SimpleQuE auditors have been conducting remote internal audits for more than a year and we’ve put together some tips for preparing for this new type of virtual quality management system (QMS) audit.  With health and safety concerns adding new challenges due to COVID-19, conducting on-site internal audits isn’t always possible, so remote audits offer a viable solution for maintaining the QMS while managing risk.

What is a remote internal audit?

A remote internal audit is one that is conducted partially or completely off-site utilizing technology to support the auditor when a site visit is not possible.  Remote audits refer to the use of Information and Communication Technology (ICT) for gathering information, interviewing auditees and even “touring” production areas to verify processes.  Types of ICT can range from teleconferencing, web meetings and collaborations to video technology and applications.  Some of the options include Skype, Zoom, GoToMeeting, WebEx, Microsoft Teams, Facetime, Facebook Messenger video chat – your auditor can also recommend some platforms for video and screen sharing.

As with an onsite internal audit, information relevant to the audit objectives is obtained by appropriate sampling and verified to become audit evidence.  The methods for collecting information are the same, (interviews, observation of processes and activities, review of documentation and records) just done in a face-to-face manner.

(For some processes it may not be possible to remotely verify their effectiveness within the QMS. In that case, a follow-up partial on-site internal audit should be completed at a future time. This is still preferable to cancelling or postponing an on-site audit.)  When this occurs, the annual audit plan or schedule should be updated to show approval and reflect the changes to the audit plan.

Are there guidelines for remote internal audits?

Yes!  SimpleQuE and Certification Bodies conduct remote audits based on guidance from:

• ISO 19011:2018  Guidelines to Auditing Management – Annex A1
• The Use of ICT for Auditing/Assessment Purposes
• Management of Extraordinary Events or Circumstances
• IAF ID12:2015  Principles on Remote Assessment
• Industry guidance from oversight bodies (IATF®, IAQG, ANAB, ISO, IAF)

Another good reference document – ISO 9001 Auditing Practices Group – Guidance on: Remote Audits was created by ISO and IAF.  It includes a Feasibility and Risk Analysis for Remote Audits.

Knowledge. Expertise. Experience.

Schedule A Free Consultation

Outsource Your Internal Audits

Whether you’re conducting virtual or on-site audits internally or hosting one by a Certification Body – preparation is key to success and following these tips can help simplify the process. A smooth and successful remote audit requires just a little more creativity combined with very reliable technology!

Tips for preparing for a remote audit

1. Collaboration between the auditor and company representative is crucial during the planning phase, especially if the auditor has not been on-site and is not familiar with your processes and corporate culture.
2. Determine the audit schedule and logistics. The basic requirements for an audit program are still applicable and prioritized based on risk, internal and external performance trends, and criticality of processes. Focus on the highest risk processes. Be sure audit objectives can be met and managed.
3. Use as much data as possible to conduct a risk assessment and determine what processes, activities or sites can be audited remotely. If you have supplier corrective action requests (SCAR), you may be able to limit your scope to information related only to the processes impacted by these corrective action requests. Prioritizing internal audits based on high-volume, high-risk or especially complex products focuses the audit’s scope.
4. Work with your auditor to agree upon the ICT – online conference system and means of communication to be used and that they meet your company’s cyber-security measures for confidentiality, security and data protection.
5. Ensure you are familiar with the remote technology platform prior to your audit. (You may want to test the system in advance to be sure it can be accessed by the auditor and any off-site auditees. Know how you will share your documents. Does your company have a Cloud based or other file sharing system, or is email acceptable for transferring documents?) Have a backup plan and IT support just in case.
6. Determine the technological infrastructure needed to support a virtual tour of the production or other areas. Will there be internet accessibility? Will you use a smart phone, tablet, webcam, drone or other method to share video, photos and documents?  Is background noise too high to have a conversation during this time in the production area?  How will you communicate with the auditor as questions arise?
7. All interested parties should be aware of their role in the process, inputs, expected outputs to achieve the audit objectives. Per the audit plan, be sure all interviewees have received meeting invitations and are available and prepared to answer the audit questions and to use the technology to communicate and share information.
8. Your auditor will tell you the documents needed in advance or on the audit day. Depending on the standard, these typically are internal audit records and plans, management meeting minutes and actions, complaints log, corrective actions, improvement documentation, risk register, key processes documents, etc.
9. Do a pre-audit walk through of the facilities that will be audited. Look at all the equipment labels and check documentation to be sure everything is in its proper place.

Executing the remote internal audit

1. The right way to conduct an ICT audit is the same as if on-site, using fundamental auditing skills with real-time active auditing. The wrong way to perform an ICT audit having an auditor or audit team reviewing documented information in isolation of the organization being audited.
2. It helps to have a quiet environment with minimal interruptions with all tools and resources ready for the audit. This will be used as a factor in determining what percent of the internal audit can be done remotely.
3. Consider reviewing the process flowchart and operator work instructions with the auditee prior to visiting the production area where samples will then be identified and targeted.
4. Manage the pace of the audit, but plan for some down time to gather records, collect samples or for any unforeseen delays.
5. What ICT was used for the audit and for collection of evidence?  The methodology used should be noted in the audit report.
6. The closing meeting should be conducted the same way as if the auditor was on-site, so designated leadership should be present.

Note: Any deviations from original audit plans should be reviewed and documented in management review meeting(s), and updated on a revised audit schedule with justification for any changes. Internal audit reports should also document the unique changes or circumstances, especially if a remote audit was performed.  The audit report shouldn’t hide that.  It is not an ideal way to perform internal audits, but this is a temporary and practical solution to maintain a company’s quality management system, and maintain ongoing certification.

Benefits of remote internal audits

• Health and safety policies can be observed
• Greater flexibility for scheduling audits
• Improved value of audit time – much more focused
• Greater flexibility in auditing processes
• Opportunity to sample more processes
• Limited disruption to operations and supply chains
• Savings on 2^nd party auditor travel expenses
• Environmentally friendly – reduced carbon footprint
• Maintain quality management system certification

Risks of remote internal audits

• Increased security/confidentiality risk
• Veracity and quality of the objective evidence collected
• Unreliable technology or internet
• Some customer expectations may not be covered in a remote audit so be sure to understand customer allowances.
• Remote audits for some standards like IATF 16949 may not be sufficient to address customer expectations or requirements – IATF is allowing 3^rd party audit “monitoring”.  Refer to IATF Measures Coronavirus Pandemic COVID-19 – Revision 5 October 30 2020

In summary, with the uncertainty of COVID-19, Remote Auditing is a good solution for maintaining certification at a time of social distancing, health concerns and partial to full business operations.

SimpleQuE can perform 2^nd party remote or on-site internal audits for ISO 9001, ISO 14001, ISO 45001, AS9100, AS9110, AS9120, ASA-100, IATF 16949®, and MAQMSR.  This article provides tips for 2^nd party remote internal audits.  For information regarding certification or surveillance audits, contact your certification body for their audit procedures.