Remote Auditing Best Practices
Veronica Rose, CISA, CDPSE
IS Auditor | Certified CISO | Board Director at ISACA Foundation | Published Author | Director, ISACA Board of Directors 2021 - 2023 | Speaker | Member of NACD
Remote auditing is one of the audit methods described in ISO 19011:2018 Annex A1. The value of this audit method resides in its potential to provide flexibility to achieve the audit objectives.
In order to realize the benefits of this audit method, all interested parties should be aware of their role in the process, inputs, expected outputs, and risks and opportunities that will provide the basis to achieve the audit and audit program objectives.
The current crisis has contributed to safety constraints, travel restrictions, physical distancing, etc., but there are a variety of reasons that an auditor may not be on-site, making remote auditing an option.
Emerging technologies have made remote auditing more feasible because they allow auditors to communicate with people globally: travel time and cost have decreased, and access to information and data has increased. Despite the technical glitches and other shortcomings, remote auditing is here to stay, and the earlier we embrace it, the better. But remember, remote auditing is not one-size-fits-all.
The use of audit software is helping to increase the size or quality of sampling in the audit process, when prepared, validated, and used properly.
Remote auditing also requires the use of video cameras, smartphones, tablets, drones, or satellite images to verify physical settings such as pipe identification in the petroleum industry, machinery settings, storage areas, production processes or forest or agricultural sites, etc. The extensive use of ICT allows for the inclusion of expertise in an audit that otherwise might not be possible due to financial or logistical constraints.
Despite the flexibility, we must consider the limitations and risks posed by ICT in the fulfillment of audit objectives. These include information security, data protection, and confidentiality issues, reliability, and quality of the objective evidence collected, amongst others.
The following are questions that may arise.
- When watching images, are we looking at real-time images or are we looking at video records?
- Can we capture everything about the remote site or are we being guided by selected images?
- When planning for a remote interview, will there be a stable internet connection, and does the person to be interviewed know how to use it?
- Is there enough storage for the data/evidence collected?
- How independent is the person sharing the evidence?
- Can the processes and sites to be audited be realistically audited offsite?
- Can you have a good overview of the facilities, equipment, operations, and controls?
- Can you access all the relevant information?
Since auditors are “Doubting Thomases”, many of the above questions can only be answered after a physical visit to the site, to avoid detection risk.
Below are some of the best practices that can be adopted to ensure the effectiveness of the remote auditing process:
- Consider a remote audit when establishing the audit program.
- To use ICT in the audit process, the audit program manager and the audit team need to identify the risks and opportunities and define decision criteria to accept or not accept its use, where and in which conditions.
- Start the remote audit by reviewing the “dirty laundry” list of complaints, non-conformances, corrective and preventive actions, and deviations. This review is a good way to determine what processes and production records should be reviewed during the audit.
- The final audit report should indicate those processes that could not be audited and should have been audited while auditors are on-site.
- For supplier audits, ensure that nondisclosure agreements (NDAs) / confidentiality agreements are executed prior to the audit. In addition, ensure internal and external (supplier) auditing procedures allow for the use of remote or virtual auditing techniques.
- Remote audits are best done in segments. This allows time for the auditor to review records and generate questions and the auditee to gather records, organize interviews, and formulate responses.
- The auditor and auditee / audit client should practice using the virtual technology platform prior to the audit and ensure the document and record sharing method is also functioning properly.
- Remote audits need to be conducted more continuously than a traditional ISO audit.
Last thoughts
Remote auditing is not a one-size-fits-all solution. It is not a replacement for an in-person audit. However, as part of your assurance program, remote auditing can play a part, and provide assurance when special circumstances prevent business as usual.
NB: Remote auditing is here to stay, and auditors should be prepared for bumps in the road and ready for technology glitches. For example, some company firewalls have size limits for video and photo files and might require facility personnel to seek out IT help when uploading them. All these hurdles will be overcome with time and experience.
"Together, We Work Smart"
Head, Internal Audit | 15+ Years of Experience, Certified CISA, CFE, and ACCA (In View), Cybersecurity Enthusiast
2 years ago: Good read!
Financial Strategy & Operations| Technology | Data Analysis|Project Management|Commerce|
4 years ago: This is amazingly insightful. Remote auditing is actually the way to go; other factors to consider may include the nature of the client's work, information confidentiality and collaboration as well. With some clients it has been easy doing remote audits but with others a little bit of preparation had to be done.
Head of Internal Audit at Caritas Microfinance Bank
4 years ago: Paradigm shift for 'Doubting Thomas's'... a very good article.
Head - IT Governance | Office of ICT Deputy Commissioner at KRA(KENYA REVENUE AUTHORITY)
4 years ago: Very good insight. The big question is how to convert the "Doubting Thomas" into trusting Technology? A cultural shift needs to be done as well as enforcement of controls to ensure Confidentiality, Integrity and Availability of data at all times. If a Doctor in Germany can conduct a successful sensitive brain operation remotely to a patient in Africa using Telemedicine, why would we eventually need auditors to physically go to the client's site despite the availability of remote auditing tools? Food for thought. Excellent article Veronica.
Country Lead | Regional BDM| Thought Leader in Automation| GRC- Data Driven Decision making promoter |Analytics and Robotics Promoter |Director |Nurturer of Nature |ESG |GRCP
4 years ago: With correct technology this is the way for now and future #automation.