review the process to ensure compliance. Finally, have a copy of your organization’s retention schedule and a fully documented disposition procedure, along with all logs and paperwork involved, to demonstrate that you have properly disposed of any outdated process documentation.
Regulatory compliance is not as intimidating as many people think. If you ensure your organization has a process, trains on that process and verifies the process is followed, you will do just fine. With these things in place, you will go a long way toward making the auditor’s job as easy as it can be, which in turn makes for a better experience for everyone.