This article is written like a research paper or scientific journal that may use overly technical terms or may not be written like an encyclopedic article.(April 2022) |
The information audit (IA) extends the concept of auditing from a traditional scope of accounting and finance to the organisational information management system. Information is representative of a resource which requires effective management and this led to the development of interest in the use of an IA. [1]
Prior the 1990s and the methodologies of Orna, Henczel, Wood, Buchanan and Gibb, IA approaches and methodologies focused mainly upon an identification of formal information resources (IR). Later approaches included an organisational analysis and the mapping of the information flow. This gave context to analysis within an organisation's information systems and a holistic view of their IR and as such could contribute to the development of the information systems architecture (ISA). In recent years the IA has been overlooked in favour of the systems development process which can be less expensive than the IA, yet more heavily technically focused, project specific (not holistic) and does not favour the top-down analysis of the IA. [2]
A definition for the Information Audit cannot be universally agreed-upon amongst scholars, however the definition offered by ASLIB received positive support from a few notable scholars including Henczel, Orna and Wood; “(the IA is a) systematic examination of information use, resources and flows, with a verification by reference to both people and existing documents, in order to establish the extent to which they are contributing to an organisation’s objectives” [3] In summary, the term audit itself implies a counting, [4] the IA being much the same yet it counts IR and analyses how they are used and how critical they are to the success of a given task.
In much the same way as the IA is difficult to define, it can be utilised in a range of contexts by the information professional, [5] from complying with freedom of information legislation to identifying any existing gaps, duplications, bottlenecks or other inefficiencies in information flows and to understand how existing channels can be used for knowledge transfer [6]
In 2007 Buchanan and Gibb developed upon their 1998 examination of the IA process by outlining a summary of its main objectives:
Furthermore, Buchanan and Gibb went on to state that the IA also had to meet the following additional objectives:
In 1976 Riley first published a definition of IA as a way of analysing IR based on a cost-benefit model. Since Riley, scholars have outlined further developed methodologies. Henderson took a cost-benefit approach hoping to draw focus from manpower-costing to information storage and acquisition which he felt was being overlooked. In 1985 Gillman focused upon identifying the relationships which existed between various components in order to map them to one another. Neither Henderson nor Gillman’s methods offered alternative approaches beyond the existing organisational frameworks. Quinn took a hybrid-approach combining Gillman and Henderson’s methods to identify the purpose of existing IR and to position them within the organisation, as did Worlock. The differentiator between Quinn and Worlock lay in Worlock’s consideration of solutions outside of the current organisational structure. These approaches had thus far had paid little attention to the needs of the user or in making structured recommendations for the development of a corporate information strategy. [7] Therefore, here follows a brief outline and overall comparison of four published strategic approaches in order that one might understand the development of the IA methodology.
In 1988 Burk and Horton developed InfoMap, the first IA methodology developed for widespread use. It aimed to discover, map and evaluate the IR within an organisation using a 4-stage process:
Although the method inventoried all IR (and therefore met standard ISO 1779) this bottom-up approach revealed limited analysis of the organisation holistically and the steps were not explicit enough. [8]
Orna produced a top-down methodology in contrast to Burk and Horton, placing emphasis upon the importance of organisational analysis and aimed to assist in the production of a corporate information policy. Initially the method had just 4-stages, this later revised to a 10-stage process which included pre and post-audit stages as below:
Orna’s method introduced the need for a cyclical IA to be put in place in order for the IR to be continually tracked and improvements made regularly. Again this method was criticised for lacking some practical application and in 2004 Orna revised the methodology once more to try to rectify this problem [8]
In 1998, similarly to Orna's earlier publication, Buchanan and Gibb took a top-down approach, drawing techniques from established management disciplines to provide a framework and a level of familiarity for information professionals. This set of techniques was a notable contribution to IA methodologies [8] and understood the need to be flexible for each organisation. Theirs was a 5-stage process:
This was the introduction of a new approach to costing the IR and had an integrated strategic direction, yet the scholars admitted that this method may be impractical for smaller organisations. [9]
Henczel’s methodology drew upon the strengths of Orna and Buchanan and Gibb to produce a 7-stage process: [10]
Focus was made once more on the strategic direction of the organisation conducting the IA. Furthermore, Henczel made examination into the use of the IA as a first-step in the development of a knowledge audit or knowledge management strategy [11] as discussed in the later section.
Scholars and information professionals have since tested the above methodologies with varied results. An early case study produced by Soy and Bustelo in a Spanish financial institution in 1999 aimed to identify the use of information resources for qualitative and quantitative data analysis due to the rapid expansion of the organisation within a six-year period. [12] Although the methodology was not explicitly credited to any of the above-mentioned scholars, it did follow a strategic (post 1990's) IA process including gaining support from management, the use of questionnaires for data collection, analysis and evaluation of the data, identification and mapping of the IR, cost-analysis and outlining recommendations to assist with the establishment of an Information policy. In addition the IA report suggested that the process would need to be continual (cyclical as Orna, Henczel and Buchanan and Gibb suggest). Conclusions of this case-study stated that the IA allowed a greater understanding of the basis of the organisation's information policy and personnel and identified technical problems within the organisation. In addition this method was believed to be cost and time-effective to the two auditors involved and the organisation used the results of the IA as a marketing tool to promote services users may not have been previously aware of. [13]
In 2006 a paper testing the 'viability' of Henczel's methodology was published in the South African Journal of Library and Information Science. The purpose of the study was to determine the financial position of an organisation (Statistics SA) through a report of financial statements made over a period of time. The IA was used as part of the holistic audit process and was limited to just the methodology of Henczel after consideration and dismissal of others. [14] The IA followed the seven-stage process as outlined above (planning, data collection, analysis, evaluation, communicating and implementing recommendations and the IA as a continuum) and the objectives were outlined as identifying the needs of respondents, identifying information sources and their significance, mapping information flow and identifying gaps in available sources.
Upon conducting the IA several recommendations were made including making print the preferred format for information and that the library should be responsible for missing information and address this in a development plan. Finally, advantages and disadvantages to this methodology were identified. It was reported that the methodology was flexible in its application as it provided a framework which could be adjusted to suit the needs of an organisation, that the scope could be easily expanded to cover more objectives and that guidelines for data collection and analysis were varied. Secondly it was felt that the methodology was cost-effective as it made use of existing resources (email, workspace etc.). The greatest disadvantage reported was that the process was 'cumbersome' and that the researcher became weary with the repetitive nature of the planning process.
In conclusion, the study reported that Henczel's methodology had allowed the information professionals to effectively manage the information management activities of the public sector organisation in question. [15] Positively it had been viewed as cost-effective and depicted a snapshot of the use of information in the organisation, yet it had been a 'cumbersome' process with some repetition within the planning phases.
In 2007 Buchanan and Gibb published another examination of the IA to include case studies of their own methodology, an element they had been previously criticised for not including. [16] In the first case study conducted in a university research department, the objectives were to identify how effective information flow within the department was and what improvement would be required. The methodology was tailored to the study by removing the costing stage and establishing a workgroup to assist at various stages of the process, whilst all other stages remained as per the above (promote, identify, analyse and synthesise). Recommendations were made by the auditor towards greater synergy and systems analysis and it was found that staff immediately recognised the value of this output. [17]
The second case study dealt with a public body within the arts sector with the objectives to streamline evaluation and approval processes and to improve communications between stakeholders. The sponsor also specified that a list of recommendations were required to be incorporated into a change management programme and this aligns well to Buchanan and Gibb's strategic directional method. The IA methodology was scoped to be primarily resource-orientated and once again the costing stage was removed. All else remained as per the original methodology. The IA output recommended that for all organisational processes a shift was needed from process-modelling to capturing process descriptions. [18]
The main strengths identified in Buchanan and Gibb's methodology were its logical structuring of stages, provision of tools, inclusive process for stakeholders, adequate illustration of the role of effective Information Management within an organisation and much like Henczel, the flexibility to tailor the methodology. Their scope matrix was also proven to be useful. A weakness lay still in the limited instructional depth which affected the qualitative data analysis. As regards the applicability of this method, the costing stage was not included in either study and that this might suggest it is not required in an information audit. Further study is required to produce a more conclusive analysis of the methodology. [19]
The conclusions of the case studies suggested that further development into the methodologies for IA was needed to include further explanation of tools, techniques, templates, interview preparation, process modelling and analysis. In 2008 Buchanan and Gibb drew comparisons from the published IA methodologies of the following scholars: Burk and Horton, Orna, Buchanan and Gibb and Henczel, with the purpose of understanding if a hybrid-methodology could be produced as a ‘baseline’ from all four.
The hybrid-methodology was formed of seven stages and is as below:
However, Buchanan and Gibb themselves declared that this should not be considered a conclusive comparison as it is high-level "and does not assess how well each methodology addresses each stage." [20]
In more recent years, since the development of the top-down methodologies, IA have been used as a basis for the development of a knowledge audit, which itself in-turn contributes to an organisation's knowledge management strategy. Once complete, the IA allows examination into where knowledge is produced, where there may be need for further input and where knowledge transfer is required. Furthermore, this analysis develops strategy for knowledge capture, access, storage, dissemination and validation. [21] Dissimilarly to the IA, the objectives of the knowledge audit are to identify any people-related issues which impact the ways in which knowledge is created, transferred and shared and to identify where knowledge could be captured, where it is required and then determine how best to undertake a knowledge transfer as "unlike information, knowledge is bound to a person, organisation or community." [22] Similarities between the knowledge and information audit methodologies can be noted however, as questionnaires, the development of an inventory, analysis of flow and a data map [23] are here again used. The importance of this audit therefore is to understand the strategic significance of an organisation's knowledge assets to ensure management is focused to those areas it is specifically required.
Project management is the process of leading the work of a team to achieve all project goals within the given constraints. This information is usually described in project documentation, created at the beginning of the development process. The primary constraints are scope, time, and budget. The secondary challenge is to optimize the allocation of necessary inputs and apply them to meet pre-defined objectives.
Systems engineering is an interdisciplinary field of engineering and engineering management that focuses on how to design, integrate, and manage complex systems over their life cycles. At its core, systems engineering utilizes systems thinking principles to organize this body of knowledge. The individual outcome of such efforts, an engineered system, can be defined as a combination of components that work in synergy to collectively perform a useful function.
In management accounting or managerial accounting, managers use accounting information in decision-making and to assist in the management and performance of their control functions.
Evaluation is a systematic determination of a subject's merit, worth and significance, using criteria governed by a set of standards. It can assist an organization, program, design, project or any other intervention or initiative to assess any aim, realisable concept/proposal, or any alternative, to help in decision-making; or to ascertain the degree of achievement or value in regard to the aim and objectives and results of any such action that has been completed. The primary purpose of evaluation, in addition to gaining insight into prior or existing initiatives, is to enable reflection and assist in the identification of future change. Evaluation is often used to characterize and appraise subjects of interest in a wide range of human enterprises, including the arts, criminal justice, foundations, non-profit organizations, government, health care, and other human services. It is long term and done at the end of a period of time.
Broadly speaking, a risk assessment is the combined effort of:
Benchmarking is the practice of comparing business processes and performance metrics to industry bests and best practices from other companies. Dimensions typically measured are quality, time and cost.
Information management (IM) concerns a cycle of organizational activity: the acquisition of information from one or more sources, the custodianship and the distribution of that information to those who need it, and its ultimate disposal through archiving or deletion.
In systems engineering, information systems and software engineering, the systems development life cycle (SDLC), also referred to as the application development life-cycle, is a process for planning, creating, testing, and deploying an information system. The systems development life cycle concept applies to a range of hardware and software configurations, as a system can be composed of hardware only, software only, or a combination of both. There are usually six stages in this cycle: requirement analysis, design, development and testing, implementation, documentation, and evaluation.
Information technology (IT) governance is a subset discipline of corporate governance, focused on information technology (IT) and its performance and risk management. The interest in IT governance is due to the ongoing need within organizations to focus value creation efforts on an organization's strategic objectives and to better manage the performance of those responsible for creating this value in the best interest of all stakeholders. It has evolved from The Principles of Scientific Management, Total Quality Management and ISO 9001 Quality management system.
Clinical audit is a process that has been defined as a quality improvement process that seeks to improve patient care and outcomes through systematic review of care against explicit criteria and the implementation of change
Enterprise risk management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives, assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring process. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It may help an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. Internal auditing might achieve this goal by providing insight and recommendations based on analyses and assessments of data and business processes. With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice. Professionals called internal auditors are employed by organizations to perform the internal auditing activity.
A regulatory impact analysis or regulatory impact assessment (RIA) is a document created before a new government regulation is introduced. RIAs are produced in many countries, although their scope, content, role and influence on policy making vary.
Quality engineering is the discipline of engineering concerned with the principles and practice of product and service quality assurance and control. In software development, it is the management, development, operation and maintenance of IT systems and enterprise architectures with a high quality standard.
Sustainability accounting was originated about 20 years ago and is considered a subcategory of financial accounting that focuses on the disclosure of non-financial information about a firm's performance to external stakeholders, such as capital holders, creditors, and other authorities. Sustainability accounting represents the activities that have a direct impact on society, environment, and economic performance of an organisation. Sustainability accounting in managerial accounting contrasts with financial accounting in that managerial accounting is used for internal decision making and the creation of new policies that will have an effect on the organisation's performance at economic, ecological, and social level. Sustainability accounting is often used to generate value creation within an organisation.
Business systems planning (BSP) is a method of analyzing, defining and designing the information architecture of organizations. It was introduced by IBM for internal use only in 1981, although initial work on BSP began during the early 1970s. BSP was later sold to organizations. It is a complex method dealing with interconnected data, processes, strategies, aims and organizational departments.
IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e.:
The following outline is provided as an overview of and topical guide to project management:
Control self-assessment is a technique developed in 1987 that is used by a range of organisations including corporations, charities and government departments, to assess the effectiveness of their risk management and control processes.
Social accounting is the process of communicating the social and environmental effects of organizations' economic actions to particular interest groups within society and to society at large. Social Accounting is different from public interest accounting as well as from critical accounting.
BUCHANAN, S. and GIBB, F., 1998. The information audit: an integrated strategic approach. International Journal of Information Management, 18(1), pp. 29–47.
BUCHANAN, S. and GIBB, F., 2007. The information audit: role and scope. International Journal of Information Management, 27(3), pp. 159–172.
BUCHANAN, S. and GIBB, F., 2008. The information audit: methodology selection. International Journal of Information Management, 28(1), pp. 3–11.
BUCHANAN, S. and GIBB, F., 2008. The information audit: Theory versus practice. International Journal of Information Management, 28(3), pp. 150–160
BURNETT, S. et al., 2004. Knowledge Auditing and Mapping: a Pragmatic Approach. Knowledge and Process Management, 11(0), pp. 1–13.
ELLIS, D. et al., 1993. Information audits, communication audits and information mapping: a review and survey. International Journal of Information Management, 13(2), pp. 29–47.
HENCZEL, S., 2001. The Information Audit: a practical guide. Wiltshire: Anthony Rowe Ltd.
HENCZEL, S., 2000. The information audit as a first step towards effective knowledge management. IFLA Publications, 108(1), pp. 91–106.
MEARNS, M.A. and DU TOIT, A.S.A., 2008. Knowledge audit: Tools of the trade transmitted to tools for tradition. International Journal of Information Management, 28(1), pp. 161–167.
RALIPHADA, L. and BOTHA, D., 2006. Testing the viability of Henczel’s information audit methodology in practice. South African Journal of Library and Information Science, 72(3), pp. 242–250.
SOY, C. and BUSTELO, C., 1999. A practical approach to information audit: case study. Managing Information, 6(9), pp. 30–36.
SOY, C. and BUSTELO, C., 1999. A practical approach to information audit: case study La Caixa Bank, Barcelona Part 2. Managing Information, 6(10), pp. 60–61.
WOOD, S., 2004. Information auditing: a guide for Information Managers. Middlesex: Freepint.
BRYSON, J., 2006. Managing Information Services : A Transformational Approach. Hampshire: Ashgate Publishing Ltd.
GILLMAN, P.L., 1985. An analytical approach to the information audit. Electronic library, 3, pp. 56–60.
HENDERSON, H.L., 1980. Cost effective information provision and the role for the information audit. Information Management, 1(4), pp. 7–9.
HIGSON, C. and NOKES, S., 2004. The information audit asset register: a practitioner’s guide for the Freedom of Information Act. London: Rivington Publishing Ltd.
QUINN, A.V., 1979. The Information Audit: a new tool for the Information Manager. Information Manager, 1(4), pp. 18–19.
RILEY, R.H., 1976. The Information Audit. Bulletin of the American Society for Information Science, 2(5), pp. 24–25.
THEAKSTON, C., 1998. An information audit of National Westminster Bank UK’s Learning and Resource Centres. International Journal of Information Management, 18(5), pp. 371–375.
WEBER, R., 1999. Information systems, control and audit. New Jersey: Prentice-Hall Inc.