Using ISO 15489 as an audit tool: ISO 15489, the first international standard devoted to records management, provides a comprehensive and practical basis for auditing full and partial records management programs.

• Author: Crockett, Margaret
• Position: Lessons Learned

ISO 15489 (1:2001 Information and Documentation--Records Management--Part 1: General) is the first international standard devoted to records management. It was developed from the Australian standard (AS 4390.1--1996) and provides detailed specifications for the structure, content, and implementation of records management programs. The guidance it contains is applicable to records management for any organization and covers all media.

The standard is intended to provide a framework for planning and implementing a records management program. The comprehensive nature of the standard with regard to current and non-current records and the clear categorization of its requirements also makes it an obvious choice on which to base audits of records management programs.

A critical review of the standard as a basis for an audit is important. It is critical to walk through the preparation phases for the audit, including the development of assessment tools based on the standard, the audit process itself, and audit report writing. To ensure its newly implemented records management program complied with industry best-practices, one small European pharmaceutical company used ISO 15489 to help guide it through those critical processes. Examples from an actual audit of a newly developed records management program involving the pharmaceutical company's non-current, clinical trials department records provide many lessons for any organization that wants to use or test the standard in its own records management program.

Methodology, Background Research, and Scoping

The methodology for an audit has four main components:

1. Initial background research and scoping of project

2. Preparation, including familiarization with the company's records management program documentation, and development of audit tools to establish compliance with ISO 15489

3. Audit information gathering

4. Report writing

The first component involves dialog with the records manager to gather enough data to estimate the project's size and time requirements. The data required includes information about the company, its mission, and functions; the number of employees; details about the records management operation; and the context of the audit. This information is crucial to scoping the project, estimating time required, and allocating time to the various phases of the audit process.

In this instance, the audit scope contained:

* The records of one department of the organization (although there was a realization that good records management practices could be transferred to other parts of the company)

* The non-current phase of the records life cycle

* Paper records only, because the records management program did not yet include digital media

The audit context was:

* A young pharmaceutical company

* Limited functions to be considered

The records management system had not yet been implemented; consequently, the audit would not be large or lengthy, there would be few record series to cover, and there would be no user base to canvass. So why was the audit undertaken? There were two main reasons: the pharmaceutical company's records manager was new to records management and wanted to make sure she had set up a system that was compliant with accepted best practices; and the pharmaceutical industry's strong audit culture. The records manager intended to roll out the system to other areas and wanted to ensure that it was a good one before doing so.

Since the audit, the pharmaceutical company has been searching for a full-time qualified records manager--a need that was identified in the audit report as a result of the records manager only spending about 10 percent of her time on records management. That was not necessarily something the company expected to come out of the audit, but the company has since taken advantage of the findings to improve its records management program.

Preparation

Preparation for auditing a records management program consists of:

* Reading and evaluating record management documentation provided by the records manager (See Table 1)

* Developing an evaluation tool that will map collected data to ISO 15489 (See Table 2)

Reading through the assembled records management program documentation has a dual purpose: it provides a complete overview of the program and its components, and it allows the auditor to assess the documentation for compliance.

Mapping audit findings to the standard can be done through use of a form or checklist designed for this purpose. Developing such a checklist, or audit assessment tool (AAT), involves turning the relevant requirements of ISO 15489 into a series of questions. The checklist or form will need to be modified to reflect what the records management program covers, whether the full records life cycle or only a segment of it. Do not underestimate the length of time this can take; allow at least two days.

The AAAT can be divided into two parts: the first focuses on assessing compliance with the standard proper in terms of records management; the second reflects the requirement for compliance with any relevant regulatory bodies' guidance on recordkeeping. The final product can be quite long and should be very detailed. Tables 2, 3, and 4 provide examples of an AAT developed for the audit undertaken. Comparison with ISO 15489 gives an idea of the tool's practical use (see "ISO 15489-1:2001 Sections Useful for Auditing" on page 52).

Auditing Regulatory Environment

Section 5 of the standard specifies recordkeeping practice. It deals with the regulatory environment, including those...