The Audit Trail Is the Last Thing Standing
There’s a moment in almost every organisational crisis — an inquiry, a dispute, a regulatory challenge — when everything else falls away. The strategy documents, the brand values, the relationship capital. What remains, what is either your salvation or your exposure, is the record of what actually happened.
Most organisations treat that moment as the reason they need records management. I’d argue it’s the wrong place to start.
We Built the Law From a Tragedy
The Public Records (Scotland) Act 2011 didn’t emerge from a policy review or a committee recommendation. It emerged from a reckoning.
The Act has its origins in the Historical Abuse Systemic Review of Residential Schools and Children’s Homes in Scotland 1950–1995, the Shaw Report, published in 2007. The Shaw Report demonstrated that management of records is not just a bureaucratic process, but central to good governance and should not be ignored. 
What the Shaw Report found was devastating. Thousands of records had been created, but then lost due to an inadequate legislative framework and poor records management. Former residents of children’s homes were denied access to information about their own formative years. 
Think about that. The records existed. People created them. And then, through neglect, through indifference, through the absence of any culture that valued them, they were gone. The people who needed them most were left with nothing.
That is what poor records management actually looks like at its worst. Not a filing cabinet problem. A human one.
The Public Records (Scotland) Act 2011 came into force on 1 January 2013. It was the first new public records legislation in Scotland in over 70 years, and it affects more than 270 named public authorities. Every authority subject to the Act must prepare a Records Management Plan setting out proper arrangements for the management of its public records, submit it to the Keeper of the Records of Scotland for agreement, and ensure that its public records are managed in accordance with that agreed plan.
That is the legislative floor. The minimum. And compliance, on its own, is not enough.
The Three-Legged Stool
I’ve come to think about records management as a three-legged stool. Each leg is load-bearing. Remove any one of them and the whole thing tips, usually at the worst possible moment, in front of the worst possible audience.
The first leg is protection. Records are your defence when something goes wrong. A contract dispute, a regulatory investigation, an employment tribunal: the audit trail is your witness, and unlike most witnesses, it doesn’t get nervous under cross-examination. The Keeper expects an authority’s Records Management Plan to provide evidence that it maintains a complete and accurate representation of all changes that occur in relation to a particular record. Audit trail information must be kept. The document you create today, properly filed and retrievable, may be the thing that protects someone years from now. Or it may not exist, because someone decided it wasn’t really worth the effort at the time.
The second leg is compliance. Before you glaze over: this is not the leg about ticking boxes. It’s the leg about an organisation that actually works. Effective records management supports operational efficiency by reducing the time taken to identify and locate information, minimising duplication and confusion over version control, and offering significant savings in physical and digital space. The PRSA framework, with its 15 elements covering everything from retention schedules to business continuity, is not an obstacle to getting things done. It is a description of what a well-run organisation looks like from the inside. Most organisations that struggle with compliance don’t have a records problem. They have a process problem that records make visible.
The third leg is value creation. This is the one that gets left off most records management conversations, presumably because it sounds too optimistic for a profession that spends a lot of time explaining why things have gone wrong. Traditionally, organisations have viewed records management in terms of compliance. But it needs to be positioned as a business enabler with benefits that extend beyond compliance. The records an organisation creates are a cumulative asset, the institutional memory of every decision made and every lesson learned. When they are well-managed and trusted, they become the foundation for better decisions, stronger bids and more credible governance. Organisations that treat information governance and records management as matters of box-checking compliance are leaving potential value on the table. Considerable value, in most cases.
The Culture Problem
Here is what no legislation can mandate: the moment someone decides a document matters.
The records that survive are the ones someone chose to create properly, name correctly, and store in the right place. That is a behavioural choice. It happens, or doesn’t happen, in the ordinary moments of an ordinary working day, far from any audit or inspection.
Information and records management covers how information is gathered, processed, stored, accessed, used, shared, and ultimately either permanently preserved or destroyed. Every one of those verbs is a human action. Every one of them is an opportunity for care or carelessness.
The organisations that get this right don’t just have good systems. They have a culture in which records are understood as assets rather than filing obligations. The document you create at the end of a project meeting, the decision log from a governance board, the email that captures an agreed position: these are not administrative debris. They are the evidence that your organisation existed, thought carefully, and acted with intention.
That culture doesn’t emerge from a policy document. It emerges from leadership that models it, from professionals who champion it, and from a shared understanding that the things we record are the things we can stand behind.
What Good Can Look Like
The Keeper’s model Records Management Plan sets out 15 elements that together describe a functioning records management ecosystem, from policy and governance through to disposal, audit trails and business continuity. The guiding principles are to ensure that information is available when and where it is needed, in an organised and efficient manner, and in a well-maintained environment. 
Behind those 15 elements is a single question worth asking of every organisation: if something went badly wrong today, and someone needed to reconstruct what happened and why, could your records tell that story?
If the answer is yes, completely and reliably, then you have good records management. If the answer involves a hesitation or a “well, it depends on who was keeping notes,” then you have a risk. And you have an opportunity.
The audit trail is the last thing standing. Build it like it matters. Because one day, for someone, it will.
