Is Your Records Management Program Audit-Ready?


If your business maintains Personally Identifiable Information (PII) or Protected Health Information (PHI) of any kind, hopefully, you are always prepared for an unexpected event. One day, one of those unexpected events may be an audit. Audits are designed to ensure that you are fulfilling your legal obligation of keeping your documents properly organized and secure. Are you prepared for an auditor to unexpectedly show up at your business? Here, we’ll share ways to help you be prepared, so you don’t get a nasty surprise.


  1. File Indexing and Inventory

Good file indexing and inventory involves knowing the content of every file, in every box, and being able to quickly and easily retrieve it. Your auditor will want to be able to call for specific file content and confirm it is easily accessible. Ask yourself:

    • Are your records tracked with bar codes?
    • Are they sorted by file type, department, or retention period?
    • Are the files available 24/7?

Impress your auditor with a well-organized file system and it will likely make the process much smoother.

  2. File Retention Periods

An auditor will expect your retention dates to be closely monitored and files to be destroyed promptly after their expiry dates. An auditor wants to make sure you are reducing the risk of an information breach. They will check that, when documents are disposed of, secure collection containers are available to keep the documents secure until they are shredded. The lifecycle of your files from cradle to grave should also be well-documented and available for the auditor’s examination.

  3. Chain of Custody

It’s clear that a well-defined paper trail of the life of your documents is required. From the moment information is created until the time it is destroyed, all of the changes and uses of the information should be documented, including a Certificate of Destruction at the end of the lifecycle. Well-documented processes are an indication of attention given to security and organized records management.

  4. Regulation Compliance

Are all of your practices lining up with the requirements of these laws that mandate the secure destruction of PII and PHI?

    • The Health Insurance Portability and Accountability Act (HIPAA)
    • The Fair and Accurate Credit Transactions Act (FACTA)
    • The Gramm-Leach-Bliley Act (GLBA)


Your goal for an audit is to have your records management plan in place to give the auditor full confidence that your company has a compliant and organized records management system. Neglecting to do so will make the audit process more stressful and may result in legal fines.


Some companies that handle their own records must have dedicated staff who are trained in records management and committed to maintaining a compliant, perpetually audit-ready system. Depending on the size and type of business you operate, this may be an added cost and process you can’t afford to maintain.

One solution is to utilize the knowledge and trained personnel of a professional off-site document storage company. They can ensure your organization is compliant, organized, legal and ready for a surprise audit. Better yet, a records management company which also offers shredding services will ensure your expired files are destroyed on site, greatly reducing costly data breach risks.

CI Information Management is NAID AAA Certified and provides records and information management services, including secure shredding and destruction, to most of Southeastern and Central Washington State and Northeast Oregon. To make sure you are always ready for a records management audit, give us a call at 509-586-6090 or complete the form on this page.