Home Resources Blog July 2020

Remote Auditing using ICT Pros & Cons

21 July 2020
During the past several months, there has been a significant amount of information regarding Information and Communication Technology (ICT) or remote auditing. 

This information was critical as organizations strived to maintain their management system certifications and Certification Bodies (CBs) required alternative solutions using their business continuity planning activities to perform audits in a COVID-19 world.
ICT auditing information sharing has taking numerous forms including:

  • ICT Best Practices/Lesson Learned to help auditors and clients have a positive experience using ICT practices.

  • IAF MD4:2018 The Use of ICT for Auditing/Assessment Purposes is a mandatory document developed by the International Accreditation Form (IAF) for conformity assessment that CBs are required to comply regarding ICT auditing.

  • IAF ID12:2015 Principles on Remote Assessment is an informational document developed to provide more guidance information to CBs.

  • Auditing Practices Group (APG) released a revision to their Remote Auditing paper that has consistently been the most frequently downloaded paper from the ISO APG website.

  • Sector direction from aerospace, automotive, medical device, and telecommunications industries has provided specific protocols on what’s allowable during the pandemic.

The aerospace industry has seen the number of ICT audits drastically increase in the second quarter in response to COVID-19 environment. It is encouraging that most auditors and clients have a favorable opinion of the audit experience and the quality and depth of auditing activities.
What has been learned after several months of ICT audits are some pros and cons associated with performance of ICT audits.

ICT Pros

  1. ICT auditing approach allowed for continued management system viability for emergency situations, like COVID-19 response.

  2. ICT audit effectiveness has resulted due to the evolution and sophistication of technology with tools such as web meeting applications, video (including Facetime), document and objective evidence sharing that could include documentation, records, and photos.

  3. ICT auditing requires the CB to assess and understand the potential risks of remote audits including client’s ICT capability, tool familiarity, audit cycle considerations, and certification scope.

  4. ICT auditing requires additional auditor planning, preparation, and coordination with the customer that leads to an improved and effective audit. Audit expectations are defined with objective evidence frequently requested prior to audit. This improved pre-audit planning will hopefully be embraced moving forward to on-site audits. 

  5. ICT auditing reduces third-party certification expenses to the client due to reduced auditor travel costs resulting in savings.

  6. ICT auditing increases auditor resiliency as it reduces auditor travel fatigue and associated stress.

ICT Cons

  1. ICT Auditing effectiveness is dependent upon the organization and the auditor familiarity and expertise with ICT tools. This concern is compounded when additional personnel are required to be on the call and may lack ICT skills.

  2. Auditors find it difficult to remotely audit “hands-on” processes such as Receiving, Production, and Verification processes. Many organizations restrict the use of ICT devices allowed in these areas that diminishes the effectiveness of ICT auditing. Auditors may even be required to rely upon organization trusted agents and guided auditing.

  3. ICT auditing is more complicated for mostly paper-based organizations. Typically, these organizations need to scan documents including contracts, engineering evidence, purchase orders, production travelers, and other objective evidence. This activity slows down the audit significantly and provides greater risks of confidentiality leaks.

  4. ICT auditing does not allow the auditor to have visual cues when auditing. Even if the auditees use a computer camera, the auditor is limited by the quality of the connection and not being on-site.

  5. ICT auditing can create auditor and auditee frustrations due to poor internet connectivity, internet dead zones, or not being able to hear or communicate effectively.

  6. ICT auditing may not appeal to all auditors as some are not comfortable with the ICT technology and find auditing remotely frustrating.

So, is ICT auditing the new normal? It is hard to say. IAF MD4 removed the percentage of ICT restriction in 2018 so that 100% of audit activity can be performed remotely. Several sector standards have taken a stricter view of ICT auditing. Automotive scheme does not officially allow for ICT auditing. Aerospace scheme allowed ICT auditing during the pandemic but otherwise restricts ICT auditing to 30% of audit time.
CBs will need to comply with industry and sector requirements while assessing the risk of ICT auditing. CBs are responsible to ensure the credibility and reputation of the certificates that they issue. As more organizations increase remote workforces and ICT tools continue to evolve, it is expected that the application of ICT auditing techniques will also continue to expand and become more commonplace.