Manual for the Design and Implementation of Recordkeeping Systems (dirks)

Вид материалаДокументы

Содержание


Investigation into the conduct of officers and students at University of Technology, Sydney, Australia
Подобный материал:
1   ...   24   25   26   27   28   29   30   31   ...   71

Why should you do Step D?


Step D is the step where you get a concrete understanding of how business is transacted in your department/section and where you determine whether documentation of business transaction is adequate to meet your recordkeeping requirements.  

By completing an assessment of your existing business information systems you will develop:
  • an understanding of the strengths and weaknesses of your department/section's existing business information systems in terms of their recordkeeping capacities
  • an appreciation of your department/section's potential exposure to business and accountability risks (in relation to the performance of your existing systems), and
  • an informed basis for developing strategies to address your agreed recordkeeping requirements.

Using this knowledge, Step D will help you to determine whether existing business information systems, as whole or in part, need replacement or redevelopment to help you achieve your business needs. 

Case study


The following information comes from an Australian Independent Commission Against Corruption (ICAC) report, ^ Investigation into the conduct of officers and students at University of Technology, Sydney, Australia. It helps to illustrate the types of issues you may identify in your Step D research. 

ICAC was investigating alleged improper use of a computerized student record system. A key business requirement in the university environment identified by ICAC is to ensure the integrity of university academic results. This means that records must provide an accurate representation of student results and be protected against alteration or unauthorised deletion. ICAC's investigations revealed that the business information system used to manage student results was not able to meet these key recordkeeping requirements. 

Although not an example of a full DIRKS analysis, ICAC used system analysis techniques, similar to those outlined in Step D, to determine weaknesses or gaps in student record systems used across universities in NSW. The weaknesses included:
  • absence of full audit trails
  • infrequent checks that access levels are appropriate
  • exception reports, which alert administrators to system breaches, are not being generated or used adequately
  • too many staff with access to 'modify/create' records
  • failure to check for and remove 'modify/create' access following staff resignation/changed duties
  • failure to automatically remove 'modify/create' access when casual/temporary employment ceases
  • students employed by the university having 'modify/create' access to student records

These gaps in the system meant that record integrity could not be assured and therefore this business system was not meeting one of the University's key objectives. The gaps also meant that significant fraud could, and in some instances did, occur. Undertaking a system analysis, based on knowledge of what you know systems should be capable of, will allow you to prevent similar inappropriate action in your department/section and will enable you to ensure that records and the systems that create and manage them, are actually meeting your business requirements and needs. 

The example provided in the ICAC report also demonstrates the different types of issues you may identify in the course of your Step D analysis. Some may identify issues applying to the technical applications that are being used, but others will apply to the policy and procedural framework that support the system. For example, ensuring that business rules to remove the rights of former employees from the system are policed would have circumvented many of the issues identified in the ICAC report. [1]

Relationship to other steps

Steps A and B


You may have completed all or parts of Steps A, B and C before undertaking your Step D research. If you have completed these earlier steps they will help you to:
  • understand how your department/section operates, and
  • understand your business operations

This is important context for your assessment of business information systems. 

Step C and an understanding of recordkeeping requirements


Having an understanding of your department/section's recordkeeping requirements is crucial to your Step D analysis. Recordkeeping requirements, as discussed in Step C, are identified needs for evidence and information, derived from internal and/or external sources. Recordkeeping requirements can be satisfied through recordkeeping actions, such as record creation, capture, management and use. 

If you have not conducted the earlier steps, you will need to have a good knowledge of your department/section's business needs and the requirements for evidence and information that are derived from this business.

If you have a good idea of the recordkeeping requirements in your department/section, you can use this step as the initial starting point of your DIRKS project, to help you establish a business case for a more extensive recordkeeping project that will result in the redesign of business systems.

Steps E, F and G


Step D is a crucial step if you wish to redesign business systems or develop new recordkeeping systems. You should undertake Step D to have an awareness of your current capacities or issues that relate to your current recordkeeping practices, before you embark upon Steps E, F and G of the methodology. 

Undertaking Step D in conjunction with other steps


As has been stated, the DIRKS methodology does not need to be undertaken in a linear way. Therefore it may be feasible for you to undertake Step D in conjunction with your Step A preliminary analysis and organizational assessment. If you are doing a small-scale DIRKS project, you may also wish to merge your Step D and E analysis and combine your system assessment with an identification of appropriate strategies for remediation.