The Covid-19 pandemic is unprecedented in modern times and provides the first significant test for the relatively new programme of assessment and certification of management systems. Paul Simpson, CQP FCQI, Principal Consultant and Owner of s2a2s Ltd, discusses the risks and opportunities associated with remote auditing for conformity assessment organisations.
Current programmes for the assessment and certification of management systems largely rely on a third-party certification body sending auditors to their clients’ premises to conduct audits. This involves interviewing staff face-to-face and observing processes in operation on site.
Aside from the current focus on coronavirus transmission, there are environmental costs, time wasted, and safety and health risks associated with auditors driving to clients’ premises. Remote auditing can eliminate all these losses associated with certification, if it can be effectively managed.
The standard providing requirements for accredited certification bodies is ISO/IEC 17021-1:2015 Conformity assessment – Requirements for bodies providing audit and certification of management systems. This standard has recognised remote auditing in certification activities since 2011. In a note to the requirement clause on conducting on-site audits, it said: “In addition to visiting physical location(s) (e.g. factory), ‘on-site’ can include remote access to electronic site(s) that contain(s) information that is relevant to the audit of the management system.”
The latest edition (2015) of the standard continues to recognise remote auditing but concentrates on requirements for on-site auditing with the assumption that the majority of assessment activity will be in person and face-to-face.
With the need for social distancing and discouragement of all but essential travel, accreditation bodies are continuing to accredit organisations to conformity assessment standards including ISO/IEC 17025 for testing and calibration laboratories and ISO IEC 17021 for certification bodies. In UKAS’ most recent update on Covid-19, the organisation states it will be conducting all of its assessments remotely to provide an appropriate level of trust and confidence to the marketplace. This will be the case until at least 31 May 2020. This duration will be subject to ongoing review.
In line with the International Accreditation Forum’s (IAF) guidance ID3 for Management of Extraordinary Events or Circumstances Affecting ABs, CABs and Certified Organizations it seems that certification bodies are scrambling to find ways of performing remote audits to support certification to management systems standards such as ISO 9001:2015 – Quality management system. The IAF policy for dealing with ‘extraordinary events’, such as travel restrictions, require accreditation bodies to assess the risks of continuing accreditation. Accreditation bodies should define alternate potential short-term methods of verifying continuing effectiveness of a management system.
The threat of a global pandemic has been a consideration for enterprise risk management for many years. For organisations like certification bodies, that rely on a significant proportion of their income to come from putting their people in front of clients, the threats of a pandemic and subsequent lockdown are catastrophic.
Why then, was there not more in place to ensure continuity of assessment and to provide continuing confidence in certification? The need for confidence does not go away. If anything, it is even more vital at a time when the world is struggling with a pandemic. Personal protective equipment and medical devices are just two areas of regulated conformity assessment that will be needed to keep front-line staff and patients safe in weeks and months to come.
The certification industry has been slow to embrace new technology because the expectation is for a majority of assessment activity to be undertaken on-site. The IAF, however, has published requirements for remote auditing through its IAF mandatory document for the use of information and communication technology for auditing and assessment purposes (IAF MD 4). In its introduction to MD4, the IAF stresses the importance of capturing the opportunities presented by information and communication technology (ICT) to enable conformity assessment to be more effective and efficient. In this document, a range of ICT tools are described in the context of a third party management systems and/or product conformity audit.
The balance of remote and on-site auditing is also considered in IAF’s MD5:2019 document, which looks at the determination of audit time of quality, environmental, and occupational health and safety management systems. Clause 2.1.1 in this document states that the audit time for all types of audits includes the total time on-site at a client’s location (physical or virtual) and time spent off-site carrying out planning, document review, interacting with client personnel and report writing.
The swift take-up of remote auditing is an indication that this was an unfulfilled need. I am aware of two recent assessments where the third party assessment process has been successfully completed. Both organisations assessed believe that the audit remained credible and was beneficial to them. In each case, there were teething problems associated with access to and use of the technology, but these were overcome at the time and did not interfere significantly with the audit process.
If management systems standards certification is currently a perfect process, a move towards remote auditing would introduce new risks, as it is the industry and the credibility of certification that is in the spotlight. ISO TC 176, the ISO technical committee responsible for ISO 9001:2015, is so concerned over the credibility of the use of its standard by certification bodies and others associated with management systems standards certification, that they have a task group looking at all aspects of brand integrity for ISO 9001. These credibility issues mean that use of technology requires further assessment of risks and reliable mitigation of risk to allow the opportunities that remote auditing promises.
ISO’s guidance document for auditing, ISO 19011:2018 – Auditing management systems, places the responsibility of deciding on appropriate audit methods with the audit programme manager. It says that the individual managing the audit programme should select and determine the methods for effectively and efficiently conducting an audit, depending on the defined audit objectives, scope and criteria.
Audits can be performed on-site, remotely or as a combination. The use of these methods should be suitably balanced and based on, among others, consideration of associated risks and opportunities.
There will be areas of conformity assessment that present increased risk for the credibility of remote auditing. High risk industries like aerospace and medical devices will always have an element of ‘boots on the ground’ to have confidence in the final products and services that the industry procures. The Poly Implant Prothèse (PIP) breast implant scandal, for example, is still relatively fresh in the memory.
As the industry turns, at least temporarily, to the use of remote auditing, it is worth us discussing other reasons why certification bodies haven’t taken this opportunity. Some of these are considered below:
- Access to technology – there are multiple hardware and software solutions available for collaboration and enabling remote interview and review of electronic (and other) documentation. The conformity assessment body needs to have access to relevant reliable solutions to enable them to provide the service. In accordance with ISO’s applicability principle this should not require the organisation looking for certification to incur significant costs.
- Reliability – technology solutions require reliable hardware, software and, in the case of internet-based solutions, wireless/phone and broadband services.
- Competence – Remote auditing requires new competences and for developments of others. The auditors must:
- be able to work with the technology solution(s) selected;
- be able to handle the difficulties associated with picking up on verbal and visual cues when interviewing remotely;
- develop new ways for selecting samples and following audit trails to ensure that samples are representative, are of their choosing, and that they remain in control of the audit process.
When the urgent need for remote auditing disappears as the impact of the pandemic recedes, we need to keep the pressure on those conformity assessment organisations. Certification and accreditation bodies need to ensure they remain fit for purpose in today’s connected age. All aspects of the process need to be aligned to enable remote auditing to be a cornerstone of future conformity assessment schemes.
Increased use of remote auditing creates risks and opportunities in conformity assessment. If we can ensure credibility of audit activities to at least current levels, we can then grasp the efficiencies currently available from proven technology.