46 The Information Management Journal • July/August 2004LessonsLearnedtion and covers all media.The standard is intended to provide aframework for planning and implement-ing a records management program. Thecomprehensive nature of the standardwith regard to current and non-currentrecords and the clear categorization of itsrequirements also makes it an obviouschoice on which to base audits of recordsmanagement programs.A critical review of the standard as abasis for an audit is important. It is crit-ical to walk through the preparationphases for the audit, including thedevelopment of assessment tools basedon the standard, the audit process itself,and audit report writing. To ensure itsnewly implemented records manage-ment program complied with industrybest-practices, one small Europeanpharmaceutical company used ISO15489 to help guide it through thosecritical processes. Examples from anactual audit of a newly developedrecords management program involv-ing the pharmaceutical company’s non-current, clinical trials departmentrecords provide many lessons for anyorganization that wants to use or testthe standard in its own records manage-ment program.Methodology, BackgroundResearch, and ScopingThe methodology for an audit hasfour main components:1. Initial background research andscoping of project2. Preparation, including familiariza-tion with the company’s recordsmanagement program documenta-tion, and development of audit toolsto establish compliance with ISO154893. Audit information gathering4. Report writingThe first component involves dialogUsing ISO 15489as an Audit ToolISO 15489, the first international standard devoted to records management,provides a comprehensive and practical basis for auditing full and partialrecords management programsMargaret Crockett and Janet FosterAt the CoreThis article• examines using ISO 15489 as thebasis for auditing a records man-agement program• discusses complying with stan-dards and regulations whenauditing a records program• provides tips on audit informationgathering and report writingSO 15489 (1:2001 Informationand Documentation – RecordsManagement – Part 1: General) isthe first international standarddevoted to records management.It was developed from the Australianstandard (AS 4390.1 - 1996) and pro-vides detailed specifications for thestructure, content, and implementationof records management programs. Theguidance it contains is applicable torecords management for any organiza-I
July/August 2004 • The Information Management Journal 47with the records manager to gatherenough data to estimate the project’ssize and time requirements. The datarequired includes information aboutthe company, its mission, and func-tions; the number of employees; detailsabout the records management opera-tion; and the context of the audit. Thisinformation is crucial to scoping theproject, estimating time required, andallocating time to the various phases ofthe audit process.In this instance, the audit scopecontained:• The records of one department of theorganization (although there was arealization that good records manage-ment practices could be transferred toother parts of the company)• The non-current phase of therecords life cycle• Paper records only, because therecords management program didnot yet include digital mediaThe audit context was:• A young pharmaceutical company• Limited functions to be consideredThe records management system hadnot yet been implemented; conseq-uently, the audit would not be large orlengthy, there would be few record seriesto cover, and there would be no userbase to canvass. So why was the auditundertaken? There were two main rea-sons: the pharmaceutical company’srecords manager was new to recordsmanagement and wanted to make sureshe had set up a system that was compli-ant with accepted best practices; and thepharmaceutical industry’s strong auditculture. The records manager intendedto roll out the system to other areas andwanted to ensure that it was a good onebefore doing so.Since the audit, the pharmaceuticalcompany has been searching for a full-time qualified records manager – a needthat was identified in the audit report asa result of the records manager onlyspending about 10 percent of her timeon records management. That was notnecessarily something the companyexpected to come out of the audit, butthe company has since taken advantageof the findings to improve its recordsmanagement program.PreparationPreparation for auditing a recordsmanagement program consists of:• Reading and evaluating record man-agement documentation provided bythe records manager (See Table 1)• Developing an evaluation tool thatwill map collected data to ISO 15489(See Table 2)Reading through the assembledrecords management program docu-mentation has a dual purpose: it pro-vides a complete overview of the pro-gram and its components, and it allowsthe auditor to assess the documentationfor compliance.Mapping audit findings to the stan-dard can be done through use of a formor checklist designed for this purpose.Developing such a checklist, or auditassessment tool (AAT), involves turningthe relevant requirements of ISO 15489into a series of questions. The checklistTable 1:Checklist of Documentation Required for Records Management AuditRelevant organizational structure chartMission statements for organization and/or departmentRecords management mission statementRecords management policyRecords management procedures (might be a manual) used bythe records management team,including any in-house trainingmaterial or details of other trainingSpecifications for automated records management systems forpaper recordsSpecifications of records management systems for digital recordsRetention schedulesAccess authorizationsAccession recordsDocumentation on records destruction or contracted-out servicesWritten specifications for shelving,boxing,and storage facilitiesVital records inventoryVital records protection procedures,including recovery inevent of disasterBusiness continuity planAgreements with any third-party service providers forbusiness continuity servicesSurrogacy program (digitization or microfilm/fiching)documentationStaff job descriptions both within and outside recordsmanagement team
48 The Information Management Journal • July/August 2004or form will need to be modified toreflect what the records managementprogram covers, whether the full recordslife cycle or only a segment of it. Do notunderestimate the length of time thiscan take; allow at least two days.The AAT can be divided into twoparts: the first focuses on assessing com-pliance with the standard proper interms of records management; the sec-ond reflects the requirement for compli-ance with any relevant regulatory bod-LessonsLearnedies’ guidance on recordkeeping. Thefinal product can be quite long andshould be very detailed. Tables 2, 3, and4 provide examples of an AAT devel-oped for the audit undertaken.Comparison with ISO 15489 gives anidea of the tool’s practical use (see “ISO15489-1:2001 Sections Useful for Audit-ing” on page 52).Auditing Regulatory EnvironmentSection 5 of the standard specifiesrecordkeeping practice. It deals with theregulatory environment, including thoseregulatory obligations and standards ofpractice pertaining to the industry/sector,as well as national/international law, bestpractice,codes of conduct and ethics,andidentifiable community expectations.Because this is an international standardmeant to be applied globally, it does notgive detailed guidance on which legisla-tion or regulations have a bearing onrecords management,so research into therelevant regulatory environment will beneeded.It is useful to compile a list of leg-islation and regulations likely to pertainto the particular recordkeeping environ-ment in which the audit is operating.Thelist can be reviewed by the records man-ager and other interested colleagues, suchas the legal team and the quality controldepartment, so that their knowledge andexpertise can be fed into the AAT. The listfor the pharmaceutical industry, forexample, included items such as:• International law/agreements• European Union (EU) directives• National Archives law• National Freedom of Informationlegislation• Data protection legislation• Environmental legislation pertainingto recordkeeping• Legislation covering businesses andhow they are constituted and run• Industry-specific regulation (in thiscase, FDA regulations and the EUDirective 2001/83/EC relating tomedicinal products for human use)• Healthandsafetylegislation/regulationsOther factors considered included:• ISO 9000 registration• Electronic records management sys-tem specifications (such as the EU-funded Model Requirements)Table 2 shows the AAT section thatdeals with the regulatory environment.Table 2:SectionfromPart1oftheAuditAssessmentToolDealingwiththeRegulatoryEnvironmentStatutes,Case Laws,Standards Considerations• Records Any national archival law covering• Archives records,including storage standards• Access Any legislation governing access torecords• Privacy and data protection Concerned with records containingpersonal data• Evidence If required as evidence in court of law,are records available?Do they meet requirements to be usedas evidence? (Should be addressed laterin the AAT.)• Electronic commerce Do the records meet the requirements oflegislation pertaining to electroniccommerce?• Access to public information “Access to information”legislation that mayaffect the way records are kept andaccess obligations• Environmental recordkeeping Are records required by environmentallegislation legislation being created and retained?• Regulations governing What industry-specific regulations affectsector-specific environment recordkeeping?• Regulations governing general Health and safetybusiness environment• Mandatory standards of practice These could be industry-specific ordepartment-specific (for example,legalcounsels in the United Kingdom need tomaintain records of continuing professionaldevelopment)
50 The Information Management Journal • July/August 2004In an assessment tool tailored for aspecific organization, regulatoryrequirements should be listed withcross-references to other AAT sectionsregarding compliance. For example,“access” to records of certain industrysectors may be governed by regulation;environmental legislation might obligeorganizations to make records available;and the public may also have a right toaccess government information. Thatthe company provides appropriateaccess will be recorded in the standard’ssections dealing with access in detail,which are:7.2.5 Records management require-ments: characteristics of a record:usability8.3.6 Design and implementation of arecords system: designing andimplementing records systems:access, retrieval, and use9.7 AccessSection 9.2 of ISO 15489, “Deter-mining How Long to Retain Records,”outlines good practice with respect todevelopment of retention schedules.Not surprisingly, it does not stipulatewhat the retention schedule formatLessonsLearnedchecklist of required records and enablean assessment of the record creationphase of the records management pro-grams being audited. The pharmaceuti-cal industry, for example, must complywith FDA regulations and an EU direc-tive from the International Committeeon Harmonisation. The FDA Guide-lines for Good Clinical Practice Section8 sets out “Essential Documents for theConduct of a Clinical Trial.”The sectiongives detailed and stringent require-ments for the types of documents thatmust be created by both sponsors ofand investigators participating in clini-cal trials. The European Union, inDirective 2001/83/EC and “DetailedGuidelines on the Trial Master File andArchiving (2002),” adopts this defini-should be or give any detailed retentiondata. The standard’s guidance can beturned into a set of questions, as shownin Table 3.When it comes to assessing compli-ance with respect to records retention,the auditor needs to refer back to theregulatory environment and considergeneral business requirements as well asthe needs of individual record creatorsand users.Industry-Specific ComplianceAssessmentHeavily regulated industries have tocomply with very detailed specifica-tions for the types and content ofrecords to be created and kept. Suchspecifications provide the basis for aTable 3:Section from Part 1 of the Audit Assessment Tool Dealing with Retention• Is the retention schedule appropriate?• Is retention schedule compliant with legislation and regulation?• Are all stakeholders’needs met by retention schedule? (What are their needs?)• Are records of no continuing value being destroyed promptly?• Is how to properly destroy records properly documented in the manual/procedures?Table 4:Checklist of Required RecordsTitle of Document FDA Regulations/ICH Directive Sponsor’s file Investigator’s file Retention PeriodInvestigator’s brochure 8.2.1Signed protocol andamendments (if any)and sample case reportform (CRF) 8.2.2Information given totrial subject,includinginformed consent formadvertisement (if used) 8.2.3Financial agreement(s)between sponsor andinvestigator 8.2.4
July/August 2004 • The Information Management Journal 51tion of essential documents as its mini-mum. Therefore, only a detailed analy-sis of the FDA requirements would berequired, augmented by attention to theEU archiving requirements to create atable that• lists the documents to be created• references the regulation that requiresthem• specifies who should create them• notes any specified retention periodTable 4 (page 50) suggests a formatfor such an initial listing.From the table, it is possible toextrapolate two checklists of documentsto be created by sponsors and investiga-tors. The lists can be used to show thatthe clinical trial documentation beingcreated is compliant with FDA and EUGood Clinical Practice regulations gov-erning the sector as required by ISO15489. Furthermore, the analysis of reg-ulatory retention requirements and EUprocedural requirements for accession,tracking, and destruction of essentialdocuments provides a baseline that canbe used for observing whether theappropriate records are being retainedfor the required time and whether pro-cedures are in place to comply with theEU archiving requirements. Such com-parison highlights conformance withthe ISO requirement to observe the sec-tor-specific regulatory environment.Analyzing regulations to establish theessential foundation for sector-specificrecordkeeping is a time-consuming exer-cise. However, it greatly assists in under-standing the nature of the records in theprogram and provides useful checklistsfor auditors and audited alike. Suchchecklists can be an appendix to the finalreport and used for future reference.Audit Information GatheringThe audit itself can be divided intoseveral parts. First, the record manage-ment program documentation providedprior to the audit can be checked againstthe AAT.This is a two-way process,as thedocumentation provides answers to theaudit questions, and the AAT also listsprogram expectations. For example, thepolicy’s objective is to create and manageauthentic, reliable, useable records, capa-ble of supporting business functions andactivities for as long as required.Expectations include that the policy• is communicated to and implementedby the whole organization• is endorsed by high-level manager/committeeTable 5:AuditQuestionsfor StaffQuestions for records creators:Do you know about the records management policy? Yes NoHave you had records management training? Yes NoDo you have access to a manual or set of proceduresfor records management? Yes NoDescribe how you create records.Describe how you file records.Describe how you retrieve records.Describe how you review or destroy records.Do you know what records you are expected to createto comply with legislation? Yes NoDo you know what records you are expected to createto comply with industry regulations? Yes NoDo you know what records you are responsible formaking sure others (either within the organization oroutside contractors) create and retain? Yes NoDo you know what a retention schedule is and how to use it? Yes NoDo your records meet your requirements and needs? Yes NoQuestions for records management staff:Do you have enough authority? Yes NoDo you get enough support from management? Yes NoHow long have you been doing records managementwork in this organization?Have you had records management work experiencein previous employment? Yes NoWhat training have you had?What training (if any) do you feel you need?• has compliance responsibility assigned• includes a definition of legislation,regulation, and standards governingrecords management• makes provision for a review processThe second stage of the audit is a seriesof interviews with stakeholders in therecords management process. Thesemight include:• Senior manager• Records manager
52 The Information Management Journal • July/August 2004LessonsLearned• Records management staff member• Records creator• Representative from an interesteddepartment (e.g.,quality management)Table 5 (page 51) lists questions to askstaff as part of the audit. Questions canbe tailored to suit the particular legal andregulatory environment.Finally,the audit must involve observ-ing the processing and storage areas andusing the audit tool as a checklist toassess compliance with relevant sectionsof the standard.Report WritingStrictly speaking,the audit itself can bedocumented solely by the completedaudit tool form. However, this may notbe the most helpful way of communicat-ing to the operating staff what the audithas discovered, and it is always worthRecords management programs should encompass:• Setting policies and standards• Assigning responsibilities and authorities• Establishing and promulgating procedures and guidelines• Providing records management services• Designing,implementing,and administering specializedrecords management systems• Integrating records management into business systemsand processes• Appropriate staff trainingRegulatoryenvironmentsmustbeidentified,including:• National and international law and regulations• Sector-specific regulation• Standards and codes of best practiceMain principles of records management include:• Records are created to support business activity,provideaccountability,and comply with regulatory environments.• Records management rules should be embedded in allbusiness processes requiring documentation.• Business continuity should ensure identification andprotection of vital records.The characteristics of records as defined in thestandard:• Records should accurately reflect the communication,action,or decision.• Records need to be linked to metadata such as formatand business and documentary context.• Records should be authentic,reliable,usable,complete,and unaltered.Functionality and components of records systems:• Ability to document records transactions• Control of physical storage• Support of a range of distributed storage and custodyoptions• Facility for controlled conversion and migration of digitalrecords• Provision for controlled access,retrieval,and use• Facilitation and implementation of retention anddisposition decisionsRecords management processes and controls:• Determining records to be captured into the system• Specifying metadata that needs to be linked to orembedded in the records• Deciding how long to keep records (retention scheduledevelopment and operation)• Registration of records• Classification (within business context,vocabularycontrols,indexing and referencing.)• Storage and handling• Access• Tracking• Implementing retention and disposition• Documenting records management processesMonitoring and auditing should encompass:• Internal monitoring of system to ensure compliance withit as well as required outcomes• Internal or external audit• Appropriate modifications to system• Documentation of compliance,monitoring,and auditISO 15489-1:2001 Sections Useful for Auditing
July/August 2004 • The Information Management Journal 53Margaret Crockett and Janet Foster are freelance archivists and records managerswho are directors of the Archive-Skills Consultancy. The partnership is based in Londonand operates mainly in the United Kingdom, but has carried out a significant numberof projects overseas. They may be contacted at firstname.lastname@example.org email@example.com producing a report as well.This allows the auditors to makespecific recommendations, expand onaudit findings as necessary, and perhapsmost importantly, highlight good prac-tice that is already in place. The com-pleted AAT then has a context and theorganization receives some pointers asto ways forward.Examples of audit report contentbased on the standard include:• Introduction• Management Support• Role of Records Manager• Records Management Staff• Vital Records and Disaster Planning• Retention Scheduling• Record Transfer• Record Retrieval• Records Management Database• Box Labels• Location Register• Procedures and Documentation• Storage• Next Steps• Conclusion• Recommendations• AppendicesUsing the Standard as a Basis forAudit: Lessons LearnedThe AAT essentially turns the stan-dard’s requirements into a series ofquestions that are tailored to the partic-ular business sector as required. Inpractice, these questions cannot usuallybe satisfied by a “yes” or “no” option.Completion of the AAT, therefore,requires substantial interrogation of therecords management program docu-mentation, onsite inspection of proce-dures and processes, as well as face-to-face interviews in order to determineand document compliance with thestandard. Analysis of the records man-agement program documentation canbe done prior to the site visit, which willallow both assessment of compliance(with respect to documentation) andraise questions to be answered duringinterviews and in situ inspection.By its nature the standard is pitchedat a high level, but it is comprehensivein its coverage of requirements forrecords management systems and,therefore, provides a sound basis for anaudit. The standard’s only self-con-fessed omission is its lack of coveragefor those records selected as archives. Ifmanagement of records is to be totallyintegrated from conception to disposal,then the archive cycle must beincluded. This is especially relevant incountries where archive legislation is inplace.In order to use the standard as anevaluation tool, the auditor must beable to relate its specifications to thedetails of the records management pro-gram in question. The auditor must beable to analyze the findings as itemizedin the AAT and assess whether the pro-gram is compliant with the standard(or at least to what degree). Most auditsshould also include recommendationsof how the program might beimproved. The standard does not assistwith this step, as it provides definitionsand required elements rather thanstrategies and methodologies.For example, in the course of investi-gations, the auditor may learn that anew IT system is being piloted. Thismay not fit into the AAT frameworksuggested by the standard, but it mayimpact the records management pro-gram.An experienced records manager/auditor will realize the IT system’simportance and include analysis andrecommendations on its possible effectin the audit report. It is the auditor andthe records manager who are in a posi-tion to evaluate the context andspecifics of the individual RM programand develop plans for improvement.This small European pharmaceuticalcompany required the audit to validatethe policies, procedures, and operatingframework for a records managementprogram that, at the time of audit, cov-ered only the non-current paperrecords of one department. Therefore,issues of auditing digital records man-agement, current records, and wideruse of the AAT outside the recordsmanagement team cannot be discusseddirectly.For example, there was no opportu-nity to investigate and develop assess-ment criteria for the requirementsspecified in the standard relating tocharacteristics of electronic records,their authenticity, reliability, integrity,and usability. But it was possible todetermine whether records remainedcomplete in their non-current recordsmanagement regime. The question ofhow to test compliance with theserequirements for current recordsremains to be answered.Additionally, some records manage-ment activities had not yet beenrequired – for example, the destructionof documents at the end of the overallretention period – but the AAT willmeasure whether compliant proceduresare in place for activities that will beneeded in the future. The structure ofthe standard is such that it is easy toidentify sections that are directly rele-vant to the scope of an audit and thosesections that are not applicable.ISO 15489 provides a comprehensiveand practical basis for auditing both fulland partial records management pro-grams. Approaching the standard fromthis perspective and using it to developan AAT also provided the opportunity tothoroughly test the standard itself.