Does the thought of going through an audit scare you? What is an audit? According to The American Heritage Dictionary, an audit is – An examination of records or financial accounts to check their accuracy or confirm adherence to policy or regulation. And what does an auditor do? Performs verification and substantiation procedures. And what types of audits are there? Financial, compliance, internal, security and many more.
Audits are not something that most of us enjoy going through. Not for nefarious reasons, but mostly because of the extra time demands and that feeling of uncertainty about providing the required information. Your accounting system or ERP has been designed to collect and keep your transaction information. However, can your auditor verify and substantiate the transactions or adherence to policies by matching it to your supporting documentation? If not, you need to take a system of record approach to documentation and you’ll say “bring on the auditors”.
Let’s take the simple paid invoice as an example. In the accounting system there is a record of the invoice and a payment to a vendor for an amount. The auditor can verify the transaction by asking for a copy of the invoice, approval and bank statement to show it was actually due and paid. You can sleep easy if you can pull those documents together and can prove they were the final, unaltered copies. If you can’t produce that information, then you’re not following a system of record approach to document management.
Let’s take another example. Your ESG policy says you will perform quarterly tests of your hiring practices to ensure you are not discriminating. Your HR system can easily produce the report of new hires and relevant classifications. But where did you save the report for that quarter and the corresponding new hire applications? And where did you save the evidence that someone actually reviewed the information and confirmed the results met the policy? If you can’t do that, your methods are not part of a system of record.
A good system of record has the following characteristics. First, documents need to be easy to associate to the underlying data. For example, electronic invoicing systems keep the invoice image attached to the data throughout the process. Second, the documentation needs to be confirmed as final and valid, ie. who, what, where and when, otherwise known as logging. Third, the documentation needs to be protected for accidental or intentional deletion or alteration. Lastly, the documentation needs to show that it was actually reviewed and when and by whom, aka workflow.
If your document management system doesn’t have these characteristics, then it isn’t a system of record and it would explain why you are scared of audits. Storing files on a network drive or in a folder based system doesn’t meet these requirements. You could store the record copies of your important documents in locked file cabinets, but then you have to deal with auditors coming to your office and well, you’re still using file cabinets.