The genie is out of the lamp, and there’s no going back.
by Denise Robitaille
Remote auditing is here to stay. And, that’s not a bad thing. As with so many advancements in many fields, progress and innovation have often been foisted on the reluctant, the unprepared, and the recalcitrant. Undoubtably, the current pandemic made it essential. Equally indisputable is the fact that the development of telecommunications technology made it possible.
In hindsight, the concept of utilizing remote technology for auditing should not surprise any of us. It’s logical to have audit tools and practices aligned with those of the processes that are being audited. Web conferencing did not sprout fully formed the day after the stay-at-home directives were first issued in March of 2020. The popularity of web-based apps has been on the rise for over a decade. The increase in accessibility and affordability serendipitously coincided with the onset of the pandemic. What was until very recently perceived as leading edge has become de rigueur.
It’s important to bear in mind that remote auditing is not a new category of auditing. In fact, it is merely the application of new tools and methods to the audit process. The use of remote auditing techniques has also been around for a while. The use has been mostly limited to industries where remote processes occurred. A typical example would be software development programs using remote teams.
Remote auditing involves the application of technology to gather information when in-person methods are not possible or desired. The level of sophistication of the technology can vary. It can run the gamut from simple phone calls and emails to video conferencing software and sharing of cloud based documentation. The term “remoting auditing” encompasses activities that facilitate the assessment of processes occurring in a location other than where the auditor is situated, using verification means that do not include face-to-face meetings. ISO19011 repeatedly makes reference to “remote audit activities.”
The tools and methods may be different, but the same audit requirements apply. Auditors must assess if the auditee has determined inputs to processes, conducted activities under controlled conditions, provided the necessary support resources, defined the interrelation to other processes, ensured control throughout the process, verified the outcome, and retained requisite records and information relating to both the implementation of the activities and the verification of the product (or process output).
The basic elements to remember are:
• Activities occur at a location other than where the auditor is situated regardless of the distance
• There is no face-to-face meeting or on-site presence
• The principles of auditing still apply
Same process; same requirements; different tools and methods.
There is one thing to note. It is possible to have an audit where some processes are assessed remotely while others are audited on-site. The advisability of conducting audits that combine both methods is based on considerations of constraints and benefits—or in QMS parlance: risks and opportunities.
Having established that remote auditing is here to stay, the best course of action is to acknowledge the potential benefits and develop plans to optimize the chance of success.
Utilizing remote auditing manages a whole variety of constraints. By auditing processes remotely an organization may achieve immediate financial benefits. There are no travel expenses: no airfare, no hotel and meal costs, no mileage compensation. It’s an easy win.
Beyond the immediate financial boost there are other potential benefits to be derived.
There’s greater flexibility in the quantity of audits to be completed because they consume fewer resources. An auditor doesn’t spend hours or days traveling so there are more auditor hours available to apply directly to the audit process. Let’s assume that a supplier audit takes 6 hours to complete and an auditor spends a total of 8 hours traveling to and from the audit site. (In this hypothetical scenario the suppliers are all relatively local—within a few hours’ drive of the company.) If the audit is conducted remotely, most of those 8 hours are now directly available for conducting other audits. (The whole 8 hours aren’t available because there’ll be time required to address telecommunication protocols and technology access issues.) The time required to generate the audit report isn’t shortened, because the report still has to contain all the same stuff as for one done on-site. Therefore, if you have 12–14 extra unassigned hours every month, it means that over the course of the year, there are approximately 150 more hours available to conduct additional audits. Under normal conditions, allowing for some variation in time, that means there are resources available to conduct an additional 15–18 audits each year. Or, if the person conducting the audits has other responsibilities, the time resource can be reallocated to other internal activities.
An alternate scenario dealing with a supplier audits program could have an even greater financial impact. Imagine that the company manufactures a complex medical device. Multiple components have critical attributes and/or elaborate production and test protocols. The company has determined that the 20 level-one critical suppliers are to be audited twice per year. The suppliers are scattered around the globe. If even one-third of the audits could be conducted remotely, the cost savings could easily exceed $20,000–$30,000 each year.
Add to this benefit the potential to broaden the pool of potential auditors. There may be some well-qualified individuals who are unable to travel due to family constraints. This provides them with an opportunity to develop their auditor skills while augmenting the audit resources available to the company.
An organization with a multi-site scheme could choose to conduct some of their internal audits remotely. They would experience the benefit of observing remote processes, such as quoting, from the customers’ perspective and identify possible risks and constraints in the process. Questions that could arise might include: How accessible is our product information on the web site? What might cause a delay if a customer needs to change an order? How robust are our security protocols when customers send us CAD files? It would be enlightening to observe how some of these contingencies are managed when the person with the answer isn’t in the next office.
Finally, as we all move inexorably into the digital age, it will be beneficial to observe the level of agility our own organization and our suppliers have with electronic media and virtual processes. From an internal audit perspective it could detect risks for top management to consider. During supplier audits it could identify those companies with a sustained and long-term commitment to improvement and innovation. And, for certification assessments it could facilitate determining if, for example, an organization is effectively managing technological changes that affect their ability to fulfill their customers’ expectations.
Recent events may have propelled organizations toward remote auditing practices at an unanticipated pace. However, the benefits to be derived are valid and sustainable regardless of the impetus.
About the Author
Denise Robitaille is the author of numerous books on various quality topics. She is an internationally recognized speaker who brings years of experience in business and industry to her work in the quality profession. Denise is an active member of U.S. TAG to ISO/TC 176, the committee responsible for updating the ISO 9000 family of standards. She is also Certus-certified lead assessor, an ASQ Certified Quality Auditor, and a fellow of the ASQ. She is the author of numerous books, including Remote Auditing: A Quick and Easy Guide for Management System Auditors, published by Paton Professional.
Copyright 2021 by Denise Robitaille. All rights reserved.
Denise, I liked the article. I´ve been remotely auditing, internal ISO 27001 audits, for a few years and I never had any issues with those. ISO 27001 is the easiest management system to audit remotely. When pandemic shut everything down, to me was great because I could keep auditing, for registrars, without the travelling annoiance. SInce the pandemic started, I delivered 137 remote audit days, and I never had any issues so I really hope this is for good, win-win situation, nobody loses except that travelling industry of course. 🙂