Are e-Audits in Your Future?

With the increasing use of electronic media for the operation and control of management systems, auditors need to consider new ways to efficiently and effectively verify conformity to audit criteria.

For multi-site organizations, this could include remote access to electronic documents and records to save travel time and dollars. And, the remote access can be carried out without taking the time of anyone at the remote location.

As a result, some organizations are already conducting remote audits using collaboration tools like MS SharePoint. However, the companies relying on e-Audits to assess remote sites are typically software or services firms with professional staff where the loss of physical observation is less of an impact.

To evaluate how an e-Audit might work, let’s examine how a remote audit would examine the four primary types of evidence (DOoRS): Documents, Observations, Records, and Statements:

Documents: With the proper authorization, auditors could review the remote location’s electronic documents while planning the audit and also see them during the execution of the audit. However, use of a collaboration tool and/or a teleconference will not allow the auditors to see if any uncontrolled or obsolete documents are in use.

Observations: Since the audit is remote and video cameras will not be available for full viewing of the facility, the auditors will not be able to see if the work is being done per planned arrangements. So, evaluating conformity will be limited to what can be judged through interviews and electronic records. Auditors will not see poor housekeeping at the site or observe body language during interviews.

Records: If an organization creates electronic records and scans hardcopy records into electronic format, these records will be available for remote access by the auditors. However, some companies may have a significant number of completed forms that are kept as hardcopy records. Even if the auditors request some of these hardcopy records be scanned for viewing, the auditors would not be physically selecting the sampled records.

Statements: In a traditional audit, the person being interviewed is reluctant to have their responses captured on a recording device. As a result, auditors write an abbreviated version of the comments in their notes. If an auditee wanted to, they could later say it was a case of miscommunication.

With remote audits, the auditor keys the questions into the collaboration tool and the auditee types in the responses. A concern is that a more experienced employee could be coaching the interviewee and the auditor wouldn’t know it. Also, with a typed response, you don’t hear the tone and inflection of the voice to aid you during the interview.

Although the answers are recorded, they will not become a direct part of the audit report. And, the auditee should be made aware of this fact to alleviate any fear they may have about their responses being captured verbatim.

If a teleconference is being held, the auditor captures the responses in their notes, as with a traditional audit. However, they won’t be able to observe the body language during the interview. Even if a video feed is available, what can be gained through observation will be limited.

Auditor Competence
The selected auditors must have the necessary competence to carry out an e-Audit. They will need time allocated to familiarize themselves with the electronic management system and collaboration tool. The auditors must be given the access instructions and security clearances needed to view the relevant documents and records. And, the auditors must be reminded of the need to protect the confidentiality of the electronic data during and after the audit.

Third Party Audits
What about the use of e-Audits by certification bodies? Will the duration of third-party surveillance audits be reduced by, or in some cases be replaced by, remote audits? Let’s look at what the ANAB accrediting body has to say on the subject.

ANAB Advisory 1
The ANSI-ASQ National Accreditation Board (ANAB) has issued an Advisory that states it supports a certification body (CB) applying the Advanced Surveillance and Reassessment Procedures (ASRP) and Computer-Assisted Audit Techniques (CAAT) described in the International Accreditation Forum (IAF) guidance documents.

The Advisory explains that the application of ASRP and/or CAAT will vary for each CB and for each client depending upon the capabilities of the CB and client, therefore, each application must be reviewed and approved by the Accreditation Committee of the Accreditation Council.

1. The CB must document its proposed ASRP or CAAT audit program for the client, consistent with the applicable IAF guidance.

2. The CB must document how the audit program varies because of ASRP or CAAT (i.e., how it varies from an audit program for the same client without ASRP or CAAT).

3. The proposal must be reviewed and accepted by the ANAB executive assessment team leader prior to its submission to an Accreditation Committee of the Accreditation Council.

4. The CB and its client must make a presentation to the Accreditation Committee at a face-to face meeting or by electronic means explaining the program and answering any questions.

5. Immediately following the presentation, the CB and its client will be dismissed, and the Accreditation Committee will make its decision, which may or may not include conditions, to accept or reject the ASRP and/or CAAT program for the CB’s client.

The decision and any conditions will be promptly communicated to the CB. The ASRP and/or CAAT process must not be used for any industry sector program unless the industry group has specifically stated it may be used for its program.

So, ANAB supports e-Auditing, but certification bodies have a detailed process to follow to gain approval for its use. Let’s see what the International Accreditation Forum (IAF) says on the subject.

IAF GD2:2005
According to the IAF guidance document GD2:2005, if remote auditing techniques such as interactive web-based collaboration, web meetings, teleconferences and/or electronic verification of the organization’s processes are used to interface with the organization, these activities should be identified in the assessment plan, and may be considered as partially contributing to the total on-site auditor time.

If the certification body (CB) prepares an audit plan for which the remote auditing activities represent more than 30% of the planned on-site auditor time, the CB must justify the audit plan and obtain specific approval from their accreditation body prior to its implementation.

NOTE: On-site auditor time refers to the on-site auditor time allocated for individual sites. Electronic audits of remote sites are considered to be remote audits, even if the electronic audit is physically carried out on the organization’s premises. Regardless of the remote auditing techniques used, the organization must be physically visited at least annually.

Audit Practices Group
The ISO 9001 Auditing Practices Group is an informal group of quality management system experts, auditors, and practitioners, drawn from ISO/TC 176 and the International Accreditation Forum (IAF).

The Auditing Practices Group website is an online source of papers and presentations on auditing quality management systems. See their article, “Auditing Electronic-Based Management Systems.”