Remote audits have tremendous potential, but they are also subject to a learning curve. In this series of articles, we provide a step-by-step guide to conducting a remote audit. Today, we'll look at the risk assessment that precedes the remote audit.
This is part two of a seven-part article series:
- Part 1 - How to conduct remote audits
- Part 2 - Risk Assessment
- Part 3 - Audit Method
- Part 4 - Technology
- Part 5 - Preparation
- Part 6 - Tips for conducting remote audits
- Part 7 - Follow-up
Companies rely on audits of their business partners to provide assurance of compliance with standards. When audits miss critical aspects or otherwise become ineffective, it poses a risk to all involved.
For this reason, before planning a remote audit, auditors and certification bodies must assess whether a remote audit is appropriate for the intended purpose. Some of the criteria for this risk assessment are:
- Integrity of the audit process
- Effectiveness of the audit in achieving the audit objectives
- Feasibility with respect to ICT:
- Risks to the objectivity and validity of the information collected
- Information security for all audit participants
- Feasibility with respect to the selected technology (auditors and customers)
- Up-to-date and stable ICT, with competent people
- Good bandwidth for data transmission and reliable power supply
- Uninterrupted and high quality of sound/image
To decide whether an audit can be performed remotely (partially or fully), DQS uses the following criteria:
- Availability of the necessary infrastructure to support the use of the proposed ICT (e.g., data security, data integrity, media equipment, bandwidth, etc.)
- Systematic implementation of the management system where records, data, etc. can be reviewed at any location, regardless of the physical location
- Complexity of the site (e.g., a small sales office would have lower risk than a large manufacturing site)
- Familiarity of the auditor with the customer's management system, procedures and facilities.
A remote audit should be avoided in the following cases:
- Initial audits: The auditor must be familiar with the customer's management team and premises.
- Clients with a history of critical deviations at the site being assessed.
- Significant changes in management or process responsibilities for relevant processes
- Any violation of accreditation rules or legal and regulatory requirements
- Where security issues exist, e.g. restricted areas or secret documents
- Conflicts between supplier and customer: remote communication is more difficult than face-to-face communication. So if there is a conflict between supplier and customer, remote audits can be ineffective at best and contribute to further misunderstandings at worst.
Was the outcome of your risk assessment positive? Great - learn more about the different audit methods in part three.