- Standards & Certifications
- News & Events
- Incident Service
- About Tapa
Remote or virtual auditing has seen rapid growth during the Covid-19 pandemic, BUT it has been around and in limited use for many years. Remote auditing is one of the audit methods described in ISO 19011:2018 Annex A1. and IAF MD4:2015 - so it’s not new, it’s just experiencing a big boost in popularity, and this is expected to continue post-Covid.
Typically, pre-2019, audits meant someone physically coming to a site, walking through the facility, meeting staff and verifying that activities were being undertaken to a pre-agreed arrangement. It is unlikely remote auditing will ever replace physical auditing, but at times of crisis like the Covid-19 pandemic, it has proven to be an effective solution to help reduce risk and maintain customer confidence – and some form of remote auditing will certainly stay in place moving ahead.
Audits are done for many reasons:
Audits themselves can be different types – i.e.
TAPA EMEA has also seen the merits of remote auditing and has established a Remote Verification Audit Criteria. This procedure can be applied to all current versions of TAPA’s Security Standards in use in EMEA and provides an alternative solution to a physical on-location, in-person audit.
So, let’s take a look at the requirements and process to be followed for auditors to use during remote TAPA audits.
What is a remote audit?
A remote audit is the method of conducting an audit without being physically present at the auditee location and typically uses such techniques as video conferencing, file sharing, email and telephone to collect the evidence needed to verify compliance, in the same way you would if you were at the site. More innovative techniques even include the use of drones or body worn cameras. Regardless of the method used, the audit must still verify objective evidence to show that the audit criteria are being met.
Commonly used platforms such as TEAMs, Zoom etc. provide a very good method of completing a remote audit, but it’s important to be aware of the limitations of such methods.
Virtual audits have many benefits, including:
Naturally, there are some disadvantages to be considered too, such as:
So, what should we consider before a remote audit is agreed?
The first thing is feasibility. Are you able to audit this location using remote methods and be satisfied that the outcome will provide confidence the audit was effective?
Confidentiality and security issues, as well as data protection are critical. By using the remote methods, are you going to compromise security or confidentiality? What should be put in place to assure the auditee the information they share during the audit is secure? Will the recording of sound and images be acceptable? When documented information is to be analysed in an asynchronous manner (i.e. not in real-time by screen sharing), how will it be shared in a secure and agreed system, such as cloud based, Virtual Private Network or other file-sharing systems? Once the audit is complete, how will the collected data be managed? Auditors should not take screenshots as audit evidence without prior agreement. Any screenshots to be used in a report should be pre-authorised by the audited organisation.
So, before any remote audit is even planned, we need to have a documented agreement between auditor and auditee covering the topics above.
Consider ICT (information and communication technologies). Is there a stable connection allowing full access? Are all areas of the site accessible – i.e. wi-fi/cell signal across the locations, explosive atmospheres where phones or tablets can’t be used etc.
Once you have done the risk assessment and decide to proceed, then the detailed planning process begins. You must utilise the audit time in the most productive and effective way. This can mean producing an agenda that is totally different from that of an onsite audit. If you took a typical supplier quality audit, it is often 2 days onsite plus a half day reporting. Remote auditing, because of its additional needs and approach, lends itself to a different approach. As an example, some of the audit can be completed offline before the initial client meeting. If your auditee is prepared to share data, you could easily complete some areas of the audit through document review. When you audit a site, you also need to be aware of how the site layout can impact auditability – i.e. are there clean rooms that need gowning time, noisy areas that are not easy to audit remotely, or areas where synchronous video isn’t possible. How does material flow through the process?
So, this is where a “thinking outside of the box” approach is better. Trained, well-prepared remote auditors will be looking to maximise client interaction and minimise down time. One thing to consider here is can you get two guides – i.e. work with one, whilst the other is preparing to enter another area, so the auditor is always auditing. Novel agendas could also see reporting time being allocated in smaller blocks instead of a half day at the end – i.e. using down time between auditing processes to complete each part of the final report.
Also, whilst auditing, it’s important the auditor keeps full control of the audit, ensuring they see what they need and are not being led by the auditee. Having a copy of the site plan and plotting the areas you have seen/visited is vital, so that at the end of the audit you can be sure you have seen everything you needed to. If you need to use asynchronous video, it’s vital the auditor tells the camera person what they want them to show and what data needs to be collected as evidence. It’s no use just saying ‘please walk me through the warehouse!’
Having completed more than 130 days of remote auditing in the last 18 months covering quality, environment H&S, security and GMP/GDP, and also working for clients who have been the subject of audits, I’ve seen the good, the bad and the ugly!! From third party auditors just requesting a bundle of documents at the opening meeting at 09:00, and then a TEAMs call at 16:30 to say everything was fine, to being asked if I could mail client sensitive documents as the auditor just couldn’t read them on the screen share. Seeing failing internet connections, so the planned 8-hour agenda time produced less than 3 hours of effective auditing.
I cannot stress enough the need for auditors to be trained in remote auditing, and for effective planning to be done. Auditor/auditee cooperation and flexibility must also be embedded into the process for this to be a success. Typically, lead auditor training courses have not prepared auditors for remote auditing, so top-up training will definitely be needed. Remote auditing lends itself to covering some areas – i.e. management review, internal auditing, purchasing, HR, etc, where much of the audit is done by looking at documents. In the future, this may be done offsite, and the only things where the auditor needs to be present onsite are items such as work environment, security, some production processes, and confidential areas including personal data, proprietary items, and matters covered under GDPR. So, future audits may require only a short onsite visit to verify those activities that cannot be done remotely, or as a means of due diligence to verify what was seen on screen was accurate.
Working with TAPA EMEA, I have prepared a Remote Auditing training course which leads the trainee to think through the whole process. This will help those completing the course to:
The course, delivered over two four-hour sessions one week apart, will enhance any auditor’s skills. The second session also includes a Live Audit situation where participants are able to use the tools and knowledge they have gained and then discuss how to maximise the learning experience. Feedback from the first TAPA EMEA course was excellent.
So, in conclusion, remote audits are here to stay. If you want to be effective at this, you need to understand the process and its limitations, to be trained in the remote audit techniques and then use the learning in your company, so it becomes second nature.
About the Author:
Jeff Dowson first became involved with management systems and auditing in 1979. Since then, he has audited organisations globally against a multitude of Standards. Since 2001, Jeff has been involved with TAPA EMEA, including providing input on the auditing methodologies and the TAPA Standards. Jeff has worked with many Blue Chip global organisations to help them develop bespoke Standards. After 27 years of working with the world’s largest testing, inspection and certification company, SGS, Jeff now runs his own consultancy, JD Business Enhancement, helping organisations reduce risk and improve performance and profits. Jeff continues to audit, both onsite and remotely, and provide training courses, and is supporting the rollout of TAPA EMEA’s Remote Validation Audit programme.