A Learning Guide for Effective Remote Auditing
Here at iqms Learning Ltd, we recognise that during last year many organisations have found it necessary to do 1st and 2nd party audits remotely. However, it soon became very clear that a disturbingly high percentage of organisations, (both large and small), have introduced remote auditing without actually sitting down and thinking about what new capabilities their existing trained auditors would need to develop to be able to apply new technology-enabled auditing methodologies, skills and techniques to carry out remote audits whilst not compromising effectiveness, integrity and value of the audit process itself.
Having spoken to hundreds of delegates attending our auditor training courses it became clear that so few organisations have really thought out what it takes for an auditor, (even the most experienced ones) to plan, prepare, do, report and follow-up remote audits to a sufficiently high standard to thoroughly test their management systems and deliver value to the organisation.
Looking forward some of you may be thinking that remote auditing is only a temporary necessity, but we at iqms Learning are certain it is here to stay and will continue to figure, (albeit to varying degrees), in many 1st, 2nd and even 3rd party audits, long after the Covid-19 virus is defeated.
Hence, the purpose of this blog is to share some insights that we hope will help you recognise how to adapt your internal audit process and the competencies of your auditors to cope with the different nuances and challenges of remote auditing.
Programming Remote Internal Audits
When considering your future internal audit schedule, first of all, sit down and carefully reconsider the overall purpose, objectives and key steps of your existing internal audit process, determine the key risks & opportunities that remote audits represent and modify your audit methodologies for remote auditing if necessary. Then it’s time to re-evaluate, define and address your internal auditor and auditee capabilities and competencies, ensure the necessary technology is available and then factor these new insights into deciding the main priorities for your programme of internal audits.
So, if you have an existing annual internal audit programme this should be reviewed in light of the current and potential future context of your organisation, its key business risks and opportunities and any planned changes to your strategy, systems, structures and operations.
NOTE: It is highly unlikely that an annual internal audit programme will be agile enough to ensure your organisation can focus your internal audit resources on key issues as they emerge, particularly as we come out of Covid-19 and the inevitable economic recovery challenges many countries and hence businesses will have to face in the medium to long term.
Due to the COVID-19 outbreak many organisations structures, systems and processes had to be quickly adjusted and new risks have appeared on the risk landscape of many organisations. Therefore, it is pretty much essential that internal audit takes up a more surgical, risk-based proactive role to challenge the business and provide clear insights in relation to new and developing risks and also any key planned opportunities.
Planning and Preparing Remote Internal Audits
In addition to planning and preparing for a traditional face-to-face audit, the remote internal auditor has to take into account other key factors that will most likely affect the successful conduct of a remote audit, for example; what are the precise objectives of the audit, who are the key interested parties, what information is already available and accessible (or not), how long is needed, how many people need to be involved and what technologies exist, etc.
Let’s now consider in more detail what range of additional factors need to be considered when planning & preparing for remote audits.
- Identify and confirm availability of auditees to cover the audit scope at the agreed times - Check availability of auditee(s) and other key stakeholders you need to be directly involved, agree on timings and send out Zoom/MS Teams/WebEx meeting invites, via your Outlook calendar if available (this will ensure the key audit interviews are planned and visible to all invited parties).
- Technology platforms and application tools - Which audio/video channels will you use for the audit interviews? In addition, ensure you have access to a reliable secure internet/intranet connection and a simple to use application for sharing documentation and data sets between you and the auditee(s). Make sure the tools you use are allowed and in line with your organisational IT security policies and confidentiality guidelines, (confirm this with the IS/IT security team if necessary) and ensure that the tools/applications are easily accessible to all auditees. It would be a good idea to test all connections pre-audit to address any functionality or incompatibility issues.
- Planning of the audit - Try to keep the duration of remote audits as brief as possible by focusing your audit on priority processes, key controls and key risks. It may even be better to split the audit into two or more separate segments to allow flexibility for the auditee(s) and reduce the duration of a sustained period of intense concentration for you and them both.
- Clarify the new remote audit process - Your pre-audit conversations with all key audit stakeholders and the actual audit opening meeting are very important to prepare for and conduct so you and the auditee(s) are on the same page. The remote audit approach should be clearly explained to the auditees as well as the key differences with face-to-face audits. As the auditor, you should also confirm how and when will the audit information be shared, what medium will be used and if there are any specific issues with security/confidentiality and/or authorisations/approvals.
Performing the Remote Audit
Set up and optimise the shared and interactive use and control of selected technology tools during the execution of the audit. You, as the auditor, should establish what it is you want to look at during the audit but be prepared to share the use and control of the video conferencing applications to make for a smooth and engaging audit.
Apart from using remote video conferencing and document/data sharing platforms which can make it more difficult for the auditor to check documentation and data against planned arrangements and specified process criteria, the stages for conducting a remote audit are quite similar to a traditional face-to-face audit. The points listed below will help when performing the remote audit.
Use proven video conferencing tools with good functionalities - Video conferencing tools such as Zoom, MS Teams, WebEx or Skype for Business will replace face-to-face interviews. When selecting your tool make sure that access to as well as data transferred through these tools is sufficiently secured.
When selecting a suitable tool and planning video meetings it is important to factor in some of the following guidelines;
- Take regular breaks (10 minutes every hour for example) because long and intensive video conferences are considered by many to be more tiring than face-to-face audit interviews and using hard copy system/process performance data and other traditional documented information.
- Keep the number of simultaneous auditees taking part to a minimum and politely mute any persons when they are not required to speak at any particular time.
- Sort out any potential technical issues (e.g. feedback, poor connectivity, sound and video quality, etc.) by testing before the actual audit.
- Practice and become slick at using all relevant software platform/application functionalities such as the use of the camera, selecting different views, screen-sharing and accessing real-time data sets, sharing documents, etc.
- Ask the auditees individually if it is ok for you to retain and records shared and to record the video and audio during your audit investigations to help supplement your note-taking and for reporting your audit findings accurately, (eg. the evidence for any non-conformances) and of course for the completion of your overall final audit report. Check out the requirements for GDPR compliance with your management if necessary, but once your audit report is completed, these records/recordings could be and perhaps should be deleted from your files.
Document sharing platform - Digital files, documented information and records/data would normally be uploaded on a mutually agreed shared platform or in some cases, the remote auditor could be granted controlled temporary access to the e-processes/procedures and real-time view of databases in the organisation being audited. You will, of course, have to respect and adhere to the organisations internal/external IT/IS security access controls and other potential circumstances such as;
- Gaining approved and controlled accessibility and security to the platform as well as maintaining full confidentiality of the data/information provided. Security of such data & information in transit (end-to-end) is usually supported by various levels of encryption.
- Ensure you check out what restrictions that might be in place regarding data accessibility and transfer between departments, organisations and perhaps even countries on occasions. Know
- what the constraints and/or limitations are in advance and modify your audit methodology if necessary, to still get the audit done.
- While a remote audit requires digital documentation, it is highly likely that some of the auditees could still be using hard copy plans, procedures, processes and records. Demanding digitalisation of these records and other information can be very time consuming, so always try to reduce the burden placed on auditees and try to be flexible by offering alternative solutions for sharing the required data/information you need to see.
Alternative approaches to access information - When practicable use of other real-time remote audit approaches can be used to great effects, such as an auditee could walk you along a production line or through the stores or perhaps a laboratory or warehouse using live video/audio streaming applications through a head-mounted webcam/microphone or via their hand-held digital devices and stopping at various points to talk to the people when requested to do so by the auditor.
Stay in contact with the auditee(s) - When conducting a full audit remotely over perhaps a number of days, it is extremely important to maintain regularly planned slots in your audit programme for keeping in contact with the auditee(s), for example, schedule recurring short meetings via Zoom or MS Teams on a once or twice daily basis to discuss any findings and to discuss the overall progress of the audit and thus giving the opportunity to all interested parties (including you) to ask questions and capture any concerns or potential issues.
Reporting the audit and post-audit reviews - Verbal and written communications during remote audits, (including follow-up audits to verify corrective actions), should always be organised, expected, clear and consistent throughout the whole audit and include relevant interested parties. When reporting a remote audit (particularly if it’s an internal audit), auditors should consider the following points;
- Prioritise reports on key issues such as risks, opportunities and any non-conformances
- Verify and validate your audit findings – Throughout the audit, each and every observation you make should be openly discussed and verified with the auditees in real-time as you progress through the various stages of the audit itself and certainly before you finalise your decisions and begin to create the final audit report. This is important because the use of video conferencing is more prone to the risks of misunderstandings between those taking part. Any positive feedback should also be included to ensure that the final report is comprehensive and balanced.
- Sit down with your audit programme manager and internal auditor colleagues and share your experiences – Discuss your remote audit experiences (both good and not so good) and try and learn from each other. Review which different tools were used during the remote audits and whether they were suitable and effective to achieve the audit objectives. Also, it would be a great idea to get feedback from auditees about the whole remote audit experience.
- Finally, discuss and consider what future learning and development, coaching or training may be available and beneficial to help you develop your organisation's remote auditing process and your personal approaches, techniques, skills and competencies.
The Future of Remote Auditing
Some organisations may well be viewing remote auditing as a temporary measure during Covid-19, but “the word on the street” is that many of these new ways of doing audits are here to stay, for both quality, logistical, economical operating efficiency reasons.
On that point, if you have enjoyed reading this article and found it interesting and informative, please don’t hesitate to contact the team at iqms Learning, when we shall be delighted to discuss future options to help you develop your remote auditing capabilities through a range of potential consultancy and/or training solutions.
David White, Senior Management Consultant