The Methodologies of Remote Audits
Gary Jarvis, CQP MCQI, Group Quality and Information Security Manager at The Growth Company, shares his experience of conducting a remote audit, and an overview on the specific and unique challenges and the viability of auditing remotely.
Auditing, just like technology, is evolving. What was once an on-site exercise, be it a face-to-face meeting with an auditee at their desk reviewing the sales process, having a coffee in the boardroom with a senior manager or director and discussing context and leadership, or having a site tour of the factory floor with a member of the operational team, audits are now being carried out using remote techniques.
What is a remote audit?
A remote audit, also known as virtual audit, is the method of conducting an audit remotely, using electronic methods such as video conferencing, email and telephone to obtain audit evidence, just like you would during an on-site audit.
The overall aim is to evaluate this evidence objectively to determine the extent to which the audit criteria has been fulfilled.
Remote auditing provides a springboard for tools such as file and screen sharing, video conferencing (Skype and Zoom are common platforms), and live data analysis.
During this type of audit, auditors are able to adopt standard auditing techniques which they use during on-site audits, including being open minded, diplomatic, listening and being respectful to the auditee.
Auditors will continue to ask key and relevant questions related to the scope of the audit, and, more importantly, make full use of two key skills that are maximised during a remote audit –being versatile and collaborative.
One of the benefits is the ability to allow auditors to receive and share data, review documentation and processes, conduct interviews and make observations with auditees from all over the world without the need to commute to the audit site.
With the time spent commuting eliminated, auditors can also spend more time doing things that add value, such as reviewing documentation to ascertain which audit trails to explore, and spending time writing audit reports to a higher standard that clearly outline audit outcomes such as findings opportunities for improvement.
A key thing to consider is the audit objectives, the available technology and the type of audit evidence that needs to be gathered to determine if a remote audit is suitable
The utilisation of technology to carry out audits remotely also saves time and money. Data can be accessed from anywhere, such as a cloud portal. Auditees are also likely to be more engaged in the process if a set time is allocated for remote audit activity. They are less likely to be side-tracked or disturbed with any urgent work requests, including answering emails, telephone calls and dealing with queries from fellow staff members.
‘Audit burnout’ is a common term in the certification industry, particularly if auditors are carrying out several one-day audits over the week, travelling to different sites and writing several different reports each week. Remote auditing can break up that process and give the opportunity for a different approach and outlook, adding value to both auditor, auditee, and the overall audit process.
There are, of course, disadvantages to consider. A key thing to consider is the audit objectives, the available technology and the type of audit evidence that needs to be gathered to determine if a remote audit is suitable in the circumstances and aligned to the scope of the audit. For example, an audit of the physical work environment such as the factory floor or warehouse for a manufacturing company, or an audit of a welding process for a steel fabricator, may not be suitable to be completed remotely.
Remote audits should also not be used as a cost-saving measure, or because they are less of a logistical headache for the organisation being audited. They should only be considered when you are satisfied, beyond any doubt, that audit objectives can be met.
Another area to consider is technology. If network connections are not very reliable, interviews and meetings can be interrupted, and it may take some time to reconnect and solve all the network problems. Access to relevant databases and systems should also be considered to ensure tangible and objective evidence is available to review.
During remote audits, direct interaction with the auditee is lost, and although certainly not a witch-hunt, the ability to read body language can be lost, which can be crucial to exploring issues and audit trails further during an on-site audit.
My own personal experience
In early March 2020, I had an audit scheduled as part my organisation’s annual audit plan. It was a full management system audit against all the requirements of ISO 9001:2015 – Quality management systems for one of our operating companies.
The audit followed the standard process – the audit plan was put together following direct interaction with the key auditee, with a focus on areas of risk. The first day of the audit went ahead on-site, as planned, and was productive. I was able to sit with a number of different staff members, including senior management to review different clauses of the standard such as organisational context, leadership and planning, and later establish a link between this and the requirements in clause 8 of the standard – operational control. The plan was to reconvene the following day and continue the audit on-site.
However, due to the developing Covid-19 pandemic, and the government’s announcement advising workers to work from home and avoid all non-essential travel, the audit was put on hold.
As little as two years ago, this may have caused quite an issue and the audit will have more than likely been postponed indefinitely. However, due to the advancements in technology and agile working within the organisation we were quickly and easily able to cover the additional requirements (a final 60 per cent of the audit) via remote auditing.
This involved a quick mid-audit meeting with the key auditee to rescope the plan. Additional auditees were updated and advised that their areas would be audited remotely using Skype for Business.
I was later able to audit the required areas, in detail and without any issues, using this remote style of auditing, including a review of the operational compliance team and an audit of their central compliance verification process.
The auditee was able to share their screen with me, even giving me the option to take control of their laptop remotely to explore further audit trails and evidence. I was also able to interview other members of the management team to review further evidence in detail, such as the process for agreeing and monitoring quality objectives.
Overall, the process was seamless and added real value to the audit. It also enabled us to complete the audit on schedule. The feedback from everybody involved in the remote auditing process was very positive.
The future of remote auditing
Remote audits are a trend that is gaining traction rapidly and maximisation of this type of auditing can only be a positive thing. On-site audit activity, before or after a remote audit, encourages communication regarding key topics and areas to explore that strengthen the overall audit process and help build a better relationship between auditor and auditee.
Clear and well-planned audit planning and good communication are essential from all parties to ensure that the process runs as smoothly as possible.
While I do not envision remote audits will take over the entire audit activity, I do think there is scope for at least one third of audit activity to be completed remotely. This is because if an organisation or auditee is deemed higher risk, then more time on-site will be required. For more established organisations and auditees, remote audits should be built into their external or internal three-year audit plans.
For those familiar with ISO 19011:2018 – Guidelines for Auditing Management Systems, you will now note this includes new specifications for conducting remote audits. This is a clear indication that we are moving to a more virtual auditing approach. It is my view that in three to five years, every ISO lead auditor course will have at least 30 per cent of the syllabus focused purely on remote auditing.
Attribute to original publisher/ publishing organization: Gary Jarvis, CQP MCQI, Group Quality and Information Security Manager at The Growth Company, https://www.quality.org/knowledge/evolution-remote-audits