Like many businesses, Covid-19 has changed the landscape of the ISO certification industry and introduced remote auditing into the auditor toolkit. Remote auditing brought challenges throughout the pandemic but seems to be an auditing approach going forward. There are currently very loose rules around the remote audit process in terms of how many audits you can actually perform remotely, and instead, has more of a focus on how to conduct them. The industry recognised that there is a place for remote assessments in most organisations, and UKAS has produced a new guidance document to get some control over the process. It’s important to remember why certification is there; to provide confidence to the stakeholders and users of your products and services.
Remote audits can reduce that confidence level; therefore, action needs to be taken to ensure this does not happen. Fundamentally, remote audits going forward will be based on risk. Auva will perform individual risk assessments on every client to determine the remote allowance for your organisation. A risk assessment has always been performed during the contract review stage, and this will now transfer to the audit planning process.
Every type of organisation will be permitted to have at least some of the assessment performed remotely, but fully remote audits will reduce for many. The audits will move to a more blended approach, with some time allowed for on-site activities and some for off-site activities. No matter what level of remote assessment is permitted, organisations will only be permitted to have a remote assessment if they have suitable methods for transferring audit documentation to the audit team.
During the contract review stage, a risk assessment is performed using information gathered through the application process and aligned with accreditation guidelines. Organisations will typically fall into three categories; High, Medium, and Low. Just to add to the complexity of the determination, the risk can be different for each standard applied by the organisation.
Just as a small example, ISO 9001 risk is set out below:
Where failure of the product or service causes economic catastrophe, or puts life at risk. Examples include but are not limited to: Food; pharmaceuticals; aircraft; shipbuilding; load bearing components and structures; complex construction activity; electrical and gas equipment; medical and health services; fishing; nuclear fuel; chemicals, chemical products and fibres.
Where failure of the product or service could cause injury or illness. Examples include but are not limited to: Non load bearing components and structures; simple construction activities; basic metals and fabricated products; non-metallic products; furniture; optical equipment; leisure and personal services.
Where failure of the product or service is unlikely to cause injury or illness. Examples include but are not limited to: Textiles and clothing; pulp, paper and paper products; publishing; office services; education; retailing, hotels and restaurants.
Remote Audit Allowance
Once the risk has been determined and you have suitable methods for conducting a remote assessment, we can determine how much remote activity is permitted. Below you will find a simple table that gives an example of how the remote allowance shall be applied for each risk category and assessment type. This is not necessarily what will be applied as there are justifications for moving the allowance, but that’s too complex to outline here. There is also justification for increasing the limits based on factors such as performance.
Just because you are permitted to have some portion of your assessment remote, doesn’t mean you have to. The idea is to determine what is allowed, not what must be performed. Some organisations and assessors prefer to work face-to-face on-site, in which case you do not need to perform any assessments remotely. And some specialist schemes, such as Aerospace, do not allow remote assessments to be performed.
For further information about remote auditing and the certification process, please contact Mike Venner, CEO via email: firstname.lastname@example.org