Transcript Document
Auditing RIM Programs for Improvement
Helen Streck, President/CEO

Workshop Agenda
- Introductions
- Understanding Audits
- Lifecycle and Elements of an Audit
- Findings and Developing Initiatives

Introduction

Introduction
- Importance of Good Recordkeeping
- Values for a RIM Program
- Knowing Your Requirements
- Strategic Review of Risks
- Drivers for Continuous Improvement
- Auditing's Input

Value of RIM
IF information is a key asset to an organization, THEN RIM:
- Establishes the controls for compliance
- Improves efficiency
- Provides an element of reasonableness
- Removes costs when value no longer exists
- Facilitates effective/efficient decision making
- Improves system performance

Knowing Your Requirements
- SEC 17-A, sections 3 & 4
- Government Paperwork Elimination Act
- NASD 3110
- NASD 3010
- Check 21
- Gramm-Leach-Bliley Act
- Sarbanes-Oxley Act

Drivers for Continuous Improvement
- Industry Competition
- Data Storage Costs
- Excessive Costs of eDiscovery – Obsolete Data
- Rising Costs of Human Labor
- "Personalization" of Information
- Increased Regulations and Inspections
- Over-Regulating

Using Audits for Improvement
This session will focus on how to plan and use an Audit (Assessment) to aid a RIM Program in building the improved services that meet the needs for continuous improvement.

Understanding Audits

Defining an Audit
A RIM audit is an independent, objective activity designed to "add value and improve" an organization's operations for creating and managing information.

Understanding Audits
- Independent, objective evaluation
- Provides assurances of:
  - Compliance
  - Efficiencies
  - Effectiveness
- Evaluates:
  - Governance
  - Controls
  - Processes
  - Risk Management

Auditing Characteristics
- Holistic Approach
- Consistent with Org's Mission and Goals
- Prioritized on a Risk-Based Approach
- Conducted Routinely
- Outside-Looking-In View

Audit's Value Statement
- Proves controls via documentation and evaluation
- Checks for controls that reduce or eliminate unabated information growth
- Ensures the application of rules that eliminate obsolete information that may be discoverable
- Determines the effectiveness of procedures
- Identifies isolated instances of duplication

Risks with Poor RIM Programs
- Loss of Intellectual Property
- Delayed Decision-making/Filings
- Increased Technology Costs
- Increased eDiscovery Costs/Penalties
- Poor System/Operational Responsiveness
- Decreased Competitiveness
- Unmanaged Liability

Using Industry Standards
Use industry standards and best practices to benchmark:
- The Principles
- ISO and ANSI standards
- Best Practices
- Sedona Principles

Elements of Compliant Programs
- Accountability
- Integrity
- Information protection
- Compliance
- Availability (information is available)
- Retention
- Disposition
- Transparency
Source: Generally Accepted Recordkeeping Principles, www.arma.org

Audit Lifecycle

Audit Cycle
1. Planning
2. Preparation
3. Performance
4. Reporting
5. Follow-up

Steps in an Audit
- Planning
  - Define purpose, scope, criteria and objectives
  - Prioritize based on risk

The Purpose
Start with defining the purpose of the audit – it sets the tone:
- Looking for mistakes
- Complying with requirements
- Seeking opportunities to improve
Define the expected outcomes: what are the actions to follow?

The Purpose
Why:
- To meet regulatory requirements
- To verify the controls established to protect PHI
- To check the processes that document the use of public funds

Outcomes
- Report of evaluation and findings
  - Findings are prioritized as high, medium or low, high being the most severe
- Actions
  - Develop corrective plan (initiatives) with timelines

Audit Objectives
Relate the elements of your program to the corporate goal. Examples of objectives include:
- To determine the level of protection taken and routinely followed to protect paper records
- To assess management's commitment by assignments and participation on the Steering Committee
- To measure the rate of the department's completion of the RIM learning course

Set Criteria Ratings
Next determine what you must have:
- What program elements are critical
- What program elements are important to have
- What program elements are preferred but you could live without

Set Criteria Ratings (example)
- Critical: Program has mission and vision statement
- Important:
  - Program mission and vision statement endorsed by executives
  - Mission and vision statement are published for employees to access and see
- Preferred: Program mission statement is included in business unit's goals and mission

Program Element Documentation (sample only)
Columns: Program Element | Documentation Available (Yes/No) | Principle | Criteria (C/I/P) | Current Rating (Un/NI/S/NA) | Last Revision Date
Sample row: Policy | Yes | Accountability | Critical | Needs Improvement | Mar-08
Program elements to assess (sampling only):
- Policy
- Retention Schedule
- Procedures
  - Transferring Hard Copy Records to Storage
  - Information Disposition Procedure
  - Decommissioning Plan/Procedure
  - Exiting Employee Procedure
- System Taxonomy/File Plan
- Training Materials
  - New Hire Training Slides
- Communication
  - Website
  - Glossary

Decide on Ratings
Based on risk factors and known requirements, how do the current documentation and practices measure up to the criteria?
- Satisfactory
- Needs Improvement
- Unsatisfactory
- N/A

Steps in an Audit
- Planning
  - Define scope, criteria, and objectives
  - Prioritize based on risk
- Preparation
  - Create a checklist – what do you want them to produce for you to review
  - What is required by law to have
  - Submit checklist, questions and document request to the group being audited
- Performance
  - Collect and review physical and electronic recordkeeping documentation
  - Conduct interview(s) with department(s) personnel as necessary
- Reporting
  - Draft Findings Report
  - Discuss steps for improvement
  - Recommend timelines – be realistic
  - Monitor the improvement steps

Steps in Performing an Audit
- Ask the department to identify your contact – Records Coordinator, Management – someone who can answer questions
- Send checklist (what is being covered) in advance to contact
- Obtain the list of names of employees to interview in advance
- Schedule meetings with interviewees
- Prepare a list of documents you want the department to provide you for review

Using Audits for Improvement
- Reviewing the risk and compliance requirements
- Learning to rank initiatives
- Understanding the resource requirements needed
- Using a "Triage" approach

Using Findings to Create Initiatives

Triage Approach: General Description
- Develops a plan that prioritizes the most pressing matters so that they receive immediate attention.
- Places longer term goals on a drawing board to be reviewed with more analysis, without pressure.
- Postpones tasks that are of low risk and not urgent to the last phase of the project.
- The triage approach prioritizes the needs and risks of the project into manageable groups.

Triage Approach: General Description
- Provides a means for "building onto" a Program by ensuring the correct components are done first.
- Allows the Program owner to measure success and "see" definable improvements, and not wait on project completion to be successful.
- Separates project components based on risk and need so that items which are most critical get the immediate attention to reduce existing or potential risks.

Prioritize Like an Emergency Room
- Stop the Bleeding: RIM initiatives that address the immediate findings to achieve compliance

Levels of Process Improvements
- Stop the Bleeding: RIM initiatives that address the immediate findings to achieve compliance
- Treat the Underlying Cause(s): address the root symptoms
- Establish Preventive Measures: long-term initiatives and projects involving multiple stakeholders, resources and automation to prevent future problems
- Create Ongoing Efficiencies: as systems are operating smoothly and consistently, opportunities for streamlining arise

Implementation Phases
- Immediate Implementation (<6 mo.)
- Scheduled Implementation (4-12 mo.)
- Delayed Implementation (8-24 mo.)

Triage
- Immediate Implementation (<6 mos)
  - Program governance
  - Program assessment and strategy
  - Program infrastructure
  - Communication plan and program toolkit
- Scheduled Implementation (6-15 mos)
  - Phase in Program Governance to employees
  - Create educational curriculum and course content
  - Data from departing employees
  - Protocol for decommissioning systems
- Delayed Implementation (15-24 mos)
  - Records Management criteria for system designs
  - Process to manage orphaned data
  - Create business case and workflow for RMS
  - Audit criteria

Immediate Projects (<6 months)
Columns: Description | Approach | Benefit | Cost (cost cells left blank on the slide)

- Program governance
  - Description: Revised global program policy; Revise/consolidate records retention schedule; Identify global processes and draft protocols; Review and revise or create standards for archiving records and data
  - Approach: Identify all associated policies, revise and align; Review/collapse and reformat RRS; Revise/create standards for archiving paper and electronic records
  - Benefit: Clearly defined rules and expectations; Developed center of expertise; Policy simplification and alignment; Flexible implementation
- Program assessment and strategy
  - Description: Conduct program assessment; Realign and revise vision and mission; Create Program strategy and timeline
  - Approach: Conduct interviews; Assess current goals and roles and responsibilities; Identify risks and conduct gap analysis of risk and service
  - Benefit: Clearly articulated vision; Measurable and achievable action steps towards a mature program; Identifiable resources & dependencies
- Program infrastructure
  - Description: Complete entity-appointed Records Managers; Refine roles and responsibilities; Draft Executive Sponsorship oversight role; Identify and formalize key partnerships (CCO, GC, CIO)
  - Approach: Define roles and responsibilities and support; Engage entity senior management in selection and requirements; Create Executive roles and responsibilities
  - Benefit: Strengthened knowledge base; Distributed implementation involvement; Executive sponsorship and support
- Communication plan and toolkit
  - Description: Develop communication plan for build-out; Create tools and support communication for infrastructure; Create communication templates
  - Benefit: Concise and consistent messaging; Increased employee awareness; Support for entity Records Managers with identified key employees

Scheduled Projects (6-15 months)
Columns: Description | Approach | Benefit | Cost (approach and cost cells left blank on the slide)

- Phase in Program Governance
  - Description: Create employee awareness; Develop new hire orientation material; Develop web page and include links in governance documents
  - Benefit: Ensures global awareness and feedback; Awareness for new hires; Provides point-in-time resource
- Employee Education
  - Description: Create educational curriculum and strategy; Identify all available modalities; Draft course content for Program components and compliance requirements
  - Benefit: Improved program awareness; Enables employee compliance
- Exiting Employees
  - Description: Assess current process and situation; Partner with IT to determine employee data location and system requirements and controls; Develop process for preserving data/records of departing staff to comply with legal holds and retention requirements
  - Benefit: Risk avoidance of deleting litigation-relevant data; Informs supervisors of responsibility at point-in-time; Ensures compliance with legal and RIM requirements
- Decommissioning Systems
  - Description: Draft decommissioning compliance requirements that need to be met; Create decision tree; Draft protocol for decommissioning systems
  - Benefit: Ensures preservation of required data; Avoids over-retention of obsolete data; Reduces expenses

Make Audits Work for You!
- Audits of RIM Programs should be viewed as a mechanism for healthier programs
- Plan, prepare, evaluate and report
- Use the findings to create initiatives and identify needed resources
- Focus on continuous improvement

Thank You!
Helen Streck, President/CEO, Kaizen InfoSource