Records Management Audits... the Who, What, When, Where and Why

I had the pleasure of presenting a session on this topic to the ARMA Houston Chapter's 2018 Spring Conference, themed "Ambitions Realized. Milestones Achieved." Entitled "It’s gotta be 5 O’clock somewhere… Do you know what shape your program is in?", the session was intended to be generic in nature, as there are lots of resources and specifics available at the Association of Records Managers and Administrators (ARMA), the Records Management Listserv and on the Internet. However, I did cover definitions as related to records management program audits, and then reviewed the framework of an audit: Plan for it; Perform it; and Report on it.

Plan for it - Why conduct an audit?

Audits are generally conducted to monitor compliance with your records management program’s policies and procedures. Audits also provide opportunities to improve your records management program and to identify and fix risk from noncompliance. And then there are ARMA’s Generally Accepted Recordkeeping Principles®, which include the Principle of Accountability. This Principle addresses the need for executive management oversight and stipulates that practitioners must ensure the records management program's auditability.

Perform it

Determining who, what and how to audit can be a little tricky. Audits will take an inventory of your organization’s current records management practices using interviews, sampling, testing, checklists, questionnaires, surveys and observation. Figuring out where to start, what questions to ask and what aspects to audit can be overwhelming, so … get commitment and support from senior management; develop a list of objectives and a communications strategy/plan; determine what tools/resources are to be used to collect audit data; and identify two or three “quick wins” to start with and build momentum.

In performing a records management audit, keep the records lifecycle in mind: Creation ---> Classify ---> Use ---> Retention ---> Disposition

Once retention requirements are determined, do a risk assessment to determine the right retention period for each record type. Retention periods are documented on a records retention schedule as organizational policy, and approved by senior management. Retention decision makers know that the presence or absence of information can be helpful or harmful to the organization. Risks and costs associated with retention can be minimized simply by implementing and following your records retention schedule consistently.

Report it - Documentation

Remediating non-compliance is key! Prioritize and select suitable remediation/improvement strategies and processes. Assign accountability to roles within the organization so success in those strategies and processes is attainable. Design a way to ensure continuous improvement through routine monitoring, periodic assessments, and additional audits.

The fact finding sheet is used to share audit findings as soon as possible with the auditee during the audit, and should include: Criteria, Condition, Cause, and Effect.

The purpose of the exit meeting is to summarize the audit findings and the recommended solutions to resolve the issues. Findings discussed should never be a surprise for those audited, and the meeting is a test for auditors to be sure they were not mistaken when identifying issues or interpreting criteria. Final agreement on how remediation should occur is reached here.

The audit report will be read by a variety of people. It may include an executive summary; recommendations for remediation; and an action sheet with target dates as agreed upon. Be sure to follow up on remediation efforts of audit recommendations. 

Survey results (unscientific)

Using Survey Monkey, I developed a 10-question survey to find out what my records management colleagues were, or were not, doing with regard to records management audits. Here are some of the [interesting] results:

  • 64% of respondents audit physical records (paper) only; 44% only audit electronic records; 12% audit microforms (yes, they still exist); and 32% audit all of the above
  • 28% conduct an audit every 2-3 years while 24% of records managers audit either annually or every 5+ years. Other responses include never or as time permits
  • 64% of respondents audit internally; 4% audit externally and 32% do both
  • 84% of records managers do not use a 3rd party to perform or assist with records management program audits, while 16% do
  • 40% of survey responders report that only Records Management review audit results; 8% share results with either Legal, and/or IT, and/or Compliance, and/or executive management; and 40% share results with all of the above (Records Management, Legal, IT, Compliance and executive management) or have other responses
  • Demographics include three categories: Experience (20% of respondents have 1-3 years of experience, 12% have 4-7 years of experience, and a whopping 68% of records managers are seasoned with 7+ years of experience); Company size: 20% work for companies that have 500 employees or fewer, another 20% work for companies with 501-1000 employees, and 48% have 1000+ co-workers; Industry: 12% work in the energy/utilities sector, 24% are in the banking/finance/insurance arena, 4% in the healthcare field, 32% work for the government and 28% work in "other" industries
  • With regard to having a records management policy in place that addresses audits: 28% have a policy with audits addressed in it; 58% have a policy that does not address audits; 4% of respondents do not have records management policies but audits are addressed elsewhere; 4% have no policies and do not address audits; and 8% provided "other" responses
  • When asked whether an audit checklist and/or audit reports are used, 16% do not use a checklist but do produce an audit report; 20% - yes to checklist but no to audit reports; 28% - neither checklist nor audit report; and 36% yes to both checklists and audit reports

So, It’s gotta be 5 O’clock somewhere… Do you know what shape your [records management] program is in?

Brako Isaac

Records Officer, Documentation and Archiving

12mo

Educative article and thanks for sharing

Juanita Payne CRM

Independent Information Services Professional

4y

Great article. Wonderful writing as always. 
