What happens if an auditor finds our DoD 5015.2 certified system was reconfigured in a way that broke compliance?
A DoD 5015.2 certification applies to a specific product configuration that was tested against the standard. Certification is not a permanent property of your installation. If an organization later changes settings, disables controls, or customizes behavior in ways that break the tested baseline, the system can fall out of compliance even though the underlying product remains “certified.” When an auditor discovers this, the finding is generally about your environment and how you manage it, not about the vendor’s certificate.
What the finding typically means
An auditor’s report usually documents the gap between what the standard requires and what your live system actually does. Common issues include:
- Disabled or weakened controls over disposition, holds, or final disposition (deletion).
- Altered metadata or audit-trail capture, so record events are no longer reliably logged.
- Permissions or workflow changes that let records be modified or destroyed outside approved processes.
The auditor characterizes the risk, not just the technical setting. The core concern is whether records remain authentic, reliable, complete, and usable, and whether retention and disposition still happen as scheduled.
Likely consequences
Consequences depend on your sector and obligations, so treat these as general patterns rather than guarantees:
- A formal finding or corrective-action item with a remediation deadline.
- Loss of reliance on the certification for the affected functions until you restore the baseline.
- Heightened legal and discovery exposure if audit trails or disposition records are unreliable.
- Possible reportable deficiencies where laws, contracts, or oversight programs require certified recordkeeping.
How to respond
- Document the current configuration and identify exactly which changes broke the baseline.
- Restore the certified settings or implement compensating controls, and record the rationale.
- Verify that audit trails, retention, and disposition behave correctly after remediation.
- Strengthen change management so future reconfigurations are reviewed against the standard before deployment.
The durable lesson is that compliance is a continuous practice, not a one-time certificate. Treat configuration baselines as controlled records, govern changes formally, and periodically test the live system against the standard. For more background, see the compliance standards hub.
Sources & further reading
Authoritative government and non-profit references.
- Records management policy and guidance — National Archives (NARA)
- ISO 15489-1 Records management — ISO
How to cite this page
APA
RM University Editorial. (2026). What happens if an auditor finds our DoD 5015.2 certified system was reconfigured in a way that broke compliance?. Records Management University. https://www.recordsmgmt.org/questions/what-happens-if-an-auditor-finds-our-dod-5015-2-system-was-reconfigured-out-of-compliance/
MLA
RM University Editorial. "What happens if an auditor finds our DoD 5015.2 certified system was reconfigured in a way that broke compliance?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/what-happens-if-an-auditor-finds-our-dod-5015-2-system-was-reconfigured-out-of-compliance/.
Related questions
- Can a commercial off-the-shelf system meet the NARA Universal ERM Requirements without being DoD 5015.2 certified?
- Can a company be fined or sanctioned for not following ISO 15489 in a lawsuit?
- Can a US company store its records on servers in another country, and what cross-border data rules apply?
- Can following ISO 15489 actually help us pass an audit or hold up in court?
- Can I just adopt ISO 15489 word-for-word as our records policy, or does it not work that way?