Records management audit framework

Our procedure to ensure good practice in records management.



Records management is the process by which the NHS Counter Fraud Authority (NHSCFA) manages all the aspects of a record, whether internally or externally generated and in any format or media type, from creation to eventual disposal.

The NHSCFA is committed to conducting regular audits of its records management and recordkeeping practices that will demonstrate and provide assurance of its compliance with records management good practice standards.

Audits will be undertaken with a view to offering the Board assurance against identified risks. Approval for agreeing the annual Information Governance Assurance programme and the resource (whether internal or external) rests with the Board and Audit Risk Committee (ARC).

NHSCFA will measure good practice required across a number of standards, including the Information Governance Alliance’s ‘Records Management Code of Practice for Health and Social Care’ and the Lord Chancellor’s Code of Practice on the management of records.

This framework is designed to support and ensure the implementation of the policies and procedures governing records management in the NHSCFA and should be read in conjunction with the following organisational policies:

  • NHSCFA - Data Handling, Storage, Retention and Records Management policy; and
  • NHSCFA Data Protection (GDPR) policy

All NHS records are public records under the Public Records Act 1958. The NHSCFA will also take action as necessary to comply with the legal and best practice obligations set out in the following non exhaustive list:

and any new legislation or best practice guidance affecting records management as it arises.

Scope and conduct of an audit

The audit scope and requirement may relate to any operational records held in any format by the NHSCFA and all actions related to those records from planning and creation to ultimate disposal.

Audits may evaluate, measure and test compliance within the key components of records management: creation, retention, maintenance, its use and disposal. Audits should be planned, executed and reported on in as structured a way as possible.

Audits may be conducted across the NHSCFA as a whole or limited to a single business unit or set of records. There may be instances when this will be limited to a particular aspect of recordkeeping or records management. Concerns regarding information governance practices should initially be raised through unit business Leads and forwarded to the Information Governance Lead.

Irrespective of whether the assurance work is conducted by NHSCFA’s own Governance and Assurance team or the Government Internal Audit Agency’s function, a formal term of reference will be produced by the assurance service and agreed with the designated Audit Sponsor. The audit report will then be shared with the Information Governance Lead, who will discuss and oversee the implementation of any recommendations with the Board Secretary.

Roles and responsibilities

Chief Executive

The Chief Executive has overall responsibility for records management in the NHSCFA. As accountable officer they are responsible for the management of the organisation and for ensuring appropriate mechanisms are in place to audit the quality and compliance of its business activities.

The Director of Finance & Corporate Governance Unit (F&CG) The Director of F&CG is responsible for ensuring that this framework is implemented and kept up to date. This responsibility has been delegated to the Board Secretary who will be responsible for agreeing/overseeing a regular programme of audit for records management and for reporting updates to the Board and the ARC on progress, including any significant areas of non-compliance.

Business Unit Leads

The responsibility for local records management is devolved to the relevant Business Leads. Where audits are undertaken, the Business Leads will be responsible for ensuring that staff cooperate with auditors conducting the audit and for ensuring that outcomes, including required improvements are acted upon.

All staff

All NHSCFA staff who create, receive or use records, will have recordkeeping and records management responsibilities. This includes facilitating any audits of records for which they or their business area are responsible.

Validity of this framework

This framework will be reviewed annually under the authority of the NHSCFA Board.

Help us improve

Tell us what's happened so we can fix the problem. Please do not provide any personal, identifiable or sensitive information.


Thanks for the feedback!