Remote Audits have become a mainstay in the quality world owing to the current pandemic. While there are several significant benefits to remote audits such as eliminating costs of physically sending auditors to a site – and as technology develops, deliver increasingly accurate reflections of the audit site’s condition, being highly flexible and can be scheduled quickly in response to problems, there are also real challenges and risks to consider and address if a remote audit is going to yield a useful and accurate representation of the audited organization.
Are remote audits for you?
It is important ascertain if the audit objective(s) can be achieved by using remote methods. For high risk industries or processes, an onsite audit maybe still be required for all or portion of the audit.
A risk-assessment should be conducted for each audit. Risk associated with achieving the audit objective must be identified, assessed and controlled to an acceptable level. The assessment looks at:
– Confidentiality and security of information that will be shared. Define and agree on the rules between all parties. If an agreement cannot be reached with respect to information security, then an onsite audit maybe required for portion or all an audit.
– Stability/capability of the ICT. A stable and good quality connection is required, and the ICT must have audio and video capabilities.
– Availability of required individuals to review the performance of the management system with the audit teams.
– All operations within the audit scope are being conducted. Contingent situations may prevent the auditor from viewing the operations being audited. Define what needs to be observed and evaluated in order to achieve the audit objective.
– Availability of samples. Take into consideration the complexity of the processes because it may require the audit of the entire organizations management system, which may require a wider sample. Ensure that enough samples are available for review in order to make a valid, informed judgement about the management system and that the samples are truly representative of the processes and its capabilities and its performance.
Remote Audit Planning:
Audit plan detailing the objective, scope and criteria of the remote audit is created by the audit team leader. Plan will define details such as agenda, processes and activities, the personnel to be audited and decisions and arrangements on how information will be shared to maintain confidentiality and data security. Alternative arrangements should be made when remote sharing isn’t possible. For a multi-site audit, the audit team leader must replicate the plan across all the different sites and verify that the necessary resources are available and tested at each location.
Information security requirements need to be communicated to the audit team members in order to have consistent understanding and application by all parties involved ensure that the auditee and the audit team have the necessary equipment and capabilities to complete their audit assignments.
Validity of the information provided is one of the biggest risks faced in a remote audit. Is the information/sample truly representative of the process or activity that we are auditing? Allow yourself additional time to prepare for remote audits; ensure that sufficient time is spent gathering research on the process or the area to be audited. Sample request may be made in advance for specific situations to ensure validity of the information being shown to the auditor.
Remote Audit Planning – ICT Considerations
The audit team leader and the auditee must pre-determine what ICT tool(s) will be utilized during the audit. If there are any restrictions on certain platforms, this must be identified. Auditors need to be competent on multiple platforms and verification of competency of the team prior to assigning and conducting any audit is a key requirement. Check if the ICT performs optimally in some of the remote areas. Identify dead spots and make alternative arrangements for viewing these areas or processes to overcome limitations.
Ensure that the links or passwords to access documents, systems or document vault, function properly. Have the auditee designate an on-site IT person, if you are using their platform.
Conducting Remote Audit:
A remote audit starts with an agreed audit plan and communication between the audit team members and/or with the auditee should be made immediately in the event a change is required or a significant issue is identified. Ensure confidentiality and security of information will not be affected or compromised by any changes that are made in the audit schedule. Both the auditor and auditee should confirm what was heard, stated, observed, read throughout the audit. Summarize the findings at the end of each interview to avoid any misunderstanding or confusion. Identified nonconformities should always be reviewed and confirmed before the end of each interview.
When using video capabilities for an online image of a remote site is important to ensure the images are valid. These images can be compared against a floor plan to help orient the auditor to work center locations. the remote audit should follow the same process as an on–site audit with the opening and closing meetings, review the audit plan and schedule, and stick to the audit plan interviews should be performed at the convenience of the auditee.
The auditee should always be kept informed of the progress of the audit –check in to communicate status at regular intervals. Conduct end of day wrap meeting if a multi-day audit similar to on-site audit. If for any reason, the full audit scope cannot be achieved remotely, make necessary notations of the exceptions and the reasons why it could not be completed. Other arrangements will need to be made to cover these items. It is important to review how the organization is managing risk and mitigating controls and the change in the organizational context associated with the pandemic – Contingency plans, Business Continuity Plans, Supply Chain Evaluations, Business Restart Plans.
Remote Audit Reporting:
When reporting findings auditors must ensure they have obtained sufficient objective evidence to determine the effectiveness of corrective actions taken in response to any non–conformities. Records to demonstrate that the individuals performing the tasks are competent and are aware of the inherent risks and hazards associated with their job responsibilities. We also need information that has been collected and analyzed and evaluated to determine the effectiveness of the actions taken to control the identified risks to an acceptable level of the organization.
Reporting of nonconformity should follow the same process as an on–site audit. The audit report should be a summary of all findings from the audit and it should be provided at an the agreed upon time. The report should detail the ICT tools utilized, samples chosen, documents reviewed and the overall conclusions of the audit. Once the audit report has been completed and forwarded to the auditee any documented information provided, recordings, screenshots etc. should be deleted as per the agreement made during the audit planning activity.
In our recent webinar Planning and Conducting Remote Audits, Carmine Liuzzi, Industry Expert and Principal Consultant with SAI Global, discussed key considerations including auditor competency, maintaining confidentiality of information, prepping your organization for a remote audit and key difference between on-site and remote audits. This document summarizes the Q&A captured.