I can hear some of you saying: “Did you really have to go there? I cannot stand audits. They are time consuming, expensive and the business just won’t tolerate the intrusion for Information Governance (IG) and Records and Information Management (RIM)”. Sorry, the answer is yes. Without auditing, you are not able to assure that the workforce is actually doing what they are required to do.
I digress but back in my youth there was a popular cartoon character named Mr. Magoo (you can still watch him on You Tube) with very bad eyesight (although he thought it was perfect) and was therefore always mistaking his surrounding into his own alternate reality. He happened to have a bald head and one day he walks into a barber shop and requests a haircut. When he takes his hat off, the barber finds a single hair standing up in the middle of his bald head. The barber dutifully clacks the scissors over his head – forward, backward, left, right, and finally after some period of time actually cuts the single hair on his head. He then pronounces the haircut complete. Mr. Magoo pays him and walks out, believing that he has had a full haircut.
For IG/RIM we cannot live in our own little world, our own reality, thinking that the workforce has performed activities to become and maintain compliance when it is possible (perhaps even likely) that they are not compliant. Audits help to assure we are all in the same reality, actually accomplishing and performing as required.
The good news is that the audit for IG/RIM does not have to follow the traditional path of financial audits. If fact, if you do, you may once again find yourself in your own reality like Mr. Magoo, because you are getting a representative view – not a comprehensive view. You are not just looking for evidence of processes and the performance of those processes, you are looking for evidence that each individual from the executive suite to individual contributor (employees and contractors) across the company, are actually doing what your policy and procedures say they are to do. This is good news because you do not need to engage in time consuming interviews to establish a view of workforce compliance. What is needed is to develop a list of the IG/RIM requirements of each individual to each individual, turn them into questions, and have them respond – Yes, No, or In Process. This list of questions will need to be tailored based on area of responsibility and level of responsibility, and there needs to be departmental questionnaires as well. This does require some good work upfront to identify the requirements and turn them into questions, but to the workforce, the questionnaire they are required to answer is minimally intrusive – resulting in minimal pushback. This is simple, straightforward, and very powerful. (For more information on this technique see “Who Needs Auditing to Do an Audit?” and “IG Solutions – Comprehensive Information Governance Auditing Made Easy”.)
So where do these IG/RIM requirements come from? Your policies and procedures. That is why it is important that your policies and procedures have “requirements language” such as must, shall, and will. Using words like should, might, or could provide the opportunity for variation of activity, including no activity at all. You don’t want to spend any time on non-productive discussions on definition and intent. Much better to preclude all of that with clear, non-negotiable requirements language.
How do you develop the questions? Each requirement from the policies and procedures should be the subject matter for at least one detailed compliance question. Not so much “Are you aware of the policy for the disposal of Confidential Records?” but rather “At the proper time, do you dispose of all Confidential Records in the Shred Bins or by shredding yourself? The answers are multiple choice: Yes, No, or In Process.
Yes means yes, the department or individual is in compliance.
No is a red flag, it means there is a problem. The department or individual is non-compliant and doesn’t intend to become compliant.
In Process means the department or individual is not yet compliant, but is committed to becoming compliant and is working on it.
Those are all the answers you need to develop a comprehensive view of compliance!
Clearly once you have taken the survey, your work isn’t over, it is always an ongoing process. You will need to follow up with those who say “No” (and also potentially their management) to help them change their answer to “Yes” or “In Process”. For the “In Process” answers, you will want to do some analysis. Are there questions for which there was an “epidemic” of “In Process” responses, indicating a need for a deeper dive and possible corrective action? Or, is it that they just need a little more time before they can say “Yes”? You always have the option of following up at any time.
What about evidence of compliance and interviews? For evidence, use the “Trust but Verify” approach. Let the user respond without producing evidence, but be on notice that the evidence may be required at any time. That way the user is responsible for having evidence, but you only request it as situations warrant. Interviews are also important, but conducted only on an as needed basis as the data identifies a need for follow-up. Therefore the intrusions into the business are kept to a minimum and only occur as driven by the data. This technique may be unconventional, but it provides a lot of information with minimal investment, provides for comparative analysis of progress with subsequent audits, and provides flexibility in how and when to conduct follow-ups.
Regardless of the technique you choose for performing an audit, performing an audit will energize compliance. People respond to actions more than words, and holding individuals accountable by checking their IG/RIM performance with an audit will not only energize compliance it will provide valuable feedback for improvements and modifications to your program.
The audit is such a strong energizer for compliance that actually even the notice of a coming audit will energize compliance. Give the workforce advance notice of the audit, even to the point of sharing the audit questions in advance, and your audit results will be better for it. After all, your objective is compliance, not to identify those who may otherwise have overstated their performance.
Yes, you really want and need to do this.