Q&A

Planning and
Conducting
Remote Audits
In our recent webinar Planning and Conducting Remote Audits,
Carmine Liuzzi, Industry Expert and Principal Consultant with SAI
Global, discussed key considerations including auditor competency,
maintaining confidentiality of information, prepping your
organization for a remote audit and key difference between on-site
and remote audits. This document summarizes the Q&A captured.
With people working from home and
restrictions within plants, conducting internal
audits could present a challenge. What are the
implications of not completing the audits before
December 2020?
It is advisable to revisit your audit schedule and conduct a risk
assessment of each of your processes in order to determine
which can be performed remotely, either fully or partially and
then schedule and complete the audits. The ones that are of a
higher risk will need to be completed on-site. Ensure you
schedule the high-risk audits with priority when you can return to
your work site. Document all your decision making and the
revisions to the audit schedule to show the external auditor the
efforts you took to keep the audit program active.
What is the difference between a virtual audit and a
remote audit?
A virtual audit is an audit of an organization that performs work
or provides service in an online environment (i.e. cloud
computing, company intranet site). There is no physical location
to visit. A remote audit is an audit conducted of an organization
using information and communication technology (ICT) when a
face-to-face or on-site visit is restricted or prohibited. There is a
physical site where the activity occurs. Please refer to ISO
19011:2018, Annex A 16.
Is it difficult to conduct a remote audit for Stage
II/registration audit?
Yes, conducting registration audits will be difficult using remote
methods. However, it is not impossible. The key will be to
perform a risk assessment of the organization to be audited to
determine if using remote auditing will allow the achievement of
the audit objectives. If it is a higher risk operation, then remote
auditing methods will not be applicable, and an on-site audit will
be needed.
Can remote audits be performed over the phone or
does there have to be a visual element associated
with them?
While some part of the audit could be conducted via a phone
interview, a visual component will be required. Documents will
need to be reviewed / shared with the auditor, needing another
ICT method.
How can we ensure housekeeping effectiveness and
real-time completion of documentation
that is typically observed during a tour?
Utilize ICT tools such as Facetime to conduct audits of the
production floor. As the auditor you need to control or direct the
camera to see what you need to see in order to make an
informed judgement. Obtain a floor plan of the facility to help
orient you and plan out the areas you need to see ahead of time.
Can remote audits be used for Offline audits (where
the auditee is not present)?
Yes, remote audits can be conducted of certain activities without
any human interaction, but not the full remote audit. Please refer to
ISO 19011, Annex A, Table 1 and A.16 for additional information.
Is it important to have an independent person when
a camera is used at auditee facility as part of the
remote audit?
It is not a requirement to have an independent outside person
controlling the camera. It might be helpful to have a person
independent of the area or process being audited, who will follow
the direction of the auditor for where to point the camera. This is
an attempt to limit the ability of the auditee to only show what
they want the auditor to see.
What elements should be considered as part of risk
assessment?
Risk assessment is unique for each organization. The factors to
consider and evaluate are determined on a case by case basis.
Items to consider in your decision making include: Confidentiality of
information shared and data security, availability of a stable internet
connection for ICT, accessibility of the necessary individuals to
participate in the audit via ICT, is the organization operating at full
capacity to enable observation of all desired processes, complexity
of the process operated by the organization. If the risk of obtaining
and reviewing required information is too high, then an on-site audit
or possibly a combination of remote and on-site for the higher risk
areas may be necessary.
Is it a norm for the auditee to allow someone from
the plant to provide live video to observe
employee behaviour?
Regarding allowing the use of video on the production floor, it
will depend on the organization. There are going to be situations
where any type of recording devices will not be allowed in a
facility. If the scope of the audit requires review / observation of
actual work activities as they are being performed and if the site
does not allow remote video equipment / tools to be utilized for
this purpose, then the audit objective cannot be achieved. An on-
site audit will be required. Leadership of the audited organization
needs to communicate why the audits are being conducted
remotely. It is important to train the auditees as well as the
auditors in order for everyone to become comfortable with the
technology.
Can the auditee decide if a remote audit can be
conducted?
The auditor will need to conduct a risk assessment to determine
if the objectives of the requested audit can be achieved. If not,
then an on-site audit for at least some portion of the audit
(higher risk processes) must be conducted. This is true
for 1st, 2nd and 3rd party audits. 2
How is supplier's proprietary information handled?
This is one of the key points in remote auditing. Both parties need
to agree on what methods will be used to maintain confidentiality
of any shared information. You will need to work out if screen
shots or photos will be allowed and the deletion of any shared
information after the audit has been completed. If the
confidentiality concerns cannot be resolved, an on-site audit may
be necessary.
How will the auditee be assured that the information
shared with the auditor will be kept confidential and
documents shared are deleted after the audit?
Information security is a key point in any remote audit. Your
organization and the auditor must agree on the security of the
information shared. Many organizations utilize a limited access
document vault and grant the auditor access for the duration of
the audit. No copies or recording of any documents are allowed.
Some organizations will grant the auditor access to their
document control system. Regardless of how you decide to share
information, you must have assurance from the auditor that the
information will be kept strictly confidential and that if any
recording is permitted, it is destroyed at the end of the audit.  We
recommend formalizing an agreement on document / information
sharing and confidentiality while planning the audit. This
agreement also contains language regarding the steps the auditor
will take to keep the information confidential during the audit and
how the information will be deleted after the audit is completed.
The auditor would then confirm back to the auditee that all
information shared was deleted including any screenshots or
photographs.
In case of remote auditing, will the internal audit
still be documented? How can this information
be shared with the external auditor?
Yes, you will follow your internal audit procedure and document
the audit as you have in the past. You will also note the audit as
conducted remotely. Additional time will need to be allocated for
planning and conducting interviews, viewing operations, etc. Take
note of the samples chosen and the findings, both positive and
nonconforming. You will need to arrange for the methods to share
any information with the outside auditors. Concerns regarding
information security and the handling of sensitive information
should be worked out and agreed upon before the audit begins.
Arrangements should also be made on whether or not screen
shots, photographs, etc. will be allowed and if so, how are these
documents and evidence disposed of once the audit is complete.
Are remote audits here to stay after the current
pandemic is over?
Remote audits will increase in acceptance and frequency.
Organizations have seen the benefits and are getting on board.
However, it is important to conduct a risk assessment prior to
each audit to determine if the remote audit option will achieve
the audit objective.
What guidance does SAI Global have (as the
auditor) regarding remote auditing platforms,
expectation, use of tools, etc.?
Regarding remote auditing ICT tools, a registrar should
discuss the use of ICT tools with the auditee. The auditee may
defer to the registrar and use their platform. However, the
auditee may also prefer to use a different ICT platform that
their employees are comfortable using. The auditor needs to
be competent on different platforms and tools in order
to conduct a remote audit.
This presentation seems geared for 1st & 3rd
party audits. What are your thoughts of asking the
auditee to pre-fill a questionnaire prior to the 2d
party audit, in order to expedite the on-line time
spent with them?
We did touch on all three types of audits during our webinar.
We were also attempting to prepare people to be audited
remotely as well as conducting remote audits. Sending a
questionnaire for the supplier to complete prior to an audit has
been a common practice for on-site audits as well. You can
certainly continue this practice if it is of value to your
organization. The issue will be to ensure you have a clear
understanding of the risk posed to your organization from this
supplier's operations and whether or not the supplier's
management system can be comprehensively and confidently
evaluated remotely based on the level of risk they present to
you. Please remember that we are not simply changing to
perform remote audits to keep to a schedule and check a box.
Any audit should be supporting your business objectives.   
With organizations reducing staff or partially shut
down, what actions may be needed to ensure a
complete and effective remote audit.
One of the difficulties is that organizations may not have
begun full operations yet due to the pandemic. If the scope
includes evaluating all operations, then the audit objective will
not be achieved or it will need to reduced. Conducting a risk
assessment prior to each audit is key to determine if a remote
audit will be a viable method for the audit.  
3
 Any tips for conducting remote supplier audits?

The organization will continue to follow their supplier Utilize the guidance in ISO 19011:2018 to Plan – Conduct -
qualification / evaluation process as they would have done Report on the audit.
previously. The organization must consider their objectives
for supplier audits. If they are attempting to qualify a new Be prepared to “teach” the auditees on your ICT platform if
supplier, the organization should conduct a risk they are not aware of its functions or how it can be used.
assessment based on the potential consequences to the
organization from the supplier if they do not meet their Work out the logistics with the supplier ahead of time.
commitments.  If the potential new supplier poses a high Confirm the day before the audit that all the planned
risk, a remote audit will not be feasible. With current arrangements have been made including cameras and
suppliers, we would suggest a risk assessment of the headsets being available for the auditees and access to
supply base be conducted to determine the level of risk
relevant documented information has been granted.
from the suppliers in order to prioritize the supplier
development process. Once this prioritization has been
performed and the sequence of audits decided, conduct a
second risk assessment to determine if a remote audit can
be utilized to achieve the audit objective of the supplier.

Be certain to work out an agreement on how confidential

information will be shared during the audit. Will the supplier
allow photographs or screenshots of information
(remember to ask permission before you take
a photograph, so everyone is aware a copy has been
made). Also define how any copied or photographed
information will be disposed of once the audit has been
completed.

Test the ICT platform to be used beforehand so the audit

will run smoothly. Have an alternative method in case the
primary fails.

Do your research ahead of time. Talk to people within your

organization on their experience with the supplier’s
performance. The Purchasing department should have
complete files and metrics that can be useful in helping
focus the audit objective on critical areas.

4
About SAI Global
At SAI Global Assurance, we understand the organizational
challenges of building stakeholder trust and confidence at
all stages of maturity. We work with organizations to help
them meet stakeholder expectations for quality, safety,
sustainability, integrity and desirability in any market and
industry worldwide, while embedding a critical risk-based
thinking and a continuous improvement culture.

SAI Global Assurance has offices in 21countries and

services clients globally, delivering more than 125,000
audits and training more than 100,000 students through
its Assurance Learning courses each year.

Our services include:

Audit and Inspection – An accredited certifying with

respected and independent expert auditors
Learning and Training – Extensive range of accredited
courses to support career advancement, career
change or enhanced industry expertise
Product Certification – Third-party certification against
known standards for product conformance
Business Advisory – An independent team to support
business improvement and control, including your
supply chains

Contact Us
For more information, or to find out how SAI Global
Assurance can support your organization, visit
saiassurance.com

SAI Global ABN 67 050 611 642 © 2019 SAI Global.

The SAI Global name and logo are trademarks of SAI Global.
All Rights Reserved. 114921 0819