Continuing risk-based audits during a pandemic
Gordon McNeil, IRCA Principal Auditor, has conducted audits globally in a variety of industries, including nuclear, defence, aerospace and civil aviation. He shares his experience and advice on how remote audits can continue to be conducted during the Covid-19 pandemic.
Many organisations, including national and international certification and accreditation bodies, have introduced remote assessments in lieu of onsite visits during the pandemic, but the conduct of such audits has been included in ISO 19011 Guidelines for auditing management systems for some time, and is a useful resource for auditors.
When the UK government’s first call to stop non-essential travel came in March 2020, my organisation’s management system audits of the supply chain were brought to an abrupt halt. Face-to-face onsite audits of suppliers were no longer advisable and two months of the audit programme were lost – initially as we waited to see the extent of Covid-19, and, subsequently, in researching alternative auditing methods.
This research included attending many webinars, advising on remote auditing, and discussions with our security and IT departments to establish what was not only achievable, but also allowable considering the access and information sharing that would be necessary. We quickly recovered the programme and are now back on track.
Certain activities are best suited to onsite assessment. These have not been ignored during remote audits and remain on the auditor’s radar, to be revisited when the pandemic allows.
Learning from experience
We are all familiar with Deming’s PDCA cycle, and, for me, if there has been one key element of it that relates to moving from onsite to remote auditing, it has to be planning. Not simply identifying the scope and criteria, as these are essential for any type of audit, but planning for the unexpected to happen.
If we plan for it, we can recover the audit, instead of potentially abandoning it and having to reschedule. Below is a list of 30 suggestions to help your remote audits be of value and run smoothly:
- Assess the risks of carrying out the audit remotely versus not carrying out the audit until a date when circumstances allow.
- Take a view regarding a new and unknown supplier, where this is to be an initial audit, as to whether risks are low enough to undertake the audit remotely.
- Consider the audit programme becoming a combination of onsite and remote audits, striking a balance over the period of the audit cycle.
- Ensure all parties have the ICT capability to take part remotely (including video and audio).
- Consider the location you will use during the audit, ensuring no interruptions or disturbance.
- Agree the scope and criteria of the audit, including necessary participants.
- Have a pre-audit meeting to test the video/audio and distribute alternative contact details for all auditees (preferably telephone numbers) in case the online connection is lost.
- Where possible, review auditee organisation’s processes/procedures in advance.
- Check that audit times take account of applicable time zones – GMT, BST, UTC, and so on.
- Agree the common language that all parties are able to converse in.
- Consider any cultural differences that may exist.
- Be aware that body language is much less obvious than in face-to-face situations.
- Especially in times of a pandemic, be empathetic to the fact that auditees may have been personally affected, directly or indirectly. Remember, managers may have had to furlough staff, or be operating with reduced staff numbers or a fragmented workforce.
- As social cues are not as obvious, people talking over each other is much more likely. Make allowances for it, or perhaps agree to use software functionality, such as a ‘virtual holding up of a hand’.
- Video is much more bandwidth hungry than audio; agree to switch off cameras if the audio is suffering.
- I find it advantageous to still hold an opening meeting/wash up/closing meeting.
- It is useful, where possible, to be given a tour of the facility via live streaming.
- Remember to take regular breaks to alleviate eye strain and allow stretching.
- Request breaks to carry out the review of evidence and verification of facts, and review and analyse information provided.
- During breaks, ensure images are switched off and audio is muted for privacy.
- As people are not located together, agree restart times following a break.
- When watching video, ascertain if it is a recording or live streaming.
- If accepting video or still photography as evidence, ensure it is date stamped.
- When viewing activities via live stream, it is important that the auditor direct the auditee as to what they wish to view, within the confines of which activities/areas are allowed to be seen by external parties.
- It is important to note that a person’s situational awareness can be severely restricted when operating a camera/mobile phone, so extra care should be taken in potentially hazardous areas.
- Do not be afraid to ask the camera/mobile phone operator to go to a particular machine/work area, or to revisit an area already visited if there is something that needs following up.
- Do not allow yourself to be rushed – the use of live streaming or photography is one of the main remote audit activities attempting to replicate what would have been carried out on site and it is important that it is covered in sufficient detail.
- Depending on the supplier’s activities, it may be necessary for you to insist there be an onsite element to the audit, as and when circumstances allow.
- The audit report should clearly indicate those processes that could not be audited and that should be audited on site at a later date.
- Feedback from the auditor regarding the effectiveness of ICT to carry out the audit should be used to update risks and opportunities.
It is clear there are pros and cons for both remote and onsite audits. We know that certain activities – such as manufacturing, fabrication and some forms of inspection – are best suited to onsite assessment. These have not been ignored during remote audits and remain on the auditor’s radar, to be revisited when the pandemic allows.
Our aim has been to instil continued confidence in our customers and regulators by not abandoning the need to assess our supply chain, but by adapting what we do in line with the current situation. While it is true that we are carrying out remote audits because of Covid-19, it is arguably more important to acknowledge that we continue to undertake risk-based audits despite Covid-19.