Safe Auditing in the Age of COVID-19
Original source of article:
Authored by Mike Richman
“Maintaining your certification safely” is a goal for everyone working to ensure the compliance of business management systems to recognized standards and schemes, most especially in this year of unprecedented challenges that is 2020. Accreditation bodies, certification bodies, and certainly auditors and auditees alike have a vested interest in making sure not only that organizations are functioning as they should, but that the audits which confirm that fact happen without any undue risk to anyone’s health.
One of the companies that is front-and-center in this effort is NQA USA, a leading global certification body (CB) providing accredited certification and support services to clients within industry. NQA specializes in management system certification in quality (with a particular focus in aerospace), automotive, medical, environmental, health and safety, and information security.
NQA made safety in management system audits a top priority even before COVID-19 struck around the globe. Now, as we all adjust to a new normal in business, the company’s flexibility enables NQA to continue serving the market with minimal disruption in terms of cost, time, or efficiency.
"When this pandemic first hit, no one knew what companies and individuals were going to do” says Jim Dozier, general manager of NQA USA, a man with an extensive background in engineering as well as certification as an ISO lead auditor and an AS9100/AS9120 aerospace experienced lead auditor. “We wanted to make sure that, number 1, our employees were safe. We made the determination that if our auditors didn’t feel like it was safe to go out and do audits, then we were not going to reprimand them for not going.
On the client side, if we had a customer that was up for a reassessment audit with a certificate that was going to expire in May, for example, we also didn’t want that clients to feel forced to do the in-person audit on that timeline to maintain their certification. The accreditation bodies and the different oversight bodies in aerospace and food safety, for example, realized this as well and came up with different rules about how you can manage without a site audit. It was important to be sure that everyone involved in the certification process felt safe as we carried out these audits.
That degree of flexibility was welcome both inside and outside the company. What made it possible was a deep understanding of the mechanics of auditing and the perspective that certain important pieces of that process could be accomplished using technology that’s more robust and secure than ever before.
“We’ve always done a certain level of remote auditing,” says Dozier, referring to the process by which the auditor conducts interviews, examines documents, and “walks” the auditee’s site via various communications technologies, with a particular emphasis on videoconferencing. “A few of our clients, particularly those certified to ISO 9001, have been doing remote audits with us for a few years. We never did it widely because we did feel that there was value to physically being on-site, sitting across the table and looking into the eyes of our clients. That way you can see the people, walk onto the manufacturing floor, or talk to the purchasing agent. We just felt that, although remote audits were out there, as long as we could perform them on site, we would.
“Now, however, we need to make sure that the management system is still in place and isn’t being neglected because of COVID-19. That changes the equation. The guidance we’ve given to our auditors is, ‘Look, you’re not going to get everything that you would have gotten out of an audit on site, but just make sure that management review is being done, that internal audits are being done, that customer issues are being addressed, and that product being shipped isn’t compromised in any way.’ We’ve given the auditors that guidance that it’s not going to be everything you’d like when you’re doing a remote audit, but that they absolutely need to make sure that our clients are maintaining their certification and that the management system is still effective.”
One of the potential holdups with remote auditing is the information and communication technology itself. Whether the audit is conducted on Zoom, or Microsoft Teams, or GoToMeeting, or any of the numerous other platforms that have recently come to the fore, it’s important to make certain that everyone understands how to work with the technology to avoid wasted auditing time.
“That up-front setup of the audit can be tricky,” Dozier confirms. “We want to ensure that if we’re planning to start the audit at 9 a.m. on a Tuesday morning, that everything is ready to go and we’re not fooling around with technology at 9:30 or 10 still trying to get the speakers to work or trying to get the camera on and things like that. It ends up being a lot more up-front planning on the technology side.”
Security is another issue that requires CBs and their clients to work together closely. Auditors pledge to hold any information revealed during the audit in the strictest confidence, whether those proprietary details are shared in person or via remote technology. Even with that understanding, however, there’s a need to harden systems against being compromised. This is a burden that is ultimately the responsibility of the client, however, the CB’s auditors must understand the proper precautions and care that must be taken with all information. As such, exposure to unsecured servers and platforms must be minimized (ideally, eliminated) by all parties to the audit.
With all this said, the response from the clients to remote audits, according to Dozier, has been enthusiastic.
“Having done these pretty regularly for the past few months, we’ve had really great feedback from our clients and the auditors,” states Dozier. “It was a big unknown… clients wondered if we could do an audit really well remotely. And now the clients are saying, ‘We did a remote audit, and it was seamless. It was almost like the auditor was there with the documents being shared, and the interviewing of the employees that are in contract management or purchasing or inspection.’ They felt they got the same feeling, that we were really digging into the audit and asking the right questions. The clients feel that, even though we’re not on site, they still got a lot of value out of the audit.”