Records management programs are often neglected when internal auditors conduct their annual risk assessments. Consequently, many organizations are left more vulnerable to regulatory penalties, steep legal costs and faulty business decisions. To mitigate these risks, an organization must have a sound information governance program—a strategic framework comprising standards, processes, roles and metrics that hold the organization accountable for managing information in ways that align with its goals.
Driving the urgency for sound information governance, and therefore for measuring its success through audits, is the explosion in electronically stored information (ESI). According to StoredIQ, companies with annual revenues of at least a billion dollars typically spend between 2.5 million and four million dollars a year on legal discovery of electronic files alone.
A records retention policy that prescribes what must be kept, for how long, and when it may be disposed of can help manage discovery costs and limit corporate liability: records that must be retained can be located and produced when demanded, and records past their retention period are disposed of defensibly rather than accumulating as discoverable material. The cost of failing to produce retained records is illustrated by Morgan Stanley, which agreed to pay 15 million dollars to settle a civil action brought by the US Securities and Exchange Commission (SEC) for failing to produce tens of thousands of emails requested during SEC investigations from 2000 to 2005.
Adding to the challenges that stem from the explosive growth in records are the Federal Rules of Civil Procedure (FRCP) requirements for the production of ESI, as UBS Warburg learned when a jury awarded the plaintiff 29.2 million dollars after the firm failed to produce all relevant ESI. In Zubulake v. UBS Warburg LLC, 217 F.R.D. 309, 312 (S.D.N.Y. 2003), what began as an employment discrimination action in federal court escalated after the defendant produced only about 100 emails in response to the plaintiff's request to produce "all documents concerning any communication by or between UBS employees concerning Plaintiff." The plaintiff learned that UBS Warburg had not searched its backup tapes containing archived emails, which provoked a long discovery battle that resulted not only in monetary sanctions against UBS Warburg but also an "adverse inference" instruction at trial, under which the jury was permitted to presume that the missing emails would have been unfavorable to UBS.
These few examples represent dozens, if not hundreds, of instances of the repercussions of poor information governance. It is incumbent, then, on internal auditors to be able to assure an organization that its recordkeeping processes are consistent across all business units and that records are retained, secured and disposed of in a manner consistent with its regulatory and policy requirements.
For more information on how to build a solid information governance program, visit ARMA International for its Generally Accepted Recordkeeping Principles® and Information Governance Maturity Model, which can be used to assess records management programs and practices. Together, they will help internal auditors and others identify the gaps between an organization's current practices and the desired level of information governance maturity.