Last night speaking at the DFW Audit SIG one of the topics I wished I had gone a little deeper on were controls, and how to gauge their strength.
As I am preparing to interview candidates for a records management position, I thought I would flesh out controls specific to the storage of and access to completed or archived paper records, such as forms, as an example.
These controls are applied at the record or system level and are meant to prevent a potential data integrity issue from occurring.
Generation and Reconciliation of Documents
| Data Criticality | |||
| High | Medium | Low | |
| Unique identifier | For each record | No | No |
| Who performs controlled issuance | Individuals authorized by quality unit from designated unit (limited, centralized) | Individuals authorized by quality unit from (limited, decentralized) | Anyone (unlimited, decrentalized), often user of record |
| Reconciliation | Full reconciliation of record and pages based on unique identifier | Full reconciliation of records and pages based on quantity issued | No reconciliation |
| Controlled print | Yes | Yes | No |
| Bulk printing | No | Yes, by controlled process | Yes |
| Destruction of blank forms | Performed by issuing unit, quality oversight required (High level of evidence) | Performed by the operating or issuing unit, quality unit oversight required | Performed by the individual, quality unit oversight required (periodic walk throughs, self-inspections and audits) |
Storage and Access to completed and archived paper records
| Data Criticality | |||
| High | Medium | Low | |
| Where Stored | Climate-controlled room | Climate-controlled room | Office retention location |
| How Removed & Returned | Limited conditions for removal (e.g. regulatory inspections) method of recording the removal and return of the record(e.g. archive management system, logbook). Most use of documents either in controlled reading area or by scans. | Method of recording the removal and return of the record(e.g., archive management system, logbook). | Method (e.g. logbook) recording of documents checked-in/checked-out |
| Access Control | Card key access with entry and exit documented. | Card key access with entry and exit documented. | Limited key access |
| Periodic User Access Review | Annually | Annually | Every 2 years |
There are also the need to consider controls for paper to electronic, electronic to paper and my favorite beast, the true copy.
For paper records a true copy of a picture of the original that keeps everything – a scan. The regulations state that you can get rid of the paper if you have a true copy. Many things called a true copy are probably not a true copy, to ensure an accurate true copy add two more controls.
| Data Criticality | |||
| High | Medium | Low | |
| Review requirements | Documented review by second person from the quality unit for legibility, accuracy, and completeness | Documented review by second person (not necessarily from the quality unit) for legibility, accuracy, and completeness | Documented verification by person performing the scan for legibility, accuracy, and completeness |
| Discard of original allowed | Yes, as defined by quality unit oversight, unless there is a seal, watermark, or other identifier that can’t be accurately reproduced electronically. | Yes, performed by the operating unit, unless there is a seal, watermark, or other identifier that can’t be accurately reproduced electronically. Quality unit oversight required | Yes, individual can discard original Quality unit oversight required |
Investigations of a Dog 
4 thoughts on “Data Integrity for Record Management”