Published OnAugust 25, 2015I can hear some of you saying: “Did you really have to go there? I…
I can hear some of you saying: “Did you really have to go there? I cannot stand audits. They are time consuming, expensive and the business just won’t tolerate the intrusion for Information Governance (IG) and Records and Information Management (RIM)”. Sorry, the answer is yes. Without auditing, you are not able to assure that the workforce is actually doing what they are required to do.
I digress but back in my youth there was a popular cartoon character named Mr. Magoo (you can still watch him on You Tube) with very bad eyesight (although he thought it was perfect) and was therefore always mistaking his surrounding into his own alternate reality. He happened to have a bald head and one day he walks into a barber shop and requests a haircut. When he takes his hat off, the barber finds a single hair standing up in the middle of his bald head. The barber dutifully clacks the scissors over his head – forward, backward, left, right, and finally after some period of time actually cuts the single hair on his head. He then pronounces the haircut complete. Mr. Magoo pays him and walks out, believing that he has had a full haircut.
For IG/RIM we cannot live in our own little world, our own reality, thinking that the workforce has performed activities to become and maintain compliance when it is possible (perhaps even likely) that they are not compliant. Audits help to assure we are all in the same reality, actually accomplishing and performing as required.
The good news is that the audit for IM/RIM does not have to follow the traditional path of financial audits. If fact, if you do, you may once again find yourself in your own reality like Mr. Magoo, because you are getting a representative view – not a comprehensive view. You are not just looking for evidence of processes and the performance of those processes, you are looking for evidence that each individual from the executive suite to individual contributor (employees and contractors) across the company, are actually doing what your policy and procedures say they are to do. This is good news because you do not need to engage in time consuming discussions to establish a view of workforce compliance. What is needed is to develop a list of the IG/RIM requirements of each individual to each individual, turn them into questions, and have them respond – Yes, No, or In Process. This list of questions will need to be tailored based on area of responsibility and level of responsibility, and there needs to be departmental questionnaires as well. This does require some good work upfront to identify the requirements and turn them into questions, but to the workforce, the questionnaire they are required to answer is minimally intrusive – resulting in minimal pushback. This is simple, straightforward, and very powerful. (For more information on this technique see “Who Needs Auditing to Do an Audit?
Regardless of the technique you choose for performing an audit, performing an audit will energize compliance. People respond to actions more than words, and holding individuals accountable by checking their IG/RIM performance with an audit will not only energize compliance it will provide valuable feedback for improvements and modifications to your program.
The audit is such a strong energizer for compliance that actually even the notice of a coming audit will energize compliance. Give the workforce advance notice of the audit, even to the point of sharing the audit questions in advance, and your audit results will be better for it. After all, your objective is compliance, not to identify those who may otherwise have overstated their performance.
Yes, you really want and need to do this.