Information audit and compliance audit: two concepts which should not be confused
Thursday, 27 October 2011 22:20

Preparing different materials on the series of standards ISO 30300 (Management systems for records), in whose implementation (as in all management systems) the audit process is key, I've noticed that among information and document management professionals the term audit is sometimes used to name different processes and activities which it is better not to confuse.

Information audit has been defined and explained by many authors. It has a Wikipedia entry, and among the best specialists is the Spaniard Cristina Soy, who has written a book on the subject as well as various articles. Information audit is defined as a tool for the systematic analysis of the use of resources and information flows, in order to establish the extent to which they are contributing to organizational goals. It is a powerful tool for information system design and for implementing information, document and evidence management projects within organizations. When an information audit is initiated, the first goal is to identify the information resources.


The findings of an information audit can be useful in different contexts, such as the creation or evaluation of an information service, the implementation of an intranet or any other information management system, or the definition of an information management strategy. They can even help to meet one of the operational requirements of ISO 30301 (A.1.1.): "All operational, reporting, audit and other stakeholders’ needs for information (captured as records with appropriate metadata) about the organization’s processes shall be identified, and documented systematically".

But the internal audit established in the framework of management systems (as in ISO 30301) is not the same type of audit. These audits of management systems could be called compliance or conformity audits, and their main purpose is to verify compliance with requirements previously established (in the standards). The main action is checking, one by one, the requirements set out in a previously established list. If one of the requirements is not satisfied, a non-conformity is produced. The non-conformity should be eliminated through corrective action.


In compliance audits of ISO 30301, both the requirements on management system processes and the requirements on records processes need to be checked.

The two types of audit are different methodologies that share their most basic purpose: improving the organization's effectiveness in meeting its objectives.

Last Updated on Thursday, 27 October 2011 22:35