Assessing Compliance

A sound records management program includes a mechanism for auditing compliance. A compliance review assesses adherence to University policy and may improve the overall efficiency of the department or office undertaking the review. Conducting regular reviews also provides an opportunity to identify and monitor areas in need of improvement. Department heads should set and follow a regular time frame for conducting reviews.

Records management has been identified as a key component of Emory's overall Compliance Program and is central to the University's ability to meet multiple elements of the program. Review the Emory University Compliance Program Manual for more information.

Establishing a Compliance Review Program

The success of a compliance review hinges on planning, execution, and results reporting. Successful reviews should be highly structured, which will help ensure that:

  • Responsibilities are defined, including establishing a review team and project timeline.
  • Scope and methodology of the review are clear. The review should consider both paper and electronic records across all storage platforms, both on-site and off-site.
  • Resources, such as staff time, meeting space, and funding to review off-site records, are identified and available. 
  • Disruption to services is minimized. For instance, staff may be more readily available over the summer months.
  • Findings are identified and communicated to all staff.
  • Necessary improvements are documented and made. Conducting regular reviews will help assess how well changes are adapted.

Defining the Scope of a Compliance Review

Compliance reviews should focus broadly, then use findings to narrow in on those areas where non-compliance poses the most pressing liability issues. Records liaisons should then direct resources to areas where there are known problems. Areas of potential risk include the inability to recover essential records from a disaster in order to resume operations and the protection and disposition of confidential records. Use this checklist as a starting point to identify areas of non-compliance.

The project scope should also identify which areas will be reviewed in whole and which will be sampled. A sample review of Destruction Certificates may reveal if that requirement is generally being met, while other areas may require more thorough examination, such as records storage and the safety of confidential records. Time constraints and record volume will directly affect sample sizes and the choice between the use of sampling and a more complete examination.

Compliance Review Components

A compliance review should answer the following questions:

  • Are records management responsibilities clearly documented? A department or office that is successfully managing their records will have a designated records liaison with responsibilities clearly outlined in their job description and procedures in place for managing records.
  • Is records management education and training provided regularly? All staff and faculty are responsible for managing their records and being familiar with the University's policy and retention schedules. Having staff read and acknowledge the University’s policy or attend training offered by the University records manager both show support of this effort.
  • Is the records inventory up to date? All records created and maintained by the department or office, and their accompanying scheduled destruction dates, should be noted in the inventory
  • Are all records captured using an appropriate system? It’s important to begin managing records at their creation in order to effectively manage them throughout their life cycle. The review should check that the department or office's procedures cover the capture, management, and secure storage of information, as well as whether those policies and procedures are being followed.
  • Are records stored properly? Storage facility conditions and security controls should be studied for potential risks. Current measures to protect records from water and fire damage, proper control of access, and other security threats should be evaluated.
  • Are records disposed of properly? The review should examine records disposal procedures and evaluate compliance with current retention schedules. Submission of properly completed Destruction Certificates should also be reviewed.
  • Are electronic records being managed properly? The integrity and authenticity of records in electronic systems should be evaluated to help ensure that effective processes for accessing, maintaining, storing, and transferring electronic records are in place.
  • Are records securely managed? Records containing confidential information must be managed in a secure manner and disposed of properly. This portion of the compliance review should focus on security controls within electronic, paper, and any other media-based systems. The compliance review should discover whether confidentiality has been breached or put at risk through the deliberate misuse of systems or because of weak, nonexistent, or poorly applied procedures.

Reporting Compliance Review Findings

Compliance review findings should be reported to the appropriate director or program chair. Information learned from the compliance review, such as potential process improvements, should be communicated throughout the department or office. Any changes made as a result of a compliance review should be clearly communicated to staff and incorporated into the department or office's procedures.