Published On June 27, 2017
The 2012 Iron Mountain Compliance Benchmark Report identifies that only 15% of companies have a regular Records and Information Management (RIM) audit process. Is this because they are having difficulty getting support from their Auditing department? There seems to be a widely held belief that a company’s Auditing department needs to conduct all of a company’s internal audits including RIM audits. Not only is that not true, but there are distinct advantages in not having the Auditing department conduct the internal RIM audit.
Internal Audit’s typical investigative audit process is labor intensive and creates a major time requirement for the processing and analysis of the information received from the audit. Unlike the audits they normally conduct, the RIM audit is not limited to the performance of business processes, but includes the actions of every individual who creates or receives records. Commonly, the Auditing department simply does not have the resources required to comprehensively audit RIM.
There is an effective and efficient way to conduct the RIM audits without interviews and without allowing narrative responses. Ask questions that determine, for a given requirement, whether the respondent is in compliance: “Yes” or “No”. It is also helpful to allow for an “In Process” answer, along with an estimated date of compliance achievement. But no narrative. You are not interested in reasons or excuses (at least not yet) or in debating the validity of the audit question. What is needed is an audit that requires a “Yes”, “In Process”, or “No” response from everyone in the company who creates or receives Records. It only takes one individual retaining records or information that should have been disposed of, or disposing of records or information that should be retained, to sink the ship. Full compliance is the requirement. Surprisingly, it doesn’t have to be expensive to conduct, analyze and report a full RIM audit. Guided by the existing RIM staff, the audit would be a great project for summer students, temporary help, or an external provider. So what is needed for the RIM team to conduct and manage an audit?
Let’s call these “Key Success Factors”:
Horsepower – Visible support and emphasis by Senior and local leadership for both the RIM team resource requirements and the interviewees’ time requirements. Did I mention including a budget?
Communication – Clear communication on the purpose of the audit, the timing of the audit, the expectations of the audit, and where to go for help. The objective for all involved is No Surprises.
Compliance Questions – Detailed RIM compliance questions traceable to requirements in established policies and procedures. Not so much “Are you aware of the policy for the disposal of confidential Records?” but rather “At the proper time, do you dispose of all confidential Records in the Shred Bins or by shredding yourself?” Each established requirement should be the subject matter for at least one compliance question.
Questionnaire – The data form (an Excel form facilitates efficient processing) containing all of the compliance questions, which obtains the “Yes”, “No” or “In Process” answer to each RIM compliance question. Commonly the first questionnaire asks all of the Compliance Questions to establish a baseline and provide prioritized direction on the areas that should be the focus for improvement.
Processing – The data needs to be collected and analyzed. Typically the results are processed for three views: work groups, departments, and the company as a whole.
Reporting – The summary of the data is presented for each of the three views noted above, identifying patterns showing strengths and weaknesses and recommending prioritized next steps for corrective action and improvement.
Corrective Action – Specific steps are developed and taken to address areas of weakness as identified through the audit. If you don’t believe you will be able to take corrective actions – you might want to reconsider collecting the data in the first place. It is likely not in your best interest to identify weaknesses and ignore them.
Can I share some summarized insights that I will talk more about another time?
– No need to collect compliance evidence – use a “Trust but Verify” approach minimizing resource requirements for both the RIM team and the interviewees.
– Graciously receive requests for exceptions and work with the requestor to develop and agree to an appropriate exception determined by their circumstance. It may sound crazy but it actually works to your advantage to establish and implement an exception process and agree to exceptions for the program. Look for a future blog about the “Psychology of Records Management”.
– Use of the term “audit” for your audit is not necessary and can be counterproductive. It may unnecessarily create an atmosphere that is not helpful and it may be a source of irritation and resistance with your Auditing department and others. Consider alternate terms like check-up, assessment, review or evaluation. You will have your audit, but very possibly with much less resistance.