
The Impact of Auditing on Records Management Risk and Compliance

Susan B. Whitmire, CRM, FAI
Manager, Enterprise Records and Information Management
BlueCross BlueShield of Tennessee

Agenda

Definitions
Risks
Compliance
Auditing

Records Management Definitions

Records and Information Management
Generally Accepted Recordkeeping Principles
ISO 15489
Retention Schedule

Definitions – RIM

Records and Information Management: the systematic control of all recorded information an organization needs to do business.
Covers the creation, maintenance, use, preservation, protection and disposition of that information.
The information may reside on various forms of media.

RIM is designed to support the records management requirements of business processes and to reduce risks associated with litigation, investigation or audit through the proper management, protection and retention of information.

Definitions – ISO 15489

This standard defines records management as "The field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposition of records, including the processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records".

Definitions – Retention Schedule

An established timetable for maintaining an organization's records.
Establishes uniform retention practices and avoids duplication of effort.

Application of retention

Context: a grouping of related documents makes up a record. A record is typically not a single email, Word document or Excel spreadsheet; folders provide the context.
Event-based retention: for example, Closed + 5 years, or Superseded + 10 years.

Why is it important?

Information is an asset; it holds value for the organization.

RIM ensures that needed information is retrievable, authentic and accurate, which requires:
Setting and following organizational policies and best practices
Identifying who is responsible and accountable for managing records
Integrating best practices and process flows for information management throughout the organization
Creating, communicating and executing procedures consistently

Records Management Risks

Risks: retaining information too long or too short; protection; security; privacy.

Where to look? Email; unstructured electronic information; content in systems and applications; backup and archive media.

Records Management Risks

Keeping information too long or too short
Consistent practices according to policy (and the retention schedule)
Demonstration of those practices to regulatory authorities
Protection from accidental or intentional events
Restoration

Records Management Risks

Security: access to information beyond system access
Privacy
Destruction standards: proper disposal of the various forms of media that carry content

Records Management Risks

Classifying and ranking records and information management risks

o Content
o Policies and Controls
o E-Discovery
o Generally Accepted Recordkeeping Principles (GARP) Maturity Model

GARP

Generally Accepted Recordkeeping Principles: Accountability, Integrity, Protection, Compliance, Availability, Retention, Disposition, Transparency.
http://www.arma.org/garp/garp.pdf

Records Management Compliance

Everyone is responsible for managing records and information: creating, using, retrieving, and disposing of records in accordance with the organization's established policies and procedures.

Records Management Auditing

Mitigate records management risks
Compliance with policies and procedures
Compliance with the records retention schedule
ISO 15489

Questions?

Susan_whitmire@bcbst.com
423-535-3328