Assess and Prepare Before Audits Happen
An audit used to mean a financial review done by an accountant (or, disconcertingly, an IRS agent). Now this formal examination process applies to a broad spectrum of organizational activities — health, safety, security, environmental, performance, quality and many more. Add records management to that mix.
Auditing records management procedures is particularly common in highly regulated industries, such as pharmaceutical, chemical, food, medical device, manufacturing, health care and other enterprises. The federal rules and international standards are becoming more numerous and complicated. (Three examples: Sarbanes-Oxley, the Red Flags Rule, and ISO 15489.) Further, regulatory authorities are taking an increasingly rigorous look at whether organizations create and store records in compliance with legal and regulatory requirements and the company’s own internal policies. Noncompliance can have serious business, legal, reputational and financial implications.
But being audit-ready goes beyond keeping the regulators happy. An audit is an examination of systems and processes to ensure they are working, compliant and risk-free. A compliance program that meets or exceeds audit requirements is one that is thorough, consistently applied and effectively monitored.
Preparing for an audit should occur long before the team in suits turns up in your lobby. Here are some steps you can take to make your organization audit-ready:
- Know the relevant audit standards. There’s no room for guesswork. Everyone responsible for managing records must be well-versed in all of the regulatory agencies that oversee your organization — and the subsequent rules that apply. Also, educate employees about what is needed to comply with legal discovery requests (a byproduct of an increasingly litigious society). By scrutinizing what auditors inspect, you will know where improvements are needed, and can address issues before an audit happens or a summons arrives.
- Ensure your policies are clear, effective, documented and followed. Policies on records retention, security, access and disposal should be thorough and easy to understand. Make sure senior leadership supports those policies. Provide regular communication and training programs for all employees affected, and keep track of these activities so you can demonstrate adherence. Few red flags will put an organization in a bad light more quickly with auditors than having policies that are not followed or enforced.
- Audit yourself. The best way to prepare for an audit of your records and information management (RIM) program is to conduct your own, either with an internal team or, ideally, using an unbiased, outside resource. Pressure-test every policy, process and technology, from how records are created and stored to how they are protected and destroyed — in short, a record’s entire life cycle. Document the results, any gaps identified, the actions required to address those gaps, and the timing and completion of those actions. Self-audits are most effective when done regularly and with the involvement of all employees with records responsibility.
Getting audit-ready can be time-consuming and resource-intensive. But this preparation pays off with the assurance that your records management systems are well designed, compliant and legally defensible.
Abraxas has extensive knowledge and experience in regulatory and legal compliance to ensure that our clients are audit-ready. We provide clients with tailored records and information management solutions, delivering the business intelligence that matters most — and we do it more efficiently and reliably than anyone else, particularly in highly regulated industries. To learn more, email firstname.lastname@example.org or call us: 866.535.0016 (toll-free) or 269.226.0016.