This document is an HTML formatted version of a printed document.
The printed document may contain agency comments, charts, photographs,
appendices, footnotes and page numbers which may not be reproduced in this
electronic version. If you require a printed version of this document
contact the United States Securities and Exchange Commission, Office of
Inspector General, Mail Stop 11-7, 450 Fifth Street N.W., Washington, D.C.
20549 or call (202) 942-4460.
Automation of Records Management
Audit Report No. 262
September 29, 1997
We found that for the most part, the Commission has adequate electronic records management policies and procedures. We are recommending several improvements, including coordinating records management with information resources management; establishing procedures to ensure proper disposition of unneeded electronic data; and performing periodic reviews of electronic records systems as required. The Office of Information Technology (OIT) and the Office of Filings and Information Services (OFIS) generally concurred with our findings and have already begun to implement our recommendations. Comments from OFIS are attached.
Objectives and Scope
Our objective was to determine if the Commission has established adequate policies and procedures for electronic records, and to identify possible enhancements to electronic records management.
During the audit, we reviewed available documentation, tested controls, and interviewed staff at the National Archives and Records Administration (NARA) and at Commission offices and divisions, especially the Offices of Filings and Information Services (OFIS) and Information Technology (OIT). The audit was performed in accordance with generally accepted government auditing standards between January and June, 1997.
In 36 Code of Federal Regulations 1234, "Electronic Records Management," NARA established requirements for the creation, maintenance, use, and disposition of electronic records. Also, the Office of Management and Budget (OMB) included records management in its Circular A-130 on information resources management.
At the Commission, the Office of Filings and Information Services has primary responsibility for implementing policies and procedures concerning electronic records management. Commission guidance includes Administrative Regulation SECR 7-6 for electronic records, and SECR 5-10 for electronic mail.
A recent amendment to the Freedom of Information Act requires that agencies make records created on or after November 1, 1996 available electronically.
We found that for the most part, the Commission has adequate policies and procedures for management of electronic records. However, we are recommending several enhancements, as discussed below.
Information Resources Planning and Development
Currently, electronic records management is not coordinated with OITís information resources management program. OIT does not have procedures to ensure consultation with OFIS on records management issues when application systems are developed and modified.
OMB and NARA both require the coordination of information resources management and records management. Adequate consideration of records management issues during systems development helps ensure that the systems provide adequate, cost-effective records which meet user needs and regulatory requirements.
In the past, the Commission did not view records management as part of information resources management. Records management was seen as mostly involved with paper files, while information resources were viewed as computer hardware, software, and data. Also, since different offices were involved (i.e.,OFIS and OIT), coordination of these functions was more difficult.
OIT should include records management in its information resources management planning.
In consultation with OFIS, OIT should develop procedures to ensure that records management issues (including recordkeeping requirements and disposition) are considered before approving new electronic records systems or enhancements to existing systems.
We reviewed a listing of records, that had not been used in at least three years, maintained on magnetic tape (tape) by OIT. Of the 12,300 records in this listing, 11,900 were designated as "permanent." Many of these records included systems monitoring information for which permanent retention is not necessary. In fact, many of these systems monitoring records appeared duplicative.
Examples of permanent records include registration statements and annual reports. NARA approves designations of permanent records. If records are not permanent, they are subject to disposition according to the applicable records retention schedules.
Inappropriate use of the "permanent" designation could result in unnecessary accumulations of records. The tapes on which these records are stored cost money to store and maintain, and occupy space that could be put to better use.
The users of the records requested permanent retention because they felt the information might be useful in the future, and did not want to delete the records. OIT had no procedures for periodic user verification of the continued need for records stored on tape.
Users are responsible for applying the appropriate retention schedules to their records. Deletions, additions, and modifications to these schedules must comply with NARA regulations.
During the audit, OIT identified and deleted many of its duplicative records stored on tape. It is continuing to delete unneeded records and to correct the cause of the duplication.
In consultation with OIT, OFIS should provide procedures and training to users for designating records as permanent.
OIT should generate a periodic list of records maintained on tape for each user. It should ask users to review the list, and to consult with OFIS on any actions taken concerning the records, to ensure compliance with NARA guidelines. OIT should research cost-effective ways to maintain the records.
NARA requires agencies to perform periodic reviews of their electronic records systems.
The reviews are to determine if applicable agency policies and procedures are followed,
and records have been properly identified and scheduled. Because of OFISís workload and
other priorities, OFIS has not performed the required reviews.
OFIS should perform periodic reviews of the Commissionís electronic records systems as required by NARA.
Electronic records management includes addressing records management requirements during development or enhancement of ADP systems and reviewing electronic systems for proper identification and scheduling of records. OFIS indicated that its records management staff has had basic electronic records management training (e.g., e-mail and EDGAR). However, to perform these functions, records management staff will need more extensive training.
OFIS should provide additional training in electronic records management to its staff as appropriate. The Office of Administrative and Personnel Management should provide the appropriate assistance to OFIS.