As client privacy requirements grow and as emerging technology presents new data protection challenges, proactive records management practices become good business. Auditing a records management program means examining a company's policies and comparing these to its practices, as well as examining the effectiveness of each.
Records Management Policies
An effective records management policy first fulfills any regulatory requirements, such as tax records retention or customer information access rules required by a credit card processor. Second, it serves as a starting point for a company's intent for records management performance. These aspects of the policy guide the auditing effort and scope: the auditor first matches the policy against the points of law or agreements to ensure each is addressed, then evaluates how diligently the company follows its intended practice.
Retention and Disposal
Retaining records has both legal and operational considerations. The auditor will verify that a company meets Internal Revenue Service needs, generally seven years for most tax-related documents. Other timelines of records retention are compared to company policy provisions. This can take the form of simple date checks of archived material to ensure that the oldest records match policy requirements. Disposal practices are examined by the auditor to assure timely and proper destruction. The auditor will look for evidence that storage and disposal schedules are available to employees.
Retrieval and Access
Retained records are of little use if desired information can't be located in a timely fashion. The auditor will test access by requesting information and evaluating its retrieval efficiency. For example, the auditor might request utility invoices from March 2013 or cash register tapes from December 2011. Access to certain records is tested too. Credit card companies require that cardholder data is stored securely, with access restricted to people who need the information. An auditor may ask an unauthorized employee to retrieve credit card slips for a particular period, for example, to test the integrity of security.
Digital Records Management
With much business information now generated and stored in electronic form, the auditor will assess digital records management with an eye on the same principles of retention, indexing and access. Security of information portals such as email and websites will be examined for data encryption features. Network or cloud storage integrity and access are checked. Where digital records are created from scans of original paper documents, the auditor will ensure that verification procedures are in place before paper records are destroyed.