Procedural documentation for document management
- Necessary or just an embellishment?
Dr. Stefan Spitz, Lead Auditor ECM at TÜV Informationstechnik GmbH and Dr. Klaus-Peter Elpel, Managing Partner of Consultec Dr. Ernst GmbH Published in: DiALOG - THE MAGAZINE FOR ENTERPRISE INFORMATION MANAGEMENT | MARCH 2017.
In many companies the topic of procedural documentation is not dealt with at all, or only very superficially, although it is required by the GoBD, Basel II, SOX, ISO 9001 and the maturity models of ISO 9004 / CMMI. It is an important component of a document management system (DMS) and indispensable for proving audit compliance. However, the benefits of procedural documentation are often unclear, as are the requirements for its content and the level of detail the descriptions must have.
The following core requirements must always be taken into account (see e.g. GoBD):
- Completeness: Complete recording and archiving of documents.
- Order: Documents are clearly indexed and assigned.
- Unchangeability: Each document must be archived in an unchangeable form.
- Traceability: All stages through which a document has passed must be documented and traceable.
- Availability: Documents must be available and readable in a timely manner.
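The requirements "unchangeability" and "traceability" are properties a DMS has to demonstrate technically, not only describe. The following is an added illustration (not code from the article, from TÜViT or from the PK-DML criteria) of how an archive journal can make them checkable: every archive event carries the SHA-256 fingerprint of the stored file and the hash of the previous event, so an altered, re-ordered or deleted record breaks the chain, and the version history of a document can be reconstructed from the journal. Document identifiers such as `INV-2017-001` and the sample contents are constructed for the example; in a real DMS the head hash returned by `head()` would be anchored outside the system (for instance on WORM media or with a time stamp), because a hash chain alone cannot detect that its newest records were cut off.

```python
import dataclasses
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

# Added example: an append-only archive journal whose records form a hash chain.
# Any change to, or removal of, an earlier record is detected by verify().

GENESIS = "0" * 64  # prev_hash of the very first event


@dataclass(frozen=True)
class ArchiveEvent:
    seq: int             # position in the journal; gaps reveal deleted records
    doc_id: str          # index key of the document ("order": clear assignment)
    version: int         # version of the document this event refers to
    action: str          # e.g. "archive", "index", "export" (constructed vocabulary)
    content_sha256: str  # fingerprint of the archived file content ("unchangeability")
    prev_hash: str       # hash of the preceding event ("traceability")
    event_hash: str      # hash over all of the fields above


def _hash_event(seq: int, doc_id: str, version: int, action: str,
                content_sha256: str, prev_hash: str) -> str:
    # Canonical JSON so that the same fields always produce the same hash.
    payload = json.dumps([seq, doc_id, version, action, content_sha256, prev_hash],
                         separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class ArchiveJournal:
    def __init__(self) -> None:
        self.events: List[ArchiveEvent] = []

    def append(self, doc_id: str, version: int, action: str, content: bytes) -> ArchiveEvent:
        seq = len(self.events)
        prev = self.events[-1].event_hash if self.events else GENESIS
        content_hash = hashlib.sha256(content).hexdigest()
        ev = ArchiveEvent(seq, doc_id, version, action, content_hash, prev,
                          _hash_event(seq, doc_id, version, action, content_hash, prev))
        self.events.append(ev)
        return ev

    def head(self) -> str:
        """Hash of the newest event; store this outside the journal to detect truncation."""
        return self.events[-1].event_hash if self.events else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Optional[int]:
        """Return None if the chain is intact, otherwise the position of the first bad record."""
        prev = GENESIS
        for expected_seq, ev in enumerate(self.events):
            recomputed = _hash_event(ev.seq, ev.doc_id, ev.version, ev.action,
                                     ev.content_sha256, ev.prev_hash)
            if ev.seq != expected_seq or ev.prev_hash != prev or ev.event_hash != recomputed:
                return expected_seq
            prev = ev.event_hash
        # A chain that was cut off at the end still verifies; only an externally
        # anchored head hash reveals that records are missing.
        if expected_head is not None and prev != expected_head:
            return len(self.events)
        return None

    def history(self, doc_id: str) -> List[ArchiveEvent]:
        """All stages a document passed through, in the order they were recorded."""
        return [e for e in self.events if e.doc_id == doc_id]

    def is_unchanged(self, doc_id: str, version: int, content: bytes) -> bool:
        """Does the file presented today still match the fingerprint archived back then?"""
        h = hashlib.sha256(content).hexdigest()
        return any(e.doc_id == doc_id and e.version == version and e.content_sha256 == h
                   for e in self.events)


def demo() -> dict:
    """Constructed scenario: archive, verify, then tamper and truncate."""
    j = ArchiveJournal()
    j.append("INV-2017-001", 1, "archive", b"invoice v1")
    j.append("INV-2017-001", 2, "archive", b"invoice v2")  # new version; v1 stays archived
    j.append("CON-0042", 1, "archive", b"contract")
    head = j.head()
    result = {
        "intact": j.verify(expected_head=head),                     # None
        "versions": [e.version for e in j.history("INV-2017-001")],  # [1, 2]
        "v1_matches": j.is_unchanged("INV-2017-001", 1, b"invoice v1"),          # True
        "edited_matches": j.is_unchanged("INV-2017-001", 1, b"invoice v1 edited"),  # False
    }
    # Someone edits the archived record in place: the chain breaks at that position.
    j.events[1] = dataclasses.replace(
        j.events[1], content_sha256=hashlib.sha256(b"invoice v2 edited").hexdigest())
    result["tampered_at"] = j.verify(expected_head=head)  # 1
    # Truncation: drop the newest record of a fresh journal. Without the anchored
    # head the chain still looks intact; with it the missing record is detected.
    j2 = ArchiveJournal()
    for n in range(3):
        j2.append("CON-0042", n + 1, "archive", b"contract rev %d" % n)
    head2 = j2.head()
    j2.events.pop()
    result["truncated_unanchored"] = j2.verify()                      # None
    result["truncated_anchored"] = j2.verify(expected_head=head2)     # 2
    return result


if __name__ == "__main__":
    print(demo())
```

The point for an audit is the last two results: the chain alone proves that nothing in the middle was altered, but only a head hash kept outside the DMS proves that nothing was removed from the end. Whichever mechanism a real system uses, the procedural documentation should name it and state how and how often the verification is run.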
In addition, procedural documentation must be meaningful enough to cover the core requirements and to be usable in an audit. The GoBD formulates this as follows: "[...] a clearly structured procedural documentation must be available for each data processing (DP) system, from which the content, structure, process and results of the DP procedure are completely and conclusively evident. [...] The procedural documentation must be comprehensible and thus verifiable by an expert third party within a reasonable period of time." This requirement is subjective and may be assessed differently from one auditor to the next. Nevertheless, there are core contents that should not be missing from any procedural documentation. One area that is often neglected, both in the documentation and in operation, is the internal control system. This is not only about regular quality assurance and the reaction to identified errors and deviations, but above all about whether the described procedures are actually followed in practice. Only then can audit compliance be demonstrated successfully.
The creation and maintenance of procedural documentation is an ongoing process: "The procedural documentation must be versioned in the event of changes and a traceable change history must be maintained. [...] The retention period for the procedural documentation does not expire insofar and as long as the retention period for the documents for whose understanding it is required has not yet expired." (GoBD) However, the investment is well spent, provided that the creation and maintenance of the documentation is approached seriously, i.e. along the lines explained above. Moreover, non-existent, insufficient or completely outdated documentation can lead to a fine (see for example § 146 AO). An annual audit of the DMS and of the procedural documentation by a recognized external expert (certifier) rounds off the process and significantly increases audit security. The depth and scope of the audit should, however, be chosen appropriately: a superficial audit may be cheaper, but will probably not deliver the desired added value. The review of the procedural documentation and the on-site audit should be documented in a detailed report of the audit results, which is preferably also stored in the DMS in an audit-proof manner. In this way it can be proven, even after many years, that:
- the DMS corresponded to the respective current state of the art
- the process flows were adhered to and regularly reviewed
- the legal requirements for your company have been met
TÜV Informationstechnik GmbH (TÜViT) is one of the leading testing service providers for IT security and is part of the TÜV NORD GROUP. TÜViT focuses on topics such as cyber security, smart energy, mobile security, Industry 4.0, critical infrastructures, data protection audits, ISMS consulting and auditing in accordance with ISO/IEC 27001, and the testing and certification of data centers with regard to their physical security. In addition, TÜViT supports users and operators of document management solutions in proving legal security requirements for the audit-proof storage of documents. This is based on the test criteria for document management solutions (PK-DML) developed jointly by VOI and TÜViT.
www.tuvit.de