Auditing RIM Programs for Improvement
Helen Streck
President/CEO
Workshop Agenda
Introductions
Understanding Audits
Lifecycle and Elements of an Audit
Findings and Developing Initiatives
Introduction
Importance of Good Recordkeeping
Values for a RIM Program
Knowing Your Requirements
Strategic Review of Risks
Drivers for Continuous Improvement
Auditing’s Input
Value of RIM
IF - Information is a key asset to an organization
then RIM
Establishes the controls for compliance
Improves efficiency
Element of reasonableness
Removes costs when value no longer exists
Facilitates effective/efficient decision making
Improves system performance
Knowing Your Requirements
SEC 17-A, sections 3 & 4
Government Paperwork Elimination Act
NASD 3110
NASD 3010
Check 21
Gramm-Leach-Bliley Act
Sarbanes-Oxley Act
Drivers for Continuous Improvement
Industry Competition
Data Storage Costs
Excessive Costs of eDiscovery – Obsolete Data
Rising Costs of Human Labor
“Personalization” of Information
Increased Regulations and Inspections
Over-Regulating
Using Audits for Improvement
This session will focus on how to plan and use
an Audit (Assessment) to aid a RIM Program
in building the improved services that meet
the needs for continuous improvement.
Understanding Audits
Defining an Audit
A RIM audit is an independent, objective
activity designed to “add value and improve”
an organization’s operations for creating and
managing information.
Understanding Audits
Independent Objective Evaluation
Provide Assurances
Compliance
Efficiencies
Effectiveness
Evaluates
Governance
Controls
Processes
Risk Management
Auditing Characteristics
Holistic Approach
Consistent with Org’s Mission and Goals
Prioritized on a Risk-Based Approach
Conducted Routinely
Outside-Looking-In View
Audit’s Value Statement
Proves controls via documentation and
evaluation
Checks for controls that reduce or eliminate
unabated information growth
Ensures the application of rules that eliminate
obsolete information that may be discoverable
Determines the effectiveness of procedures
Identifies isolated instances of duplication
Risks with Poor RIM Programs
Loss of Intellectual Property
Delayed Decision-making/Filings
Increased Technology Costs
Increased eDiscovery Costs/Penalties
Poor System/Operational Responsiveness
Decreased Competitiveness
Unmanaged Liability
Using Industry Standards
Use industry standards and best practices
to benchmark
The Principles
ISO and ANSI standards
Best Practices
Sedona Principles
Elements of Compliant Programs
Accountability
Integrity
Information protection
Compliance
Information is available
Retention
Disposition
Transparency
Generally Accepted Recordkeeping Principles
www.arma.org
Audit Lifecycle
Audit Cycle
[Diagram: 1 Planning, 2 Preparation, 3 Performance, 4 Reporting, 5 Follow-up]
Steps in an Audit
Planning
Define purpose, scope, criteria and objectives
Prioritize based on risk
The Purpose
Start with defining the purpose of the audit –
sets the tone
Looking for mistakes
Complying with requirements
Seeking opportunities to improve
Define the expected outcomes
What are the actions to follow
The Purpose
Why
To meet regulatory requirements
To verify the controls established to protect PHI
To check the processes that document the use of public
funds
Outcomes
Report of evaluation and findings
Findings are prioritized as high, medium or low, with high
being the most severe
Actions
Develop corrective plan (initiatives) with timelines
Audit Objectives
Relate the elements of your program to the
Corporate goal
Examples of objectives include
To determine the level of protection taken and routinely
followed to protect paper records
To assess management’s commitment by assignments
and participation on the Steering Committee
To measure the rate of the department’s completion of
the RIM learning course
Set Criteria Ratings
Next determine what you must have:
What program elements are critical
What program elements are important to have
What program elements are preferred but you
could live without
Set Criteria Ratings
Important
Critical
Program has mission and vision statement
Program mission and vision statement endorsed by executives
Mission and vision statement are published for employees to access and see
Preferred
Program mission statement is included in business unit’s goals and mission
Program Element | Documentation Available (Yes/No) | Principle | Criteria (C/I/P) | Last Revision Date | Current Rating (Un/NI/S/NA)
Policy – Sample Only | Yes | Accountability | Critical | Mar-08 | Needs Improvement
Retention Schedule
Procedures (sampling only)
Transferring Hard Copy Records to Storage
Information Disposition Procedure
Decommissioning Plan/Procedure
Exiting Employee Procedure
System Taxonomy/File Plan
Training Materials
New Hire Training Slides
Communication
Website
Glossary
Decide on Ratings
Based on risk factors and known requirements how
does the current documentation and practices
measure up to the criteria?
Satisfactory
Needs Improvement
Unsatisfactory
N/A
Steps in an Audit
Planning
Define scope, criteria, and objectives
Prioritize based on risk
Steps in an Audit
Planning
Define scope, criteria, and objectives
Prioritize based on risk
Preparation
Create a checklist – what do you want them to produce
for you to review
What is required by law to have
Submit checklist, questions and document request to the
group being audited
Steps in an Audit
Planning
Define scope, criteria, and objectives
Prioritize based on risk
Preparation
Create a checklist – what do you want them to produce for you to review
What is required by law to have
Submit checklist, questions and document request to the group being audited
Performance
Collect and review physical and electronic recordkeeping documentation
Conduct interview(s) with department(s) personnel as necessary
Steps in Performing an Audit
Ask the Department to identify your contact –
Records Coordinator, Management – someone who
can answer questions
Send checklist (what is being covered) in advance to contact
Obtain the list of names of employees to interview
in advance
Schedule meetings with interviewees
Prepare a list of documents you want the
department to provide you for review
Steps in an Audit
Planning
Define scope, criteria, and objectives
Prioritize based on risk
Preparation
Create a checklist – what do you want them to produce for you to review
What is required by law to have
Submit checklist, questions and document request to the group being audited
Performance
Collect and review physical and electronic recordkeeping documentation
Conduct interview(s) with department(s) personnel as necessary
Reporting
Draft Findings Report
Discuss steps for improvement
Recommend Timelines – be realistic
Steps in an Audit
Planning
Define scope, criteria, and objectives
Prioritize based on risk
Preparation
Create a checklist – what do you want them to produce for you to review
What is required by law to have
Submit checklist, questions and document request to the group being audited
Performance
Collect and review physical and electronic recordkeeping documentation
Conduct interview(s) with department(s) personnel as necessary
Reporting
Draft Findings Report
Discuss steps for improvement
Recommend Timelines – be realistic
Monitor the improvement steps
Using Audits for Improvement
Reviewing the risk, compliance requirements
Learning to rank initiatives
Understanding the resource requirements needed
Using a “Triage” approach
Using Findings to Create Initiatives
Triage Approach: General Description
Develops a plan that prioritizes the most
pressing matters so that they receive immediate
attention.
Places longer term goals on a drawing board to
be reviewed with more analysis without
pressure.
Postpones tasks that are of low risk and not
urgent for the last phase of the project.
Triage approach prioritizes the needs and risks of
the project into manageable groups.
Triage Approach: General Description
Provides a means for “building onto” a Program
by ensuring the correct components are done
first.
Allows the Program owner to measure success
and “see” definable improvements and not wait
on project completion to be successful.
Separates project components based on risk
and need so that items which are most critical
get the immediate attention to reduce existing
or potential risks.
Prioritize Like Emergency Room
Stop The Bleeding
RIM initiatives that address the immediate findings to
achieve compliance
Levels of Process Improvements
Stop the Bleeding
RIM initiatives that address the immediate findings to achieve
compliance
Treat The Underlying Cause(s)
Address the root symptoms
Levels of Process Improvements
Stop the Bleeding
RIM initiatives that address the immediate findings to achieve compliance
Treat The Underlying Cause(s)
Address the root symptoms
Establish Preventive Measures
Long-term initiatives and projects involving multiple stakeholders, resources and automation to prevent future problems
Levels of Process Improvements
Stop the Bleeding
RIM initiatives that address the immediate findings to achieve compliance
Treat The Underlying Cause(s)
Address the root symptoms
Establish Preventive Measures
Long-term initiatives and projects involving multiple stakeholders, resources and automation to prevent future problems
Create Ongoing Efficiencies
As systems are operating smoothly and consistently, opportunities for streamlining arise
Immediate Implementation (<6 mo.)
Scheduled Implementation (4-12 mo.)
Delayed Implementation (8-24 mo.)
Triage
Immediate Implementation (<6 mos)
Program governance
Program assessment and strategy
Program infrastructure
Communication plan and program toolkit
Scheduled Implementation (6-15 mos)
Phase in Program Governance to employees
Create educational curriculum and course content
Data from departing employees.
Protocol for decommissioning systems
Delayed Implementation (15-24 mos)
Records Management criteria for system designs
Process to manage orphaned data
Create business case and workflow for RM S
Audit criteria
Immediate Project (<6 months)
Description
Program governance
Revised global program policy
Revise/consolidate records retention schedule
Identify global processes and draft protocols
Review and revise or create standards for archiving records and data
Program assessment and Strategy
Conduct program assessment
Realign and revise vision and mission
Create Program strategy and timeline
Program Infrastructure
Complete entity appointed Records Managers
Refine roles and responsibilities
Draft Executive Sponsorship oversight role
Identify and formalize key partnerships (CCO, GC, CIO)
Communication plan and toolkit
Develop communication plan for build out
Create tools and support communication for infrastructure
Create communication templates
Benefit
Clearly defined rules and expectations
Developed center of expertise
Policy simplification and alignment
Flexible implementation
Clearly articulated vision
Measurable and achievable action steps towards a mature program
Identifiable resources & dependencies
Strengthen knowledge base
Distributed implementation involvement
Executive sponsorship and support
Concise and consistent messaging
Increased employee awareness
Support for entity Records Mgrs
Approach
Identify all associated policies/revise and align
Review/collapse and reformat RRS
Revise/create standards for archiving paper and electronic records
Conduct interviews with identified key employees
Assess current goals and roles and responsibilities
Identify risks and conduct gap analysis of risk and service
Define roles and responsibilities and support
Engage entity senior management in selection and requirements
Create Executive roles and responsibilities
Cost
Scheduled Projects (6-15 months)
Description
Phase in Program Governance
Create employee awareness
Develop new hire orientation material
Develop web page and include links in governance documents
Employee Education
Create educational curriculum and strategy
Identify all available modalities
Draft course content for Program components and compliance requirements
Exiting Employees
Assess current process and situation
Partner with IT to determine employee data location and system requirements and controls
Develop process for preserving data/records of departing staff to comply with legal holds and retention requirements
Decommissioning Systems
Draft decommissioning compliance requirement needs that need to be met
Create decision tree
Draft protocol for decommissioning systems
Benefit
Approach
Cost
Ensure global awareness and feedback
Awareness for new hires
Provides point-in-time resource
Improved program awareness
Enable employee compliance
Risk avoidance of deleting litigation relevant data
Inform supervisors of responsibility at point-in-time
Ensures compliance with legal and RIM requirements
Ensures preservation and required data
Avoids over retention of obsolete data
Reduces expenses
Scheduled Projects (15-24 months)
Description
Phase in Program Governance
Create employee awareness
Develop new hire orientation material
Develop web page and include links in governance documents
Employee Education
Create educational curriculum and strategy
Identify all available modalities
Draft course content for Program components and compliance requirements
Exiting Employees
Assess current process and situation
Partner with IT to determine employee data location and system requirements and controls
Develop process for preserving data/records of departing staff to comply with legal holds and retention requirements
Decommissioning Systems
Draft decommissioning compliance requirement needs that need to be met
Create decision tree
Draft protocol for decommissioning systems
Benefit
Approach
Cost
Ensure global awareness and feedback
Awareness for new hires
Provides point-in-time resource
Improved program awareness
Enable employee compliance
Risk avoidance of deleting litigation relevant data
Inform supervisors of responsibility at point-in-time
Ensures compliance with legal and RIM requirements
Ensures preservation and required data
Avoids over retention of obsolete data
Reduces expenses
Make Audits Work for You!
Audits of RIM Programs should be viewed as a
mechanism for healthier programs
Plan, prepare, evaluate and report
Use the findings to create initiatives and identify
needed resources
Focus on continuous improvement
Thank You!
Helen Streck
President/CEO
Kaizen InfoSource