Many people question me daily as to why QMS have not made any specific content on remote auditing during this quarantine. Let me explain:
We haven’t really done it, the main reason is that we believe that remote auditing is not a separate process, or a major innovation. Remote auditing is auditing, there is no distinction.
Based on this principle, we have infinite content about auditing on our blogs and social networks. We even recently launched the EAD course of ISO 19011 – Audits on management systems in Brazil, and we had more than 2,000 enrollments in just 1 month. This is not a course on remote auditing, it is on auditing, on who takes the course and acquires the content, and is then able to do remote audits, documentations, on-site audit, and any other means.
Until now, we have never discussed service provision or auditing related to environment, OH&S, anti-bribery and innovation, in a separate and distinct way. We always discuss audit techniques based on ISO 19011 and ISO 17021, combined with knowledge, training and experience in the subject, and in the reference Standard.
I agree that there are particularities in a remote audit because what changes is not the method but the means.
Firstly, it is important to inform you that YES! at QMS we are conducting remote audits on our customers based on a lot of technology, risk analysis, training, qualification and lessons learned daily. However, I reaffirm that remote auditing for us is an AUDIT, it is necessary to follow the same parameters that are followed in an on-site audit.
ALL audits can be remote audits, but not all audits are able to be done remotely.
There are several factors that must be observed in order to decide whether to perform a remote audit or not. It is these factors and only these factors that will define whether or not you can perform a remote audit.
ISO 19011:2018 has already established the risk analysis of audits. For remote audits, this process must be very well observed, evaluated, categorized, detailed and discussed.
Remote auditing is not just turning on Skype and requesting documented information.
Risk analysis is a fundamental part of the remote audit process. That includes establishing all risks from different approaches, including competence risk, applied technology, audited process and several other factors, which will create a real scenario for the decision to carry out a remote audit.
In particular, I believe that it is based on this factor that many audit processes will fail, because risk-based thinking is not something that is practiced naturally and continuously. In remote audit cases, this needs to be done.
Technology to be used
There is no single “type of technology to be used”, what exists is a combination of technologies, based on the processes to be audited, the reference standard(s), the scope of the organization and other factors to be observed during the risk analysis.
Many imagine that the technology used is the name of the video conferencing software (Skype, Zoom, Hangout, etc.), but no matter which software is chosen, the most important type of technology to be used is the video call.
There are several types of technology that can be utilized, from the access to CCTV (closed-circuit television) of the organization, through to drones, smart glasses, cell phones, tablets, access to company systems, file transfer, live stream, etc.
Without being repetitive, what will depend and define this factor is the risk analysis of the audit and the availability of resources of the organization. Perhaps due to these factors, remote auditing will not be possible.
As I have mentioned above, it is here that problems will occur. A poorly made or underestimated risk analysis will directly impact the results of the remote audit. So what will happen is that, in many cases, a remote audit should not even occur.
The performance of the audit
As I said at the start of this article, a remote audit is nothing more than a regular audit, so the performance strategy will basically take place according to the precepts of ISO 19011 and ISO 17021: interviews, document analysis and visual observation.
Obviously some risks, if materialized, may impair the audit, so once again a detailed assessment of this aspect is necessary, because if there is a mapped risk there will certainly be a control, and it should be applied.
Situations such as the maintenance of the types of technology used throughout the audit period so that they are not interrupted, must be observed. In addition, a preponderant risk factor is the confidentiality of the audited information, the risk of which can be increased in a remote audit.
Traceability is one of the factors that will directly impact the result and final delivery of the audit.
In a remote audit, traceability before, during and especially after the process must be preserved more than ever.
This factor is important to emphasize, because all items described above will culminate in the traceability of information that is robust enough to guarantee the final results of the audit and the conclusion by other interested parties, that the audit was effective or not. However, it is necessary to take extra care, so that the traceability records do not impact the confidentiality and impartiality of the audit process in any way, factors that are also key to the result.
I conclude by reaffirming that the remote audit is just an audit, however, I consider that all the factors I have listed here are factors that could pose several risks to the audit process, risks even greater and more complex than an on-site audit.
I therefore believe that the current phase worldwide, due to the pandemic and the boom in the subject of remote auditing, will be of fundamental importance and a great watershed for the following reasons :
Identify and separate organizations and professionals who really care about creating a systematic audit process, whether remote or not, and others that just call Skype and request documented information.
Because at the end of the day, it is all about credibility.