Auditing RIM Programs for Improvement
Helen Streck, President/CEO
Workshop Agenda
Introductions
Understanding Audits
Lifecycle and Elements of an Audit
Findings and Developing Initiatives
Introduction
Importance of Good Recordkeeping
Values for a RIM Program
Knowing Your Requirements
Strategic Review of Risks
Drivers for Continuous Improvement
Auditing’s Input
Value of RIM
If information is a key asset to an organization, then RIM:
Establishes the controls for compliance
Improves efficiency
Provides an element of reasonableness
Removes costs when value no longer exists
Facilitates effective/efficient decision making
Improves system performance
Knowing Your Requirements
SEC 17-A, sections 3 & 4
Government Paperwork Elimination Act
NASD 3010
FACTA
USA Patriot Act
Gramm-Leach-Bliley Act
NASD 3110
Sarbanes-Oxley Act
HIPAA
NYSE 342
Check 21
Drivers for Continuous Improvement
Industry Competition
Data Storage Costs
Excessive Costs of eDiscovery – Obsolete Data
Rising Costs of Human Labor
“Personalization” of Information
Increased Regulations and Inspections
Over-Regulating
Using Audits for Improvement
This session will focus on how to plan and use an Audit (Assessment) to aid a RIM Program in building the improved services that meet the needs for continuous improvement.
Understanding Audits
Defining an Audit
A RIM audit is an independent, objective activity designed to “add value and improve” an organization’s operations for creating and managing information.
Understanding Audits
An independent, objective evaluation that provides assurances of compliance, efficiencies and effectiveness, and evaluates governance, controls, processes and risk management.
Auditing Characteristics
Holistic Approach
Consistent with Org’s Mission and Goals
Prioritized on a Risk-Based Approach
Conducted Routinely
Outside-Looking-In View
Audit’s Value Statement
Proves controls via documentation and evaluation
Checks for controls that reduce or eliminate unabated information growth
Ensures the application of rules that eliminate obsolete information that may be discoverable
Determines the effectiveness of procedures
Identifies isolated instances of duplication
Risks with Poor RIM Programs
Loss of Intellectual Property
Delayed Decision-making/Filings
Increased Technology Costs
Increased eDiscovery Costs/Penalties
Poor System/Operational Responsiveness
Decreased Competitiveness
Unmanaged Liability
Using Industry Standards
Use industry standards and best practices to benchmark:
The Principles
ISO and ANSI standards
Best Practices
Sedona Principles
Elements of Compliant Programs
Accountability
Transparency
Integrity
Information protection
Compliance
Information is available
Retention
Disposition
Source: Generally Accepted Recordkeeping Principles, www.arma.org
Audit Lifecycle
Audit Cycle:
1. Planning
2. Preparation
3. Performance
4. Reporting
5. Follow-up
Steps in an Audit
Planning: define purpose, scope, criteria and objectives; prioritize based on risk.
The Purpose
Start with defining the purpose of the audit – it sets the tone:
Looking for mistakes
Complying with requirements
Seeking opportunities to improve
Define the expected outcomes
What are the actions to follow
The Purpose
Why:
To meet regulatory requirements
To verify the controls established to protect PHI
To check the processes that document the use of public funds
Outcomes:
Report of evaluation and findings
Findings are prioritized as high, medium or low, the high being the most severe
Actions:
Develop corrective plan (initiatives) with timelines
Audit Objectives
Relate the elements of your program to the corporate goal.
Examples of objectives include:
To determine the level of protection taken and routinely followed to protect paper records
To assess management’s commitment by assignments and participation on the Steering Committee
To measure the rate of the department’s completion of the RIM learning course
Set Criteria Ratings
Next determine what you must have:
What program elements are critical
What program elements are important to have
What program elements are preferred but you could live without
Set Criteria Ratings
Critical:
Program has mission and vision statement
Program mission and vision statement endorsed by executives
Important:
Mission and vision statement are published for employees to access and see
Preferred:
Program mission statement is included in business unit’s goals and mission
Sample criteria worksheet (sample only):
| Program Element | Documentation Available (Yes/No) | Principle | Criteria (C/I/P) | Last Revision Date | Current Rating (Un/NI/S/NA) |
| --- | --- | --- | --- | --- | --- |
| Policy – Sample Only | Yes | Accountability | Critical | Mar-08 | Needs Improvement |
| Retention Schedule | | | | | |
| Procedures (sampling only) | | | | | |
| – Transferring Hard Copy Records to Storage | | | | | |
| – Information Disposition Procedure | | | | | |
| – Decommissioning Plan/Procedure | | | | | |
| – Exiting Employee Procedure | | | | | |
| System Taxonomy/File Plan | | | | | |
| Training Materials | | | | | |
| – New Hire Training Slides | | | | | |
| Communication | | | | | |
| – Website | | | | | |
| – Glossary | | | | | |
Key: C/I/P = Critical/Important/Preferred; Un/NI/S/NA = Unsatisfactory/Needs Improvement/Satisfactory/Not Applicable.
Decide on Ratings
Based on risk factors and known requirements how does the current documentation and practices measure up to the criteria?
Satisfactory
Needs Improvement
Unsatisfactory
N/A
Steps in Performing an Audit
Ask the Department to identify your contact – Records Coordinator, Management – someone who can answer questions
Send checklist (what is being covered) in advance to contact
Obtain the list of names of employees to interview in advance
Schedule meetings with interviewees
Prepare a list of documents you want the department to provide you for review
Steps in an Audit
Planning: define scope, criteria, and objectives; prioritize based on risk.
Preparation: create a checklist – what do you want them to produce for you to review, and what is required by law to have; submit checklist, questions and document request to the group being audited.
Performance: collect and review physical and electronic recordkeeping documentation; conduct interview(s) with department(s) personnel as necessary.
Reporting: draft findings report; discuss steps for improvement; recommend timelines – be realistic.
Follow-up: monitor the improvement steps.
Using Audits for Improvement
Reviewing the risk, compliance requirements
Learning to rank initiatives
Understanding the resource requirements needed
Using a “Triage” approach
Using Findings to Create Initiatives
Triage Approach: General Description
Develops a plan that prioritizes the most pressing matters so that they receive immediate attention.
Places longer-term goals on a drawing board to be reviewed with more analysis, without pressure.
Postpones tasks that are of low risk and not urgent to the last phase of the project.
The triage approach prioritizes the needs and risks of the project into manageable groups.
Triage Approach: General Description
Provides a means for “building onto” a Program by ensuring the correct components are done first.
Allows the Program owner to measure success and “see” definable improvements and not wait on project completion to be successful.
Separates project components based on risk and need so that items which are most critical get the immediate attention to reduce existing or potential risks.
Prioritize Like an Emergency Room
Stop the Bleeding: RIM initiatives that address the immediate findings to achieve compliance.
Levels of Process Improvements
Stop the Bleeding: RIM initiatives that address the immediate findings to achieve compliance.
Treat the Underlying Cause(s): address the root symptoms.
Establish Preventive Measures: long-term initiatives and projects involving multiple stakeholders, resources and automation to prevent future problems.
Create Ongoing Efficiencies: as systems are operating smoothly and consistently, opportunities for streamlining arise.
Triage
Implementation windows (overview): Immediate Implementation (<6 mo.); Scheduled Implementation (4-12 mo.); Delayed Implementation (8-24 mo.)
Triage plan:
Immediate Implementation (<6 mos):
Program governance
Program assessment and strategy
Program infrastructure
Communication plan and program toolkit
Scheduled Implementation (6-15 mos):
Phase in Program Governance to employees
Create educational curriculum and course content
Data from departing employees
Protocol for decommissioning systems
Delayed Implementation (15-24 mos):
Records Management criteria for system designs
Process to manage orphaned data
Create business case and workflow for RMS
Audit criteria
Immediate Projects (<6 months)
| Project | Description | Benefit | Approach | Cost |
| --- | --- | --- | --- | --- |
| Program governance | Revised global program policy; revise/consolidate records retention schedule; identify global processes and draft protocols; review and revise or create standards for archiving records and data | Clearly defined rules and expectations; developed center of expertise; policy simplification and alignment; flexible implementation | Identify all associated policies, revise and align; review/collapse and reformat RRS; revise/create standards for archiving paper and electronic records | |
| Program assessment and strategy | Conduct program assessment; realign and revise vision and mission; create Program strategy and timeline | Clearly articulated vision; measurable and achievable action steps towards a mature program; identifiable resources & dependencies | Conduct interviews with identified key employees; assess current goals and roles and responsibilities; identify risks and conduct gap analysis of risk and service | |
| Program infrastructure | Complete entity-appointed Records Managers; refine roles and responsibilities; draft Executive Sponsorship oversight role; identify and formalize key partnerships (CCO, GC, CIO) | Strengthen knowledge base; distributed implementation involvement; executive sponsorship and support | Define roles and responsibilities and support; engage entity senior management in selection and requirements; create Executive roles and responsibilities | |
| Communication plan and toolkit | Develop communication plan for build-out; create tools and support communication for infrastructure; create communication templates | Concise and consistent messaging; increased employee awareness; support for entity Records Mgrs | | |
Scheduled Projects (6-15 months)
| Project | Description | Benefit | Approach | Cost |
| --- | --- | --- | --- | --- |
| Phase in Program Governance | Create employee awareness; develop new hire orientation material; develop web page and include links in governance documents | Ensure global awareness and feedback; awareness for new hires; provides point-in-time resource | | |
| Employee Education | Create educational curriculum and strategy; identify all available modalities; draft course content for Program components and compliance requirements | Improved program awareness; enable employee compliance | | |
| Exiting Employees | Assess current process and situation; partner with IT to determine employee data location and system requirements and controls; develop process for preserving data/records of departing staff to comply with legal holds and retention requirements | Risk avoidance of deleting litigation-relevant data; inform supervisors of responsibility at point-in-time; ensures compliance with legal and RIM requirements | | |
| Decommissioning Systems | Draft the decommissioning compliance requirements that need to be met; create decision tree; draft protocol for decommissioning systems | Ensures preservation of required data; avoids over-retention of obsolete data; reduces expenses | | |
Make Audits Work for You!
Audits of RIM Programs should be viewed as a mechanism for healthier programs
Plan, prepare, evaluate and report
Use the findings to create initiatives and identify needed resources
Focus on continuous improvement
Thank You!
Helen Streck, President/CEO
Kaizen InfoSource