The future of remote auditing

Remote auditing – an activity whose time has come?

This post formed the basis for an article I prepared for the Chartered Quality Institute in March 2020, just as we were going into the lockdown at the height of the first wave of the Covid-19 pandemic. The final version was published on the quality.org website – here.

There is a new draft standard being produced by ISO’s CASCO conformity assessment committee; I’ll probably update the article when I have had a chance to look at it.

The Covid 19 pandemic is unprecedented in modern times and provides the first significant test for the relatively new programme of assessment and certification of management systems. Current programmes largely rely on a 3rd party certification body (CB) sending auditor(s) to their client’s premises to conduct audits, interview staff face-to-face and observe processes in operation. Aside from the current focus on disease transmission, there are environmental costs, time wasted and safety and health risks associated with auditors driving to clients’ premises. Remote auditing can eliminate all these losses associated with certification if it can be effectively managed.

The standard for management systems standards (MSS) CBs is ISO IEC 17021-1, which has recognized remote auditing in certification activities since 2011. In a note to the requirement clause on Conducting on-site audits, it says: ‘In addition to visiting physical location(s) (e.g. factory), “on-site” can include remote access to the electronic site(s) that contain(s) information that is relevant to the audit of the management system.’

The latest 2015 edition of the standard continues to recognize remote auditing but concentrates on requirements for on-site auditing, with the assumption that the majority of assessment activity will be in person and face-to-face.

With the need for social distancing and discouragement of all but essential travel, accreditation bodies (ABs) are moving to continuing accreditation of organisations to conformity assessment standards including ISO IEC 17025 for laboratories and testing organisations and ISO IEC 17021 for MSS CBs. In UKAS’ most recent update on Covid 19 (since removed), it states: ‘To ensure that UKAS continues to provide an appropriate level of trust and confidence to the marketplace, with immediate effect UKAS will be conducting all our assessments remotely.’

In line with IAF guidance (since removed), it seems that CBs, in turn, are scrambling to find ways of remote auditing to support certification to management systems standards (MSS) including ISO 9001, in line with the IAF policy for dealing with ‘extraordinary events’ such as Covid 19 related travel restrictions that prevent the CB assessing organisations onsite. CBs are already very aware of the travel element of the cost of certification and have over the years done much to reduce the amount of travel including more regional operations.

The threat of a global pandemic has been a consideration for enterprise risk management for many years. For organisations like CBs that rely on a significant proportion of their income coming from putting their people in front of clients, the threats of a pandemic and subsequent lockdown are catastrophic. Why, then, was there not more in place to ensure continuity of assessment and to provide continuing confidence in certification? Whatever the crisis associated with the current pandemic, the need for confidence does not go away. Personal protective equipment and medical devices are just two areas of regulated conformity assessment that will be needed to keep front-line staff and patients safe in weeks and months to come.

Perhaps one reason the certification industry has been slow to embrace new technology is that the system rules that certification works to are, at best, vague. As mentioned above, the expectation is for a majority of assessment activity being undertaken on-site. The IAF has published requirements for remote auditing through its IAF MD 4 and considers the balance of remote and on-site auditing in its MD 5 document: ‘2.1.1. The audit time for all types of audits includes the total time on-site at a client’s location (physical or virtual) (1.7) and time spent off-site carrying out planning, document review, interacting with client personnel and report writing.’

The swift take-up of remote auditing is an indication that this was an unfulfilled need. I am aware of two recent assessments where the 3rd party assessment process has been completed. Both organisations assessed believe that the audit remained credible and was beneficial to them as the auditee. In each case there were teething problems associated with access to and use of the technology, but these were overcome at the time and did not interfere significantly with the audit process.

If MSS certification were currently a perfect process, a move towards remote auditing would introduce new risks. As it is, the industry and the credibility of certification is in the spotlight. ISO TC 176, the ISO technical committee responsible for ISO 9001, is so concerned over the credibility of the use of its standard by CBs and others associated with MSS certification that they have a task group looking at all aspects of Brand Integrity for ISO 9001. These credibility issues mean that the use of technology requires further assessment of risks and reliable mitigation of risk to allow the opportunities that remote auditing promises.

ISO’s guidance document for auditing, ISO 19011 2018, places the responsibility for deciding on appropriate audit methods with the audit programme manager:

5.5.3 Selecting and determining audit methods

The individual(s) managing the audit programme should select and determine the methods for effectively and efficiently conducting an audit, depending on the defined audit objectives, scope and criteria.

Audits can be performed on-site, remotely or as a combination. The use of these methods should be suitably balanced, based on, among others, consideration of associated risks and opportunities.

There will be areas of conformity assessment that present an increased risk for the credibility of remote auditing. High-risk industries like aerospace and medical devices will always have an element of ‘boots on the ground’ to have confidence in the final products and services that the industry procures. The PiP scandal for breast implants made with inferior silicone is still relatively fresh in the memory.

As the industry turns, at least temporarily, to the use of remote auditing, it is worth us discussing other reasons why the CBs haven’t taken this opportunity; some of these are considered below:

  • Access to technology – there are multiple hardware and software solutions available for collaboration and enabling remote interview and review of electronic (and other) documentation. The conformity assessment body needs to have access to relevant reliable solutions to enable them to provide the service. Following ISO’s applicability principle, this should not require the organisation looking for certification to incur significant costs
  • Reliability – technology solutions require reliable hardware, software and, in the case of internet-based solutions, wireless/phone and broadband services
  • Competence – conformity assessment auditors are often in a second or third career and are not necessarily the most up-to-date on technology. Remote auditing requires new competencies and the development of others
    • The auditor has to be able to work with the technology solution(s) selected
    • They have to be able to handle the difficulties associated with picking up on verbal and visual cues when interviewing remotely
    • They have to develop new ways of selecting samples and following audit trails to ensure that samples are representative and of their choosing and that they remain in control of the audit process

Auditors need to be alert to new ways of gaming the audit process with carefully selected auditees and screened samples for evidence. Organisations that ‘get’ the benefit of independent 3rd party assessment are unlikely to game the system in this way, whereas those that see the audit as a necessary evil to support certification as a licence to trade will see remote audit as another opportunity to pull the wool over an auditor’s eyes.

When the urgent need for remote auditing disappears as the impact of the pandemic recedes, we need to keep the pressure on those leading conformity assessment organisations. As just one facet of response to business continuity challenges, CBs and ABs need to be looking carefully at the rules of the game for certification and accreditation to ensure they remain fit for purpose in today’s connected age. All aspects of the process need to be aligned to enable remote auditing to be a cornerstone of future conformity assessment schemes.

Increased use of remote auditing creates risks and opportunities in conformity assessment. If we can ensure the credibility of audit activities to at least current levels, we can grasp the efficiencies currently available from proven technology.


One response to “The future of remote auditing”

  1. OK…when are the IAF and TC176 going to understand that it is the customers of CBs and labs who are the target market for certification and accreditation?

    What do they think of the credibility of remote auditing? Have you polled the views of sector scheme owners such as the GFSI and IATF, for example? Or defence procurement agencies of NATO members that are our genesis? Or those regulators who subscribe to the MDSAP…

    IMO, it doesn’t matter what IAF or TC176 thinks, does it? You guys aren’t the victims!

    The only case I’ve known where remote auditing was effective was at a software medical device client, where 100% of everything was visible anywhere in the world via the cloud and MS Teams.

    I fear almost everywhere else the term “remote auditing” approaches an oxymoron.
