October 2006

Digital Records Management — What Auditors Should Know

As companies continue to decrease their dependence on paper records, internal auditors need to stay ahead of the game by understanding the necessary ingredients to an effective digital records management program.

Raquel Filipek
Editor, ITAudit

Nowadays, it is not uncommon for a lot of the paper that is produced to be in electronic form somewhere else, comments Steven Jameson, chief internal audit and risk officer for Community Trust Bancorp. In fact, according to Carol Beaumier, managing director of Protiviti's financial services and regulatory risk consulting practices, there's been an increased use and acceptance of digital records in organizations worldwide: "More and more records that historically might have been in paper are now in electronic form." In the United States alone, there is a major initiative under way to make all patient health records available online through an Internet-based architecture by 2014. And according to the U.S. Centers for Disease Control and Prevention, 25 percent of U.S. physicians use electronic records. As more organizations continue to digitize existing information, internal auditors need to consider the impact an increased reliance on digital data will have on the IT infrastructure and understand the key aspects necessary for an effective digital records management program.


Digitizing data has its advantages. "Storage is no longer an issue, because automated data is easier to move around, and there's less physical space required to contain data," explains Jameson. However, the same things that make digitized data easier to work with can create new security problems. As Jameson illustrates, with a physical document companies can put the file in a cabinet, lock the cabinet, and place the cabinet in a locked room that is secure. With electronic data, companies have to worry about who has access to the document; how the document is shared or moved from person to person — via diskette or a removable thumb drive, for instance; and whether the data is compiled or downloaded. "There are more ways to move information around when it is digitized, which creates additional security concerns," Jameson adds.

Before a company begins to transition to a paperless, digital environment, internal auditors should recommend that organizations consider the different aspects of this change. "Most records are now created, maintained, and distributed in an electronic format," says Frank Wu, managing director in Protiviti's business risk consulting practice. "From a management standpoint, companies should establish the appropriate policies, procedures, technology, and training environment necessary to have an effective electronic records management program."

Policies and Procedures
The consequences of poor digital records management can be devastating. Lax records management policies and procedures of any kind can erode an organization's accountability and enhance its potential for corruption, as well as undermine the confidence of stakeholders and trustworthiness of the company's records. When transitioning from a paper-based system to a digital records system, auditors could recommend that existing policies and procedures be updated. "Record policies need to ensure that they account not just for the paper side, but also the electronic end," explains Wu, who has helped companies map record management processes to specific risk areas. "These policies need to state how digital records will be created, maintained, and managed."

A key aspect organizations need to keep in mind is the use of security access controls for all electronic data, such as determining who is going to be allowed access to the data and under what circumstances. Companies also need to determine how they are going to store the data once it is digitized, as well as how they are going to transfer or transport the data within and outside the organization. Questions internal auditors can recommend organizations ask include:

  • How is electronic data going to be transmitted (e.g., via the Internet, e-mail, or courier service)?
  • Under what circumstances is data to be transmitted over the Internet?
  • Under what circumstances is data to be transmitted via e-mail?
  • Is encryption going to be used for information transmitted via the Internet or e-mail? If so, what kind of encryption will be used?
  • Is encryption going to be used for stored data?
  • How long is stored data going to be kept?

In addition to storing digital data, companies need to retain the original paper records. "Original documents need to be retained for an appropriate time period to allow for the quality control on the back end to have occurred and until the data conversion project is concluded successfully," Jameson explains. "In some industries, such as the financial services industry, companies may digitize or create electronic images of trust files, but choose to retain those original source documents for as long as the account is open or for some appropriate period of time." The length of time depends on the industry the company works in, the purpose of the information, and the company's legal and regulatory responsibilities.

Besides determining how digital data will be secured and stored, auditors can recommend that companies look at their access and change management policies. As Jameson explains, determining who will have access to electronic data is important, because once data is digitized, "the new medium creates an opportunity for something else to happen with the data or for somebody who ordinarily should not have access to the information to get access to it."

Questions organizations can ask to determine the necessary change management policies and procedures that need to be implemented include:

  • Who has or will have access to the data?
  • Who owns or will own the data?
  • Who will make changes to the data?
  • How are changes going to be handled (i.e., via a change management process or as needed)?
  • When will changes be made (i.e., once a day, twice a day, once a week, or as needed)?
  • How will data access and changes be documented and monitored?

Technology and Training
Once policies are established, organizations need to determine if current processes or procedures are well supported. "New processes may require new technology tools or an expansion of the existing technology infrastructure to support the electronic record management system," says Wu. "Once a company has the necessary policies, processes, and technologies in place, they have to deal with the people side." This includes the implementation of training and awareness programs to educate employees on how the new record management system is to be used.

Training and awareness also serve another role — they enable employees to adhere to company policies and procedures. "Having a new records management system is more than just a quick installation or buying a software tool — it's establishing a compliance program that encompasses the entire aspect of records management," Wu adds.

Training programs can be geared to employees who will have access to the system, while awareness programs, which may discuss other corporate issues, can be geared to all company staff, regardless of job function or title. In addition, these programs need to have management support and buy-in. This will enable the company to create a compliance environment that is advocated from the top levels of the organization and that permeates throughout the rest of the organization.

In terms of technology, auditors need to recommend that organizations purchase a vendor application or implement an in-house system that:

  • Meets the company's needs (e.g., if a software application is purchased, auditors should recommend that the organization purchase an application with vendor support that can be modified to meet business needs).
  • Works well with other data systems and data entry points, such as the Internet.
  • Helps to maximize the use of compiled data (e.g., the record management system should allow authorized users to access data easily and securely, and provide necessary extraction and reporting capabilities).

Furthermore, companies need to consider the lifespan of the data management application. Once a record is digitized, the technology used to manage or store the record may become obsolete. This may create potential problems, especially if the application needs to be updated to meet new business needs and the product is no longer supported. If a new digital records management system is purchased to replace an existing one, auditors should remind companies that there might be compatibility issues between the old data and the new system.

Other Issues
Besides reviewing the organization's policies and procedures, current technology infrastructure, and training opportunities, internal auditors should pay close attention to the actual conversion process. For instance, auditors might want to find out if the information in the paper record was entered manually into the record management database or whether imaging equipment was used to transform documents into an electronic file that was then archived. "If an imaging system is used, the equipment may get out of adjustment and the images may become blurred," explains Jameson. "The paper record also could have been fed into the machine incorrectly, causing the image to be partially captured, or the imaged document may be mislabeled or miscoded and, therefore, filed in the wrong electronic location." Jameson recommends that auditors advise organizations to keep the following key issues in mind when using imaging technology:

  • Data access (e.g., who will have access to the data during the imaging process?).
  • Quality control (e.g., has the company implemented a quality control process to ensure images are readable before and after the data is captured and the original documents are destroyed?).
  • Software problems (e.g., some imaging technology has the ability to change, alter, or obscure the original image and the digitized copy of the original image).
  • Application interaction (e.g., if imaging technology interfaces with other systems, compatibility issues may surface, and employees with access to the interfaced systems could access the imaging application and the converted data).
  • What data needs to be imaged (e.g., an organization may decide to digitize all the information on each file without evaluating what needs to be imaged or without realizing some of the information may already exist electronically in another system).


    As organizations move forward with their data conversion processes, auditors may be asked to recommend the best courses of action to ensure the new management system is effective and secure. Recently, the International Records Management Trust (IRMT) developed a series of tools senior executives, record managers, and developers of IT systems can use to become familiar with record management best practices. Based in London, IRMT works with policy makers and records professionals to develop new strategies for managing public-sector records. The tools developed by the Trust consist of a management brief, guide, and gap analysis assessment. Although developed for companies in the finance sector, the tools can be a resource to any organization that is implementing a digital records management system for the first time.

    The tools also can serve as a checklist that enables internal auditors to determine the scope of their audit efforts. As IRMT Project Director Anne Thurston explains, internal and external audit efforts are affected when paper and digital records are managed inappropriately. "To maintain a complete audit trail, it's important that paper records are well managed before, during, and after they are integrated into a management information system," she says. "This is the only way the system can work as a whole." The tools, she explains, can help auditors identify the different areas and best practices organizations should focus on during the digital conversion process.

    Each of the IRMT's tools was developed with a different audience in mind, notes Michael Hoyle, a private record and archive management consultant for the Trust. The management brief describes a high-level, risk analysis assessment that executives can perform to determine the state of their information management systems and records, while the guide is intended primarily for people who plan, design, test, implement, and manage information systems. Finally, the gap analysis tool provides a means for organizations to assess the degree to which existing information management systems meet the management requirements presented in the guide.

    To download a copy of the management brief, guide, and gap analysis tools, visit the IRMT's Web site, www.irmt.org.

    Other records management resources available include:

    • The National Archives of Australia Web page, www.naa.gov.au, which provides useful information on digital records keeping.
    • The UK's Joint Information Systems Committee Web site, www.jisc.ac.uk, which features information on digital records management.



Another factor companies must keep in mind is the timeliness of the data conversion project. Jameson recommends that organizations take into consideration how long the project will take and have a plan of action that outlines what to do when existing data needs to be updated or new documents need to be created as the conversion project takes place. For instance, companies need to consider how updates and new documents will be catalogued. "Updating information after it has been added to a new system may pose a challenge when trying to keep a good record or track files that have already been converted," Jameson adds. This leads into two other considerations discussed previously — what needs to be done with the paper record once it has been converted digitally and the amount of time the original document should be retained.


Moving from a paper-based process to a digital records management system creates opportunities and challenges for internal auditors. "Certainly any new information management system will have inherent risks and practical limitations," Wu comments. "As companies digitize their records, internal auditors will have to effectively assess and rely on these systems and, more important, align the scope of their audit work plan to the key business and technical objectives of these new systems."

According to Beaumier, having an effective audit function is critical for a new records management system to work. Internal auditors play a key role in the records management process by monitoring whether records management programs are enforced consistently through the use of controls. "I've seen records management programs fall apart in companies that invested a lot of time and energy to develop nice policies and procedures, but the enforcement wasn't there. As a result, employees started disregarding their own policies and procedures over time," she explains.

A key control Jameson recommends is the validation of electronic data. "Just because somebody hands you an electronic file and tells you 'here are the documents' doesn't mean you should not verify that the electronic file includes the documents needed for the audit," comments Jameson. "The auditor may have to ask how the data was generated, whether the files are a standard system report or special report, and what parameters were used to generate the data."

In addition, Wu recommends that auditors pay attention to the company's overall regulatory requirements. "In any information management system, auditors need to determine whether the new technology implemented addresses the needs of the organization and whether it meets the legal and regulatory requirements in the areas of records management," explains Wu. Because for some auditors this may be a different or new area, they may need to leverage the knowledge and involvement of the IT department. For instance, auditors might need to understand where the organization is along the conversion process and get to know how the new systems operate so they can determine which areas to monitor, assess, or review as part of their work program.

Jameson sees the digital push as an opportunity for internal auditors. "I think it's possible for auditors to perform more comprehensive tests, like running an interest calculation test on the whole population as opposed to a sample," he explains. "The ease of dealing with, evaluating, and manipulating electronic data has definite advantages for auditors in that they can expand their scope, cut travel time and costs, and put in place more continuous monitoring of data, as opposed to having to deal with hard copy records that require an on-site visit."

