Presentation on theme: "The Impact of Auditing on Records Management Risk and Compliance Susan B. Whitmire, CRM, FAI Manager, Enterprise Records and Information Management BlueCross."— Presentation transcript:
The Impact of Auditing on Records Management Risk and Compliance Susan B. Whitmire, CRM, FAI Manager, Enterprise Records and Information Management BlueCross BlueShield of Tennessee
Agenda Definitions Risks Compliance Auditing
Records Management Definitions Records and Information Management Generally Accepted Recordkeeping Principles ISO 15489 Retention Schedule
Definitions - RIM Records and Information Management Systematic control of all recorded information an organization needs to do business. creation, maintenance, use, preservation, protection and disposition information may reside on various forms of media RIM is designed to support the records management requirements of business processes and to reduce risks associated with litigation, investigation or audit through the proper management, protection and retention of information.
Definitions – ISO 15489 This standard defines records management as "The field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposition of records, including the processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records".
Definitions – Retention Schedule An established timetable for maintaining an organizations records Establishes uniform retention practices and avoids duplication of effort Application of retention Context Grouping of related documents = Record Typically not a single email, word document or excel spreadsheet Folders provide context Event Based Retention Closed + 5 years Superseded + 10 years
Why is it important? Information is an asset; holds value for the organization RIM ensures that needed information is retrievable, authentic and accurate, which requires: Setting and following organizational policies and best practices Identifying who is responsible and accountable for managing records Integrating best practices and process flows for information management throughout the organization Creating, communicating and executing procedures consistently
Records Management Risks Risks Too long or too short Protection Security Privacy Where to look? Email Unstructured electronic information Content in systems and applications Back up and archive media
Records Management Risks Keeping information too long or too short Consistent practices according to policy (and retention schedule) Demonstration to regulatory authorities Protection from accidental or intentional events Restoration
Records Management Risks Security Access to information beyond system access Privacy Destruction standards Proper disposal of various forms of media with content
Records Management Risks Classifying and ranking records and information management risks o Content o Policies and Controls o E-Discovery o Generally Accepted Recordkeeping Principles (GARP) Maturity Model
Records Management Compliance Everyone is responsible for managing records and information Creating, using, retrieving, and disposing of records in accordance with the organizations established policies and procedures
Records Management Auditing Mitigate records management risks Compliance with policies and procedures Compliance with the records retention schedule ISO 15489