Content and scope of Step D

• Overview
• Summary of Step D
• Why should you do Step D?
• Case study - issues identified in Step D assessment
• Relationship to other steps

Overview

This section is an introduction to Step D: Assessment of existing systems. This section:

• outlines the aim of Step D, and what it can help you to achieve
• summarises the major elements of Step D
• explains why it is important to undertake Step D for particular DIRKS projects, and
• shows how Step D relates to the other steps in the DIRKS methodology.

Summary of Step D

Step D is the benchmarking step of the methodology.

In Step D you:

• assess all relevant business information systems
• determine whether these systems are in fact recordkeeping systems, capable of meeting your organisation's requirements for record creation and management
• identify the gaps that may exist between your desired or required practice and your actual system operations

This requires you to have a good understanding of your organisation's recordkeeping requirements and to be able to identify and examine current business information systems.

Example: System assessment

In your organisation you have identified that it is necessary for your system to:

• maintain a history of past transactions that can be accessed as evidence of its business activities
• employ recordkeeping controls to facilitate management of this evidence through time.

If your system is not designed to do this, or cannot be modified to do so, your organisation may expose itself to business and accountability risks. You need to assess this system to ensure it is capable of meeting your recordkeeping requirements.

Why should you do Step D?

Step D is the step where you get a concrete understanding of how business is transacted in your organisation and where you determine whether documentation of business transaction is adequate to meet your recordkeeping requirements.

By completing an assessment of your existing business information systems you will develop:

• an understanding of the strengths and weaknesses of your organisation's existing business information systems in terms of their recordkeeping capacities
• an appreciation of your organisation's potential exposure to business and accountability risks (in relation to the performance of your existing systems), and
• an informed basis for developing strategies to address your agreed recordkeeping requirements.

Using this knowledge, Step D will help you to determine whether existing business information systems, as whole or in part, need replacement or redevelopment to help you achieve your business needs.

Case study - issues identified in Step D assessment

The following information comes from an ICAC report, Investigation into the conduct of officers and students at University of Technology, Sydney. It helps to illustrate the types of issues you may identify in your Step D research when assessing your existing systems.

ICAC was investigating alleged improper use of a computerised student record system. A key business requirement in the university environment identified by ICAC is to ensure the integrity of university academic results. This means that records must provide an accurate representation of student results and be protected against alteration or unauthorised deletion. ICAC's investigations revealed that the business information system used to manage student results was not able to meet these key recordkeeping requirements.

Although not an example of a full DIRKS analysis, ICAC used system analysis techniques, similar to those outlined in Step D, to determine weaknesses or gaps in student record systems used across universities in NSW. The weaknesses included:

• absence of full audit trails
• infrequent checks that access levels are appropriate
• exception reports, which alert administrators to system breaches, are not being generated or used adequately
• too many staff with access to 'modify/create' records
• failure to check for and remove 'modify/create' access following staff resignation/changed duties
• failure to automatically remove 'modify/create' access when casual/temporary employment ceases
• students employed by the university having 'modify/create' access to student records

These gaps in the system meant that record integrity could not be assured and therefore this business system was not meeting one of the University's key objectives. The gaps also meant that significant fraud could, and in some instances did, occur. Undertaking a system analysis, based on knowledge of what you know systems should be capable of, will allow you to prevent similar inappropriate action in your organisation and will enable you to ensure that records and the systems that create and manage them, are actually meeting your business requirements and needs.

The example provided in the ICAC report also demonstrates the different types of issues you may identify in the course of your Step D analysis. Some may identify issues applying to the technical applications that are being used, but others will apply to the policy and procedural framework that support the system. For example, ensuring that business rules to remove the rights of former employees from the system are policed would have circumvented many of the issues identified in the ICAC report. [1]

Relationship to other steps

Steps A and B

You may have completed all or parts of Steps A, B and C before undertaking your Step D research. If you have completed these earlier steps they will help you to:

• understand how your organisation operates, and
• understand your business operations

This is important context for your assessment of business information systems.

Step C and an understanding of recordkeeping requirements

Having an understanding of your organisation's recordkeeping requirements is crucial to your Step D analysis. Recordkeeping requirements, as discussed in Step C, are identified needs for evidence and information, derived from internal and/or external sources. Recordkeeping requirements can be satisfied through recordkeeping actions, such as record creation, capture, management and use.

If you have not conducted the earlier steps, you will need to have a good knowledge of your organisation's business needs and the requirements for evidence and information that are derived from this business.

If you have a good idea of the recordkeeping requirements in your organisation, you can use this step as the initial starting point of your DIRKS project, to help you establish a business case for a more extensive recordkeeping project that will result in the redesign of business systems.

Steps E, F and G

Step D is a crucial step if you wish to redesign business systems or develop new recordkeeping systems. You should undertake Step D to have an awareness of your current capacities or issues that relate to your current recordkeeping practices, before you embark upon Steps E, F and G of the methodology.

Undertaking Step D in conjunction with other steps

As has been stated, the DIRKS methodology does not need to be undertaken in a linear way. Therefore it may be feasible for your organisation to undertake Step D in conjunction with your Step A preliminary analysis and organisational assessment. If you are doing a small scale DIRKS project, you may also wish to merge your Step D and E analysis and combine your system assessment with an identification of appropriate strategies for remediation.

Footnotes

[1] ICAC report, Investigation into the conduct of officers and students at University of Technology, Sydney. Accessed via the ICAC website on 14 August 2002 at: http://www.icac.nsw.gov.au/