Audits and Accountability: Keys to Records Management Excellence
Even with clear policies and procedures, catching errors in your RIM program will be tough—that is, unless your company conducts periodic information audits and makes fixes as needed. Here’s how to do it.
FAST FACT: Companies studied in the latest Iron Mountain compliance benchmark report continued to report deficiencies in audit and accountability best practices.
Part of your work as a manager at Southwestern Widgets and Wing Nuts Inc.* is to “strategize and innovate.” So you have lots of meetings with whiteboards, easels and videoconferencing, and eventually a great plan comes to fruition, one that’s based on computerizing the entire widget supply chain. This strategy may one day make you an historic figure in the widgets and wing nuts industry.
What’s next, after the congratulatory emails stop flooding in? That’s right: building a unified records management program that’s as sophisticated as your new computerized inventory system. After that, the priority is monitoring the program to keep it running smoothly. Less fun, less glory. But you know what? Whether it’s wing nut strategies or records management on the table, the best-laid plan is only as successful as the audit trail you’ve put in place to monitor and fix problems, and to update procedures as needed.
Despite this reality, only 15 percent of organizations surveyed in A View Into Unified Records Management: The Iron Mountain 2012 Compliance Benchmark Report audit their policies and procedures regularly, review findings with senior management, or respond with a formal remediation.
Internal Compliance Can Improve External Audit Results
Although 15 percent is certainly a sobering minority, it also constitutes a small group of records management heroes—your true managerial role models. Incorporating an internal records-management audit can improve records handling, and that can help during an external audit.
Want to become a widgets and wing nuts superhero, too? Get out your cape and then take some notes. Preparing for an internal audit parallels the prep process for an external audit. Here’s what to do:
1. Know your demons.
Your company may be subject to many types of audits, depending upon your industry. For example, the financial services and pharmaceutical industries have many audit processes exclusive to these areas. Take time to:
- Define the audit requirements
- Establish the deliverables you’ll be expected to provide
- Adapt your policies and practices to ensure speedy compliance with these requirements
2. Invest in some good housekeeping.
A robust set of records management policies will undoubtedly ease the audit process. Be sure to provide for solid best practices in:
- Retention and disposition
- Records access and security
- Frequency requirements—set timing for regular internal evaluations and audits based on previous due diligence on real-world audit requirements
- Training—if you’re a healthcare provider, for example, you must train employees on HIPAA requirements
3. Get management buy-in.
You need management to support your program. Specifically, you should all agree that:
- Records management is a core business requirement like human resources, sales or any other key function
- Management is required by law to take direct responsibility for meeting all records reporting and compliance requirements
- Managers at the highest level must acknowledge the costs and penalties of noncompliance with audit requests
4. Take stock of your current systems and technologies.
Your RIM systems and technologies should support your basic internal and external compliance requirements. They should:
- Provide ways to track and audit retention management
- Automate and enforce records destruction policies
- Enforce security requirements such as access control and tracking
- Establish recording and audit policies for both physical and electronic records
- Integrate tracking with security for modification and deletion rights
5. Take notes—and get ready to share them.
You should always be ready to show just how you’re enacting retention, disposition, security and other records best practices. Be prepared to document your internal compliance policies—and the extent to which you comply.
6. Record the process.
Document your actual audit process, including participants’ roles and responsibilities, and integrate the audits into your overall records-management best practices. It’s wise to follow an adaptation of the journalist’s basic questions—who, what, when, where, why and how (the “why” part we already know!):
- Who’s responsible for conducting audits?
- What types of documents and records must be produced?
- When will this occur?
- How will this team produce the information?
Internal Audits Improve Records Management
Once you take these six steps, you should be able to answer the following questions:
- Are records complete? Often, records management audits reveal that individuals responsible for creating records are not conforming to your records management policies.
- Did your internal audits identify security breaches in your records management policies? If so, address those breaches.
Like proper training and consistently applied policies, the audit process is essential for any successful records- and information-management program.
*A wholly fictional entity created for illustrative purposes
Iron Mountain Suggests: The Best Insurance? Audit Yourself.
A self-audit can go a long way toward ensuring you don’t get stung by an outside audit or legal action. But consider the additional benefits you’ll reap, as reported in a recent Iron Mountain study on audit procedures.
- Save space. Audits may reveal that you’re preserving data you no longer need. Destroying unneeded records frees you to save on storage costs.
- Increase efficiency. When employees can access records more quickly, they can work more efficiently. Consider not just which records are stored but also how you’re storing them.
- Boost security. Companies may discover lax security during an audit, possibly preventing data breaches in the future. Be sure you’re limiting access to sensitive information to authorized personnel only.
- Satisfy your customers. When your employees can access data more quickly, your customers are almost always better served. Look for ways to speed up retrieval and spur staff productivity.
Do you have questions about information management? Read additional Knowledge Center stories on this subject, or contact Iron Mountain’s Information Management team. You’ll be connected with a knowledgeable product and services specialist who can address your specific challenges.
Retention Schedules: The Golden Thread of Compliant Information Management
Records Management: Bridging the Execution Gap
Repaving Your Rocky Road to Ultimate Preparedness