Business Information Review

They have found the LIST IA methodology using analysis of information needs and flows to be a useful analytical tool that allows them to evaluate Information assets and to demonstrate compliance In asset management – whether those assets are financial, documentary or Intangibles such as know-how. Since the Implementation of Freedom of Information legislation, records management has espoused a strong focus on compliance and the avoidance of penalties for data protection breaches, but recent publications suggest that approach to information audit.

This may be because it is seen as best able to manage the growing complexity of regulation and legislation (local, national and international) that affects information management. Forming strategic alliances with other players, the information profession must take the lead in establishing standard IA procedures and definitions drawing on its own praxis, which is widely accepted by other disciplines.

There needs to be a single point of call for standardizing and accrediting IA skills, with the creation of a supporting body of knowledge whose evidence base goes beyond standard Journal literature and monographs to include the now considerable corpus of unpublished theses as well as papers in languages other than English. As IA is adopted by a growing number of professional disciplines, LIST and KIM (Knowledge and Information Management) professionals – and also some finance professionals – can now find and seize opportunities beyond the boundaries of more traditional information work.

Keywords audit methodology, compliance, evidence, financial audit, information asset registration, information audit, information management, knowledge management, leadership, records management, regulatory compliance, skills accreditation, valuation Introduction In a previous Business Information Review article Griffith (2010) highlighted the multiple approaches to information audit (IA)I that are now discernible in the literature and in practice, and considered claims on ownership of the topic among information scientists, financial accountants, internal auditors, records managers, information security professionals, and competitive intelligence professionals. This update focuses on issues of business information management; technical aspects of information management issues will be explored in greater detail in the technical press. The previous article highlighted a number of areas where further work was required: to establish agreed definitions of IA skills and of IA itself across interested sectors; to establish leadership and future ways of working on IA; and to examine the role and potential of information asset registration.

This analysis is developed here using further recent case studies and considering additional actors that have come to light, such as national practice and the adoption of IA as an analytical tool in emerging professions. There are concerns that the wider adoption and adaptation of IA techniques by such new disciplines is making it progressively more difficult to set standards and competencies, and that given the shortage of case studies it remains difficult to turn IA theory into good practice. Corresponding author: Peter Griffith Email: [email protected] Co. UK Business Information Review 29(1) The pragmatic solution to this problem would be the various survey instruments associated with that methodology, or else to design ewe forms that align with the chosen approach.

The obvious candidate to become the base methodology is either Hence or Buchanan and Gibbs, where a body of commentary, critical assessment and case studies already exists, along with some teaching materials from training courses. However, this raises a problem in sectors such as finance where a detailed or extended audit is required because compliance requirements may be complex and may be governed by overseas legislation as well as that of the country where the organization is based. This means that any existing published methodology is likely to need extension to include these local acquirement. Where there are factors that appear only in a defined business area such as banking or legal services (e. G. acquirement to comply with streptococci regulation), a bespoke process will be needed for the extended enquiry, although a single extended survey instrument could be devised for use across a particular sector regardless of geographical location. In any case, adopting a published methodology does not guarantee simplicity. Railhead and Both (2006) tested Handel’s method in a South African public sector environment but only completed five of the seven elements, noting that although there are benefits, the method is appetitive and cumbersome. By stopping before the implementation and continuum stages of Handel’s model, Rapidly and Both raise concerns about the robustness of the lessons from this case study, and suggest that during a large-scale audit using Handel’s methodology, fatigue might lead to error in the analysis and outcomes.

Meanwhile Vow-Train (2010, 2011 a, 2011 b) proposes combining Handel’s methodology with the Action Research methodology in order to audit the information held by an Australian architectural practice as it designs a new building for a university. Recent introductions to the literature of IA have tended to widen rather than define its scope, which makes it increasingly urgent that there should be agreed definitions of IA activities as a first step toward common guidelines. The Need for Common Guidelines and Standards Although the information profession as codified by library and information science (LIST) has a body of literature, experience and knowledge of IA going back over 30 years, there is still no universal acceptance of its methodology.

Two of its approaches in particular, those of Hence (2000) and of Buchanan and Gibbs (2007), are widely tied as models – now also, as will be seen, in domains unrelated to LIST – but its comparatively ‘soft’ methodology, focusing on information flows rather than on compliance or asset monitoring, has been slow to be adopted as a generally applied technique. Recent literature suggests rather that either the information professional approach to IA is being used as a bridge to another approach, or that freedom of information (OFF), data protection (EDP), financial and other regulation has led to a ‘harder’ approach based on compliance with standards set by legislators or other bodies with a quasi-legal function.

Despite the growing body of discussion there continues to be a lack of accepted guidelines or agreed standards for IA, even though these exist in other forms of audit and in related activities such as information systems management. In confirming this observation Allen- NAS and Attack- nine_ u minimum level of acceptable information audit performance. Because of this, discussion tends to be theoretical and stakeholders and shareholders have no real idea of what information auditors actually do. In this context it is interesting to find a recent Chinese study (Gangling If and Kantian Ghana, 2009) that describes a hinted information audit. Because of what the authors perceive as a lack of practical examples they derive a methodology by combining elements of the main published approaches to IA, and apply it theoretically to a model of a large-sized Chinese company.

Allele- NAS and Attack- nine_ further note that in several u u e business domains standards are set by external bodies (e. G. The ISO 27000 series standards and ISAAC CUBIT Baseline for information security). Compliance management therefore falls naturally not to IA professionals but to groups such as information security professionals who are the primary users of these standards. They discuss the role of IA ‘ as part of a range of business tools, as does Sadomasochism (2011) who describes the IA process using Handel’s model before suggesting using it as part of a package including other techniques for measuring the quality of information management. She would also use mystery shopping, needs analysis, content analysis, SOOT analysis and expert interviews.

From a discussion of all these elements she concludes that a standardized audit would allow direct comparison of the information management performance of a group of organizations in the case of her study, bodies within the Czech public sector). The Information Audit Islands In order to establish these agreed and widely-used definitions, it is first necessary to establish the domains where reports of IA practice appear from which to draw the detail. Figure 1 represents IA in diagrammatic form as a kind of map showing ‘islands’ within the ‘sea’ of IA inhabited by the various professional groups (who might here be called tribes’) with a role in IA. These islands are arranged in broad groups clustering those functions that tend to report to the SCOFF (to the left) and the CIO (to the right).

IA appears at the core within a list of core corporate functions in the central column; these functions may be Griffith 41 Figure 1. The IA Islands ‘map’ diagram (O Graham Robertson 2012). Notes: SCOFF – Chief Finance Officer; CIO – Chief Information Officer; IA – Information Audit; IM – Information Management; IS – Information Systems; IT – Information Technology; KIM – Knowledge and Information Management; LIST – Library and Information Science; RMI – Records Management provided by either the SCOFF or CIO, or by other parts of the organization. The ‘islands considers activity on each island or a group of islands. The geographical metaphor could be extended by considering that there are tall buildings on some of the islands, representing activities in vertical markets.

Among these (as will be seen in the following discussions) are buildings containing legal services, tourism and travel services, and banking: these are built when case studies are published describing the use of information audit in those sectors. A further extension of the metaphor might be to represent enclaves of particular national groups where it is evident that IA has particular dimensions as a result of national legal requirements, or national custom and good practice. For example the Technical Systems island at the foot of the centre column would have a Romania enclave representing the view there – discussed later – that, as part of their audit, IT systems auditors must review not only the technology but the information held within a system). Role within organizational management.

What is the role of IA within the organization, and what is the role of the information auditor? As set out by Griffith (2010), these are difficult questions to answer because of inherent confusion in the terminology, whose meaning varies according to whichever of the ‘IA tribes’ is staking its claim to dead on the issue. However the literature produced by tribes’ shows their broad agreement on a number of activities comprised within the scope of IA. As a minimum, the role of the information auditor covers: Verifying that information added to a corporate or other information system is authentic and accurate; Verifying the provenance of information within a system (e. G. O support the management of intellectual property, and to ensure integrity throughout its presence within the system being audited); Verifying the proper functioning of the information storage and retrieval system, including logging access, amendment/alteration, overwriting and deletion of information entities; Assessing the economic value of information resources within corporate systems and deriving a financial value that may (or may not) be shown in the organization’s accounts – with the implication that applying an actual or notional financial value creates an asset that entails Towards a Definition of Information Audit The ‘Information Audit Island’ lies at the centre of the map, representing its central role in this discussion and its central 42 certain standards of stewardship for the information, and also that this value is at east partly created by the context provided by the corporate owner or licensee; Assessing the informational value of the content of corporate systems – I. E. Verifying not only the physical integrity of information but rating its accuracy, timeliness, reliability, relevance, degree of duplication or uniqueness, and other elements that might be used to establish a score for the value of the actual knowledge or include elements that are essential in the LIST/KIM professional view of IA, and seems to lie closer to the activities of financial audit than to professional practice in LIST or KIM.

These core activities are (rightly) concerned with verification and authenticity, which the KIM professional might consider to be elements of information literacy or digital literacy, but they do not for example consider whether information resources meet information needs, are held in multiple versions or are effectively and properly licensed. They include neither analysis of published and unpublished information resources and flows, nor records management or knowledge audit activities, nor the compilation of information (or data) asset registers. So despite the appearance that hey are a ‘hard’ and defining set of activities capable of being assessed against notions such as ‘compliance’ (with ‘regulation’) or ‘accuracy, these common core elements with their strong bias to accountancy are insufficient on their own to provide a full definition of IA.

Recent additions to the literature propose further IA activities but some of these could be argued to be either non-core IA activities, or to be activities that have been assigned to IA by commentators who are actually describing a different function such as information systems audit or internal audit. This can happen where practitioners whose first language is not English, use the term IA to describe one of these other activities. For example Griffith alluded to but did not analyses the claim by information systems auditors to be information audit practitioners. Russ and Dancers (2010) indicate that in Romania, systems auditors already consider that their activities include IA. They argue that their IT systems audits necessarily include checks on the integrity of information whilst it is within the systems being audited. Further research may prove this to be the case in other countries). To represent this, the Systems Audit ‘island’ could be shown with a Romania enclave, and as analysis of the literature develops there may be similar enclaves representing local practices to be discovered on other islands. This ‘map’ is very much a work in progress. New islands will appear on this diagram when a further group adopts IA as a methodology for their professional activities. There may be some changes in population and government Business Information Review 29(1) depending on further analysis, discovery, and commentary by practitioners and academics as this project progresses.

Leadership Roles in IA Preparation of this article began with the assumptions that it would be readily possible to describe a combination of the information professional and accounting professional approaches to IA, and that it would be simple to outline Joint standards for future audits. However, research identifies further professions using IA (although as noted earlier a number of these acknowledge the two principal information professional methodologies of Hence and of Buchanan and Gibbs) and new contenders claiming to lead work on IA, sometimes based on practice in particular entries. These findings cause some dismay as they add further fragmentation to an already complex picture.

But they suggest that IA could offer considerable potential for information professionals who have been displaced from more traditional LIST indicates the domains managed by the two Chief Officers with the greatest professional interests in IA, namely the Chief Information Officer (CIO) and Chief Finance Officer (SCOFF). The role of the CIO should be distinguished from that of a Chief Technology Officer (COT) despite the fact that many public sector Close are primarily unconcerned with technology, not information; paradoxically, a COT often works as their subordinate taking day-to-day charge of corporate information and communications technology. On the left of the map is the domain of the SCOFF; on the right is the CIO. An exhaustive list of the areas for which they are responsible is not included here, but note that their responsibilities overlap (the islands in the central group) and have an outdrawing as well as an internal element.

For example, the CIO role is responsible for information required by investors and potential investors in the organization, for information relating to corporate social responsibility, and for environmental information, as well as for internal information resources. The CIO thus plays a role in maintaining shareholder and stakeholder confidence, and in keeping good relations with the client community and the public at large. Griffith et al. (2006) argue that LIST professionals have a unique combination of skills making them the natural focus for corporate reputation monitoring (a role now becoming known as the Chief Listening Officer, as is found at Dell, for example): this is a role hat is embraced comfortably within the CIO domain under discussion here.

Cigarillo- Duran and Noun-Moran (2010) develop this argument, ‘ asserting that information professionals should take the role of corporate image managers as well as (quasi- passive) reputation monitors; their discussion identifies various reputation audit methodologies suitable for use by documentations Griffith or information managers. Reputation monitoring aligns too with the interests of the growing business intelligence community, for which the CIO should also be responsible. The management of corporate intellectual property (P) omelets this group of CIO interests, building on the long standing interest of LIST professionals in copyright and IP generally. Fanning (2007, 2008) in his wide-ranging and often very perceptive discussion of both public and private sectors, considers the variety of corporate roles that are given responsibility for IA.

He concludes that a new role of Chief Information Manager is required, with strategic skills rather than IS/IT, and with a short reporting line to board level. He believes that librarians have strong potential for this role, but this can only be the case when they are proactive o re able to position themselves as the ‘eyes and ears’ of the organization’. In Fanning view, IA practitioners must position themselves as ‘an essential constituent of market research, strategic planning, business development, risk assessment, compliance, etc. ‘ in the same way as competitive intelligence practitioners. Like other contributors noted here, Fanning also comments on the perceived burden of IA as an administrative overhead process rather than an essential business tool delivering efficiency and savings.

The literature expresses general support for a common core f IA activities that are concerned with ‘hard’ notions of compliance, regulation and unable to command similar support for its complementary ‘soft’ activities and competencies, for these provide a framework for understanding the use, flows and value of this compliant, regulated and accurate information. Among information professionals, only records managers have raised their profile in this field, as they have become corporate experts on compliance with regulation and the avoidance of the increasingly severe penalties for breaches of data protection and freedom of information legislation. Parts of the skill set required by an IA practitioner fall into the spheres of interest of several different professional associations.

However the key work to establish and develop IA has been done by information professionals so it would be logical for them to take the lead, forming strategic alliances with other players, in establishing standard procedures and definitions – such as what exactly constitutes an information asset, and how should it be registered and accounted for. Most importantly, there must be a single point of call for standardizing and accrediting IA skills, underpinned by a body of knowledge whose supporting evidence ease goes beyond standard Journal literature and monographs to include the now considerable corpus of unpublished theses and papers in languages other than English. An information professional body should undertake this role, encouraging a collegiate approach.

A further benefit of this arrangement would be that body 43 ability to tap into the professional skills needed to deliver effective horizon scanning for forthcoming changes to regulation or new studies by IA practitioners. The Value of Business Information Assets Debate continues without final agreement around the valuation of information held within a business. The discussion of the accountancy-based approach to IA by Griffith (2010) describes the problem of deriving a financial value for corporate information in an organization’s balance sheet. In their report for the Parliament- based RIME group, Higgins and Wealth (2010: 9) point to the long-running debate about the admissibility, under accounting rules, of intellectual capital and information assets as corporate assets on published balance sheets.

The work of the Hawley Committee in the sass first sparked discussion in the UK which was continued by the IMPACT Programmer, leading for example Horned (1998) to argue that he difference between an organization’s value in terms of its tangible assets and the value of its stock and market standing must be accounted for by the value of its intangible assets, primarily its intellectual capital. Koenig (1997, 1998) summarizes the issues, while Higgins and Wealth observe that the accounting rules make knowledge-based companies such as pharmaceutical researchers and web developers worth far more than the value of their tangible assets, explaining why such large sums exchange hands on the basis of a company’s likely future knowledgeable profits rather than its present performance.

Sanford (2001) draws room work by Koenig, Laurence Prussia, Tom Peters and others to compile a list of intellectual capital assets that would produce these knowledgeable profits: the list includes patents, publications, licenses and the income from them, products and the time taken to bring them to market (both of which can be compared with competitors made to an organization’s employees by external speakers, and from conference attendance), database searches, the contents of communities of practice and intranets, knowledge maps and inventories. Having compiled this extensive catalogue, which goes far beyond the content of the corporate library or file store, Sanford then points to the findings of Wilson, Stetson, and Oppenheim (2000) who describe the reluctance of British companies to assess the value of their information assets and considers the reasons for this reticence. Wilson et al. Were surprised to find that I-J companies appeared not to be using FRISK, the I-J financial reporting standard for goodwill and intangible assets, to value their information assets.

Problems were reported in establishing what constitutes an information asset while many organizations simply did not believe that information should be categorized as an asset or valued for inclusion on the balance sheet. The 44 information assets considered most important by interviewees were internally- generated and typically not valued for internal purposes, so that there was little impetus to include information assets on the balance sheet – perhaps because it could be unwise to report externally that which had not been addressed internally. From the information science viewpoint, Yates-Mercer and Baden (2002) drew on a wide range of sources to reach similar conclusions whilst Wilson and Stetson (2008) updated their previously published arguments with a further literature review, but also essentially restated this problem.

The British academics El-Taw and Abide- Sadder (2011) recently argued to an international conference on information systems that a new approach is needed to recognize and account for intangible information assets. It is notable that although their audience was from their own field of systems management, their case was built on papers published in the fields of information management and librarianship over the past 20 years. In summary, there has been little progress for some time in getting businesses to deal with the problem, but there are frequent restatements of the issue to a growing range of professional spineless. A consequence is that neither the purpose nor the practice of IA has been widely embraced in the organizations that could reap the benefits that are clearly set out in much of the literature reviewed and cited here.

The benefits also include the ability to take an overall view of corporate finance that embraces: the financial value of information assets and intellectual property; effective asset management and exploitation, including a true reflection of the organization’s value on the balance sheet; assurance – in the sense of comfort as well as indemnity – grading legal compliance; and knowledge in the boardroom that the organization is proof against the legal action or public criticism that might be leveled by the relevant Information Commissioner,2 or qualification of accounts by the relevant audit body. Perhaps the most difficult message to get across is that information management is everyone’s responsibility within the organization. But that is not to set aside a corporate management responsibility to publish internal guidelines for information management and governance, supported by training and enforced if organizations, and confusion of the various kinds of audit.

Business Information Review 29(1) The goal of audit [ … ] must be to ensure that financial reporting is of the highest quality. But at the end of the day it is a mistake to see corporate governance and [audit] purely in terms of compliance – the audit committee as corporate policeman. Clearly, audit committees have an important role in relation to reporting and ensuring compliance. But they have an equally important role alongside the board as a whole – in ensuring that the business seizes the opportunity to use any new regulatory framework imaginatively. (Warble and Alai, 2004) Jones and Barbell (2004) go further: No one wants an audit to occur.

An audit has the smell of seeking problems and laying blame … Organizations conducting an audit call them something else. [They] conduct related processes, such as a collection satisfaction survey, and refer to that as an audit. This aversion to the name contributes to confusion surrounding what an information audit actually is. It … Diffuses the true impact an audit can have on the organization. (p. 53) Changing the Image of Audit Information audit suffers by sharing some of the image of internal audit, being tangentially viewed as a ‘corporate policeman’ or Witch-finder’. The positive value of IA needs to be communicated in a way that overcomes the widespread negative perception.