ISO 9001 Auditing Practices Group Guidance on REMOTE AUDITS

Iso 9001 Auditing Practices Group Guidance On Remote Audits-PDF Download

  • Date:12 Sep 2020
  • Views:3
  • Downloads:0
  • Pages:13
  • Size:204.47 KB

Share Pdf : Iso 9001 Auditing Practices Group Guidance On Remote Audits

Download and Preview : Iso 9001 Auditing Practices Group Guidance On Remote Audits

Report CopyRight/DMCA Form For : Iso 9001 Auditing Practices Group Guidance On Remote Audits


ISO IAF 2020 All rights reserved, www iaf nu https committee iso org home tc176 iso 9001 auditing practices group html. Editon1 2020 04 16,INTRODUCTION, Remote auditing is one of the audit methods described in ISO 19011 2018 Annex A1 The value. of this audit method resides in its potential to provide flexibility to achieving the audit objectives. In order to realize the benefits of this audit method all interested parties should be aware of. their role in the process inputs expected outputs and risks and opportunities that will provide. the basis to achieve the audit and audit program objectives. There are a variety of reasons that an auditor may not be present due to safety constraints. pandemics or travel restrictions The voluntary or mandatory confinement due to the current. COVID19 pandemic commissioning of windmill assembly of scaffold explosive testing and. other scenarios are all examples where auditing remotely is beneficial. New information and communication technologies ICT have made remote auditing more. feasible As access to ICT has increased remote auditing has become more commonly used. This allows the auditor to communicate with people globally accessing a wide range of. information and data, These techniques transform the way we work These ICT open the opportunity to audit sites. and people remotely shortening distances travel time and costs reducing the environmental. impact associated with audit travel adapting audits to different organizational models ICT can. help to increase the size or quality of sampling in the audit process when prepared validated. and used properly This is the case for example when using video cameras smart phones. tablets drones or satellite image to verify physical settings such as pipe identification in the. petroleum industry machinery settings storage areas production processes or forest or. agricultural sites, Use of ICT also allows for the inclusion of expertise in an audit that otherwise might not be. possible due to financial or logistical constraints For example the participation of a technical. expert may only be needed to analyse a specific project for only two hours With ICT available. the technical expert may be able to analyse the process remotely thereby reducing time and. costs associated with travel, On the other side however we must consider the limitations and risks posed by ICT in the.
fulfilment of audit objectives These include information security data protection and. confidentiality issues veracity and quality of the objective evidence collected amongst others. The following are questions that may arise, When watching images are we looking at real time images or are we looking at video. Can we capture everything about the remote site or are we being guided by selected. When planning for a remote interview will there be a stable internet connection and the. person to be interviewed knows how to use it, Can the processes and sites to be audited be realistically audited offsite. Can you have a good overview of the facilities equipment operations controls Can you. access all the relevant information, Many of these questions can only be answered after a visit to the site. ISO IAF 2020 All rights reserved, www iaf nu https committee iso org home tc176 iso 9001 auditing practices group html. Editon1 2020 04 16, To use ICT in the audit process the audit program manager and the audit team need to identify.
the risks and opportunities and define decision criteria to accept or not accept its use where. and in which conditions, In this paper we approach remote auditing from the establishment of the audit program moving. to audit planning and audit realization We point out to some good and bad practices in its use. and we share some examples We present a generic risk and opportunity analysis for the use. of some ICT that can serve as a basis for the decision making process. BACKGROUND INFORMATION ON ISO 19011 2018 AND IAF MD 4. According to ISO 19011 2018 the feasibility of a remote audit using ICT should be considered. when establishing the audit program It is important to verify the adequacy of resources required. to ensure an effective audit outcome In its annex A 1 ISO 19011 gives several examples for. the application of remote audit methods in combination with on site methods. Remote audits refer to the use of ICT to gather information interview an auditee etc when. face to face methods are not possible or desired ISO 19011. IAF MD 4 is a mandatory document for the use of ICT for audit assessment purposes It defines. the rules that certification bodies and their auditors shall follow to ensure that ICT are used to. optimize the efficiency and effectiveness of the audit assessment while supporting and. maintaining the integrity of the audit process, Both ISO 19011 and IAF MD 4 should be known and considered by the auditors. An important clarification made in ISO 19011 A 16 is between remote audits and auditing virtual. locations Auditing of a virtual location is sometimes referred to as virtual auditing. Virtual audit is a set of audit activities on a virtual environment A virtual environment may be. composed by digital and or non digital activities using technological assets software hardware. sensors PLCs automated devices taking some or all decision s in the process es As an. example a manufacturing plant may have robots doing some production processes but also. people doing traditional production processes The decisions on the production processes made. by robots or people are equally important Those of the robots certainly come from people who. make their code establish their assumptions decision making criteria and other features. GENERAL RECOMMENDATIONS FOR REMOTE AUDITS,AUDIT PROGRAM. Considerations for the use of remote auditing techniques. IAF documents accreditation bodies and certification bodies requirements provide the. framework to determine eligibility for the use of remote auditing technics For second and first. ISO IAF 2020 All rights reserved, www iaf nu https committee iso org home tc176 iso 9001 auditing practices group html. Editon1 2020 04 16, party audits it is the customer or audited organization s purview to determine convenience of.
remote auditing according to audit objectives,Feasibility. The use of ICT for remote auditing will only be successful if the right conditions are in place. The fundamental ones are that technology is available and that both auditors and auditees are. competent and at ease with its operation This should be assessed prior to the decision to use. remote techniques This preparation contributes to optimizing the audit process. There are two general scenarios, On site remote auditing the auditor is at the organization sites and is auditing people. activities or processes that are offsite, Off site remote auditing the auditor is not at the organization and people and processes. are located either at the clients facility or at another location such as an off site. installation, The first step to ensure feasibility is determining what technology may be used if auditors and. auditees have competencies and that resources are available. Feasibility also depends on the online connection quality A weak bandwidth or limited hardware. capability may slow the process to the point of inefficiency The audit process may be affected. by the speed at which the auditee access and shows evidence by video or through a tablet or. Confidentiality Security and Data Protection CSDP, Critical to the use if ICT are confidentiality and security issues as well as data protection The.
CB and the organization should take into consideration legislation and regulations which may. require additional agreements from both sides e g there will be no recording of sound and. images or authorizations to using people s images and possibly from the auditee itself Where. applicable by National law the DPO data protection officer of both organizations should be. involved in assessing these issues In some situations security requirements will not allow for. the use of ICT, To prepare for the use of ICT all certification legal and customer requirements related to. confidentiality security and data protection should be identified and actions taken to ensure. their effective implementation This implies that both the auditor and the auditee agree with the. use of ICT and with the measures taken to fulfil these requirements. Evidence of agreements related to CSDP should be available This evidence could be records. agreed procedures or emails The importance resides in having these CSDP criteria. acknowledged by all participants, Measures to ensure confidentiality and security should be confirmed during the opening. The audit team should prevent the access and retention of more documented information than. it would in a normal face to face audit It is probable that the audit team will want to have access. to more information to prepare for the audit or to have the ability to analyse documented. information in an asynchronous way However it is important to reinforce trust in the audit. ISO IAF 2020 All rights reserved, www iaf nu https committee iso org home tc176 iso 9001 auditing practices group html. Editon1 2020 04 16, It is a good practice that when documented information is to be analysed in an asynchronous. manner it should be shared in a secure and agreed system such as cloud based Virtual Private. Network or other file sharing systems utilizing CSDP guidelines Once the audit is complete. the auditor should delete from its system or remove access to any documented information and. records not required to be retained as objective evidence. Auditors shoud not take screenshots of auditees as audit evidence Any screenshots of. documents or records or other kind of evidence should be previously authorized by the audited. organization,Risk assessment, The risks for achieving the audit objectives are identified assessed and managed.
Another important issue is to understand what processes activities or sites of the organization. may be audited remotely with which ICT tool available. IAF MD 4 makes clear that this decision should be based in the documented identification of. the risks and opportunities that may impact the audit assessment for each ICT considered. The table below lists the main issues to assess feasibility and risk analysis for a remote audit. This assessement should be done and documented for each audit involving all members of the. audit team and the audited organization representative. Any specific arrangements should be documented and communicated between relevant. interested parties,FEASIBILITY AND RISK ANALYSIS FOR REMOTE AUDITS. 1 Confidentiality Security and Data Protection CSDP. Ensure agreement between auditor and auditee about CSDP issues. Document any arrangements to ensure them,2 Use of ICT. There is a stable connection with good online connection quality. The ICT allows access to relevant documented information including software databases records etc. It is possible to make the authentication identification of interviewed people preferably with image. If observation of facilities processes activities etc is relevant to achieve audit objectives it is possible. to access them by video,3 People in the organization. It is possible to access and interview people relevant for the QMS. 4 Operations, If the organization is not operating regularly due to contingency situations the processes activities. being performed are representative and allow fulfilment of the audit objectives. 5 Complexity of the organization and Audit Type, In case of complex organizations processes or products and services and where the objectives of the.
audit type require full assessment of the standard and wider sampling e g initial assessment or. reassessment a careful analysis of feasibility of remote audits to fully evaluate the organization. conformity to all requirements should be performed. 6 Conclusions, The audit objectives can be attained with the remote audit proceed to remote audit. The audit objectives can be achieved partially a remote audit may be done partially and later. complemented with a on site audit, The audit objectives cannot be attained via remote audit. ISO IAF 2020 All rights reserved, www iaf nu https committee iso org home tc176 iso 9001 auditing practices group html. Editon1 2020 04 16, 7 Validate risk analysis with audit program manager. Finally when analysing feasibility the digital quality of the data to be reviewed should also be. considered This is more relevant when the organization still retains information on paper that. needs to be scanned for remote review, The Annex in this paper provides a generic identification of potential risks and opportunities by.
type of communication technology and it can be used as starting point to the determination of. R O for the decision making process In any case the determination should be made or revised. for each situation It is also important to remember that the intent is not to design a complex. formal and quantified approach to risk and opportunity determination The intent is to have the. ability to identify the opportunities and the risks and to determine if the risks can be mitigated. or accepted and in order to take a substantiated decision whether to proceed with the application. of remote methods or not, Determine the use of ICT for the third party audit cycle. Remote auditing is one of the audit methods described in ISO 19011 2018 Annex A1 The value The value of this audit method resides in its potential to provide flexibility to achieving the audit objectives

Related Books