2009 Audit Tool - Version 13 - June 2009

Public Records Act Audit Tool [A372878]
Public Records Act Audit Tool
Audit Tool Background
This Audit Tool is based upon the recordkeeping requirements of the Public Records Act 2005 (PRA) and related mandatory recordkeeping standards (namely,
the Create and Maintain Recordkeeping Standard (CM), the Storage Standard (SS) and the Electronic Recordkeeping Metadata Standard (MD)). This Audit Tool
will be used by Archives New Zealand for undertaking five-yearly recordkeeping audits of public offices from 2010. These requirements apply to all of a public
office’s recordkeeping systems, including operational business systems that maintain records of its affairs, in accordance with normal, prudent business practice
(refer PRA section 17).
This audit tool will not apply to schools, which are not subject to the mandatory standards. The audit process for schools is under consideration. Nor does the
audit tool apply to records excluded by section 3(c) of the PRA, namely those within a special collection or records created by academic staff or students of a
tertiary institution (unless those records have become part of the records of that institution).
Audit Tool Framework and Objectives
This audit tool will be used by Archives New Zealand to assess recordkeeping practice in public offices as is required under section 33 of the PRA. It is also
intended that the audit tool will provide public offices with a reliable basis for undertaking regular recordkeeping self-assessments and developing plans to
continuously improve their recordkeeping capability. This approach is reflected in the current Audit Tool by:

• Translating existing PRA and mandatory standard requirements into attributes of achievement that describe or reflect the expected range of
recordkeeping operational practices. In some instances, a public office may be able to demonstrate the desired outcome without necessarily addressing
the proposed attributes within the Audit Tool. This equivalence would be recognised via the audit process, as required.

• Providing three stages of achievement that are intended to reflect a pathway of increasing recordkeeping / information management capability. These
stages will allow future PRA audits to reflect the implications of practical recordkeeping risk assessments and different public office capabilities. This
approach will also ensure a more informed and comprehensive assessment of a public office’s progress, rather than deriving an arbitrary pass / fail audit
result. Note that the attribute of achievement numbering regime (e.g. 1.1.1) reflects respectively the [business area / stage / attribute] sequence.
The stages, in descriptive terms, broadly correspond to:

  • Stage one – Initiation (needs identified and solutions examined, evidence of planning, systems designed or redesigned)

  • Stage two – Establishment (evidence of practical application)

  • Stage three – Extending Capability (Evidence of good practice, including regular review and monitoring, etc)
Version 13: 2009/10 PRA Audit Tool. Page 1

• Identifying examples of evidence that will demonstrate the attainment of a nominated attribute. This would involve Archives New Zealand critically
reviewing available documentation, undertaking observations and testing to determine behavioural conformance and quality of implementation practices.
The identified evidence is illustrative only. In practice, there is likely to be a range of activities and descriptions that will represent equivalent attainment of
the attribute. The audit reporting methodology will be configured to capture an appropriate multi-dimensional perspective of a public office in relation to
each audit tool attribute. This multi-dimensional approach will include the following assessment and rating structure for each attribute:

  • Progress (0 = no, 1 = approved but not yet started, 2 = underway, 3 = completed: some out of date, 4 = yes: completed and up-to-date)

  • Coverage (0 = not at all, 1 = few parts of the public office, 2 = most of the public office, 3 = whole of the public office)

  • Intentions to progress to this stage (0 = no, 1 = undecided, 2 = yes, 3 = already done)
The examples of evidence, audit methodology and reporting approach will be further developed and refined on the basis of pilot PRA audits during 2009/10.
Over time, Archives New Zealand would look for opportunities to integrate its PRA audit requirements within other public office audits.
Audit Tool Structure
The audit tool is structured into eight areas, with areas one to four reflecting general business activities and areas five to eight reflecting more specific
recordkeeping requirements, as follows:
General Business Activities
1. Planning
2. Resourcing
3. Training
4. Monitoring and Review / Reporting
Specific Recordkeeping Practices
5. Creation and Capture
6. Retrievability and Security
7. Maintenance and Storage
8. Disposal and Transfer.
Definitions
Definitions for recordkeeping terms can be found in the Archives New Zealand publication, Glossary of Archives and Recordkeeping Terms and/or in the
respective mandatory standards. Copies of these publications can be found at: http://continuum.archives.govt.nz/recordkeeping-publications.html
1. Planning
Recordkeeping functions and activities are defined and have a planned outlook
Stage
One
Attributes of Achievement
1.1.1 A governance framework has been established in which the
recordkeeping function will operate from chief executive
(accountable), executive management (sponsor) to
recordkeeping and other staff (responsible).
Examples of Evidence
Executive management (sponsor) of the recordkeeping function
is assigned in a public office structure and acknowledged in
organisational charts. or
Documentation to support this such as policy identifying roles
responsible for recordkeeping from executive to the records
manager (or equivalent) and all staff members.
See Archives New Zealand’s Guide to Developing a
Recordkeeping Policy for assistance.
1.1.2 A profile of systems (both physical and electronic) within the
recordkeeping framework exists (i.e. systems which create and
maintain records have been identified). Link to 5.2.1.
Organisation-wide information / data maps are defined and in
place. or
Repository stock-take has occurred (refer to Archives New
Zealand’s Guide to Completing a Records Survey (NB: pending
publication)) and outcomes documented. or
A survey has been conducted identifying business systems,
physical recordkeeping systems, etc. or
An analysis of legacy recordkeeping issues and/or recordkeeping
gaps has been conducted. or
A classification structure/file (or taxonomy) plan is in place, is in
use and is maintained. or
Business-critical (vital) records and systems are identified.
Two
1.2.1 Recordkeeping policies are documented and implemented.
Link to 2.2.1 and 5.2.3.
An appropriate recordkeeping policy document exists and
identifies relationships with related policies (e.g. IT Security
Policy). and
Metadata specifications and decisions for all recordkeeping
systems are documented, including:
• the recordkeeping policy acknowledges the role of
metadata in ensuring an authentic record
• the policy specifies the roles of point of capture and
process metadata, and the rules relating to
changing metadata.
1.2.2 Recordkeeping procedures have been documented and
implemented, including procedures for verifying metadata. Link to
2.2.1 and 4.2.2.
Appropriate recordkeeping procedure documents exist and are in
use. For instance, including:
• procedures manuals or recordkeeping training material/s
• workflow models
• staff guidance notes
• electronic system design documents identifying auto-capture of metadata elements, auto-classification, etc. and
Key procedures observed as being implemented. and
Procedures manual identifies quality checks including
responsibility for carrying out quality audits, frequency and
acceptance criteria.
1.2.3 Business-critical records are identified and managed. Link
to 5.3.1 and 6.2.1.
A register of business-critical (or vital) records and a supporting
statement in the public office’s recordkeeping management plan
is evident.
1.2.4 A disaster recovery plan for records is implemented. Link to
3.3.2 and 6.2.1.
Organisational disaster recovery plan or contingency plan exists
and has been communicated to staff.
1.2.5 New (or significantly re-developed or replacement)
business-specific systems are designed to deliver the capability
to meet recordkeeping principles.
New system functional specifications include recordkeeping
requirements. or
New system project plan includes consideration of record
management requirements. and
Documentation is cross-referenced to the relevant Archives New
Zealand recordkeeping standards.
1.2.6 An approved recordkeeping plan is regularly (biennially or
as per existing review cycle) reviewed by senior management.
Recordkeeping plan exists, containing specific detail and
prescription (SMART Objectives and Actions: Specific /
Measurable / Actionable / Relevant / Targets).
Three
1.3.1 Regular reviews of recordkeeping policy and updates are
evident. Link to 4.2.1.
A review schedule is in place. and
The recordkeeping policy and procedures have been updated in
a manner consistent with the public office’s policy framework (e.g.
defined responsibilities, default biennial review or on-demand,
etc).
1.3.2 Regular reviews of recordkeeping procedures and updates
are evident. Link to 4.2.1.
A review schedule is in place. and
Substantive versions of the recordkeeping policy and procedures
are evident.
1.3.3 The public office’s risk management planning considers
recordkeeping risks and mitigation strategies. Risk assessment
includes consideration of meeting PRA requirements.
Records manager (or equivalent) is part of the team developing
the corporate risk management plan. and
A risk management plan is in place and takes account of
recordkeeping capability.
1.3.4 The public office’s business plan (or ISSP – Information
Services Strategic Plan) references recordkeeping outputs and
outcomes. Link to 2.3.2.
The business plan contains references to recordkeeping,
knowledge or information management capabilities, etc.
1.3.5 The public office’s disaster recovery plan is regularly
reviewed.
Disaster recovery plan has evidence of regular review and
testing.
2. Resourcing
Appropriate resources are allocated to recordkeeping
Stage
One
Attributes of Achievement
2.1.1 The public office has defined the recordkeeping roles (i.e.
number, qualifications and/or experience/skill) and related
support resources in order to meet its core information
management requirements.
Examples of Evidence
Clearly defined recordkeeping roles and responsibilities are
documented within organisation charts and job descriptions. and
Recordkeeping resourcing identified within capital and
operational budgets. and
Funding requirements for wider recordkeeping capabilities (for
instance, capital funding and storage requirements) are
documented and sufficient.
2.1.2 The responsibility for creating and managing records is
assigned and communicated to individual staff. Link to 5.1.2.
Documentation exists regarding delegation, performance reviews,
internal processes, job and person specifications.
Staff recordkeeping responsibilities are
reflected in either:
• statement in recordkeeping policy on staff responsibilities
for recordkeeping; and, position descriptions, job
specifications or performance agreements incorporate
standard recordkeeping competency statement, requiring
conformance with the public office’s recordkeeping policy
(including responsibility for record creation); or
• public office’s code of conduct reinforces recordkeeping
policy staff requirements.
Two
2.2.1 The public office has appointed (in-house or out-sourced)
appropriately qualified and/or experienced or skilled
recordkeeping practitioners for all defined roles (whether a
centralised or decentralised organisational structure).
Qualified and/or experienced or skilled recordkeeping
practitioners and professionals are appointed to relevant
recordkeeping roles (e.g. records manager, knowledge manager).
and
Job descriptions and delegations are defined and in use. Link to
1.2.1 and 1.2.2. and
Recordkeeping practitioners or equivalent persons co-ordinate
all recordkeeping tools, systems, practices and resources.
Three
2.3.1 The public office has a proactive human resource
management programme in place to maintain and develop
recordkeeping personnel capacity.
There is clear evidence of approved career planning and
development, or succession plans. and
Recordkeeping staff training logs or registers.
2.3.2 Consideration of future budget and personnel requirements
to sustain improvements in the public office’s recordkeeping
programme. Link to 1.3.4.
The public office’s periodic self-assessment processes
demonstrate incremental improvement in recordkeeping
capability and capacity. Goals and performance measures
developed for identified improvement areas.
3. Training
Staff are trained to achieve recordkeeping requirements
Stage
One
Attributes of Achievement
Examples of Evidence
3.1.1 The public office has conducted an analysis of the
recordkeeping management needs and skills of:
• recordkeeping practitioners; and,
• staff
consistent with their respective roles and responsibility.
Recordkeeping training needs analysis document exists and is
current (or regularly updated).
Two
3.2.1 The responsibility for defining the recordkeeping training
requirements is assigned to the records manager or equivalent
position. Delivery of staff training is assigned to an appropriate
trainer (internal or external).
Documentation within job descriptions.
3.2.2 A recordkeeping training plan is implemented and
maintained. Link to 8.2.1.
A recordkeeping training plan is defined and in place, with
adequate supporting budget and resourcing (including factoring in
anticipated turnover).
This assignment will be dependent on the public office’s
organisational structure (e.g. whether centralised or
decentralised, including outsourced).
‘On-the-job’ coaching is provided by recordkeeping staff.
Training course objectives have been identified.
3.2.3 Staff receive training in:
• the public office’s recordkeeping policies, procedures and
practices (particularly staff obligations and the need to
create and capture records). Link to 5.1.2.
• organisation specific tools and systems, for example,
business classification system or file map, Electronic
Document and Records Management System (EDRMS)
operation, general disposal authorities, etc.
• relevant legislation and standards such as, the Public
Records Act, Official Information Act, Privacy Act, etc.
New staff induction documentation exists, outlining recordkeeping
responsibilities and benefits of proper recordkeeping. and
Staff awareness of recordkeeping policy. or
Information provision via the public office’s intranet.
Training documentation appropriately reflects Archives New
Zealand’s standards and guidance. and
Training delivery documentation (e.g. training course registrations
(external) and training attendee logs (internal), and competency
checklists are in place. and
All (existing and new) staff are trained to use electronic record
system/s.
Three
3.3.1 Recordkeeping training and skills are regularly reviewed.
Link to 4.2.1.
Staff training is evaluated against an appropriate assessment
framework (e.g. completed training questionnaires, etc). and
Refresher or targeted remedial training undertaken based on
assessment of staff recordkeeping practices. and
Recordkeeping responsibilities are assessed as part of
performance review processes.
3.3.2 Recordkeeping staff trained in emergency procedures to
protect and salvage records.
Individual training plans belonging to recordkeeping staff include
emergency procedures, certificates of attendance of courses (in-house or external) on salvaging records. and
Out-sourced storage contract/s define requirements for protection
and salvage activities and assign responsibilities for those
activities. Link to 1.2.4. and
Staff are clear on their responsibilities with respect to the
protection and salvation of records.
4. Monitoring and Review / Reporting
The effectiveness of recordkeeping practices is monitored
Stage
One
Attributes of Achievement
4.1.1 Reporting or review requirements are defined and
documented.
Examples of Evidence
Documented rationale and purpose of recordkeeping reporting is
available to staff. and
Signed-off reporting templates are defined and in place. and
Reporting requirements are built into system specifications for
electronic systems that have been identified as holding electronic
records.
4.1.2 Responsibility for actively monitoring and reporting on both
the public office’s physical and electronic recordkeeping
practices is assigned to the records manager or equivalent
position/s.
Delegated authorities and/or recordkeeping policies explicitly
define the responsibility of the records manager (or equivalent) in
monitoring and reporting activities. and/or
Job description for records manager (or equivalent) explicitly
assigns responsibility for monitoring and reporting across all
recordkeeping systems.
Two
4.2.1 Reviews of various recordkeeping practices are
undertaken and reported to senior management and appropriate
action taken.
Link to 1.3.1, 1.3.2, 3.3.1, 5.3.2, 6.3.1 and 8.3.1.
Recordkeeping monitoring reports distributed to line
management and acted upon. Managers are accountable for
recordkeeping objectives being met and ensuring performance
levels are reported.
Recordkeeping key performance indicators (KPI) and
ad hoc issues are reported to appropriate management level as
per public office schedule (for example, compliance with the PRA
is part of the public office’s compliance framework and is
regularly signed off as per senior management compliance
statements). and
Reports are likely to include monitoring performance metrics such
as storage space utilisation, registration of records (for instance,
comparison of actual versus expected levels, etc), transfer and
disposal trends, quantity and frequency of disposal versus
creation. and
Follow-up management action and response is
evident from management team minutes / decision register or
action lists. or
Monitoring reports, internal audit reports and remedial action
documentation exists.
4.2.2 The creation and capture of records (including associated
metadata assigned manually) is routinely monitored and
corrective action taken accordingly. Link to 1.2.2.
Monitoring records of corrective action/s undertaken, internal
audit or quality assurance procedures. and
Reports identifying numbers of records registered, etc. are
defined and available for review. and
Manually attributed metadata quality reports (either sampling or
automatic reports) are available. and / or
Procedures manual identifies quality checks in place including
responsibility for carrying out quality audits, frequency and
acceptance criteria.
Three
4.3.1 The public office undertakes a systematic self-assessment
(using Archives New Zealand PRA Audit Tool and mandatory
standards) of its recordkeeping capability.
Annual public office self-assessment reported to public office’s
executive. and
Interim staff assessments are reported to management and are
used to identify and track continuous improvement (e.g. update of
training plan and delivery). or
Evidence of an internal audit programme that incorporates
elements of the PRA and associated mandatory standards, as
determined by the public office’s risk management profile and
management programme.
4.3.2 Performance benchmarks are developed, or reviewed, to
set the public office’s targets and measure operational
effectiveness of recordkeeping function.
Performance measures (defined in 4.1.1) are compared to similar
organisations’ performance levels, according to the public office’s
performance management framework and schedule.
5. Creation and Capture
Business activities and decisions are appropriately recorded
Stage
One
Attributes of Achievement
5.1.1 The public office’s (including relevant out-sourced)
functions and business processes are reviewed or analysed to
map recordkeeping requirements (including legislative
requirements, business decisions and transactions).
Examples of Evidence
High level (as required) process mapping or business analysis of
business activities to map recordkeeping requirements (including
legislative requirements, business decisions and transactions).
and
Out-sourced contract templates include recordkeeping
requirements and clauses (refer to Archives New Zealand’s
Guide to Contractors Records G17) and are actively used. and
Risk assessment undertaken to identify business-critical records.
5.1.2 Records of all business decisions and transactions are
systematically and consistently created in a records
management system.
Staff are trained to identify the activities that produce business
records. Link to 3.2.3. Refer to Archives New Zealand’s Fact
Sheet: - Make A Record.
For example, staff are encouraged to create file notes, minutes,
etc. recording business decisions as part of their business as
usual activities. and
Policy, recordkeeping strategy, role and responsibility statements
are defined and in place. Link to 2.1.2.
Two
5.2.1 Physical and electronic records are systematically
captured as part of business as usual activities in a way which
meets the public office’s business requirements.
Link to 1.1.2.
Systems are in place that can adequately manage the public
office’s records. This may include:
• paper-based filing systems
• structured and monitored organisational shared drive/s
(with appropriate security practices, back-up and
systematic file structure)
• line-of-business systems and applications
• recordkeeping system that conforms to Archives New
Zealand’s Electronic Recordkeeping Metadata Standard.
5.2.2 Public office has considered and documented decisions
around the application of minimum point-of-capture and process
metadata elements. Specified minimums should meet at least
Requirements 8 and 9 in the Electronic Recordkeeping
Metadata Standard.
Public records are assigned minimum point-of-capture metadata
elements (e.g. unique identifiers, name etc.). and
Minimum process metadata is associated with public records.
5.2.3 Recordkeeping metadata schemas and schemes are
managed as records in their own right. These are regularly
updated to reflect changes in business activities and structure.
Substantive versions of metadata schemas are available,
together with reasons for changes to the schema/s and/or values
assigned. or
Recordkeeping metadata schemas for individual systems and
applications are documented and maintained. Link to 1.2.1.
5.2.4 The records of the public office are identified and
documented within a business (records) classification scheme
(or schemes where the public office has many functions and/or
semi-autonomous business units).
Business (records) classification scheme (operational or
functional), or file plan exists and has been approved by public
office senior management. or
There are systematic structures used to manage records and the
rationale for these is documented.
Three
5.3.1 Business systems/applications are reviewed and critical
business systems/applications have been identified. Mapping is
undertaken between business systems/applications and the
recordkeeping metadata schema (as per the Electronic
Recordkeeping Metadata Standard’s Technical Specifications).
Systems managers (or equivalent) have related critical business
system functional specifications to recordkeeping metadata
schema in Technical Specifications. or
Mapping documentation exists. or
A list of critical systems and the metadata contained within those
systems exists (as per public office’s business decision
determining which business systems/applications are considered
critical). Link to 1.2.3.
5.3.2 The business classification scheme/s is/are routinely
reviewed for relevance. Link to 4.2.1.
Frequency or rigor of review of business classification scheme/s
(e.g. degree of user involvement or endorsement, reasonable
degree of logical layers, user awareness).
5.3.3 Disposal authorities linked to business classification
scheme so record sentencing is possible at time of record
creation. Link to 8.2.1.
Disposal authorities are mapped to public office’s business
classification system.
6. Retrievability and Security
Records are secure and can be used when required
Stage
One
Attributes of Achievement
6.1.1 The public office manages the location of records it
captures within its recordkeeping system/s over time.
Examples of Evidence
Records can be retrieved when required by the public office
within reasonable timeframes. and
Actions of accessibility and retrievability are defined in the public
office’s recordkeeping procedures and there is evidence the
procedures are being followed. and
Recordkeeping system/s includes appropriate controls and
security, including, for example:
• for physical records there is a list of files, including
locations, in either physical form or in a database
• for electronic records there is an agreed structure and
defined metadata to manage and locate records.
Two
6.2.1 Recordkeeping systems and storage facilities are
protected from unauthorised access, destruction or theft, or from
accidental damage by fire, flood, earthquake, volcanic eruption
or vermin.
Public office security model, (both information security and
physical security) and/or disaster recovery plan, and/or risk
management plan (quantifying the risk of storing records) are
documented and implemented. Link to 1.2.3 and 1.2.4.
6.2.2 Sensitive or restricted records are identified, documented
and controlled. Where applicable, access to records is provided
in accordance with the Official Information Act, Privacy Act and
Security in the Government Sector (SIGS) Manual and
Technical Specifications for the Electronic Recordkeeping
Metadata Standard.
Security model is in place, taking account of SIGS and other
requirements; and, is regularly tested to ensure ongoing
conformance. and
Dedicated storage areas are provided for high risk classes of
records and additional security measures are instigated. and
Records of cultural value (e.g. records of significance to Māori
stakeholders) are identified. and
Procedures for granting and withholding records access are
defined and implemented.
6.2.3 The access status (either open or closed) of public records
over 25 years of age (or pending transfer) is determined
according to Archives New Zealand’s Access Standard and
registered with Archives New Zealand.
Access policy and procedures exists. and
Access status documentation maintained, including rationale for
access decisions. and
Access status recorded in Archives New Zealand’s Access
Register.
See Advisory Notice Making Access Decisions Under the Public
Records Act.
Administration arrangements for public access to records over 25
years of age are documented. Link to 8.2.3.
Three
6.3.1 The ability to locate records is monitored and routinely
audited. Link to 4.2.1.
Survey of record users identifies individuals’ ability to locate
records using the public office’s recordkeeping system/s. or
Exception reports from Official Information Act (OIA) officer
identifying issues in providing information due to retrieval issues.
or
Regular monitoring and reporting identifies quantities of records
retrieved when needed by the public office (within reasonable
timeframes).
Regular audit of storage locations and conditions and reporting to
public office’s risk management team and senior management.
7. Maintenance and Storage
Records are maintained in a manner consistent with their format and value
Stage
One
Attributes of Achievement
Examples of Evidence
7.1.1 All records (regardless of format or media and including
recordkeeping metadata) are managed so they cannot be
altered or deleted without due permission.
Existence of recordkeeping controls to ensure creation of
authentic records. For example:
• appropriate recordkeeping controls including version
control
• metadata schema defined for electronic recordkeeping
systems in accordance with Electronic Recordkeeping
Metadata Standard
• rules around the use of read-only functionality in electronic
systems
• access and loan policy for documents in semi-current /
controlled storage
• file tracking for paper files.
7.1.2 Records must contain both content and sufficient
contextual information necessary to ensure that a link to the
applicable business activity is maintained.
Metadata schema includes rationale for choices and omissions,
and has been assessed against Electronic Recordkeeping
Metadata Standard. and
Metadata is appropriately managed over time to ensure authentic
and reliable records:
• documentation is created outlining how persistent
metadata will be managed. Policies should ensure static
metadata is not over-written by dynamic metadata
• policy exists outlining alterations to recordkeeping
metadata – identify circumstances (e.g. privacy
management) where alterations can occur (as opposed to
adding recordkeeping metadata)
• records are accompanied by appropriate metadata
• records are assigned to an area of the business
classification system
• staff understand and assign appropriate metadata to
records (physical or electronic).
7.1.3 The public office has undertaken a risk-based assessment
of its records storage (based on the Archives New Zealand
Storage Standard) to ensure its records are stored appropriately.
An assessment is undertaken and documented of the public
office’s storage facilities for records against Archives New
Zealand’s Storage Standard and (where applicable) plans in
place to ensure storage facilities comply. or
A storage plan is agreed by senior management.
The facility in which records are stored meets the applicable
Building Code and has appropriate flood and fire protection
systems (demonstrated by Code of Compliance Certificates). and
Shelving equipment and other equipment is appropriate to the
format and size of the record.
Two
7.2.1 Records are reviewed/appraised and stored in accordance
with their value and security needs.
Appraisal processes in place. and
Appraisal reports exist and are approved by appropriate management
tier. and
Storage requirements are defined including requirements for
managing information of a sensitive nature.
Three
7.3.1 Public office must have a storage plan in place if it is
retaining physical records of archival value over 25 years of age.
Public office archival storage plan exists.
Plan must meet requirements of the Storage Standard that apply
to archival records and inactive records of archival value. Link to
8.2.3.
8. Disposal and Transfer
Records are only retained for as long as required and disposed of appropriately
Stage
Attributes of Achievement
Examples of Evidence
One
8.1.1 Core functional records and associated metadata are
appraised and disposal authorities developed.
Appraisal report/s approved by appropriate management tier.
and
Authorised disposal authorities endorsed by public office’s
senior management and authorised by Chief Archivist. and
Business rules around retention of metadata elements agreed
as part of recordkeeping framework.
Disposal of recordkeeping metadata separately from the record
object must be identified in and authorised by a disposal
authority.
Two
8.2.1 The public office applies disposal authorities to classes or
groups of records within the recordkeeping framework.
Disposal authorities mapped to public office’s Business
Classification System. Link to 5.3.3. and
Disposal actions are defined and implemented. and
Procedures, including training, are in place to prevent accidental
or deliberate unauthorised disposal. Link to 3.2.2.
8.2.2 Procedures are in place to manage disposal (including both
the transfer and/or destruction) of records as soon as they are no
longer needed for business use as per the authorised retention
and disposal schedule.
Procedures in place to ensure records are closed once no longer
needed for current business purposes.
Disposal process is documented and lists/evidence of
destroyed records are retained for as long as required. and
Regular destruction of records authorised for destruction that
are no longer required for business use. and
Regular transfer of records of archival value to Archives New
Zealand or deferral of transfer is undertaken. or
Public office has deferral agreements in place. or
Public office has signed up to Archives New Zealand’s Legacy
Records Programme.
8.2.3 Appropriate deferral agreements are in place, for records
that are over 25 years of age, but are still administratively required
by the public office. Link to 7.3.1.
Deferral process exists, including templates and sign-off
process. and
Register of disposal actions exists that identifies the reason for
deferral and the individual / role accepting the deferral
recommendation. and
Deferred Transfer Agreement exists. and
Administration arrangements for public access to public records
over 25 years of age are documented. Link to 6.2.3.
8.2.4 The minimum recordkeeping metadata associated with
records as defined in the Electronic Recordkeeping Metadata
Standard (this recordkeeping metadata is sometimes known as a
metadata stub) is retained after disposal action for as long as is
administratively required.
Recordkeeping metadata associated with records is
documented as part of the appraisal process and identified in
appraisal reports (as either a metadata stub in an electronic
system or as part of the appraisal list in a physical system). and
Recordkeeping policy identifies retention of minimum
recordkeeping metadata following the disposal of the record
object as identified in the Electronic Recordkeeping Metadata
Standard Requirement 15.
Three
8.3.1 Public office disposal programme is monitored and
reviewed. Link to 4.2.1.
Disposal controls and monitoring reports are defined and
regularly reported to appropriate management tier.
8.3.2 Regular and efficient records disposal occurs as part of the
public office’s recordkeeping framework.
Disposal occurs on a regular basis. and
Records do not build-up unnecessarily. and
Disposal schedules are reviewed and revised following
expiration. and
Evidence that regular transfers to Archives New Zealand are
planned.