“You’re being audited.” That’s a pretty scary sentence for just about anyone. But it doesn’t have to be! At the annual ARMA Houston 2015 conference earlier this year, I attended no less than three presentations about performing audits on your records management program – and with no IRS required! The three presentations I attended were, “Auditing your Records Program” by Glen Sanderson, “Compliance Site Assessments & Audits” by Lisa Blackwell, and “Applying the ARMA Principles® to the City of Austin: Measuring Success Using a Custom Survey” by Jessica Higgins and Bob Guz at the City of Austin. Drawing from all three sessions, let’s walk through the process of assessing your records management program.

Why perform an audit?

There are several reasons that you might want to do an audit on your records management program. Overall, it helps you analyze how your records management program is doing. Is it actually working the way it should be? Where can you improve? Does your program comply with policies and procedures, regulatory requirements, and retention schedules? Identifying gaps between how your policies should work and how they’re actually working can help you increase efficiency, reduce costs, and manage information more effectively. Basically, an audit is like a health check for your RM program. In fact, one audience member said that’s what her organization would call an audit – because a “health check” sounds much less threatening and more proactive than an audit.

Preparing for an audit

Planning an audit is probably the most arduous step in the audit process.

• Plan who you will talk to and what departments you will visit.
• Determine what you will be auditing format-wise – will you just look at paper, or only electronic records, or both?
• If you are conducting interviews, ask the interviewees when they want you to come. Remember that you are there to help them, so try to accommodate their schedules.
• Figure out what kind of answers you are seeking. Do you need to ask more specific questions, or will specific questions exclude some departments? If you ask open-ended questions, how will you assess them?
• Look at standards for records management and information governance. These include The Principles and the Information Governance Maturity Model. Translate those standards into language that is easy for your employees to understand. You can also look into assessment tools available for purchase – you might find them beneficial, if the cost is something you can spare.
• Do your homework. Gather information about the workflow in your organization, what software applications employees use, how information moves through your organization, and whether there’s a disaster recovery or business continuity plan in place. A department website might be a good place to start finding this information.
• If you’re doing a site assessment, find out as much as you can about the site as you can before getting there. Speaking of site assessments…

Logistics for Site Assessments

A subpart of planning an audit is being prepared for audit logistics, particularly when it comes to site assessments. Some sites are not going to be your average office area, and it’s important to prepare for those visits.

• First – how do you access the site? If you have to go into the field to conduct a site assessment, your phone and its GPS might not have reliable directions about where to go. Your GPS might not be able to tell you, “Go left at the red light next to the red barn.” Make sure you get specific directions from your contact at the site.
• You should also keep contact information in your phone of people who you’re meeting with. You probably have their office phone number, but what if you get lost and they’re out to lunch? Their cell phone number would come in real handy then!
• Know their dress code. You are going into their space, and should try to match your style to theirs. If they’re business casual, and you go to the site in a three-piece suit, they might not trust you because you’re “from corporate.” On the flip side, if you need fire-resistant clothing or steel-toed shoes, bring your own – don’t assume that they’ll provide you with those items.

A pair of steel-toe boots.

• On a related note, check the weather for the site and dress accordingly. Warehouses are not always climate controlled or may be undergoing repairs.
• Take supplies with you. Again, don’t rely on the site to provide you with everything you need.

Performing an audit

At this point, you’ve planned and prepared extensively. So now you can go out into the field (even if the field is the department next door) to actually carry out the audit. One-on-one sessions can be helpful in order to ask questions, or to watch processes as an employee moves them. It can also give you the chance to start testing processes or products. Or, you may choose to distribute a survey based on one of the standards that you looked up in your preparation.

Professional auditors prepare something called audit work papers while they conduct an audit. This documents all the work that an auditor did during the audit. It helps verify results, and can be useful in the future if someone wants to perform a follow-up audit. It also provides accountability for the auditors themselves, to make sure they did an adequate job with the audit. While you may not have professional auditors coming to assess your program, it wouldn’t hurt to take a page from their book and thoroughly document your audit.

 Reporting on an audit

• After you’ve finished the audit, plan a closing meeting. This is where auditors get together with whoever they’ve audited and formally communicate their findings. It’s also a chance for the auditors and departments to work on a plan for going forward and improving problem areas.
• When organizing your report, focus on the high-risk findings first, followed by the medium-risk issues. If you documented the low-risk issues in your audit documentation, then it’s not necessary to include them in the final report.
• Make sure there is some provision for how management or departments should follow up to report on their progress. Timelines or checklists can be helpful tools for this.

 After the audit

An audit can be very informative, but it’s rather pointless if there’s no effort to effect change afterwards. A few months after the report is issued, go ahead and follow up with managers and staff to see if they’ve been able to start implementing changes. And make sure that the change is documented. It’s really impressive to be able to quantify the positive change that you’ve made, and you want to be able to show that off. Those numbers might come in handy if you find yourself asking for more staff or equipment down the line. You can say, “Our audit told us we needed to reach x goal, and we tried to reach that goal. However, we were only able to achieve 60% of our goal. With additional staff, we will be able to reach 100% of our goal.” The documentation also helps communicate the organization’s process to staff. Employees want to know what steps are being taken to improve processes, and if they brought up any concerns during the audit, they will want to know how their concerns are being addressed.

After a few years, it will be time to start getting ready for another audit. One presenter recommended having a follow-up audit no later than 4 years after the initial audit. You may want to simply audit the same things that you audited in your initial audit. Or you may decide it’s time to take a look at a different aspect of your records management program. Either way, the audit is sure to be a productive exercise that will undoubtedly lead to positive change in your program.