Designing a records audit: a controls-based approach

Using a controls-based approach to auditing for IG program compliance can help ensure a focused scope, collaborative effort among appropriate stakeholders, quantifiable findings, and trackable remediation progress.

Author: Altepeter, Andrew
Position: Information governance

Giving a deposition about an organization's information governance (IG) program in connection with litigation or a regulatory investigation can be a daunting experience. Opposing counsel may ask for evidence, such as policies and procedures documentation, retention schedules, and employee training, to show that the organization has an effective IG program.

More challenging, though, is if counsel also asks for proof that all members of the organization are being trained and that they are following the policies and procedures. Producing policies, procedures, and retention schedules is a great start, but their mere existence does not prove that they are being followed; the organization must have a way to show it is doing what it says it is doing.

Auditing as Evidence

Many organizations choose to audit their internal processes as a way to show that they are living up to the mandates set in their policies. But auditing IG, something that touches every member of the organization, can be challenging, and not all audits will satisfy a court.

For example, some organizations may "audit" by asking all employees to click an electronic check box or sign a statement to attest that they are in compliance with the organization's IG policies and procedures. This process is easy to set up and easy to get a majority of employees to respond to since it takes only a few seconds to check a box or sign a form.

This approach is useful for periodically reminding everyone in the organization of their need to comply with the policies and procedures. But this is not an audit, and in all likelihood it will not satisfy opposing counsel or a judge.

The key to an effective audit is having the right controls, scope, and stakeholders. This article provides guidance for assembling these elements and building an audit that will enable an organization to show its IG program is legally defensible.

Going Beyond the Maturity Model

ARMA International's Generally Accepted Recordkeeping Principles® (Principles) includes the Principle of Accountability, which stipulates that practitioners must ensure program auditability; specifically, it dictates "Review/auditing of information governance policies and processes to monitor success and failure and to improve and update them proactively."

There are multiple ways to accomplish this. For example, ARMA created the Information Governance Maturity Model (Maturity Model), among other instruments, for organizations to use to benchmark their growth in accordance with the Principles. This is well and good; the Maturity Model is a useful tool for measuring an organization's IG profile at a high level. But that is different from conducting a true audit.

Audits require a scientific inventory of current practices across the organization, its repositories, and its...
