Business Matters

Driving Quality Improvement
Through Audits

While an audit remains an important organizational process, it is also one of the more complex activities facing managers in non-profit, for-profit, and government settings. The term can take on a variety of meanings. And, audits may be initiated for many reasons.

Nancy Dupre Barnes, Ph.D., CRM, CA, and Nicholas R. Barnes, CPA

The consequences of such audits can be far-reaching and more than a little sobering, producing some measure of fear and loathing in those being audited. For example, an audit by the U.S. Internal Revenue Service (IRS) is usually not welcomed by U.S. taxpayers.

However, records and information management (RIM) practitioners with a forward-looking orientation can move beyond the negative connotations often associated with audits and capitalize upon opportunities for RIM program improvement by embracing the evaluative benefits inherent to the audit process.

Audit Defined and Explained

While audits of various types have been conducted for hundreds of years, it was not until the advent of the Industrial Revolution that the concept of audit as a means to detect fraud or assess financial viability became popular.

Moving beyond the world of accountancy, the twentieth century witnessed the emergence of business management initiatives, where audit is integral to the “plan-do-check-act” cycle of quality improvement popularized by E. W. Deming. Business consultants and researchers have continued the quest for knowledge in that area into the current era.

Recognizing the vast array of audit types and purposes, as well as the diverse contexts within which audits can be conducted, this article homes in on select features of audit initiatives with particular interest to RIM professionals.

Internal vs. External Audits

At a high level, audits can be viewed as one way to measure a component (or components) of an organization’s managerial well-being. Audits can be internal or external to an organization. An internal audit is a way for an organization to self-monitor its process-related effectiveness. Internal audits can be isolated to specific organizational functions or systems – for instance, a RIM professional may engage in an internal audit to assess the RIM function, as a system or series of processes within the organization.

Alternatively, external audits are conducted by an entity outside the organization. Commonly recognized examples are tax audits conducted by the IRS or audits conducted by an accrediting body to monitor compliance with formalized processes, policies, and procedures. For instance, every five years, each accredited U.S. standards developing organization is subject to an audit by the American National Standards Institute (ANSI).

Regulatory and Legal Mandates for Auditing

The passing of the Sarbanes-Oxley Act in 2002 cast a new light on auditing. That act highlights the need for rigorous codification of organizational policies and procedures and the benefits of standardization of processes, while providing the statutory clout to engender compliance.

Besides Sarbanes-Oxley, there are other legal and regulatory mandates by which organizations are required to undergo periodic audits. Such audits can document the organization’s ability to fulfill its obligations and yield appropriate outcomes for multiple stakeholders in a diverse society.

Evaluation Defined and Explained

The Merriam-Webster online dictionary defines the verb evaluate as “to determine the significance, worth, or condition of usually by careful appraisal and study.” This definition reflects the relationship between audit (a type of careful appraisal and study) and evaluation (a determination of significance, worth, or condition).

Evaluation is more often characterized by planning and forethought, rather than spur-of-the-moment, ad hoc types of efforts. Value-laden determinations arise from evaluations, and they may be conducted in highstakes settings where individuals, teams, programs, etc., may be retained or released as a consequence of those evaluations. So, serious attention is warranted and expected. Given the socio-cultural milieu of recent decades, where competition for limited funding and/or resources is often in play, evaluation efforts have become more commonplace within all manner of organizations and for a fairly broad set of purposes.

Evaluation Outcomes

In business management settings, evaluation is crucial. It creates the opportunity for organizational improvement. Evaluation can take the form of a research effort by which an aspect of organizational effectiveness can be assessed, such as a cost-benefit study or a customer satisfaction survey. Evaluation can also be outcomes-based. The latter occurs quite frequently as part of an employee’s quarterly, semi-annual, or annual job performance report.

Evaluation metrics can be complex, with gradations of success marked by position on a five-point scale, for instance. Or, metrics can be dichotomous scale designs using simple “pass” or “fail” classifications.

Objective vs. Subjective Evaluation

Evaluation can be objective, with quantitative evidence supporting outcomes. As well, it might be subjective (i.e., qualitative), whereby opinion, perception, or belief drive the final reporting results. Sometimes, both objective and subjective methods are utilized in a single evaluation effort. In high-stakes settings where crucial decision making is spurred by evaluation results, multiple metrics are often utilized. This is important in that subjective evidence can be inaccurate, untrue, or motivated by extraneous factors rooted in malice, revenge, or even psychopathy.

Context is a key consideration. As social psychologists have discovered, individuals’ behavior in the organizational setting can be extremely complex – and the human element can be the most vexing component to interpret. Accordingly, sole reliance upon subjective data can be counterproductive and, possibly, damaging to the organization. A bit of “detective work” is often necessary when incorporating subjective perspectives, recognizing that additional questioning and investigation may be needed to produce more complete information sets for critical decision making.

Using ISO Standards for Audits

Audit and evaluation are essential components of the quality-focused publications of the International Organization for Standardization’s (ISO) publications, including those discussed below.

ISO 9000 Standards

Outside the unique realm of archives/records management, one of the most well-known areas within which the audit process is addressed is the ISO 9000 family of quality system standards, which advocates well respected management practices.

Created by a delegation of international experts from more than 80 countries, this series of standards enjoys global recognition and respect. This set of guidance documents provides advice for both public and private organizations in the establishment and maintenance of a quality management system. All aspects are addressed, including vocabulary, fundamentals, training, and economic considerations. The quality improvement cycle (plan-do-check-act) is a bedrock concept upon which this process model is based.

Within the ISO 9000 family of standards, ISO 19011:2002 Guidelines for quality and/or environmental management systems auditing is the publication devoted specifically to audit.

ISO 15489-1, ISO/TR 15489-2

Unique to RIM, ISO 15489-1 Information and documentation – records management – Part 1: General and ISO/TR 15489-2 Information and documentation – records management – Part 2: Guidelines state the importance of auditing. RIM professionals already familiar with ISO 15489-1 and ISO/TR 15489-2 recognize the audit specifications within those benchmark international standards.

Recommended Audit Activities

Within the aforementioned ISO documents, selected audit-related activities recommended include:

• Compliance monitoring of records management policies and procedures to determine if outcomes are appropriate
• Solicitation of feedback to determine if users are satisfied with the records management system
• Modification of processes, as needed, to obtain desired outcomes
• Documentation of monitoring/auditing activities and maintenance of such documentation
• Provision of evidence that the records system’s design is comprehensive, encompassing the care and security of records
• Recognition of the need for a longrange perspective by instituting a records system design that will remain in compliance with internal and external requirements, regardless of staffing transitions (e.g., attrition, retirements

Auditing and the RIM Professional

RIM professionals can capitalize upon the opportunity for improvement inherent to the audit process. ARMA International’s Generally Accepted Recordkeeping Principles® (GARP®) Principle of Accountability reinforces this position, stating, “Auditability is the process designed to prove the program is accomplishing its goals, while seeking areas for improvement to further protect the organization and its records.”

Certainly, in this context, auditing provides a quality improvement opportunity. And, evaluation of the records management program, occurring within the final audit report, aids records management practitioners in their desire to identify areas for change and development. In keeping with the GARP® Principle of Auditability and the advice contained in ISO 15489, RIM practitioners are strongly advised to incorporate audit into their organization’s policies and procedures and capitalize upon its evaluative nature.

One way to develop an auditing mindset is to explore the generally accepted auditing standards of the American Institute of Certified Public Accountants (AICPA). While the entire set of standards may be viewed on the Institute’s website, the first three standards are universal in applicability, and their usefulness extends beyond the public accounting venue. Regardless of the type of audit, these key concepts bear recognition by the RIM professional:

• The auditor must have adequate technical training and proficiency to perform the audit.
• The auditor must maintain independence in mental attitude in all matters related to the audit.
• The auditor must exercise due professional care in the performance of the audit and the preparation of the report.

Developing an Audit Agreement

Another recommendation worth considering is the written audit agreement. This document serves to outline the audit procedure. RIM professionals can use it as a platform within which expectations, objectives, and other related issues pertaining to an audit are detailed in writing.

In their 2010 publication, CPA Exam Review, 37th Ed., authors O. Ray Whittington and Patrick R. Delaney describe elements of the audit agreement. Below, these components have been annotated for application in a records and information management environment:

Objectives of the audit – Within the context of records management, what does the audit seek to achieve? Objectives should be succinctly described.

Management’s responsibilities during the audit – Management should be informed regarding the types of documents, files, and data that will be accessed as part of the audit. Obtain management approval for all aspects of the audit including time, personnel, fiscal, and other resources to be utilized. Wherever the records management function resides within the organization, it is crucial to obtain executive management’s buy-in for the audit.

The auditor’s responsibilities – What activities will the auditor undertake to conduct the audit? What type of final report will be created, and in what physical and/or electronic format will it be maintained?

Limitations of the audit – What activities will be excluded from the audit? State the limitations arising from legal, regulatory, or statutebased requirements, if applicable. If the records management audit will not be comprehensive, list the exempt records series.

Timeline of activities – Create a project timeline for the audit with clearly indicated dates and deliverables.

Involvement of other specialists, external and/or internal to the organization (if applicable) – List the specialists (e.g., temporary or contract workers, information technology professionals) and their roles, if those services are required to undertake the audit.

Costs and/or fees incurred by the audit (if applicable) – Describe all costs associated with the audit, per the organization’s accounting requirements and policies.

Regulatory requirements impacting the audit (if applicable) – State the unique, sector-specific regulatory requirements and their impact on the audit, where appropriate. Certain sectors – such as financial services and healthcare organizations – will be more heavily affected by a records management audit.

Liability issues (if applicable) – Investigate and describe legal liability issues, as appropriate to the conduct of the audit. Consultation with legal services may be required in order to assess risk in this area.

Access to audit materials by members of the organization – Audit-related work materials, including the final report, should be accessed per the organization’s policies. Comply with the organization’s retention schedule.

Taking the Lead in Quality Improvement

Auditing holds great potential as an evaluative aid in the organizational setting. As a logical endproduct of the audit process, evaluation provides the evidence by which modifications to policies, processes, and/or procedures can be recommended for implementation. While it may be a daunting undertaking, an audit provides a unique vehicle for RIM professionals to further validate their own leadership roles while driving quality improvement throughout the organization.

Download the complete PDF version here.

Nancy Dupre Barnes, Ph.D., CRM, CA, and Nicholas R. Barnes,CPA, may be contacted at ndbarnes@ymail.com.

From January - February 2012