Remote Auditing – Old New Kid on the Block
The “overnight discovery” of a cleaner, greener, high-tech approach to auditing Management Systems is not without its difficulties – but it is likely here to stay
The coronavirus pandemic and accompanying restrictions have forced many to rethink established ways of doing things. Some of the “temporary” changes may never be reversed, and indeed may leave us wondering why we never thought of doing things this way before.
If you run any kind of formalised Management System where regular audit is a requirement (in particular by third party certification bodies – such as for the ISO Management Systems) you may be facing – or already have faced – a new style of “remote audit” as an alternative to the traditional site visit you may have been used to.
Rapidly adopted and sanctioned by certification and accreditation bodies worldwide, this “new” approach is being hailed as the inexorable shape of things to come.
So what exactly is a “remote audit,” and what is good, bad or different about it?
A “remote audit” is simply one where the person (or process) being audited is in a different place from the auditor.
Every audit involves gathering evidence to evaluate against some standard or criteria. Even if we weren’t using them before, the pandemic has highlighted to many businesses and individuals the wide array of technologies now available for doing this, from photographic or video evidence, through to video conferencing, web-based meetings and screensharing, collaborative working on Cloud documents or even the use of remote camera surveillance or drones.
Furnished with that evidence, the auditor could be literally anywhere on earth whilst assessing it against the specified requirements.
What’s so different?
For many this appears a radical departure from the “person with the clipboard” turning up once or twice a year to fire questions at the delegated audit interviewee.
And yet – we are used to the remote gathering and interpretation of information in many other walks of life, from GPS tracking devices and speed cameras to utility meters, process gauges and automatic alarm systems. In the age of the Internet of Things this is now simply a part of the way we live.
In fact, the “sudden” emergence of audit information-gathering at a distance turns out to be like the discovery of the “overnight” entertainment star whose career has been gradually building for years. The ISO 19011 Guidelines for auditing management systems included remote auditing methods back in 2011, including the use of technologies both with and without interaction with a human auditee. The apps may have changed and become suddenly more universal, but the concepts were certainly well established a decade ago.
The current experience of remote auditing is proving showing that many elements of the standard audit can actually be carried out just as effectively by a planned schedule of online “meetings” as through the more familiar face-to-face visit. Consider the usual audit interview:
You are introduced as the appointed interviewee for a given area / process / operation. There may be an initial discussion as to your role, the overall nature of the operation in question, etc. The auditor asks for documents to illustrate policies, procedures, specifications, drawings, customer requirements, applicable regulations, risk assessments and so on. (Some may be hard copy but most are likely to be held electronically these days.) Selected jobs / processes / incidents are sampled for more detailed discussion: you talk through the relevant records – again, more often electronic than hard copy – Customer orders, Purchase Orders, Design Plans, Complaints, Non-conformances and corrective action, improvement projects etc.
What part of this cannot be done remotely with today’s technologies? Almost none of it. There is nothing inevitable about the traditional face-to-face methods. Given the technology, adequate planning and the good will of all parties, most of this process works just as well from our own offices, sitting rooms or garden sheds, if we choose to make it work.
Benefits of remote auditing
In the present public health circumstances the immediate motivation behind the push for remote auditing has been one of safety and protection – for both auditors and auditees.
There is, in addition, an argument of principle that where businesses remain open, even during a pandemic, then Management Systems and standards need to be maintained. Customer and regulatory requirements still need to be met. Personnel still need to be kept safe. We still strive to avoid polluting our environment, still need to be vigilant as to data security and so on. And, enabled by technology, the maintenance of these systems and standards can still be “audited” (with any necessary allowances).
In keeping with this principle, audit and certification bodies have striven to maintain audit schedules by adopting remote audit methods rather than abandoning or postponing scheduled audits.
Being audited remotely may in some ways be less disruptive to your business. Online meetings can be scheduled, and if necessary rescheduled, to fit around other commitments. No meeting room needs to be booked, no refreshments ordered. People in different locations can readily be consulted without having to leave their work base. If you have the information infrastructure in place the supporting documentation can be accessed from anywhere, without rooting through hard copy filing cabinets or the inconvenience that the document “owner” is absent on the day, or is engaged in another meeting.
It is true that more careful and detailed advance planning may be needed to make things work smoothly on the day; but there is no reason in principle why all the necessary details cannot be discussed and agreed ahead of time. The audit scope (or plan) will already tell you the topics to be covered. It is not hard to work out which documents will be relevant: this will be information which you hold anyway and which would be a standard input into the audit whether remote or on-site. Some audit bodies are now issuing a list of indicative documents to their clients together with confirmation of the day’s audit plan.
A raft of arguments is now growing in support of maintaining these remote auditing practices even after pandemic restrictions no longer demand it:
- Remote monitoring may be safer and easier in many situations. Operations in hazardous areas, confined spaces, remote sites or even socially or politically unstable environments could be “observed” and audited without the same health and safety risks to both auditors and auditees, requirements for safety briefings, PPE, visas or permits etc.
- Efforts to reduce travel time, costs and environmental impacts are already on many business agendas. Some organisations have been successfully carrying out remote checks or monitoring of suppliers, subcontractors or franchisees for years.
- Where there are many locations all repeating the same straightforward processes a sample might be “audited” remotely, without needing to visit them all individually.
- Use of technology can improve sampling and verification: guidelines from the Auditing Practices Group (APG) cite examples such as using video cameras, smart phones, tablets, drones or satellite image to verify remotely-situated pipelines, machinery settings, storage areas, or forest or agricultural sites.
- Technology can also make it more economical to include technical specialists who may only be required for a short part of the overall audit duration.
- Use of resources such as video or CCTV recordings could also be more efficient than site observation, allowing clips to be reviewed containing the most pertinent operations or information (e.g. cutting out waiting time / handovers or other changes if not relevant to the audit). Sensitive information not required for the audit could be “selected out” for audit purposes, to meet confidentiality or privacy concerns.
- Electronic exchange of information allows a more in-depth and measured review of documents, providing a better understanding all round and more insightful and potentially valuable audit conclusions.
These and similar arguments are now being supported by positive feedback from both clients and auditors about the experience of remote auditing and its effectiveness.
Limitations and difficulties
The debate is still young as to the full potential of remote auditing, and its limits. Whilst many of the document-based elements of Management Systems can be audited perfectly well, there are likely to be some aspects, and some types of audit, which will always require “boots on the ground” – for example:
- Site-specific aspects of health and safety, or environmental aspects and impacts.
- Operational processes such as manufacturing (particularly manual processes), or those in high risk industries such as aerospace, nuclear or medical devices. A policy statement by the United Kingdom Accreditation Service (UKAS) on Assessment During the COVID-19 Outbreak accepts that some “technical functions” may not be able to be covered fully at present, but notes that these may need to be assessed at a later date.
- Certification of “products, processes, services or persons (e.g. manufacturing facility, assessment centre, etc).”
- Any elements of an audit dependent on hard copy documents (or other information) only available on-site.
- Stage 2 (final assessment) for any new Management System certifications (i.e. if this is your first formal certification audit to ISO 9001 or another Standard) should normally be carried out at least partly on-site unless the audit body is satisfied that all requirements can be fully demonstrated remotely. (Also transitions to new or updated Standards.)
Where a full audit of all aspects is not possible in the present circumstances, there are well-established industry policies for (time-limited) extensions to the timescales for both interim (surveillance) and certification audits. UKAS has stated that subject to certain conditions it may accept client recertification audits as much as 12 months after the original expiry date. Extensions to deadlines have also been agreed internationally for clients currently migrating to a number of new or updated Standards.
What worries the auditors
Perhaps not surprisingly, as the party faced with the greatest change to their established working practices, audit and accreditation bodies have their own list of concerns as we embark on this Brave New World of remote auditing. These include:
Ensuring the right technology and technical resources are available to make audits feasible with clients. Will the technology work? Is there sufficiently robust Broadband? Are specific devices (cameras, drones) or technical experts needed?
- Competence of auditors (as well as auditees) to use the technology (and cope with any technical glitches).
- Confidentiality, Security and Data Protection:
Ensuring client consent to any sharing or exchange of documentation. (Accredited certification bodies will work to a standard Non-Disclosure Agreement anyway). What client IT policies need to be observed? What processes are needed to ensure the security, confidentiality, and timely deletion of any information obtained (for example to comply with GDPR)?
- Access to relevant information sources:
Co-ordinating access during the audit to all the relevant information (including software, databases, records etc) and to the relevant people for interview.
- Veracity and validation of information:
Ensuring the identity of people / places / plant etc seen on recordings or via a screen can be authenticated. Can the dates be verified with certainty? How can the auditor be satisfied that they have seen the full 360o picture of a site or when the auditee (operator, guide, technical expert) is controlling the camera (or screen)? How to ensure that data is genuine and not edited or manipulated?
- New rules or protocols:
What additional “rules” need to be agreed for conduct of the audit e.g. muting microphones / pausing cameras when not part of the formal audit session? How can background noise disruptions and interruptions be minimised?
How to manage comfort breaks to ensure against long stretches sat at a screen?
Above all, the profession will be concerned to protect the credibility and robustness of the audit process. Any risk to the validity of an audit threatens the trust placed in its result – so ultimately your reputation. It is in everyone’s interests to ensure that the accuracy and integrity of audit findings are beyond reproach.
There is no doubt that the remote audit environment will be different to the site visit. The opportunities for incidental observations, casual conversations and spontaneous audit trails which arise during a site-based audit will be constrained. These can provide valuable points of information for auditors but also cement the relationship between auditor and auditee, to the advantage of both.
Similarly those “non-verbal” elements of every conversation which add both context and interest – the small gestures, facial expressions, the interactions of people in a room – all may be more difficult both to communicate and to interpret within the limitations of a small screen.
On a purely personal level, I would be sorry to see “clipboard person” disappear entirely from the audit landscape. Infralogics’ 20+ years of joint endeavour with clients, working to hone and improve their management and organisational systems, has generated in many cases a great sense of partnership and immense professional satisfaction. I cannot help wondering whether quite the same relationship could be established with an avatar talking through a series of transactional document checks and date-stamped photographic records. That way, perhaps, lies auditing by robots and AI – but that’s a whole generational step for a different discussion.
We are not there yet, despite the temporary hiatus in site audit visits. Face-to-face auditing will return to an extent: the balance to be reached will be between how much of the “new” audit map will be covered by our new-found remote audit capabilities, and what will be left needing to be addressed by the older, “traditional” methods.
In the short term the message is – remote auditing is here, and likely to become part of the “new normal.” Plan for it, treat it just like any other audit and it can deliver valid and useful results. It may, in the process, create efficiencies, save costs and deliver environmental and other benefits as compared to our pre-2020 standard auditing methods. At the same time, recognising its limitations and difficulties may enable us all to improve the entire auditing process even further in the future.
Are you facing remote audit by an external body – or perhaps have a requirement to conduct your own internal or supplier audits remotely? For any advice, support or information please contact Infralogics to talk to one of our experienced auditors. E-mail firstname.lastname@example.org or contact Stephen Singer directly: 0161 796 2558.