|
Records management is one of those functions that demand consistency throughout an organization. In order to maintain a database of company records and to make sure they can be retrieved and destroyed, employees need to follow basic procedures. When employees make up their own recordkeeping rules, it is difficult to find documents to support business operations and to respond to litigation. Since all records are evidence, companies without controls in place are at risk in court or in regulatory compliance settings.
Despite the enormous liability at stake, records management is often conspicuously absent from the internal audit process. In many companies, insufficient or out of date policies make audit impossible. Other companies do not consider records management “audit worthy” because they fail to associate records management with compliance, quality and risk management. Lastly, there are companies that attempt to audit records management but simply focus on the wrong issues.
The question is what should be audited and how can it be done? For starters, the audit should focus on the litigation-related risks that surface when records cannot be provided as required by a court order, or when evidence is turned over to the opposing party. First, companies must verify that the quality of their inventory is accurate enough to enable the location and retrieval of desired records. Second, companies must destroy documents as soon as they are legally able. In the event of litigation, all company records are discoverable. Reduction of the records inventory will minimize document production costs and eliminate excessive risk.
For their own protection, companies need to audit both the quality of their records inventory and the consistency of their destruction review process. With respect to inventory quality, a records management audit must verify that the records inventory is accurate, and that all required information is captured. As part of this evaluation, the audit must ensure that all records are scheduled for destruction or final disposition. Specifically, this means that all cartons in the inventory systems are “tagged” with destruction dates that are consistent with the company's retention policies.
The audit should also assess the records destruction process itself. It is not enough to schedule the records for destruction, they still must be destroyed regularly and consistently across the company. In this respect, the audit process needs to ensure that records legally eligible are being routinely destroyed in accordance with the company's retention schedule. Additionally, the audit must verify that records required for litigation are being flagged and held from destruction. The courts look favorably upon companies that destroy records as a regular business practice rather than as an ad hoc event. At the very least, quality control in these two areas can minimize litigation risk
Records management is no different from other corporate programs requiring consistency. If companies expect records to be easily retrieved and appropriately destroyed, they must inspect the health of their records inventory system and the processes supporting timely records destruction.
|
with the lock icon requires a
one-time registration for use.
