Article
Information Audit: Towards common standards and methodology
Business Information Review
29(1) 39-51
© The Author(s) 2012
Reprints and permission:
sagepub.co.uk/journalsPermissions.nav
DOI: 10.1177/0266382112436791
bir.sagepub.com
Peter Griffiths
Independent Information Specialist
Abstract
This article further analyses a number of issues highlighted in a previous discussion of the current state of Information Audit (IA), and offers a graphical representation of the IA landscape.
Library and Information Science (LIS) struggles to establish its 'soft' approach to IA as the leading methodology despite repeated endorsement by authors in other professional groups with some kind of interest in information management. They have found the LIS IA methodology using analysis of information needs and flows to be a useful analytical tool that allows them to evaluate information assets and to demonstrate compliance in asset management - whether those assets are financial, documentary or intangibles such as know-how. Since the implementation of Freedom of Information legislation, records management has espoused a strong focus on compliance and the avoidance of penalties for data protection breaches, but recent publications suggest that organizations of all kinds are adopting this finance- and accountancy-driven approach to information audit. This may be because it is seen as best able to manage the growing complexity of regulation and legislation (local, national and international) that affects information management.
Forming strategic alliances with other players, the information profession must take the lead in establishing standard IA procedures and definitions drawing on its own praxis, which is widely accepted by other disciplines. There needs to be a single point of call for standardizing and accrediting IA skills, with the creation of a supporting body of knowledge whose evidence base goes beyond standard journal literature and monographs to include the now considerable corpus of unpublished theses as well as papers in languages other than English. As IA is adopted by a growing number of professional disciplines, LIS and KIM (Knowledge and Information Management) professionals - and also some finance professionals -can now find and seize opportunities beyond the boundaries of more traditional information work.
Keywords
audit methodology, compliance, evidence, financial audit, information asset registration, information audit, information management, knowledge management, leadership, records management, regulatory compliance, skills accreditation, valuation
Introduction
In a previous Business Information Review article Griffiths (2010) highlighted the multiple approaches to information audit (IA)1 that are now discernible in the literature and in practice, and considered claims on ownership of the topic among information scientists, financial accountants, internal auditors, records managers, information security professionals, and competitive intelligence professionals. This update focuses on issues of business information management; technical aspects of information management issues will be explored in greater detail in the technical press.
The previous article highlighted a number of areas where further work was required: to establish agreed definitions of IA skills and of IA itself across interested sectors; to establish leadership and future ways of working on IA;
and to examine the role and potential of information asset registration. This analysis is developed here using further recent case studies and considering additional factors that have come to light, such as national practice and the adoption of IA as an analytical tool in emerging professions. There are concerns that the wider adoption and adaptation of IA techniques by such new disciplines is making it progressively more difficult to set standards and competencies, and that given the shortage of case studies it remains difficult to turn IA theory into good practice.
Corresponding author:
Peter Griffiths
Email: pdg@dircon.co.uk
Downloaded Irom bir.sagepub.com at PENNSYLVANIA STATE UNIV on September 17, 2016
40
Business Information Review 29(1)
The Need for Common Guidelines and Standards
Although the information profession as codified by library and information science (LIS) has a body of literature, experience and knowledge of IA going back over 30 years, there is still no universal acceptance of its methodology. Two of its approaches in particular, those of Henczel (2000) and of Buchanan and Gibbs (2007), are widely cited as models - now also, as will be seen, in domains unrelated to LIS - but its comparatively 'soft' methodology, focusing on information flows rather than on compliance or asset monitoring, has been slow to be adopted as a generally applied technique. Recent literature suggests rather that either the information professional approach to IA is being used as a bridge to another approach, or that freedom of information (FOI), data protection (DP), financial and other regulation has led to a 'harder' approach based on compliance with standards set by legislators or other bodies with a quasi-legal function.
Despite the growing body of discussion there continues to be a lack of accepted guidelines or agreed standards for IA, even though these exist in other forms of audit and in related activities such as information systems management. In confirming this observation Aleliunas and Atkociuniene
(2010) also remark that in the absence of these agreed standards there is no minimum level of acceptable information audit performance. Because of this, discussion tends to be theoretical and stakeholders and shareholders have no real idea of what information auditors actually do. In this context it is interesting to find a recent Chinese study (Xiangling Fu and Xiaoyan Zhang, 2009) that describes a synthetic information audit. Because of what the authors perceive as a lack of practical examples they derive a methodology by combining elements of the main published approaches to IA, and apply it theoretically to a model of a large-sized Chinese company.
Aleliunas and Atkociuniene further note that in several business domains standards are set by external bodies (e.g. the ISO 27000 series standards and ISACA COBIT Baseline for information security). Compliance management therefore falls naturally not to IA professionals but to groups such as information security professionals who are the primary users of these standards. They discuss the role of IA as part of a range of business tools, as does Sidlichovska
(2011) who describes the IA process using Henczel's model before suggesting using it as part of a package including other techniques for measuring the quality of information management. She would also use mystery shopping, needs analysis, content analysis, SWOT analysis and expert interviews. From a discussion of all these elements she concludes that a standardized audit would allow direct comparison of the information management performance of a group of organizations (in the case of her study, bodies within the Czech public sector).
The pragmatic solution to this problem would be to adopt a widely endorsed methodology as a starting point, and then either to adopt the various survey instruments associated with that methodology, or else to design new forms that align with the chosen approach. The obvious candidate to become the base methodology is either Henczel or Buchanan and Gibbs, where a body of commentary, critical assessment and case studies already exists, along with some teaching materials from training courses.
However, this raises a problem in sectors such as finance where a detailed or extended audit is required because compliance requirements may be complex and may be governed by overseas legislation as well as that of the country where the organization is based. This means that any existing published methodology is likely to need extension to include these local requirements. Where there are factors that appear only in a defined business area such as banking or legal services (e.g. requirements to comply with sector-specific regulation), a bespoke process will be needed for the extended enquiry, although a single extended survey instrument could be devised for use across a particular sector regardless of geographical location. In any case, adopting a published methodology does not guarantee simplicity. Raliphada and Botha (2006) tested Henczel's method in a South African public sector environment but only completed five of the seven elements, noting that although there are benefits, the method is repetitive and cumbersome. By stopping before the implementation and continuum stages of Henczel's model, Raphilada and Botha raise concerns about the robustness of the lessons from this case study, and suggest that during a large-scale audit using Henczel's methodology, fatigue might lead to error in the analysis and outcomes. Meanwhile Vo-Tran (2010, 2011a, 2011b) proposes combining Henczel's methodology with the Action Research methodology in order to audit the information held by an Australian architectural practice as it designs a new building for a university.
Recent contributions to the literature of IA have tended to widen rather than define its scope, which makes it increasingly urgent that there should be agreed definitions of IA activities as a first step toward common guidelines.
The Information Audit Islands
In order to establish these agreed and widely-used definitions, it is first necessary to establish the domains where reports of IA practice appear from which to draw the detail. Figure 1 represents IA in diagrammatic form as a kind of map showing 'islands' within the 'sea' of IA inhabited by the various professional groups (who might here be called 'tribes') with a role in IA. These islands are arranged in broad groups clustering those functions that tend to report to the CFO (to the left) and the CIO (to the right). IA appears at the core within a list of core corporate functions in the central column; these functions may be
Downloaded Irom bir.sagepub.com at PENNSYLVANIA STATE UNIV on September 17, 2016
Griffiths
41
INFORMATION AUDIT AS THE HUB
Investor/ public requirements
Corporate governance
Business benefit I responsibility .
External financial audit
/Share/stake holders perspective/
Financial policy
Financial management, management and cost accounting, accounting standards ^statutory reporting
Accountants, analysts, " ■> budget controllers & auditors.
Internal audit
Internal & organisational control & compliance
Information policy
Purpose, product definition & information assurance .
Private/public sector/social responsibility information needs
Share I stakeholder /public sector and community confidence
GOVERNED BY ( CIO -
Information scientists
Information governance
Accountability I accuracy I usability transparency I management
Knowledge audit
Information Audit
Role, principles, guidelines, compliance control and a learning experience
<L  IS/fURM professionals
Information systems audit:
Integrity, quality, reliability & sustainabllty
vO.4.1: GR-30Í11/2011
© Graham Robertson 2012
Information security
Business operation I risk
Technical systems / platform management/audit
Infrastructure provision* user competence
Knowledge management j
Identification of Intellectual propeny, ^business Intelligence, innovation^
KIM/LIS/RM/IS professionals
"Records survey/audit'
(Vital records management/ risk management?)
IS/TT/RM professionals
Personal data protection management/audit
(operational competence/ statutory compliance?)
Figure I. The IA Islands 'map' diagram (© Graham Robertson 2012).
Notes: CFO - Chief Finance Officer; CIO - Chief Information Officer; IA - Information Audit; IM - Information Management; IS - Information Systems; IT - Information Technology; KIM - Knowledge and Information Management; LIS - Library and Information Science; RM - Records Management
provided by either the CFO or CIO, or by other parts of the organization.
The 'islands diagram' provides a starting point and structure for the analysis in this article, which considers activity on each island or a group of islands. The geographical metaphor could be extended by considering that there are tall buildings on some of the islands, representing activities in vertical markets. Among these (as will be seen in the following discussions) are buildings containing legal services, tourism and travel services, and banking: these are built when case studies are published describing the use of information audit in those sectors. A further extension of the metaphor might be to represent enclaves of particular national groups where it is evident that IA has particular dimensions as a result of national legal requirements, or national custom and good practice. (For example the Technical Systems island at the foot of the centre column would have a Romanian enclave representing the view there - discussed later - that, as part of their audit, IT systems auditors must review not only the technology but the information held within a system).
Towards a Definition of Information Audit
The 'Information Audit Island' lies at the centre of the map, representing its central role in this discussion and its central
role within organizational management. What is the role of IA within the organization, and what is the role of the information auditor? As set out by Griffiths (2010), these are difficult questions to answer because of inherent confusion in the terminology, whose meaning varies according to whichever of the 'IA tribes' is staking its claim to lead on the issue. However the literature produced by 'tribes' shows their broad agreement on a number of activities comprised within the scope of IA. As a minimum, the role of the information auditor covers:
• Verifying that information added to a corporate or other information system is authentic and accurate;
• Verifying the provenance of information within a system (e.g. to support the management of intellectual property, and to ensure integrity throughout its presence within the system being audited);
• Verifying the proper functioning of the information storage and retrieval system, including logging access, amendment/alteration, overwriting and deletion of information entities;
• Assessing the economic value of information resources within corporate systems and deriving a financial value that may (or may not) be shown in the organization's accounts - with the implication that applying an actual or notional financial value creates an asset that entails
Downloaded from bir.sagepub.com at PENNSYLVANIA STATE UNIV on September 17, 2016
42
Business Information Review 29(1)
certain standards of stewardship for the information, and also that this value is at least partly created by the context provided by the corporate owner or licensee; • Assessing the informational value of the content of corporate systems - i.e. verifying not only the physical integrity of information but rating its accuracy, timeliness, reliability, relevance, degree of duplication or uniqueness, and other elements that might be used to establish a score for the value of the actual knowledge or information content to the organization.
It is striking that this common core does not include elements that are essential in the LIS/KIM professional view of IA, and seems to lie closer to the activities of financial audit than to professional practice in LIS or KIM. These core activities are (rightly) concerned with verification and authenticity, which the KIM professional might consider to be elements of information literacy or digital literacy, but they do not for example consider whether information resources meet information needs, are held in multiple versions or are effectively and properly licensed. They include neither analysis of published and unpublished information resources and flows, nor records management or knowledge audit activities, nor the compilation of information (or data) asset registers. So despite the appearance that they are a 'hard' and defining set of activities capable of being assessed against notions such as 'compliance' (with 'regulation') or 'accuracy', these common core elements with their strong bias to accountancy are insufficient on their own to provide a full definition of IA.
Recent additions to the literature propose further IA activities but some of these could be argued to be either non-core IA activities, or to be activities that have been assigned to IA by commentators who are actually describing a different function such as information systems audit or internal audit. This can happen where practitioners whose first language is not English, use the term IA to describe one of these other activities. For example Griffiths alluded to but did not analyse the claim by information systems auditors to be information audit practitioners. Rus and Danescu (2010) indicate that in Romania, systems auditors already consider that their activities include IA. They argue that their IT systems audits necessarily include checks on the integrity of information whilst it is within the systems being audited. (Further research may prove this to be the case in other countries). To represent this, the Systems Audit 'island' could be shown with a Romanian enclave, and as analysis of the literature develops there may be similar enclaves representing local practices to be discovered on other islands.
This 'map' is very much a work in progress. New islands will appear on this diagram when a further group adopts IA as a methodology for their professional activities. There may be some changes in population and government
depending on further analysis, discovery, and commentary by practitioners and academics as this project progresses.
Leadership Roles in IA
Preparation of this article began with the assumptions that it would be readily possible to describe a combination of the information professional and accounting professional approaches to IA, and that it would be simple to outline joint standards for future audits. However, research identifies further professions using IA (although as noted earlier a number of these acknowledge the two principal information professional methodologies of Henczel and of Buchanan and Gibbs) and new contenders claiming to lead work on IA, sometimes based on practice in particular countries. These findings cause some dismay as they add further fragmentation to an already complex picture. But they suggest that IA could offer considerable potential for information professionals who have been displaced from more traditional LIS work as well as for other professionals seeking new challenges.
The 'island diagram' indicates the domains managed by the two Chief Officers with the greatest professional interests in IA, namely the Chief Information Officer (CIO) and Chief Finance Officer (CFO). The role of the CIO should be distinguished from that of a Chief Technology Officer (CTO) despite the fact that many public sector CIOs are primarily concerned with technology, not information; paradoxically, a CTO often works as their subordinate taking day-to-day charge of corporate information and communications technology. On the left of the map is the domain of the CFO; on the right is the CIO. An exhaustive list of the areas for which they are responsible is not included here, but note that their responsibilities overlap (the islands in the central group) and have an outward-facing as well as an internal element. For example, the CIO role is responsible for information required by investors and potential investors in the organization, for information relating to corporate social responsibility, and for environmental information, as well as for internal information resources.
The CIO thus plays a role in maintaining shareholder and stakeholder confidence, and in keeping good relations with the client community and the public at large. Griffiths et al. (2006) argue that LIS professionals have a unique combination of skills making them the natural focus for corporate reputation monitoring (a role now becoming known as the Chief Listening Officer, as is found at Dell, for example): this is a role that is embraced comfortably within the CIO domain under discussion here. Carrillo-Duran and Nuno-Moran (2010) develop this argument, asserting that information professionals should take the role of corporate image managers as well as (quasi-passive) reputation monitors; their discussion identifies various reputation audit methodologies suitable for use by documentalists
Downloaded Irom bir.sagepub.com at PENNSYLVANIA STATE UNIV on September 17, 2016
Griffiths
43
or information managers. Reputation monitoring aligns too with the interests of the growing business intelligence community, for which the CIO should also be responsible. The management of corporate intellectual property (IP) completes this group of CIO interests, building on the long standing interest of LIS professionals in copyright and IP generally.
Fanning (2007, 2008) in his wide-ranging and often very perceptive discussion of both public and private sectors, considers the variety of corporate roles that are given responsibility for IA. He concludes that a new role of Chief Information Manager is required, with strategic skills rather than IS/IT, and with a short reporting line to board level. He believes that librarians have strong potential for this role, but 'this can only be the case when they are proactive ... or are able to position themselves as the 'eyes and ears' of the organization'. In Farming's view, IA practitioners must position themselves as 'an essential constituent of market research, strategic planning, business development, risk assessment, compliance, etc' in the same way as competitive intelligence practitioners. Like other contributors noted here, Fanning also comments on the perceived burden of IA as an administrative overhead process rather than an essential business tool delivering efficiency and savings.
The literature expresses general support for a common core of IA activities that are concerned with 'hard' notions of compliance, regulation and accuracy. It is therefore puzzling that the information profession appears generally unable to command similar support for its complementary 'soft' activities and competencies, for these provide a framework for understanding the use, flows and value of this compliant, regulated and accurate information. Among information professionals, only records managers have raised their profile in this field, as they have become corporate experts on compliance with regulation and the avoidance of the increasingly severe penalties for breaches of data protection and freedom of information legislation.
Parts of the skill set required by an IA practitioner fall into the spheres of interest of several different professional associations. However the key work to establish and develop IA has been done by information professionals so it would be logical for them to take the lead, forming strategic alliances with other players, in establishing standard procedures and definitions - such as what exactly constitutes an information asset, and how should it be registered and accounted for. Most importantly, there must be a single point of call for standardizing and accrediting IA skills, underpinned by a body of knowledge whose supporting evidence base goes beyond standard journal literature and monographs to include the now considerable corpus of unpublished theses and papers in languages other than English. An information professional body should undertake this role, encouraging a collegiate approach. A further benefit of this arrangement would be that body's
ability to tap into the professional skills needed to deliver effective horizon scanning for forthcoming changes to regulation or new studies by IA practitioners.
The Value of Business Information Assets
Debate continues without final agreement around the valuation of information held within a business. The discussion of the accountancy-based approach to IA by Griffiths (2010) describes the problem of deriving a financial value for corporate information in an organization's balance sheet. In their report for the Parliament-based EURIM group, Higson and Waltho (2010: 9) point to the long-running debate about the admissibility, under accounting rules, of intellectual capital and information assets as corporate assets on published balance sheets. The work of the Hawley Committee in the 1990s first sparked discussion in the UK which was continued by the IMPACT Programme, leading for example Home (1998) to argue that the difference between an organization's value in terms of its tangible assets and the value of its stock and market standing must be accounted for by the value of its intangible assets, primarily its intellectual capital. Koenig (1997, 1998) summarizes the issues, while Higson and Waltho observe that the accounting rules make knowledge-based companies such as pharmaceutical researchers and web developers worth far more than the value of their tangible assets, explaining why such large sums exchange hands on the basis of a company's likely future knowledge-derived profits rather than its present performance.
Sandori (2001) draws from work by Koenig, Laurence Prusak, Tom Peters and others to compile a list of intellectual capital assets that would produce these knowledge-based profits: the list includes patents, publications, licences and the income from them, products and the time taken to bring them to market (both of which can be compared with competitors to establish a ratio for comparison), training (including value from presentations made to an organization's employees by external speakers, and from conference attendance), database searches, the contents of communities of practice and intranets, knowledge maps and inventories.
Having compiled this extensive catalogue, which goes far beyond the content of the corporate library or file store, Sandori then points to the findings of Wilson, Stenson, and Oppenheim (2000) who describe the reluctance of British companies to assess the value of their information assets and considers the reasons for this reticence. Wilson et al. were surprised to find that UK companies appeared not to be using FRS10, the UK financial reporting standard for goodwill and intangible assets, to value their information assets. Problems were reported in establishing what constitutes an information asset while many organizations simply did not believe that information should be categorized as an asset or valued for inclusion on the balance sheet. The
Downloaded Irom bir.sagepub.com at PENNSYLVANIA STATE UNIV on September 17, 2016
44
Business Information Review 29(1)
information assets considered most important by interviewees were internally-generated and typically not valued for internal purposes, so that there was little impetus to include information assets on the balance sheet - perhaps because it could be unwise to report externally that which had not been addressed internally. From the information science viewpoint, Yates-Mercer and Bawden (2002) drew on a wide range of sources to reach similar conclusions whilst Wilson and Stenson (2008) updated their previously published arguments with a further literature review, but also essentially restated this problem. The British academics El-Tawy and Abdel-Kader (2011) recently argued to an international conference on information systems that a new approach is needed to recognize and account for intangible information assets. It is notable that although their audience was from their own field of systems management, their case was built on papers published in the fields of information management and librarianship over the past 20 years. In summary, there has been little progress for some time in getting businesses to deal with the problem, but there are frequent restatements of the issue to a growing range of professional disciplines.
A consequence is that neither the purpose nor the practice of IA has been widely embraced in the organizations that could reap the benefits that are clearly set out in much of the literature reviewed and cited here. The benefits also include the ability to take an overall view of corporate finance that embraces: the financial value of information assets and intellectual property; effective asset management and exploitation, including a true reflection of the organization's value on the balance sheet; assurance - in the sense of comfort as well as indemnity - regarding legal compliance; and knowledge in the boardroom that the organization is proof against the legal action or public criticism that might be levelled by the relevant Information Commissioner,2 or qualification of accounts by the relevant audit body.
Perhaps the most difficult message to get across is that information management is everyone's responsibility within the organization. But that is not to set aside a corporate management responsibility to publish internal guidelines for information management and governance, supported by training and enforced if necessary. One obstacle to achieving this is the poor reputation of audit within many organizations, and confusion of the various kinds of audit.
Changing the Image of Audit
Information audit suffers by sharing some of the image of internal audit, being potentially viewed as a 'corporate policeman' or 'witch-finder'. The positive value of IA needs to be communicated in a way that overcomes the widespread negative perception. KPMG explains the problem succinctly:
The goal of audit [... ] must be to ensure that financial reporting is of the highest quality. But at the end of the day it is a mistake to see corporate governance and [audit] purely in terms of compliance - the audit committee as corporate policeman.
Clearly, audit committees have an important role in relation to reporting and ensuring compliance. But they have an equally important role alongside the board as a whole -in ensuring that the business seizes the opportunity to use any new regulatory framework imaginatively. (Wardle and Lai, 2004)
Jones and Burwell (2004) go further:
No one wants an audit to occur. An audit has the smell of seeking problems and laying blame ... Organizations conducting an audit call them something else. [They] conduct related processes, such as a collection satisfaction survey, and refer to that as an audit. This aversion to the name contributes to confusion surrounding what an information audit actually is. It ... diffuses the true impact an audit can have on the organization, (p. 53)
Any one of the recent high-profile stories in the UK about misuse of information will reiterate the need for information audit to show what resources are available, where they have been obtained (and one hopes verified) and who has had access to them. Yet it sells IA short to regard it only as a tool to be used in some process of witch-hunting to reveal offences and offenders in information handling and management, and its negative image as summarized by Jones and Burwell continues to dilute its potential value.
Many institutions produce internal guidance explaining IA programmes and setting out the benefits for their members and employees; among these are for example a number of UK universities and colleges. However the benefits often fail the ' WIIFM' (What's In It For Me) test. Setting consistent document retention periods (as described by SOAS (2008) in its statement of benefits) is only a benefit for records managers, while many would consider the transfer to a remote central secure store of key corporate documents identified by an audit to be a hindrance to any team that used those documents frequently. A rather more appealing case can be made by highlighting issues such as the potential to reduce information overload on teams and individuals.
IA should be collaborative and non-confrontational, and should deliver assurance and benefits that can be explained persuasively at corporate and team levels. It should be a continuous process of discovery where current practice is compared with standards and regulation as well as business needs. Best practice should be derived, shared and applied to ensure compliance with regulation and in order to meet and exceed expectations as well as standards. IA should identify, catalogue and preferably categorize information
Downloaded Irom bir.sagepub.com at PENNSYLVANIA STATE UNIV on September 17, 2016
Griffiths
45
assets within the organization, ensuring that these are exploited for the greatest corporate benefit, and that those assets are properly valued and managed within the terms of required practice or the best available optional standards.
With positive stories to share, the IA team can emphasize the benefits of audit rather than reinforcing any negative impressions.
The Need to Manage Compliance
It was noted earlier that giving the auditor the role of compliance monitor ('corporate policeman') alters the perception of the audit role among those creating and managing information within an organization. Yet some corporate function must be responsible for checking and if necessary enforcing compliance, while the organization as a whole needs to understand that there are legal constraints that mandate its compliance. Just a few of these constraints are, depending on the sector concerned, Freedom of Information legislation, Data Protection legislation, Sarbanes-Oxley, the Basel II Accord, Gramm-Leach-Bliley (USA), LSF (loi 2003-706, the French law on financial security), EU directives such as Solvency II (insurance industry), privacy legislation, and information security standards such as COBIT. A compliance check is an important element of audit, which requires proper identification and registration of information assets subject to compliance measures as well as assurance that proper controls are in place and are being applied.
Compliance may also have implications for other professional groups related to information managers - for example, risk managers in the case of the Basel II accord (Wright, 2005). However this does not reduce the importance of information audit within organizations subject to these legislative and regulatory constraints; it simply reinforces the importance of IA in a wide range of business situations.
In this respect there is also the need for a business intelligence function that identifies forthcoming legislation and regulation that will apply to an organization. This will ensure that the organization is always aware of corporate information assets that are or that will become subject to compliance checks, and is not inadvertently put in breach of new requirements. Auditors need to be aware that regulations from foreign jurisdictions can apply to their own organizations, and that horizon scanning should include a watch on new legislation and regulations in all countries where the organization has or could have business interests. (For further discussion see Mainelli, 2005). Controls may also need to be put in place in respect of information collected to meet the requirements of anti-terrorism or anti-money-laundering legislation, as that information is likely to be subject to restrictions on its re-use or sharing.
There should also be concern that IA practitioners may be placing emphasis on the quality of the subject
organization's data processing when the key element should be an assessment of the quality of the data itself. Even if data has been accurately identified, listed and allocated to named owners, and owners have agreed retention schedules, this is of little use if the data is of poor quality. Bad data has little or no value as an asset of an organization and may pose a risk if business decisions are based on it. It would be useful to find a confidence indicator that provides a rating of data quality alongside other elements of the description provided in an IAR or an auditor's report.
Information Systems Audit
Some current contributions (Aleliunas and Atkočitiniené (2010), Rus and Dansecu (2010), Šidlichovská (2011)) have blurred the boundary between IA and information systems audit. Šidlichovská for example explicitly recommends Henczel's methodology as a method suited to the initial stages of an information systems audit, but does not argue for the involvement of LIS professionals to administer it. Meanwhile, as noted earlier, El-Tawy and Abdel-Kader (2011) presented their findings about information asset valuation to a conference on information systems management, despite their recommendation of a range of methodologies drawn from information management and librarianship. The reasoning in all these cases is that the information within a system is an integral part of the system itself, and the system may have been designed to suit the structure of the information, so that an information audit is an essential and integral part of a systems audit. This thinking contrasts distinctly with earlier work where systems audit was described in terms of hardware functionality and portrayed as a function of the IT specialism without reference to the records or information management professions.
It is becoming more difficult to argue that information systems audit is a task to be undertaken solely by information systems (IS) management professionals, despite the claims by Rus and Danescu (2010). IT professionals design the database systems that contain data, and there are roles for other professionals who have not so far appeared in our discussion such as information architects who may be responsible for data structures and the relationships between elements of the database. Records management professionals may also be involved in the design of information systems and potentially in their audit, for example in setting and monitoring retention schedules. Among the concerns of IS auditors will be the integrity and reliability of the systems (including back-ups), data quality (does the system maintain and deliver high quality data, without corruption or alteration?) and the sustainability of the system and the data it contains (is it scalable, or is there a limit beyond it will not operate?). These elements take on particular importance when an audit is carried out as a preliminary  to  a   systems  upgrade,   for  example the
Downloaded Irom bir.sagepub.com at PENNSYLVANIA STATE UNIV on September 17, 2016
46
Business Information Review 29(1)
migration of an intranet to a more recent version of SharePoint.
The literature now includes studies by practitioners in a number of what might be considered 'vertical markets' - in other words, specific business sectors that have proposed or adopted IA as an appropriate method of information management. These sectorial case studies demonstrate how IA can be applied in a wide range of contexts and include: tourist information (Fryc, 2010; Gonzales Guitian, 2009), banking (Soy and Bustelo, 1999; Theakston, 1998), public utilities (Ganesan, 2003; Scholey, 2008), legal services (Doherty, 2004; Ferreira, 2006; Rigney, 2002) and professional bodies (Asensio, 2006 - a study of the Spanish legal profession).
Some practitioners report recent use of IA to assess and value the content of websites, again with frequent citations and recommendations of the approaches developed by information management professionals.
• The assessment of the website of Univerzity Karlovy [Charles University], Prague by Dombrovska and Skolkova (2006) used a methodology (Dombrovska, Ocko and Zeman, 2005) that drew on the work of several authors from the LIS domain (Henczel, Buchanan and Gibb, Orna, Dubois and Horton). The Czech information literacy society SPRIG states that it is developing this methodology further (SPRIG, 2008).
• In the field of leisure science, Fryc (2010) assesses a range of government-owned websites promoting various tourist destinations in order to judge their effectiveness, based not only on their attractiveness and ease of use but on the quality, quantity, breadth and completeness of the information provided. This is described as an information audit - which, whilst not strictly accurate in terms of what the LIS or accountancy professions might understand by the term, describes succinctly a process where not only the accessibility and functionality of a website is audited but also the accuracy and coverage of the information content and its value as an asset in first attracting and then adequately informing new tourists to a particular destination.
Although many available studies are based on the work of the key theorists of IA in the field of LIS, it is difficult to draw any standards or universal conclusions from them. A number of writers comment on the problems of applying published methodologies that are inadequate when auditing sectors that have their own statutory requirements or regulations that affect information management. The publication of this wide range of studies also adds complexity to the picture of IA since the term is not always applied in the sense that the information profession or other groups would acknowledge.
Information Asset Registration
Once an organization accepts that information entities are valid corporate assets, it must take steps to treat its information assets with similar care to its financial and physical assets. Information assets must be registered, audited and tracked through an Information Asset Register (IAR). Because value can fall, rise or be transformed by association with other assets,3 the IAR must be more than a simple list of which information entities are owned.
An IA may be undertaken as a means of matching information resources to business requirements (i.e. generating benefit through alignment of needs and provision) as a possible precursor to improving corporate knowledge management, or it may be done as a means of generating and then managing an IAR that will possibly include estimates of the financial values of those resources. Conflict between these two approaches is not inevitable, but it demands proper project planning and management if there is to be clarity for the auditors and for the organization.
In the United Kingdom, IARs have mainly been tools used by public sector organizations. Driven by the impetus to make public sector information (PSI) available for reuse, and led by a succession of bodies from Her Majesty's Stationery Office to The National Archives, work has gone on for well over a decade to develop and implement standards and to publish registers from a number of government departments, agencies and other bodies. However coverage remains rudimentary and incomplete because there has been no element of compulsion whilst active management and promotion of the IAR has been confined to a small group of LIS practitioners. The adoption of standards based on Dublin Core has reinforced a tendency to focus on bibliographic description of paper documents published in multiple copies for internal or external distribution, while some database assets are now listed on data.gov.uk but have never appeared on a departmental IAR. Government IARs have in effect been specialist library catalogues of published and semi-published departmental documents such as reports and research summaries. Even the requirements of Freedom of Information (FOI) legislation proved insufficient to raise awareness or widespread adoption of IARs: instead organizations issued Publication Schemes (often through their records managers not their librarians) identifying broad classes of published material rather than creating or adding to registers of individual items.
This explains why, despite over a decade of work on government IARs, EURIM still felt it necessary in 2009 to propose that 'the National Audit Office (NAO) should require all Central Government Bodies and Agencies to include Information Asset Registers in their annual reports to common standards' (EURIM, 2009) or that a respondent to the House of Commons Public Affairs Committee enquiry on Government IT should note in evidence in 2011 that: 'Most organizations do not have an information
Downloaded Irom bir.sagepub.com at PENNSYLVANIA STATE UNIV on September 17, 2016
Griffiths
47
asset register. People cannot govern what they don't know exists nor where it is located.... There is no coordinated Government asset register for people or information assets,' (Anderson, 2011, pp. EV w38, EV w40).
The UK government's consultation paper Making Open Data Real (2011) further highlighted the need for data asset registration (sections 8.10-8.14)- a function that should have been fulfilled by departmental IARs but in practice remained distributed among IARs, FOI publication schemes, the Local Government Data List and various information strategy documents. IARs are potentially powerful tools for both public and private sector bodies that decide to make better use of IA to manage their information assets. Information assurance has become a key activity following the various highly publicized data losses from the public sector and some of its private sector contractors. Effective information assurance requires effective information audit as a necessary first step. Undertaking an information audit and compiling a register provides a catalogue of the assets to be covered and protected by an information assurance regime, allowing them to be categorized, ranked and audited.
There is little guidance to support organizations undertaking this broader form of information asset registration. Social enterprises have some outline guidance from Social Enterprise UK (2011), compiled with the help of the knowledge and information management sector consultancy TFPL. This guidance develops the IAR beyond a simple catalogue to include details of responsibilities, retention policies (or regulatory requirements) and information about back-up arrangements. The Records Management Society issued a toolkit for schools (Barber, 2008) that describes an IAR as 'the 21st century descendant of filing classifications and disposal guidelines', advising readers to identify 'which information is created at which point in the process, what it is used for, how long it is needed and whether or not it should be captured as part of the "vital" record' (i.e. whether it is a working document or a final policy or report). Both these documents include a sample matrix showing recommended elements of an IAR; they are simpler in their approach to asset description than the public sector model and stronger in their approach to asset management, but they are also both rather basic and offer no real guidance to help users set appropriate policies for managing the elements being described (recording the location of back-up copies is good, but is that location a good, safe place?).
Higson and Waltho (2010) offer a definition of what should appear in an IAR but they omit any discussion of information ownership (rather than custodianship) and focus more on the valuation of the assets identified by the audit. It is probably Stevens (2005) who offers the most extensive and readily available methodology for what he calls Information Asset Profiling. His work derives from a programme at Carnegie Mellon University sponsored by the US Department of Defense, so that the user may
have reasonable confidence in its value and utility. Stevens considers a range of issues concerned with information assets including ownership, value, location and security, as well as technical issues such as document and file format and IT system configuration. He indicates that the next stage of this project would be to consider information security assessment - and the rather limited take-up of his work seems to have been in the information security sector. So, for example, at the December 2009 Workshop on Information Security and Privacy (WISP, organized by the Association of Information Systems) two Swedish speakers cited the LIS domain authors Oppenheim, Stenson and Wilson (2001, 2003) alongside Stevens in support of their asset valuation and security classification model (Oscarson and Karlsson, 2009).
There is considerable value in the suggestion by Doherty (2004) that IA and by extension the IAR have particular importance as an element of business continuity planning. In his view the information map (which many would describe as an IAR) must extend to show ownership of servers and data, and inventorize computing machinery and backup procedures. It would also include essential information resources not owned by the organization, such as CD-ROMs and electronic journal subscriptions.
Accessibility of the Evidence Base
In the absence of a fully developed and standardized methodology, access to a substantial evidence base is essential if progress is to be made in defining the IA profession and its practice. Although there is a fairly long history of publication on IA, a number of barriers to access are slowing progress and delaying agreement on standards.
A significant part of the literature can be difficult to locate. For example Quinn (1979) published in a journal that survived for little more than a year, and like some other early literature of IA his contribution is not readily available in either printed or digital form. Some potentially useful material is unpublished; for example, Buchanan and Gibb (2007) cite three unpublished MSc dissertations from Strathclyde describing potentially valuable case studies:
• Kassenova, A. (2005) Information audit at the British Council. Unpublished MSc dissertation, University of Strathclyde;
• Martin, E. (2005) Information audit at MacFarlanes Law Firm. Unpublished MSc dissertation, University of Strathclyde;
• Roussakis, C. (2005) Information audit at the Office of Marketing and Communication. Unpublished MSc dissertation, University of Strathclyde.
Several relevant MSc theses from other institutions including Sheffield are similarly unpublished or available only on internal systems. As must be apparent, there is a significant
Downloaded Irom bir.sagepub.com at PENNSYLVANIA STATE UNIV on September 17, 2016
48
Business Information Review 29(1)
non-English corpus of literature that contains important contributions to the development of IA as a professional discipline. It includes material in some less widely-read languages (Lithuanian, Czech and Hungarian are included in the references to this article as well as Catalan, Spanish and Dutch). This is a problem not just because these languages are not widely read by an English-speaking audience (although Google Translate is an invaluable aid) but because this material is not abstracted or covered by the databases widely used by English speakers to research IA. A thorough literature search or alert must include equivalent terms in a range of languages, and not rely on the presence of an English-language abstract or the similarity of the foreign-language term to 'information audit', whether truncated, stemmed or otherwise manipulated.
Connecting Information Science and Accountancy in Reporting Non-Financial Information
Chartered accountants in the Netherlands have considered how to deal with non-financial information found during a financial audit such as information about social performance or the effect of public sector policies when implemented. Admiraal and Turksema (2009) describe work to develop reporting of such non-financial information resources and to apply rigorous auditing standards. They concur with a number of points in the work of other authors: the lack of standards, the diverse nature of the data and the consequent difficulty in reporting them, and the sheer novelty of auditing such data. They make a useful distinction between assurance and non-assurance of the audited information - that is, the auditor may be an advisor (merely advising on the best way to present the information, which might be for example the design of the IAR); or a reporter (presenting factual findings on the process of discovering and auditing information); or a provider of assurance. In the final case a full audit report is provided, commenting on the reliability and completeness of the information - and of the IAR - that is subject to the full framework of ethical and professional safeguards. That distinction is explained in more detail in a publication by the Netherlands national professional body for chartered accountants Royal NIVRA4 (2009).
In a further extension of IA, Royal NIVRA's programme of knowledge sharing ('Kennis Delen') issues generalized statements and observations on social issues that come to light during individual audits. Consultations are held in expert meetings and stakeholder meetings before anonymized and generalized findings are issued to draw public attention to the findings. An Identification Board (Signaleringsraad) correlates information taken from audits within specific sectors to 'identify any relationships with developments  in  society',  and  decides  whether to
communicate 'clearly defined signals' through a range of public activities (Royal NIVRA, 2010). This programme has strong echoes of the thesis of Christina Soy Aumatell (described in more detail in Griffiths (2010) p. 221) that information audit is a necessary precursor of knowledge management: in a sense NIVRA is closing the loop by proposing that the route to KM from IA lies through a panel structure within the (chartered) financial accountancy profession rather than through professional practice in the library and information profession. This appears to be a practical demonstration of collaboration between LIS professionals and accountants, and Royal NIVRA's initiative may prove to be an example of best practice for our approach.
Summary of Issues from this Stage of the Research
1. The lack of agreed standards and methodology in IA remains an unresolved problem. It is being exacerbated as the LIS approach to IA is adopted by a widening range of other disciplines, which appear to be attracted by the potential of the approach but then find that it is insufficient without adaptation or additional elements. However, there appears to be sufficient endorsement (and reported adoption) for either Henczel or Buchanan and Gibbs to provide the basis of a common audit baseline that could be built upon by adding existing sector- or country-specific research instruments. Although the variety of specific regulations makes total standardization impossible, a common method would allow auditors to compare the performance of two or more organizations in terms of basic data elements.
2. IA's cross-disciplinary nature has worked against the emergence of coherent leadership. In order not to dilute or even lose the benefits of IA the information profession must now take the lead to build strategic alliances that will establish the necessary standards and methodologies - a logical conclusion given the frequent adoption of the work of LIS practitioners by other professions interested in IA. A collegiate approach would see an information professional body acting as co-ordinator so that IA professionals could obtain a widely recognized certification of their skills from a single point of contact.
3. Standards and methodologies developed by other professions will prove inadequate if they do not embrace good information management. However the requirements of those professions also add complexity, making it difficult or impossible to develop a single standard IA methodology that can ensure that an organization's information assets are being managed in compliance with regulation in its particular location and sector. The
Downloaded Irom bir.sagepub.com at PENNSYLVANIA STATE UNIV on September 17, 2016
Griffiths
49
fear of penalties for non-compliance may be leading organizations to adopt an accountancy-driven approach to IA.
4. Studies have appeared demonstrating the potential to apply techniques of information audit to particular vertical markets, e.g. tourist information, banking, legal services, and professional bodies. Others have shown the application of IA techniques to website evaluation. But this means that evidence and case studies are clustered on relatively few sectors or corporate activities, and that scalability to create a generic and widely applicable survey instrument has not been conclusively demonstrated.
5. IA is an important and necessary precursor to effective information asset management, and thus a potentially important technique supporting the drive to open public data. But it appears difficult to define information assets and for corporate organizations to accept that these assets may form a considerable part of their total market value. Agreement is needed on what constitutes an information asset, what should appear in an information asset register and what attributes should be described. Without this agreement neither the purpose nor the practice of information audit will be widely understood in the organizations that could reap greatest benefit.
6. Access to evidence and case studies is problematic. The English-language audience overlooks significant items in the literature that have been published in other languages, while non-English-language authors may reference only items in their own vernacular. Theses remain unpublished that could help overcome the lack of available case studies. Studies appear in journals that are comparatively difficult to access, such as local LIS professional journals that are not widely indexed. Because of the growing wider interest in LIS-based techniques of IA means valuable contributions appear in publications from subject disciplines apparently unconnected to LIS or financial management (such as the study of tourism and economic development) that are not covered by abstracting services for LIS and KIM. Finally, in some sectors audit reports are likely to be edited on grounds of confidentiality (i.e. protectively marked), making it more difficult to derive scalable and generally-applicable conclusions from the case studies.
7. At present, focus is predominantly on the methodology. There is little in the LIS literature that suggests any consideration is being given to the quality of the data being collected (confidence indicators), to continuous monitoring or horizon scanning (e.g. to trap new legislative requirements) or to implementation of changes as a result of audit (i.e. the LIS profession considers itself to be a reporting agent foremost, possibly an analysis agent, but not an agent of change management).
Remaining Work
While considering the issues raised in the initial article, this review has identified others that need further examination. A hypothesis has emerged which needs to be proved that a valid universal methodology could be designed by building on an existing pattern, either Henczel or Buchanan and Gibb. This review has not addressed IA as a learning activity, while a draft maturity model is still at an early stage. Information asset registration may become an important technique in the UK public sector depending on the UK government response following its consultation on open data: an official decision to endorse and robustly implement departmental and agency IARs could be the step that finally resolves several problems described here. Members of the information profession have contributed a great deal to the development of IA but the profession as a whole will lose a major opportunity if it does not now lead and co-ordinate future work.
Acknowledgement
I am grateful to Graham Robertson of Bracken Associates for Figure 1, which illustrates and expands the analysis in my original article in Business Information Review. He intends to publish a complementary article later in 2012 examining some technical auditing issues that were highlighted by bis analysis when constructing the diagram. A jointly-authored article is planned that will discuss IA as a learning experience, outline a maturity model and draw final conclusions from the project.
Notes
1. In this article the term 'information assurance' is spelt out to avoid confusion with 'IA' for information audit.
2. For example, a search of the Scottish Information Commissioner's website www.itspublicknowledge.info quickly shows the importance of information audits as evidence in freedom of information cases.
3. For example, share price data rapidly loses value with age (which may perhaps be measured in minutes in live share trading) but may later regain value as part of a time series showing longer term market fluctuations.
4. The English-language titled used by NIVRA, otherwise Koninklijk Nederlands Instituut van Registeraccountants, www.nivra.nl.
References
All web links were verified on 30 November 2011.
Admiraal M, Turksema R (2009) Reporting on non-financial
information. International Journal of Government Auditing,
July: 15-20.
Aleliunas I, Atkociuniene Z (2010) Informacijos auditas kitu audita rusiu kontekste [Information audit in the context of other types of audit]. Informacijos mokslai [Information sciences] (Vilnius) 54: 7-16. Available at: http://www.ceeol.com/aspx/issuedetails. aspx?issueid=c5b69c40-dcb6-4f24-9674-5380fb2730fe&article Id=a83bc7dd-74af-4e51-8332-cf46d78bac21.
Downloaded Irom bir.sagepub.com at PENNSYLVANIA STATE UNIV on September 17, 2016
50
Business Information Review 29(1)
Anderson L (2011) Written evidence submitted by Dr Leonard Anderson (IT16). In: Government and IT - 'Recipe for Rip-offs': Time for a New Approach. London, Parliament. House of Commons Paper HC 715-III, session 2010-2012, available at: http:// www.publications .parliament.uk/pa/ cm201011/ cmselect/ cmpubadm/writev/goodgovit/goodgovit.pdf.
Asensio NM (2006) Estudi sobre ľús i necessitats informatives a la Biblioteca d'un coll • legi professional: Memoria metodolôgica. Barcelona, Universität Oberta de Catalunya. Dissertation available at: http://openaccess.uoc.edu/webapps/o2/bitstream/10609/ 1253/l/37995tfc.pdf.
Barber E (2008) Information Audits. London, Records Management Society (Records Management Toolkit for Schools, version 3.1). Web resource available at: www.irms.org.uk/downlaod/735 NB - a new version 4.0 was open for consultation until August 2011 (www.kms.org.uk/download/1200). See also Records Management Society Of Great Britain. Local Government Group (2004). Information Audits - Guidelines. London, IRMS. Available at: www.irms.org.uk/download/48.
Barker RL (1990) Information Audits: Designing a Methodology with Reference to the R&D Division of a Pharmaceutical Company. Sheffield: University of Sheffield, Department of Information Studies Occasional Publications Series, 8.
Buchanan S, Gibb F (2007) The information audit: Theory versus practice. International Journal of Information Management 28: 150-160.
Carrillo-Durán M-V, Nuflo-Moral M-V (2010) La documentación y gestión de la imagen corporativa [Documentation as part of the evaluation and management of corporate image]. El Professional de la Information 19(2): 122-132.
Doherty A (2004) Law firm information audits in a time of transition. Practice Innovations 5(2): 4-7. Available at http://west. thomson.com/pdf/iii/Practlnnov July04 .pdf.
Dombrovská M, Očko P, Zeman P (2005) Informační audit - cesta k rozvoji znalostní organizace [Information audit: The way to develop the information organization]. Ikaros 9(9). (Electronic journal). Prague: Ikaros. Available at: http://www.ikaros.cz/ Clanek.asp?ID=200508005.
Dombrovská M, Skolvoká L (2006) Audit internetové prezentace Filozofické fakulty Univerzity Karlovy v Praze - základní zjištění a doporučení [Audit of the web presentation of the Philosophical Faculty at Charles University, Prague - basic findings and recommendations]. Ikaros 10(3): 2006. Prague: Ikaros. (Electronic journal). Available at: http://www.ikaros.cz/audit-internetove-prezentace-filozoficke-fakulty-univerzity-karlovy-v-praze-%E2%80%93-zakladni-zjisteni-a-do.
El-Tawy N, Abdel-Kader M (2011) Accounting for the recognition of information as an asset. In: European, Mediterranean and Middle East Conference on Information Systems [conference, proceedings], Athens, 30-31 May 2011, 842-859. Available at: http://www.iseing.org/emcis/EMCISWebsite/EMCIS2011% 20Proceedings/AIS2.pdf.
Ellis D, Barker R, Potter S, Pridgeon C (1993) Information audits, communication audits and information mapping: A review and
survey. International Journal of Information Management 13(2): 134-151.
EURIM (2009) Unlocking the Value of Information. London, EURIM Information Governance Value of Information Subgroup. Available at: http://www.eurim.org.uk/activities/ig/ 0909-Unlocking_the_Value_of_Information.pdf.
Fanning M (2007) The role of the information audit and the information auditor in commercial organizations. In: Kooperation versus Eigenprofil? 31. Arbeits- und Fortbildungstatung der ASpB e.V. Sektion 5 im Deutschen Bibliotheksverband (edited by U Flitner and others). Karlsruhe: Universitätsver-lag, 125-136.
Fanning M (2008) What happened to the IFG Rundbrief? In: oci Information Access Rights (blog). Available at: http:// ociaccessrights.wordpress.com/.
Ferreira RdM (2006) Auditoria de informacäo: um instrumento a ser-vico da unidade documentäria, 2006. In: VII Encontro de Biblio-tecärios e Documentalistas da Justica do Trabalho Fortaleza CE (Brazil), 24 May 2006. Available at: http://eprints.rclis.org/ handle/10760/7541.
Fryc L (2010) Are tourism websites useful for travelers? Applying an information audit rubric to Mediterranean tourism destination websites. Advances in Culture, Tourism and Hospitality Research 4: 47-58.
Ganesan N (2003) Information Audit in Industrial Utility Supplier Pte ltd Singapore. MSc thesis information studies, Nanyang Technological University, School of Communication and Information.
Gonzalez Guitiän MV (2009a) Auditorias de informacion; anäli-sis de dominio en la base de datos LISA. Acimed 19(4): 13p. Available at: http://scielo.sld.cu/pdf/aci/vl9n4/aci04409.pdf.
Gonzalez Guitiän MV (2009b) Procedimento para realizar auditorias de informacion en instalaciones hoteleras. Tur y Des 2(6). Malaga, Eumed.net, Universidad de Malaga. Available at: http://www.eumed.net/rev/turydes/06/mvgg.htm.
Griffiths P (2010) Where next for information audit? Business Information Review 27(4): 216-224.
Griffiths P, George K Robbins R Saklatvala M (2006) Blogs, wikis and feeds: Creating a vital electronic information resource for a government department. In: Online Information 2006: Proceedings. London: Learned Information, 67-71
Henczel S (2000) The information audit as a first step towards effective knowledge management: An opportunity for the special librarian. INSPEI 34(3/4): 210-216.
Higson C, Waltho D (2010) Valuing Information as an Asset. Medmenham, Bucks: SAS. Available at: http://www.eurim. org.uk/activities/ig/InformationAsset.pdf.
Hörne N (1998) Putting information assets on the board agenda. long Range Planning 31(1): 10-17.
Jones R, Burwell B (2004) Information audits: Building a critical process. Searcher 12(1): 50-55.
Koenig MED (1997) Intellectual capital and how to leverage it. The Bottom line: Managing library Finances 10(3): 112-118.
Downloaded Irom bir.sagepub.com at PENNSYLVANIA STATE UNIV on September 17, 2016
Griffiths
51
Koenig MED (1998) From intellectual capital to knowledge management: What are they talking about? INSPEL 32(4): 222-233.
Maineiii M (2005) Competitive compliance: Manage and automate, or die. Journal of Risk Finance 6(3): 280-284. Available at: emeraldinsight.com, or in a re-edited version at http://www. zyen. com/ products/prophezy/12 6 .html.
Morgat P (1995) Audit et gestion strate'gique de I'information. Paris, Editions de l'Organization.
Oppenheim C, Stenson J, Wilson RMS (2001) The attributes of information as an asset. New Library World 458-463.
Oppenheim C, Stenson J, Wilson RMS (2003) Studies on Information as an Asset I: Definitions. Journal of Information Science 29(3): 159-166.
Ortiz de Urbina Criado M (2002) Medición y auditoria del capital intellectual [Intellectual capital: Information audit and measurement models]. El Profesionál de la Informacion 12(4): 282-289.
Oscarsson P, Karlsson F (2009) A national model for information classification. In: Association of Information Systems SIGSEC WISP 2009 [proceedings], Phoenix, Arizona, December 2009, pp. 1-1 to 1-14. Available at: htrp://www.security-conference. org/sigsec/WISP2009papers/l .pdf.
Quinn AV (1979) The Information Audit: A new tool for the Information Manager. Information Manager 1(4): 18-19.
Raliphada L, Botha D (2006) Testing the viability of Henczel's information audit methodology in practice: Research article. South African Journal of Libraries and Information Science 72(3): 242-250.
Rigney S (2002) The information audit process. Australian Law Librarian 10(4): 316-327.
Royal NTVRA (2009) Niet-financiéle Informatie in Beweging. Amsterdam: Royal NTVRA Available at: http://www.mvra. nl/readfile.aspx?ContentID=54528&ObjectID=526837&Type =1 &File=0000022014_NFI_WEB .pdf.
Royal NIVRA (2010) Sharing Knowledge. Amsterdam: Royal NIVRA. Available at: http://www.nivra.nl/readfile.aspx? ContentID=61036&ObjectID=613297&Type=l&File=000 0030587_Englishfactsheet_July2010.pdf.
Rus I, Danescu T (2010) The information audit - between necessity and regulation. In: 2nd World Multiconference on Applied Economics, Business and Development, Sousse, Tunisia, May 2010. World Scientific and Engineering Academy and Society. Available at: http://www.wseas.us/e-library/conferences/ 2010/Tunisia/AEBD/AEBD-15 .pdf.
Sándori Z (2001) A tudástoke mérése [The measurement of knowledge capital]. In: Mi a tuddsmenedzsment? Konyvtdrtan, informdciotudomdny [What is knowledge management? Libraries and information science]. E-book available at: http://mek.oszk.hu/03100/03145/.
Šidlichovská Z (2011) Evaluační přístupy k informačnímu manage -mentu ve státní správě [An evaluation of access to management information in public administration]. In: Prolnflow 3(1): 50-66. Brno, Kabinet informačních studií a knihovnictví
Filozofické fakulty Masarykovy univerzity v Brně. Available at:
http://pro.inflow.cz/sites/default/fUes/p(rfclanky/06.recenzovane
Sidlichovska.pdf.
SOAS (2008) Information Audit. London: SOAS. Available at http://www.soas.ac.uk/infocomp/recordsmanagement/audit/.
Social Enterprise UK (2011) Information Asset Register. London, Social Enterprise UK. Available at: http://www.socialenterprise .org.uk/(kta/fUes/BusinessSupport/mformation_As set_Register.pdf.
Soy C, Bustelo C (1999) A practical approach to information audit: Case study La Caixa Bank, Barcelona Part 2. Managing Information 6(10): 60-61.
SPRIG (2008) Informační audit: Funguje Vaše společnost optimálně? [Information audit: Is your company [working] optimally?] Prague: SPRIG. Available at: http://www.sprig.cz/ main.php?page=./infoaudit/audit_nabidka.
Stevens JF (2005) Information Asset Profiling. Pittsburgh PA: Software Engineering Institute, Carnegie Mellon University.
Vo-Tran H (2010) Auditing the architectural design process: An information management approach. In: Proceedings of the International Conference on Information Management and Evaluation, 1st, Cape Town, 25-26 March, 422^130.
Vo-Tran H (2011a). Adding action to the information audit. In: Proceedings of the International Conference on Information Management and Evaluation, 2nd, Toronto, 27-28 April, 546-555.
Vo-Tran H (2011b) Adding action to the information audit. The Electronic Journal of Information Systems Evaluation 14(2): 271-281. Available at www.ejise.com/issue/download.html? idArticle=777.
Wardle M, Lai M (2004) Springboard or straitjacket? Frontiers in Finance 26: 1-4. Available at: http://www.kpmg.com/CN/en/ IssuesAndlnsights/ArticlesPublications/Newsletters/Frontiers-in-Finance/Documents/Frontiers-in-Finance-0404-26.pdf.
Wilson RMS, Stenson J (2008) Valuation of information assets on the balance sheet: The recognition and approaches to the valuation of intangible assets. Business Information Review 25(3): 167-182.
Wilson RMS, Stenson J, Oppenheim C (2000) The Valuing of Information Assets in British Companies. Loughborough, Business School, Loughborough University (Research series, papers; 2000: 3: Library and Information Commission, Research Reports; 80). Available at: https://dspace.lboro.ac. uk/dspace-jspui/bitstream/2134/2014/3/2000-3.pdf.
Wright J (2005) Risk and reward: The information management challenges of Basel II. In: Managing Information and Documents, March 20-24.
Xiangling Fu, Zhang Xiaoyan (2009) A synthetical information audit of a Chinese operator practical study. In: COINFO 2009 - Fourth International Conference on Cooperation and Promotion of Information Resources in Science and Technology. Beijing, 2009, 9-15.
Yates-Mercer P, Bawden D (2002) Managing the paradox: The valuation of knowledge and knowledge management. Journal of Information Science 28(1): 19-29.
Downloaded Irom bir.sagepub.com at PENNSYLVANIA STATE UNIV on September 17, 2016