What documentation do regulators expect to see during an information governance audit?
When regulators or auditors examine an information governance (IG) program, they are testing one core idea: can the organization demonstrate that it manages its records according to a documented, consistently applied set of rules? Auditors rarely want to see every record. Instead, they want evidence that the program exists, is authorized, and actually works in practice.
Governing Documents
Auditors typically begin with the policies and authorities that define the program:
- A written information governance or records management policy, with clear ownership and management endorsement.
- A current records retention schedule mapping record types to retention periods and disposition rules.
- Roles and responsibilities, including who is accountable for records decisions.
- Supporting procedures for classification, storage, access, and disposal.
These documents establish that recordkeeping is intentional rather than ad hoc.
Evidence the Program Operates
Policy on paper is not enough. Regulators look for proof that the rules are followed:
- Disposition and destruction logs showing records were retained for the required period and then destroyed (or transferred) on schedule.
- Legal hold records demonstrating that destruction stops when litigation or investigation is reasonably anticipated.
- Audit trails and metadata showing who created, accessed, modified, or deleted records.
- Evidence of access controls and security measures protecting sensitive or regulated information.
Compliance and Oversight Artifacts
Depending on the sector, auditors may also expect:
- Training records confirming staff understand their obligations.
- Documentation tied to specific legal regimes, such as privacy, FOIA, financial, employment, or tax recordkeeping requirements.
- Prior audit reports and evidence that earlier findings were remediated.
- For digitized records, documentation of scanning quality, integrity, and chain of custody.
The Underlying Theme
Across these categories, regulators are assessing defensibility: the ability to show that decisions were reasonable, authorized, consistently applied, and documented. A program that can produce its policies, its schedule, and the records of how that schedule was executed is far better positioned than one relying on informal practice.
For a broader overview of building such a program, see the information governance topic hub. Recognized frameworks and national archival guidance offer useful starting points for aligning documentation with what auditors expect.
Sources & further reading
Authoritative government and non-profit references.
- Records management policy and guidance — National Archives (NARA)
- ISO 15489-1 Records management — ISO
How to cite this page
APA
RM University Editorial. (2026). What documentation do regulators expect to see during an information governance audit?. Records Management University. https://www.recordsmgmt.org/questions/what-documentation-do-regulators-expect-during-an-information-governance-audit/
MLA
RM University Editorial. "What documentation do regulators expect to see during an information governance audit?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/what-documentation-do-regulators-expect-during-an-information-governance-audit/.
Related questions
- Big-bucket vs item-level retention schedules: how do I choose between them?
- Can a company be penalized for keeping data too long under privacy laws even if nothing was breached?
- Can a US company store records in the EU, or do data localization and cross-border transfer rules block it?
- Can executives or board members be held personally liable for information governance failures?
- Can information governance help reduce cloud storage costs, and how?