Internal process audits for recordkeeping
What is an internal process audit?
An internal process audit is an in-depth analysis of a process, program, system or service. It is essentially a structured review of an organisational process to determine its efficiency and effectiveness and identify where improvements can be made.
Internal process audits are a form of performance monitoring.
Why conduct an internal process audit of recordkeeping?
Monitoring of records and information management is a shared responsibility between State Records NSW and public offices.
To comply with the monitoring requirements set out under the State Records Act 1998, public offices should conduct an internal process audit as part of their monitoring program to:
- ensure that recordkeeping systems and processes are satisfactory
- comply with the mandatory standards and the Code of Best Practice
- verify that records are reliable and trustworthy [1]
- ensure that recordkeeping is meeting business needs.
Results of this audit can be used by a public office to support and inform their responses when completing the Records Management Assessment Tool (RMAT).
[1] See section 5.2.2 of AS ISO 15489.1:2017 Information and documentation – Records management, Part 1: Concepts and principles for further information about the key characteristics of trustworthy records. AS ISO 15489.1:2017 has been issued as a Code of Best Practice under the State Records Act 1998.
What is involved in an internal audit process?
An internal audit process involves:
- Planning
  - developing the scope of the audit
  - criteria for assessment and the project plan
  - reviewing work process analysis
  - recordkeeping requirements
  - business rules documentation for the process/activity/system to be audited.
- Fieldwork
  - conducting interviews with business units and system owners and inspecting or examining documentation
  - verifying the creation and management of records as per the recordkeeping requirements and documented business rules for the process
  - verifying the implementation of appropriate controls on systems holding records to ensure that the records are reliable and trustworthy.
- Reporting
  - drafting a report of the findings
  - providing recommendations for corrective actions and improvement.
A public office can determine efficiency and effectiveness by:
- evaluating progress towards targets set in records and information management policies or strategies
- benchmarking against the Standard on records management, the Standard on the physical storage of State Records or AS ISO 15489
- using the Records Management Assessment Tool
- identifying risks.
For further information, see Performance Monitoring under Monitoring activities.
Resources are also available from other NSW Government entities:
- Performance Audit resources for State entities, Local Government and Universities (Audit Office of NSW)
- Internal Audit and Risk Management Policy for the General Government Sector (NSW Treasury)
Who should be conducting a process audit? Does it need to be a records and information management professional?
Ideally, the process should involve significant input from the records and information management team in the organisation. It will, however, likely be led by the audit and compliance team.
Seeking assistance from an independent or external auditor may provide further credibility and objectivity – or expertise should the organisation not have in-house records and information management specialists.