The principles and external audits.

Author: Gable, Julie
Position: THE PRINCIPLES

External audits depend on documentation, and that can make them stressful, time-consuming, and psychologically draining for records and information management (RIM) professionals who have to produce the documentation quickly. Learn how to prepare for and respond to an audit and how basing your RIM program on the Generally Accepted Recordkeeping Principles® can reduce the strain and deliver good results even when under intense scrutiny.

Third-party audits are a fact of life for organizations large and small. Some audits are limited in scope. A U.S. Department of Labor audit, for example, reviews employee job classifications and wage rates. Tax audits, on the other hand, encompass all income and all expenses and are generally broad in scope. Even non-profits are subject to audits by grant-makers who want to ensure that their funds are well spent.

Regardless of type, third-party audits have several aspects in common. The auditors must form an opinion of how, and how well, an organization conforms to the laws or standards that govern it. Auditors rely on direct observations, overall impressions, and first-hand inspections during onsite visits that can last from days to weeks. While on the premises, auditors test an organization's compliance or non-compliance by gathering evidence in the form of records and documentation. In the process, every principle of good recordkeeping will come under scrutiny.

Even though the outcome of an external audit is a judgement on company-wide compliance, the audit processes themselves are often the ultimate test of an information governance (IG) program. As the examples will show, this is particularly true for audits conducted in regulated industries. (See sidebar "SEC, FDA Regulatory Audits.")

Timing Is Everything

Though regulatory audits may be purely routine, they may be triggered by newspaper headlines, litigation, consumer complaints, or wrongdoing by other organizations in the same sector.

Audits may also be a surprise. At best, the U.S. Securities and Exchange Commission (SEC) gives a two-week notice for an impending visit. The U.S. Food and Drug Administration (FDA) may give no notice at all and simply appear at the reception desk. Like pop quizzes, external audits, even expected ones, are measures of what has been done to date.

An IG program based on the Generally Accepted Recordkeeping Principles® (Principles) and the Information Governance Maturity Model (IGMM) goes a long way to show that the organization takes its information management responsibilities seriously. Used well, these comprehensive tools help develop and sustain an IG program that delivers reliably during even the pickiest inspections.

Work guided by the Principles also provides a number of spillover benefits that become very handy during the audit process. Finally, understanding the Principles can also uncover potential problems, which are best handled before an audit occurs.

IG Bedrock Principles

The Principles of Compliance, Accountability, and Transparency are the bedrock of the IG program and the backdrop against which audit scenarios unfold. In industries where information is a crucial part of the company's end product--financials and pharmaceuticals, for example--what affects IG affects the overall entity, as shown below.

Compliance

IG compliance requires the organization to review all applicable laws, regulations, codes of conduct, and ethics that apply to it. An organization makes and maintains records to prove that it does business in accord with these, and its policies reflect how it interprets them in its operations.

These internal policies impose...
