How much effort is required to undertake a self-audit?

It is anticipated that the self-audit process will take approximately 24-30 hours (or, at six hours per day, four to five days).

Each individual task is allocated an estimated effort requirement, although, depending upon the scale and scope of repository operations, and the degree of scrutiny with which the assessment is conducted, this may vary, occasionally substantially.

In reality, the core activity, the conception and management of an organisational risk register, is something that is never finalised, and requires reassessment over time to ensure its ongoing relevance and applicability. Nevertheless, the initial 'first-run' breakdown might be expressed as follows:

Stage 1: Identify organisational context

(approximately 3 hours of effort required)

The level of detail and granularity of the answers within this stage determines to a significant extent the quality of risk identification and assessment at subsequent stages of the self-audit. Greater investment at this point is likely to contribute to a reduction of the effort required during subsequent stages. Pre-audit effort should be spent aggregating the documentation necessary to complete this stage of the self-audit process, and engaging with repository staff to determine the extent of organisational objectives, activities and, ultimately, risks.

Stage 2: Document policy and regulatory framework

(approximately 2-3 hours of effort required)

The time required to complete this stage will depend on the auditor's general knowledge of the repository's legal and regulatory context, knowledge of and access to contractual agreements, and knowledge of standards that may apply to the repository. The list of all legal, regulatory and contractual obligations and strategic policy documents should be presented with rich details and appropriate references. The primary time investment is expected to go into finding and analysing the documentation and sources to form the list of relevant regulatory requirements. Once these lists are compiled the organisation should undertake to keep them up-to-date, as they will provide a valuable resource for responding to the frameworks in which the organisation exists and will be required for future audits.

Stage 3: Identify activities, assets and their owners

(approximately 2-4 hours of effort required)

The time allocated to this stage should be used to identify the repository's activities and to consider its activities, assets and staff as an interlinked organism. Unless existing and up-to-date business classification schemes and inventories of assets and technology are available, these will have to be created as part of this stage.

Before starting Stage 3, auditors should:

  • have a general understanding of the organisation and the contexts within which it operates
  • obtain managerial support to undertake the analysis of business activity
  • acquire a list of repository staff and their responsibilities
  • determine whether the organisation has previously analysed and documented its activities and work processes

If the repository has been analysed for other purposes it may be possible to draw on the results of such work, rather than starting from scratch. Projects that may involve an analysis of activities include:

  • business process re-engineering
  • imaging and workflow automation
  • activity-based costing or management
  • business classification development
  • quality accreditation
  • system implementation

If the analysis arising from such projects is available, auditors will need to consider how, why and when the projects were undertaken to determine whether their findings are applicable to the audit exercise. Lists, registers or inventories of assets and technology may have been compiled for various purposes during analyses of business, compliance studies, audits or contingency planning exercises. Most organisations maintain an inventory of IT hardware, software and their licences and of other tangible assets; these may be obtainable from relevant sections within the organisation. Before moving to the next stage, auditors should engage with appropriate repository colleagues to seek an endorsement of the completeness and correctness of the identified activities and assets.

Stage 4: Identify risks

(approximately 4-6 hours of effort required)

The straightforwardness with which risks can be derived will be strongly influenced by the degree of granularity with which the auditor has already defined activities and assets. Risks might be derived more efficiently from a greater number of finely defined activities than from a handful of broadly stated examples. DRAMBORA provides a list of example 'off the shelf' risks from which auditors can choose those that are relevant to their own repository, facilitating and expediting this initial stage of risk register development. During this stage, auditors should solicit suggestions from appropriate repository colleagues of pertinent risks, classified according to their association with particular activities and assets and refer to the results of any risk-assessment exercises that have already been undertaken within the organisation, or to any continuity plans already conceived.

Stage 5: Assess risks

(approximately 4 hours of effort required)

In order to complete this stage, auditors will need access to policy documentation that describes risk avoidance and treatment mechanisms; internally or externally generated documentation that provides an evidence base or justification for probability or potential impact values; relevant external documents and sources, such as legislation, standards, codes of practice; and additional repository personnel with knowledge of risks associated with particular aspects of the repository.

Stage 6: Manage risks

(approximately 4 hours of effort required)

Although the number of identified risks will determine how many times the risk mitigation measures have to be considered, the type, severity and ease of treatment of those risks have a significant impact on how much effort has to be invested here. Ultimately, the time required to complete this stage depends on how seriously the repository and its senior management are prepared to undertake the risk management exercise. Time spent considering, planning and deciding how to address the identified risks can only benefit the repository and protect its business activities in the longer term.