The best Information Management policies and practices in the world will not protect an organization unless they have the means to find out if employees are in fact complying with those directives. Auditing and monitoring allow organizations to understand where their Information Management program is succeeding and where it is failing, and correct any compliance problems before they blossom into full-fledged disasters.
Auditing and monitoring programs are required by law in some instances. Taxpayers wishing to keep records in electronic form must meet the requirements of IRS Revenue Procedure 97-22, which explicitly requires Information Management-style controls and audits. The National Association of Securities Dealers, in conjunction with the Securities and Exchange Commission, regulates the securities industry and has promulgated Conduct Rule 3010, which requires members to “establish and maintain a system to supervise the activities [of employees] that is reasonably designed to achieve compliance with applicable securities laws and regulations.”
Organizations should also consider the role of independent third parties in auditing and monitoring activities, particularly in highly regulated industries. Such audits can be very formal and involve multiple steps, including a complete review of Information Management documentation, employee interviews, and examination of “live” processes and technology in action. On the other hand, such audits can also be less formal, limited, for example, to an offsite review of specific policies and procedures.
Learn more about auditing and monitoring processes in the second edition of Information Nation, available from John W. Wiley & Sons. For more information, see www.informationnationbook.com.
Comments? Contact the author at email@example.com.