Assessing Compliance

A sound records management program includes a mechanism for auditing compliance. A compliance review assesses adherence to University policy and may improve the overall efficiency of the department or office undertaking the review. Conducting regular reviews also provides an opportunity to identify and monitor areas in need of improvement. Department heads should set and follow a regular time frame for conducting reviews.

Records management has been identified as a key component of Emory's overall Compliance Program and is central to the University's ability to meet multiple elements of the program. Review the Emory University Compliance Program Manual (PDF) for more information.

Establishing a Compliance Review Program

Defining the Scope of a Compliance Review

Compliance Review Components

A compliance review should answer the following questions:

Are records management responsibilities clearly documented? A department or office that is successfully managing their records will have a designated records liaison with responsibilities clearly outlined in their job description and procedures in place for managing records.
Is records management education and training provided regularly? All staff and faculty are responsible for managing their records and being familiar with the University's policy and retention schedules. Having staff read and acknowledge the University’s policy or attend training offered by the University records manager both show support of this effort.
Is the records inventory up to date? All records created and maintained by the department or office, and their accompanying scheduled destruction dates, should be noted in the inventory.
Are all records captured using an appropriate system? It’s important to begin managing records at their creation in order to effectively manage them throughout their life cycle. The review should check that the department or office's procedures cover the capture, management, and secure storage of information, as well as whether those policies and procedures are being followed.
Are records stored properly? Storage facility conditions and security controls should be studied for potential risks. Current measures to protect records from water and fire damage, proper control of access, and other security threats should be evaluated.
Are records disposed of properly? The review should examine records disposal procedures and evaluate compliance with current retention schedules. Submission of properly completed Destruction Certificates (PDF) should also be reviewed.
Are electronic records being managed properly? The integrity and authenticity of records in electronic systems should be evaluated to help ensure that effective processes for accessing, maintaining, storing, and transferring electronic records are in place.
Are records securely managed? Records containing confidential information must be managed in a secure manner and disposed of properly. This portion of the compliance review should focus on security controls within electronic, paper, and any other media-based systems. The compliance review should discover whether confidentiality has been breached or put at risk through the deliberate misuse of systems or because of weak, nonexistent, or poorly applied procedures.

Reporting Compliance Review Findings