Undertaking a Remote Management System Audit

The first thing to note is that a remote audit is essentially a normal audit that is undertaken using a suitable ICT platform. It is conducted partially or completely off-site and encompasses everything that is usually covered on site but uses technology to support the auditor when a site visit is neither appropriate nor possible.

The auditor and auditee can use emails (for documented information), phone calls, screen share (in order to reduce the amount of data and information transferred between the auditee and the auditor), videos and photographs.

In essence, the scope of the audit remains the same as if it were being conducted on-site. The duration of the audit will typically be the same as for the on-site audit.

Preparation for a remote audit will typically involve the following activities.

• Jointly confirm the audit objective, scope and criteria; and agree that these can be achieved.
• The auditor should develop a robust audit plan and submit it to the auditee to allow him/her sufficient time to prepare for the audit and ensure the availability of key personnel. The auditor may need an organisational chart/organogram in order to identify the most appropriate personnel to interview and ensure their availability during the audit. The audit plan should contain details on timings, personnel needed, specific areas to be covered, and documented information required to be available.
• Decide on which platform to use – Microsoft Teams, Zoom, Go to Meeting, Google Hangouts, Skype or WebEx – which suits the auditor and auditee?
• What resources need to be available for the audit and when – at the site, at the auditees’ homes?
• Are all participants in the audit process familiar with the technology? Do they need training? Are they in possession of the requisite hardware/software?
• What areas/processes are operating and are they suitable for remote auditing?
• Are there any issues relating to information security/data protection that need to be addressed? Is transmission secure? How is transmitted information disposed of?
• If online connectivity is limited or erratic it may be necessary to send data and information via email.
• In advance of the audit, the auditee should collate all the documented information that is likely to be requested by the auditor, based on the audit plan submitted by the auditor and by communicating with the auditor in advance.
• The auditee should confirm the availability of relevant personnel for particular parts of the audit based on the audit plan/schedule and should also confirm that the latter will have access to appropriate documented information such as training, inspection/test, maintenance and process records. Ad hoc interviews will not be possible – therefore it is essential to identify key personnel and schedule audit time for them.

Information Collection

ISO 19011:2018 Guidelines for auditing management systems states that methods of collecting information include, but are not limited to the following:

• Interviews
• Observations
• Review of documented information

The information collection process that is most circumscribed by remote audits is that of observation. This may be ameliorated to some degree by the auditee allowing the auditor access to the “shop floor” by means of a webcam or video call from a mobile, provided the auditor can dictate/request what route the tour takes. This presupposes that the auditor has foreknowledge of the site layout, which can be gained by requesting a site map/process flow diagram in advance of the audit. Alternatively, if the auditor previously had visited the site this requirement can be eliminated.

By observing the aforementioned directions remote audits can be discharged in as competent, intuitive and comprehensive a manner as conventional audits but requires the active co-operation of both auditor and auditee.

Sample Audit Plan