The risk assessment
The risk assessment is based on a questionnaire that identifies, among other things, the historical performance of the site and the availability of documentation and records. The certification body is responsible for assessing the risk assessment. It decides whether a site can achieve the audit objectives with the help of a remote audit.
How is a blended audit conducted?
The blended audit is carried out with the help of information and communication technology. There are no precise regulations regarding the means of communication. To minimize risks related to data security, DQS auditors ideally work with the tools that the respective clients are already familiar with.
What is audited?
What is audited remotely during the blended audit and what is scrutinized on-site can be identified in almost all BRCGS standards by the color coding. This can usually be found to the left of each requirement.
Remote audits review documentation, records and systems. On-site audits look at good manufacturing practices, implementation of food safety management systems, and traceability (traceability test).
Whether a site is audited remotely or completely on-site does not affect audit duration. If a site chooses the blended audit, the total audit duration is exactly the same as the audit duration of a traditional audit. How the time is split between the remote portion and the on-site portion depends on the risk assessment. What is certain, however, is that at least half of the audit duration must be spent on-site.
Confidentiality, security and data protection
Protecting sensitive information is a very high priority for remote audits. Certification bodies must take local data protection laws into account. To prepare for the use of information and communications technology, all certification, client, and legal requirements related to confidentiality, security, and privacy must be defined and measures taken to ensure their effective implementation. All participants must demonstrably agree to the confidentiality, security, and privacy requirements.