Using ISO 15489 as an audit tool

ISO 15489, the first international standard devoted to records management, provides a comprehensive and practical basis for auditing full and partial records management programs.

ISO 15489 (1:2001 Information and Documentation--Records Management--Part 1: General) is the first international standard devoted to records management. It was developed from the Australian standard (AS 4390.1--1996) and provides detailed specifications for the structure, content, and implementation of records management programs. The guidance it contains is applicable to records management for any organization and covers all media. The standard is intended to provide a framework for planning and implementing a records management program. The comprehensive nature of the standard with regard to current and non-current records and the clear categorization of its requirements also makes it an obvious choice on which to base audits of records management programs.

A critical review of the standard as a basis for an audit is important. It is critical to walk through the preparation phases for the audit, including the development of assessment tools based on the standard, the audit process itself, and audit report writing. To ensure its newly implemented records management program complied with industry best practices, one small European
pharmaceutical company used ISO 15489 to help guide it through those critical processes. Examples from an actual audit of a newly developed records management program involving the pharmaceutical company's non-current, clinical trials department records provide many lessons for any organization that wants to use or test the standard in its own records management program.

Methodology, Background Research, and Scoping

The methodology for an audit has four main components:

1. Initial background research and scoping of project
2. Preparation, including familiarization with the company's records management program documentation, and development of audit tools to establish compliance with ISO 15489
3. Audit information gathering
4. Report writing

The first component involves dialog with the records manager to gather enough data to estimate the project's size and time requirements. The data required includes information about the company, its mission, and functions; the number of employees; details about the records management operation; and the context of the audit. This information is crucial to scoping the project, estimating time required, and allocating time to the various phases of the audit process.
In this instance, the audit scope contained:

* The records of one department of the organization (although there was a realization that good records management practices could be transferred to other parts of the company)
* The non-current phase of the records life cycle
* Paper records only, because the records management program did not yet include digital media

The audit context was:

* A young pharmaceutical company
* Limited functions to be considered

The records management system had not yet been implemented; consequently, the audit would not be large or lengthy, there would be few record series to cover, and there would be no user base to canvass.

So why was the audit undertaken? There were two main reasons: the pharmaceutical company's records manager was new to records management and wanted to make sure she had set up a system that was compliant with accepted best practices; and the pharmaceutical industry's strong audit culture. The records manager intended to roll out the system to other areas and wanted to ensure that it was a good one before doing so.

Since the audit, the pharmaceutical company has been searching for a full-time qualified records manager--a need that was identified in the audit report as a result of the records manager only spending about 10 percent of her time on records management. That was not necessarily something the company expected to come out of the audit, but the company has since taken advantage of the findings to improve its records management program.

Preparation

Preparation for auditing a records management program consists of:

* Reading and evaluating record management documentation provided by the records manager (See Table 1)
* Developing an evaluation tool that will map collected data to ISO 15489 (See Table 2)

Reading through the assembled
records management program documentation has a dual purpose: it provides a complete overview of the program and its components, and it allows the auditor to assess the documentation for compliance.

Mapping audit findings to the standard can be done through use of a form or checklist designed for this purpose. Developing such a checklist, or audit assessment tool (AAT), involves turning the relevant requirements of ISO 15489 into a series of questions. The checklist or form will need to be modified to reflect what the records management program covers, whether the full records life cycle or only a segment of it. Do not underestimate the length of time this can take; allow at least two days.

The AAT can be divided into two parts: the first focuses on assessing compliance with the standard proper in terms of records management; the second reflects the requirement for compliance with any relevant regulatory bodies' guidance on recordkeeping. The final product can be quite long and should be very detailed. Tables 2, 3, and 4 provide examples of an AAT developed for the audit undertaken.
Comparison with ISO 15489 gives an idea of the tool's practical use (see "ISO 15489-1:2001 Sections Useful for Auditing" on page 52).

Auditing Regulatory Environment

Section 5 of the standard specifies recordkeeping practice. It deals with the regulatory environment, including those regulatory obligations and standards of practice pertaining to the industry/sector, as well as national/international law, best practice, codes of conduct and ethics, and identifiable community expectations. Because this is an international standard meant to be applied globally, it does not give detailed guidance on which legislation or regulations have a bearing on records management, so research into the relevant regulatory environment will be needed.

It is useful to compile a list of legislation and regulations likely to pertain to the particular recordkeeping environment in which the audit is operating. The list can be reviewed by the records manager and other interested colleagues, such as the legal team and the quality control department, so that their knowledge and expertise can be fed into the AAT.
The list for the pharmaceutical industry, for example, included items such as:

* International law/agreements
* European Union (EU) directives
* National Archives law
* National Freedom of Information legislation
* Data protection legislation
* Environmental legislation pertaining to recordkeeping
* Legislation covering businesses and how they are constituted and run
* Industry-specific regulation (in this case, FDA regulations and the EU Directive 2001/83/EC relating to medicinal products
for human use)
* Health and safety legislation/regulations

Other factors considered included:

* ISO 9000 registration
* Electronic records management system specifications (such as the EU-funded Model Requirements)

Table 2 shows the AAT section that deals with the regulatory environment. In an assessment tool tailored for a specific organization, regulatory requirements should be listed with cross-references to other AAT sections regarding compliance. For example, "access" to records of certain industry sectors may be governed by regulation; environmental legislation might oblige organizations to make records available; and the public may also have a right to access government information. That the company provides appropriate access will be recorded in the standard's sections dealing with access in detail, which are:

7.2.5 Records management requirements: characteristics of a record: usability
8.3.6 Design and implementation of a records system: designing and implementing records systems: access, retrieval, and use
9.7 Access

Section 9.2 of ISO 15489, "Determining How Long to Retain Records," outlines good practice with respect to development of retention schedules. Not surprisingly, it does not stipulate
what the retention schedule format should be or give any detailed retention data. The standard's guidance can be turned into a set of questions, as shown in Table 3. When it comes to assessing compliance with respect to records retention, the auditor needs to refer back to the regulatory environment and consider general business requirements as well as the needs of individual record creators and users.

Industry-Specific Compliance Assessment

Heavily regulated industries have to comply with very detailed specifications for the types and content of records to be created and kept. Such specifications provide the basis for a checklist of required records and enable an assessment of the record creation phase of the records management programs being audited.

The pharmaceutical industry, for example, must comply with FDA regulations and an EU directive from the International Committee on Harmonisation. The FDA Guidelines for Good Clinical Practice Section 8 sets out "Essential Documents for the Conduct of a Clinical Trial." The section gives detailed and stringent requirements for the types of documents that must be created by both sponsors of and investigators participating in clinical trials. The European Union, in Directive 2001/83/EC and "Detailed Guidelines on the Trial Master File and Archiving (2002)" adopts this definition of essential documents as its minimum.
Therefore, only a detailed analysis of the FDA requirements would be required, augmented by attention to the EU archiving requirements to create a table that

* lists the documents to be created
* references the regulation that requires them
* specifies who should create them
* notes any specified retention period

Table 4 (page 50) suggests a format for such an initial listing. From the table, it is possible to extrapolate two checklists of documents to be created by sponsors and investigators. The lists can be used to show that the clinical trial documentation being created is compliant with FDA and EU Good Clinical Practice regulations governing the sector as required by ISO 15489.

Furthermore, the analysis of regulatory retention requirements and EU procedural requirements for accession, tracking, and destruction of essential documents provides a baseline that can be used for observing whether the appropriate records are being retained for the required time and whether procedures are in place to comply with the EU archiving requirements. Such comparison highlights conformance with the ISO requirement to observe the sector-specific regulatory environment.
Analyzing regulations to establish the essential foundation for sector-specific recordkeeping is a time-consuming exercise. However, it greatly assists in understanding the nature of the records in the program and provides useful checklists for auditors and audited alike. Such checklists can be an appendix to the final report and used for future reference.

Audit Information Gathering

The audit itself can be divided into several parts. First, the record management program documentation provided prior to the audit can be checked against the AAT. This is a two-way process, as the documentation provides answers to the audit questions, and the AAT also lists program expectations. For example, the policy's objective is to create and manage authentic, reliable, useable records, capable of supporting business functions and activities for as long as required. Expectations include that the policy

* is communicated to and implemented by the whole organization
* is endorsed by high-level manager/committee
* has compliance responsibility assigned
* includes a definition of legislation, regulation, and standards governing records management
* makes provision for a review process

The second stage of the audit is a series of interviews with stakeholders
in the records management process. These might include:

* Senior manager
* Records manager
* Records management staff member
* Records creator
* Representative from an interested department (e.g., quality management)

Table 5 (page 51) lists questions to ask staff as part of the audit. Questions can be tailored to suit the particular legal and regulatory environment.

Finally, the audit must involve observing the processing and storage areas and using the audit tool as a checklist to assess compliance with relevant sections of the standard.

Report Writing

Strictly speaking, the audit itself can be documented solely by the completed audit tool form. However, this may not be the most helpful way of communicating to the operating staff what the audit has discovered, and it is always worth considering producing a report as well. This allows the auditors to make specific recommendations, expand on audit findings as necessary, and perhaps most importantly, highlight good practice that is already in place. The completed AAT then has a context and the organization receives some pointers as to ways forward.

Examples of audit report content based on the standard include:

* Introduction
* Management Support
* Role of Records Manager
* Records Management Staff
* Vital Records and Disaster Planning
* Retention Scheduling
* Record Transfer
* Record Retrieval
* Records Management Database
* Box Labels
* Location Register
* Procedures and Documentation
* Storage
* Next Steps
* Conclusion
* Recommendations
* Appendices
Using the Standard as a Basis for Audit: Lessons Learned

The AAT essentially turns the standard's requirements into a series of questions that are tailored to the particular business sector as required. In practice, these questions cannot usually be satisfied by a "yes" or "no" option. Completion of the AAT, therefore, requires substantial interrogation of the records management program documentation, onsite inspection of procedures and processes, as well as face-to-face interviews in order to determine and document compliance with the standard. Analysis of the records management program documentation can be done prior to the site visit, which will allow both assessment of compliance (with respect to documentation) and raise questions to be answered during interviews and in situ inspection.

By its nature the standard is pitched at a high level, but it is comprehensive in its coverage of requirements for records management systems and, therefore, provides a sound basis for an audit. The standard's only self-confessed omission is its lack of coverage for those records selected as archives.
If management of records is to be totally integrated from conception to disposal, then the archive cycle must be included. This is especially relevant in countries where archive legislation is in place.

In order to use the standard as an evaluation tool, the auditor must be able to relate its specifications to the details of the records management program in question. The auditor must be able to analyze the findings as itemized in the AAT and assess whether the program is compliant with the standard (or at least to what degree).

Most audits should also include recommendations of how the program might be improved. The standard does not assist with this step, as it provides definitions and required elements rather than strategies and methodologies. For example, in the course of investigations, the auditor may learn that a new IT system is being piloted. This may not fit into the AAT framework suggested by the standard, but it may impact the records management program. An experienced records manager/auditor will realize the IT system's importance and include analysis and recommendations on its possible effect in the audit report. It is the auditor and the records manager who are in a position to evaluate the context and specifics of the individual RM program and develop plans for improvement.

This small European pharmaceutical company required the audit to validate the policies, procedures, and operating framework for a records management program that, at the time of audit, covered only the non-current paper records of one department.
Therefore, issues of auditing digital records management, current records, and wider use of the AAT outside the records management team cannot be discussed directly. For example, there was no opportunity to investigate and develop assessment criteria for the requirements specified in the standard relating to characteristics of electronic records, their authenticity, reliability, integrity, and usability. But it was possible to determine whether records remained complete in their non-current records management regime. The question of how to test compliance with these requirements for current records remains to be answered.

Additionally, some records management activities had not yet been required--for example, the destruction of documents at the end of the overall retention period--but the AAT will measure whether compliant procedures are in place for activities that will be needed in the future.

The structure of the standard is such that it is easy to identify sections that are directly relevant to the scope of an audit and those sections that are not applicable. ISO 15489 provides a comprehensive and practical basis for auditing both full and partial records management programs. Approaching the standard from this perspective and using it to develop an AAT also provided the opportunity to thoroughly test the standard itself.

Table 1:
Checklist of Documentation Required for Records Management Audit

* Relevant organizational structure chart
* Mission statements for organization and/or department
* Records management mission statement
* Records management policy
* Records management procedures (might be a manual) used by the records management team, including any in-house training material or details of other training
* Specifications for automated records management systems for paper records
* Specifications of records management systems for digital records
* Retention schedules
* Access authorizations
* Accession records
* Documentation on records destruction or contracted-out services
* Written specifications for shelving, boxing, and storage facilities
* Vital records inventory
* Vital records protection procedures, including recovery in event of disaster
* Business continuity plan
* Agreements with any third-party service providers for business continuity services
* Surrogacy program (digitization or microfilm/fiching) documentation
* Staff job descriptions both within and outside records management team

Table 2:
Section from Part 1 of the Audit Assessment Tool Dealing with the Regulatory Environment

Statutes, Case Laws, Standards        Considerations

* Records                             Any national archival law covering
* Archives                            records, including storage standards

* Access                              Any legislation governing access to
                                      records

* Privacy and data protection         Concerned with records containing
                                      personal data

* Evidence                            If required as evidence in court of
                                      law, are records available? Do they
                                      meet requirements to be used as
                                      evidence? (Should be addressed later
                                      in the AAT.)

* Electronic commerce                 Do the records meet the requirements
                                      of legislation pertaining to
                                      electronic commerce?

* Access to public information        "Access to information" legislation
                                      that may affect the way records are
                                      kept and access obligations

* Environmental recordkeeping         Are records required by environmental
  legislation                         legislation being created and
                                      retained?

* Regulations governing               What industry-specific regulations
  sector-specific environment         affect recordkeeping?

* Regulations governing general       Health and safety
  business environment

* Mandatory standards of practice     These could be industry-specific or
                                      department-specific (for example,
                                      legal counsels in the United Kingdom
                                      need to maintain records of
                                      continuing professional development)

Table 3:
Section from Part 1 of the Audit Assessment Tool Dealing with Retention

* Is the retention schedule appropriate?
* Is retention schedule compliant with legislation and regulation?
* Are stakeholders' needs met by retention schedule? (What are their needs?)
* Are records of no continuing value being destroyed promptly?
* Is how to properly destroy records properly documented in the manual/procedures?

Table 5:
Audit Questions for Staff

Questions for records creators:

Do you know about the records management policy?  [] Yes [] No
Have you had records management training?  [] Yes [] No
Do you have access to a manual or set of procedures for records management?
Describe how you create records.
Describe how you file records.
Describe how you retrieve records.
Describe how you review or destroy records.
Do you know what records you are expected to create to comply with legislation?  [] Yes [] No
Do you know what records you are expected to create to comply with industry regulations?  [] Yes [] No
Do you know what records you are responsible for making sure others (either within the organization or outside contractors) create and retain?  [] Yes [] No
Do you know what a retention schedule is and how to use it?  [] Yes [] No
Do your records meet your requirements and needs?  [] Yes [] No

Questions for records management staff:

Do you have enough authority?  [] Yes [] No
Do you get enough support from management?  [] Yes [] No
How long have you been doing records management work in this organization?
Have you had records management work experience in previous employment?  [] Yes [] No
What training have you had?
What training (if any) do you feel you need?  [] Yes [] No

ISO 15489-1:2001 Sections Useful for Auditing

Records management programs should encompass:

* Setting policies and standards
* Assigning responsibilities and authorities
* Establishing and promulgating procedures and guidelines
* Providing records management services
* Designing, implementing, and administering specialized records management systems
* Integrating records management into business systems and processes
* Appropriate staff training

Regulatory environments must be identified, including:

* National and international law and regulations
* Sector-specific regulation
* Standards and codes of best practice

Main principles of records management include:

* Records are created to support business activity, provide accountability, and comply with regulatory environments.
* Records management rules should be embedded in all business processes requiring documentation.
* Business continuity should ensure identification and protection of vital records.

The characteristics of records as defined in the standard:

* Records should accurately reflect the communication, action, or decision.
* Records need to be linked to metadata such as format and business and documentary context.
* Records should be authentic, reliable, usable, complete, and unaltered.

Functionality and components of records systems:

* Ability to document records transactions
* Control of physical storage
* Support of a range of distributed storage and custody options
* Facility for controlled conversion and migration of digital records
* Provision for controlled access, retrieval, and use
* Facilitation and implementation of retention and disposition decisions

Records management processes and controls:

* Determining records to be captured into the system
* Specifying metadata that needs to be linked to or embedded in the records
* Deciding how long to keep records (retention schedule development and operation)
* Registration of records
* Classification (within business context, vocabulary controls, indexing and referencing)
* Storage and handling
* Access
* Tracking
* Implementing retention and disposition
* Documenting records management processes

Monitoring and auditing should encompass:

* Internal monitoring of system to ensure compliance with it as well as required outcomes
* Internal or external audit
* Appropriate modifications to system
* Documentation of compliance, monitoring, and audit

At the Core

This article

* examines using ISO 15489 as the basis for auditing a records management program
* discusses complying with standards and regulations when auditing a records program
* provides tips on audit information gathering and report writing

Margaret Crockett and Janet Foster are freelance archivists and records managers who are directors of the Archive-Skills Consultancy. The partnership is based in London and operates mainly in the United Kingdom, but has carried out a significant number of projects overseas. They may be contacted at margaret@archive-skills.com or janet@archive-skills.com.