We’ve spoken here before about the benefits of doing an audit on your records management program to ascertain whether your program is working as it should, and this month, I was able to ask some folks who have helped with an audit in their agencies about the details of the practice. Jerry Sorrells, Records Management Officer for the Texas State Technical College System, and Benito Ybarra, Chief Audit and Compliance Officer for the Texas Department of Transportation, were kind enough to answer some questions about how the audit process works in their respective agencies.
How are audits done in your agency? Are they performed by internal or external entities? Do you have a department devoted to audits?
Jerry Sorrells: Yes, my state agency (TSTC) has both an internal audit team and external audits. My agency does have an Internal Audit group that is dedicated to just our organization and performs annual internal audits.
Benito Ybarra: TxDOT has both an internal and external audit function. Internal Audit Division’s audits are performed on a quarterly basis at TxDOT based on an Annual Risk Assessment that determines the Annual Audit Plan. External Audit is a part of the Compliance Division.
What was your role in the audit? Were you a part of the auditing team? Or were you just brought in to answer questions from the person conducting the audit?
JS: The RMO is part of the Audit process. The Audit group handles the review and research of our processes, and then we answer any questions they might have. We do a quarterly review in-house of the records management program to ensure we stay in compliance. Any inquiries or issues we handle in a timely manner and track those issues until compliance.
BY: The Internal Audit Division conducts the performance audits across the state. The Internal Audit Division does not have an individual solely devoted to records management on the team. Each team member learns the records management process specific to the audit engagement topic together or in regards to the source documentation of the audit.
Has records management always been a part of your auditing process? If not, how was it determined that RM needed to be a part of the audit?
JS: No, in the past it was reviewed yearly regarding issues, but not in-depth. In 2011, the Records Management team and Internal Audit began to work closely to identify RM areas of concern, issues and future challenges. We address current issues and implement internal controls to help identify areas that need to be ramped up or changed, and we created procedures for most functions while implementing a better tracking system. It was part of an overall review of how departments and RM work together.
BY: No, records management is not always part of our auditing process. Based on information learned within planning, the scoping of the engagement, or testing within fieldwork, records management may be included as part of the audit work program or management action plans.
If you were a part of the auditing team, what did you tell people to expect from the auditing process? Did you meet resistance or roadblocks when embarking on the process? How did you engage employees that were resistant or hesitant to assist with the audit?
JS: Being the lead on the audit for records management is a challenge. The need to meet audit reviews and be compliant usually comes with a change of culture, cost or new approaches. To make change, the challenges to do things right, track results, and time to do the process will cost departments both manpower and money to implement. Therefore, we run into roadblocks where the department simply cannot do things the proper way at that time. Not so much resistance, but realization that the department has a hard time implementing change, so you have to make it part of a 1-3 year plan.
BY: Inherently, audits can be subject to resistance. Additionally, TxDOT has the added layer of complexity of the agency size and decentralization. Typically, our teams will make their best efforts to establish rapport with a client face-to-face to ease any trepidation of the audit process; however, our decentralization can pose a challenge to that. Resistance to the audits is typically overcome with more 1×1 conversations, facts, and more discussion on the risks which the audit is helping to provide assurance and possibly ease their day-to-day activities.
What did you find the most difficult part of the process and how did you approach it to make things easier?
JS: The cost of new systems to track and implement automated destruction of records once they are loaded to a system is the biggest challenge. The cost to purchase and have IT implement a program that includes a retention module is more than most management teams will be ready to spend. The other big hurdle is that management does not consider records management a high enough priority versus their main objectives. So, educating them of the impact to the bottom line is critical. We wrote an internal SOS that made the department heads responsible for records within their areas, and they are required to follow our records management program guidelines, including requiring signatures. The best approach is how it impacts the organization and bottom line: you can pay 31k now or 140k in 5 years to do things right after an audit.
BY: From an audit perspective, building the rapport with the client can move mountains. Better rapport will help to obtain documentation and allow for deadlines to be met. From a records management perspective, TxDOT faces three main challenges: 1. Decentralization and potentially 26 different methods/locations of retaining records (25 districts and the overseeing division); 2. Not being able to locate records due to either the records being very manual (i.e. real estate deeds, etc.) or multiple records management systems housing the same information (i.e. contracts); and 3. Duplication (how to identify original versus copies of originals).
And finally, what advice would you give to someone who would like to do an audit in their agency or local government?
JS: Be honest, recognize the need to be transparent, and realize, no matter what, that your program will identify a lot of take-aways and to-dos. It will also give you a good report of the current program for upper management. Be prepared that your leaders may be slow to respond to all your needs or support spending money to correct any issues. It will be based on how you present it and what impact it will have to improve the bottom line of your organization.
BY: 1. Make sure to pressure test the population. Often the listing provided by the client is put together to the best of their knowledge, but there may be more out there that they are not aware of. 2. Make sure your criteria are the most up-to-date that exist. Working from outdated criteria will damage your credibility. 3. Don’t be afraid to challenge the records retention schedule. Do we need to retain all of that, or can we drive efficiencies or save server space?
Many thanks to Mr. Sorrells and Mr. Ybarra for sharing their insights on this important process! Get out there and start auditing!