Article

Information Audit: Towards common standards and methodology

Business Information Review 29(1) 39-51
© The Author(s) 2012
Reprints and permission: sagepub.co.uk/journalsPermissions.nav
DOI: 10.1177/0266382112436791
bir.sagepub.com

Peter Griffiths
Independent Information Specialist

Abstract

This article further analyses a number of issues highlighted in a previous discussion of the current state of Information Audit (IA), and offers a graphical representation of the IA landscape. Library and Information Science (LIS) struggles to establish its 'soft' approach to IA as the leading methodology despite repeated endorsement by authors in other professional groups with some kind of interest in information management. They have found the LIS IA methodology using analysis of information needs and flows to be a useful analytical tool that allows them to evaluate information assets and to demonstrate compliance in asset management - whether those assets are financial, documentary or intangibles such as know-how. Since the implementation of Freedom of Information legislation, records management has espoused a strong focus on compliance and the avoidance of penalties for data protection breaches, but recent publications suggest that organizations of all kinds are adopting this finance- and accountancy-driven approach to information audit. This may be because it is seen as best able to manage the growing complexity of regulation and legislation (local, national and international) that affects information management. Forming strategic alliances with other players, the information profession must take the lead in establishing standard IA procedures and definitions drawing on its own praxis, which is widely accepted by other disciplines.
There needs to be a single point of call for standardizing and accrediting IA skills, with the creation of a supporting body of knowledge whose evidence base goes beyond standard journal literature and monographs to include the now considerable corpus of unpublished theses as well as papers in languages other than English. As IA is adopted by a growing number of professional disciplines, LIS and KIM (Knowledge and Information Management) professionals - and also some finance professionals - can now find and seize opportunities beyond the boundaries of more traditional information work.

Keywords

audit methodology, compliance, evidence, financial audit, information asset registration, information audit, information management, knowledge management, leadership, records management, regulatory compliance, skills accreditation, valuation

Introduction

In a previous Business Information Review article Griffiths (2010) highlighted the multiple approaches to information audit (IA)1 that are now discernible in the literature and in practice, and considered claims on ownership of the topic among information scientists, financial accountants, internal auditors, records managers, information security professionals, and competitive intelligence professionals. This update focuses on issues of business information management; technical aspects of information management issues will be explored in greater detail in the technical press. The previous article highlighted a number of areas where further work was required: to establish agreed definitions of IA skills and of IA itself across interested sectors; to establish leadership and future ways of working on IA; and to examine the role and potential of information asset registration. This analysis is developed here using further recent case studies and considering additional factors that have come to light, such as national practice and the adoption of IA as an analytical tool in emerging professions.
There are concerns that the wider adoption and adaptation of IA techniques by such new disciplines is making it progressively more difficult to set standards and competencies, and that given the shortage of case studies it remains difficult to turn IA theory into good practice.

Corresponding author: Peter Griffiths
Email: pdg@dircon.co.uk

Downloaded from bir.sagepub.com at PENNSYLVANIA STATE UNIV on September 17, 2016

The Need for Common Guidelines and Standards

Although the information profession as codified by library and information science (LIS) has a body of literature, experience and knowledge of IA going back over 30 years, there is still no universal acceptance of its methodology. Two of its approaches in particular, those of Henczel (2000) and of Buchanan and Gibbs (2007), are widely cited as models - now also, as will be seen, in domains unrelated to LIS - but its comparatively 'soft' methodology, focusing on information flows rather than on compliance or asset monitoring, has been slow to be adopted as a generally applied technique. Recent literature suggests rather that either the information professional approach to IA is being used as a bridge to another approach, or that freedom of information (FOI), data protection (DP), financial and other regulation has led to a 'harder' approach based on compliance with standards set by legislators or other bodies with a quasi-legal function. Despite the growing body of discussion there continues to be a lack of accepted guidelines or agreed standards for IA, even though these exist in other forms of audit and in related activities such as information systems management. In confirming this observation Aleliunas and Atkociuniene (2010) also remark that in the absence of these agreed standards there is no minimum level of acceptable information audit performance.
Because of this, discussion tends to be theoretical and stakeholders and shareholders have no real idea of what information auditors actually do. In this context it is interesting to find a recent Chinese study (Xiangling Fu and Xiaoyan Zhang, 2009) that describes a synthetic information audit. Because of what the authors perceive as a lack of practical examples they derive a methodology by combining elements of the main published approaches to IA, and apply it theoretically to a model of a large-sized Chinese company. Aleliunas and Atkociuniene further note that in several business domains standards are set by external bodies (e.g. the ISO 27000 series standards and ISACA COBIT Baseline for information security). Compliance management therefore falls naturally not to IA professionals but to groups such as information security professionals who are the primary users of these standards. They discuss the role of IA as part of a range of business tools, as does Sidlichovska (2011) who describes the IA process using Henczel's model before suggesting using it as part of a package including other techniques for measuring the quality of information management. She would also use mystery shopping, needs analysis, content analysis, SWOT analysis and expert interviews. From a discussion of all these elements she concludes that a standardized audit would allow direct comparison of the information management performance of a group of organizations (in the case of her study, bodies within the Czech public sector). The pragmatic solution to this problem would be to adopt a widely endorsed methodology as a starting point, and then either to adopt the various survey instruments associated with that methodology, or else to design new forms that align with the chosen approach. 
The obvious candidate to become the base methodology is either Henczel or Buchanan and Gibbs, where a body of commentary, critical assessment and case studies already exists, along with some teaching materials from training courses. However, this raises a problem in sectors such as finance where a detailed or extended audit is required because compliance requirements may be complex and may be governed by overseas legislation as well as that of the country where the organization is based. This means that any existing published methodology is likely to need extension to include these local requirements. Where there are factors that appear only in a defined business area such as banking or legal services (e.g. requirements to comply with sector-specific regulation), a bespoke process will be needed for the extended enquiry, although a single extended survey instrument could be devised for use across a particular sector regardless of geographical location. In any case, adopting a published methodology does not guarantee simplicity. Raliphada and Botha (2006) tested Henczel's method in a South African public sector environment but only completed five of the seven elements, noting that although there are benefits, the method is repetitive and cumbersome. By stopping before the implementation and continuum stages of Henczel's model, Raliphada and Botha raise concerns about the robustness of the lessons from this case study, and suggest that during a large-scale audit using Henczel's methodology, fatigue might lead to error in the analysis and outcomes. Meanwhile Vo-Tran (2010, 2011a, 2011b) proposes combining Henczel's methodology with the Action Research methodology in order to audit the information held by an Australian architectural practice as it designs a new building for a university.
Recent contributions to the literature of IA have tended to widen rather than define its scope, which makes it increasingly urgent that there should be agreed definitions of IA activities as a first step toward common guidelines.

The Information Audit Islands

In order to establish these agreed and widely-used definitions, it is first necessary to establish the domains where reports of IA practice appear from which to draw the detail. Figure 1 represents IA in diagrammatic form as a kind of map showing 'islands' within the 'sea' of IA inhabited by the various professional groups (who might here be called 'tribes') with a role in IA. These islands are arranged in broad groups clustering those functions that tend to report to the CFO (to the left) and the CIO (to the right). IA appears at the core within a list of core corporate functions in the central column; these functions may be

[Figure: 'Information Audit as the Hub' (diagram; surviving labels include corporate governance, external financial audit, financial policy, internal audit, information policy, information governance, knowledge audit and information audit)]