As client privacy requirements grow and as emerging technology presents new data protection challenges, proactive records management practices become good business. Auditing a records management program means examining a company's policies and comparing these to its practices, as well as examining the effectiveness of each.
Records Management Policies
An effective records management policy first fulfills any regulatory requirements, such as tax records retention or the customer information access rules required by a credit card processor. Secondly, it serves as the statement of a company's intent for records management performance. Both aspects of the policy guide the auditing effort and its scope: the auditor first matches the points of law or agreements to ensure each is addressed, then evaluates how diligently the company follows its own intended practice.
Retention and Disposal
Retaining records has both legal and operational considerations. The auditor will verify that a company meets Internal Revenue Service requirements, generally seven years for most tax-related documents. Other records retention timelines are compared to the company's policy provisions. This can take the form of simple date checks of archived material to ensure that the oldest records match policy requirements. The auditor examines disposal practices to ensure timely and proper destruction, and will look for evidence that storage and disposal schedules are available to employees.
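The date checks described above, as an added example that is not part of the original article: a constructed retention policy (the seven-year tax figure is the one the article cites; the other categories and every record in the inventory are hypothetical) is applied to an archive inventory to flag records held past their disposal date, records in a category the policy never covers, and the oldest retained record per category.

```python
from dataclasses import dataclass
from datetime import date

# Constructed retention policy in years per record category. "tax" uses the
# seven-year IRS timeline cited in the article; the other values are hypothetical.
RETENTION_YEARS = {"tax": 7, "utility_invoice": 3, "register_tape": 2}

@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    created: date

def disposal_due(record, policy=RETENTION_YEARS):
    """Date from which the record is eligible for destruction under policy."""
    target_year = record.created.year + policy[record.category]
    try:
        return record.created.replace(year=target_year)
    except ValueError:  # created on 29 February: roll to 28 February
        return record.created.replace(year=target_year, day=28)

def audit_retention(records, audit_date, policy=RETENTION_YEARS):
    """Auditor's date checks over an inventory of archived records.

    Reports records still held past their disposal date (timely-destruction
    finding), records whose category the policy does not cover (policy-gap
    finding), and the oldest retained record per category for comparison
    against the policy's retention period.
    """
    overdue, uncovered, oldest = [], [], {}
    for rec in records:
        if rec.category not in policy:
            uncovered.append(rec.record_id)
            continue
        if disposal_due(rec, policy) <= audit_date:
            overdue.append(rec.record_id)
        if rec.category not in oldest or rec.created < oldest[rec.category]:
            oldest[rec.category] = rec.created
    return {"overdue": sorted(overdue), "uncovered": sorted(uncovered), "oldest": oldest}

# Constructed inventory of five archived records and a hypothetical audit date.
SAMPLE_RECORDS = [
    Record("TX-2010-0415", "tax", date(2010, 4, 15)),
    Record("TX-2012-0229", "tax", date(2012, 2, 29)),
    Record("UT-2013-0310", "utility_invoice", date(2013, 3, 10)),
    Record("RT-2017-1201", "register_tape", date(2017, 12, 1)),
    Record("HR-2016-0101", "personnel_file", date(2016, 1, 1)),
]
AUDIT_DATE = date(2018, 6, 1)
```

Running `audit_retention(SAMPLE_RECORDS, AUDIT_DATE)` lists the two records overdue for destruction, the one category the policy omits, and the oldest record held in each covered category.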
Retrieval and Access
Retained records are of little use if the desired information can't be located in a timely fashion. The auditor will test access by requesting information and evaluating how efficiently it is retrieved. For example, the auditor might request utility invoices from March 2013 or cash register tapes from December 2011. Restrictions on access to certain records are tested too. Credit card companies require that cardholder data be stored securely, with access restricted to the people who need the information. To test the integrity of that security, an auditor may, for example, ask an unauthorized employee to retrieve credit card slips for a particular period and confirm that the request is refused.
Digital Records Management
With much business information now generated and stored in electronic form, the auditor will assess digital records management with an eye to the same principles of retention, indexing and access. Security of information portals such as email and websites will be examined for data encryption features. Network or cloud storage integrity and access controls are checked. Where digital records are created from scans of original paper documents, the auditor will ensure that verification procedures are in place before the paper records are destroyed.