DRAMBORA Notes PART II: Audit Process

5.1-5.6 Introduction, Requirements, Definitions, Principles, Methodology and Stages

The rest of part II (pages 43 to 104) has only been skimmed over.

Stage 1

Describe mandate and purpose; identify goals and objectives (within functional classes). The initial two stages will help identify repository boundaries, activities and stakeholder communities.

Stage 2

Collect policy documents and regulatory documents that may be relevant to the repository (including legal and contractual frameworks) and analyse relevance to goals and objectives (and to the different operational functions). Page 60 provides a list of relevant acts and regulations in the UK as inspiration.

Stage 3

Develop a conceptual model of what the repository does and how it does it... By splitting mission and goals into more specific activities, we should develop a list of repository activities, assets and owners (the focus of this stage seems to be managerial). Methodologies commonly used for identifying functions and activities: hierarchical (or functional) analysis and process (or sequential) analysis (see page 65). Submission agreements? Activity and asset examples pages 68-73; look at the functional classes activity examples p. 71-73.

Stage 4

Derive repository risks from activities and assets. Consider the following kinds of risks:

The result of this stage should be a list of risks categorised according to functional class, organisational objectives and identified activities and assets; and, for each risk, a description, owner, type classification and optionally relationships with other risks. See generic list of risks pages 81-83.

Stage 5

Characterise risks and risk relationships and assess severity. See risk characteristics table pages 84-85, risk probability and impact scores pages 88-89, example risk description tables Appendix 3.

Stage 6

For each risk, determine how to approach... Risk management examples:

In this stage the auditors should choose a risk management strategy, describe the risk mitigation measure, assign responsibility for the risk mitigation activities and set target dates and results for the risk mitigation activities. See risk description table p. 98-99.

5.13 How to Interpret the Audit Result

Example of extended risk attribute tags p. 100-101. The self-audit should be followed up by risk management monitoring to ensure that the risk register is kept up to date, that risks are re-evaluated and that new risks are managed as well. Example risk avoidance and treatment strategies p. 102-103.