The Role of Evidence in Establishing Trust in Repositories
http://www.dlib.org/dlib/july06/ross/07ross.html
parties involved. This can help auditors to assess the suitability of repository functions
and contractual controls.
• Job Descriptions: As these detail the duties and responsibilities of each member of the
repository staff, they give auditors evidence of the existence of capacity to deliver the
kinds and levels of service outlined in the mission statement and depositor agreements.
In addition they provide a mechanism for mapping between the organisational
objectives and the means to deliver them.
• Organisational Chart: Documents detailing the roles and responsibilities of staff and
how they interrelate offer evidence of the existence of appropriate management
structures and support validation of quality control mechanisms.
• Staff Profiles/CVs: Overviews of experience, expertise, and qualifications of staff
should be provided, as these will offer an indication of the capabilities and
backgrounds of individuals performing key tasks within the repository and assist in
giving auditors evidence as to whether the right staff mix is available.
• Annual Financial Reports: Details of income and expenditure as well as project
income and expenditure provide evidence as to the financial footing and planning of
the repository. This evidence should be considered for at least the three previous years.
For example, the historical data will enable auditors to assess how good the repository
is at predicting its future income and expenditure. This will be valuable in enabling
auditors to assess repository financial risk.
• Business Plan: This document details the financial, organisational and methodological
basis for the repository, providing a justification for its existence and a plan to ensure
its persistence. The Business Plan offers evidence of organisational approaches to
sustainability, projected developments, and plans for exploiting emerging market
opportunities.
• Risk Register: How repositories approach risk management will be a central concern
to auditors. They will wish to review any risk registers and assess the repository's
approaches to them: is the register appropriately scaled and detailed; does it indicate a
proactive or reactive approach to risk; and is it likely to help the repository manage
risk? A detailed list should indicate the risk, its likelihood, what actions are being
taken to avoid it occurring, how the repository will respond if the risk were to occur,
and what the impact of its happening would be. For example, how would the
repository approach accidental disclosure of some of its holdings?
• Policy Documents: Documents detailing the repository's policy in key areas, such as
acquisitions, preservation strategies, guidelines for selecting and ingesting digital
objects, and access and disaster recovery, provide a range of insights illustrating the
means by which the repository performs particular functions, the way it provides
specific services, the processes by which it manages its relationships with the user, and
how it responds to such extrinsic factors as legislation and regulation.
• Procedure Manuals: This class of documentation gives evidence of the procedures
carried out by the repository in such areas as methods for validating submissions,
backup, data checking, storage media change, system maintenance, and destruction of
old media.
• Workflow Models: These indicate the level of understanding and management of the
processes applied by the repository. They also give auditors an indication of pressure
points that can be tested as part of the audit visit.
• Technical Architecture: Documentation of the repository's hardware and software
infrastructure provide evidence to enable auditors to validate suitability of hardware
and software infrastructures to support effectively the functions and services aspired to
in both the mission statement and agreed in the individual depositor agreements.
• Maintenance Reports: These documents describe maintenance that has been
6 of 13
01/08/2006 17:25