An Overview of a Records Management Audit Procedure
Auditing for Beginners
It’s important to audit your records management process to ensure your organization meets legal and regulatory requirements. The audit process may also provide insight into the operational effectiveness of your organization. Most audits follow a similar framework, typically focusing on ensuring that your business follows the procedure for records management (RM) as defined by regulation and operational requirements.
You and/or your auditor must decide how much or and what is to be audited. In this case, it could mean auditing the entire set of records management policies and procedures or a sample. Auditing your entire system could be time-consuming, sometimes it is the only practical approach. However, if you are conducting the audit to confirm compliance you can simply audit a sample.
Simply put, the audit reviews the procedures your organization uses to create, manage, secure and store a record. First, your auditor reviews the record inventory—both digital and physical—of the records your organization keeps. This inventory provides a sense of the type and volume of records you manage. Also, under review will be how your organization determines what to keep and how it communicates this information and processes internally. Next, the auditor reviews how your records age—do you archive records or destroy them. Either way, the policies are evaluated to determine what records you keep, for how long, and how records are destroyed. If records are stored, the database or secure facility is examined. If records are destroyed, the procedures for destruction are reviewed. Typically, this includes how the security of the records is ensured during the destruction process. Additionally, the auditor may go through the process of record creation to assess reliability.
Digital records management (DRM) is very efficient, but depending on the setup or which technology the organization has implemented, it can be prone to issues with security and access. This tends to be the case when the record contains sensitive health, legal or financial information. The record audit reviews how your organization control who can retrieve or change the record. For records that require more security, the auditor may review whether the DRM uses encryption, and what the procedures call for when transmitting the encrypted record using the internet.
Reporting and Outcome
An audit is finalized with a report that includes the audit scope, findings, and areas that require attention. Often the report lists the objective of each RM procedure and its audit outcome. If your processes are working as defined, your staff and policies are meeting the objectives set forth in the policies. However, if processes are only working partially then other actions are often required. For example, this can occur when staff only follows part of the procedure to manage a record but do not do exactly as the policy states. The auditor also includes a date for follow-up. Management should review the report and make the required changes. Finally, the auditor will return to review whether the issues are addressed in their entirety.
If the aforementioned steps seem complex, they can be, but we are here to help, please contact us.