Guest Blog - How to Conduct Remote Internal Audits
With governments around the world preventing non-essential businesses from operating from their original sites, now is the time for compliance professionals to step into a new era and begin to conduct remote internal audits.
In this guest blog Andrew Thornhill from IRM Systems in OZ will discuss some tips and tricks when conducting remote internal audits with Craig Thornton of Mango Global. Definitely worth a listen.
In this presentation, you're going to get some great tips and tricks for when you conduct remote internal audits in your organization.
In today's webinar, we will look at these topics:
Refresher - Purpose / Principles of Auditing
Why do remote audits?
Risks and opportunities
Remote Audit Process
What's the purpose of auditing?
The purpose of internal auditing stays the same whether it's remote or site-based - here is a bit of a refresher.
Auditing serves a purpose because you as a business are required to verify that processes are implemented as planned and that aspects, hazards, and risks are managed as planned.
Audits are not only about the process and procedures, but we want to also make sure the outcome is what we want. Are we providing a safe workplace? Are we managing environmental impacts? Is our product or service meeting customer needs?
Audits can be really useful in identifying any gaps and improvement opportunities in those kinds of areas.
Probably the main point here is that nothing changes if we now need to look at options for doing remote audits: we're doing it for the same business reasons and the same business benefits.
Why Remote Audit?
Obviously, the current situation of being in lock-down due to COVID-19 is a good example of the benefit of remote auditing. Can we continue with our internal audit program? Remote auditing is obviously an option that may allow us to do that, as well as minimize any other site access issues.
Every business I've ever been to has always had a limited budget for internal audit programs, so remote audits can be cost-effective.
Could we get better outcomes from our audit program if we plan and schedule some critical audits on site? Remote auditing would reduce the cost of more frequently auditing sites that are geographically dispersed or cost a lot to travel to.
Increasing number and frequency of sites audited:
If we're a water body, for example, in a large state like Western Australia or Queensland, and we've got hundreds of sites, we might be able to increase the frequency at which we actually visit some of these sites.
More Responsive Audits (Incident)
Another opportunity with remote audits is to conduct a very responsive audit. If we've got a site far away from where the auditor is based and there's been an incident or near misses, or performance is dropping away, as an auditor you could organize a remote audit around the related Safe Work procedures.
Planning and Preparation
If you've ever done any training with me or watched my videos, you'll know that even on a normal audit, when we are intending to visit a site, planning and preparing for the audit is the key to a successful audit that offers your business real value.
There will be a big difference in the audit if we're planned and prepared: we understand the processes or the Safe Work procedures we're meant to be auditing, what some of the hazards and risks are, and perhaps some of the related compliance obligations. That's going to be a much more effective audit than turning up with no idea of any of that.
That kind of pre-planning and preparedness is more important in a remote audit than when you can actually be on site.
One of the things we need to work through in our planning and preparing for the audit is talking to the auditees about the kind of tools and software systems we want to use to conduct the remote audit.
You also need to think about some of the equipment they have on site. If you're not going to be able to observe with your own eyes, then more planning around what plant and equipment is on site is needed.
We're going to need to know the roles and responsibilities, and who's doing what on site, so we can plan for a remote audit.
Plan for the arrangements and agreements around information, which will depend on what remote audit methodology and tools we're going to use. For example, if I'm auditing Craig today and he's going to send me some documents afterwards, or I'm going to view them via a screen-share mechanism, what happens with that electronic documentation? And what are the rules and agreements around information security, given there's additional technology used? That is definitely worth working through prior to your audit.
It's also fundamental that you outline the objective for each and every specific audit that we do. As an example, to verify storage and handling of chemicals is consistent with the related Safe Work procedure.
It's probably worth asking yourself whether the objective you have outlined is actually achievable via a remote audit. There can obviously be some limitations, and the remote audit objective may also influence what kind of tools, equipment, and software you attempt to use.
Physical Audit Plan
A physical audit plan is the document we send to the auditees ahead of time. I really think this is more critical for a remote audit, given we can't be in the same room as the auditees.
Some things that should be outlined in the audit plan are:
Criteria - what the criteria of the audit are
Personnel - who do we need to interview
Timeframes - when do they need to be available
Documentation/Records you will need
How you will review information
One thing I do emphasize is that it's the auditor's responsibility to keep things on time. If somebody goes off track, I need to manage that and make sure that I'm ready for that next appointment. In remote audits, if someone is sitting there waiting for you to log into the system but nothing's happening, the audit can fall over very easily at that point.
If we can't view some of the information and evidence, or we can't interview someone we want to interview, how can we address that and deal with it after the audit? If that information can't be shared remotely or as we planned, what are we going to do?
What are the Risks of Remote Auditing?
Certification bodies will be looking at the risks and opportunities of the remote audits, to figure out if it is worth it to go ahead with the remote audit.
Some of the key risks that could be more difficult to manage or impact on our audit objective are:
Communication could be lacking
It may be easier for the auditee to hide something if you're not on site
The auditee may feel uncomfortable due to lack of awareness around the remote interaction technologies
What are the Opportunities of Remote Auditing?
Ability to cover more sites
The costs will be reduced - no travel costs
Can talk to or interview more people over a short period of time
People and Remote Auditing:
One of the things we always emphasize in our internal audit training is to manage people and communicate effectively, because auditees can be a bit nervous or threatened by the process.
We always advocate in auditor training to take time to put people at ease: break the ice and explain the objective. Emphasize that we're here to audit system processes, not to find fault with people. Let them know how audit findings are dealt with. It's not the end of the world, and you don't usually lose your operating license for getting a non-conformance. Things like that can help the auditee understand the process.
It may be difficult to gauge when the auditee is uncomfortable. I have seen very skilled auditors who've got excellent perceptive people skills, and in that case you might be OK. But most people don't stick up their hand and say, "Hey, Mr. or Mrs. Auditor, I'm really nervous and uncomfortable"; they tend to show it through their non-verbal communication.
That's where a skilled auditor will excel. If they start to get a bit of a gut feel that this person's not that comfortable, they can take some preemptive steps to reinforce what we're doing and make the auditees more comfortable.
You need to set aside extra time for planning and preparing some strategies that will help put people at ease.
Equipment and Remote Auditing:
I do see that organizations and people within the organizations are perhaps more comfortable and familiar with webinar technologies, screen sharing technologies, and things like that than they were 3, 4, 5 years ago.
Just on Wednesday I completed a remote audit with an engineering consultancy that's got offices all around Australia. It went very, very smoothly. I was able to speak to different project managers at different times. They're all very comfortable with the technology.
Remember that point I made earlier about time management: leave a break between events. You don't want to be trying to sign off with one project manager at 10:29 and then trying to log in and speak to the next project manager at 10:30, so make a bit more of a gap than normal.
The point I'm trying to make is that people are more comfortable, at least anecdotally, with some of the technology. I tried to audit that same company remotely about three or four years ago, and it got cancelled after five minutes because they just couldn't get it going at their end.
You need to test these things at both ends:
In our normal audits, we really emphasize the importance of planning and preparedness: you need to get an understanding of the criteria or the requirements you're auditing. Even prior to the audit, figure out what type of evidence might be available to demonstrate conformance to those criteria.
If it's a chemical storage procedure, what kind of evidence might the auditee have for a specific requirement, such as on risk and opportunities?
The next point is making sure we have information security and access rights in place. Software options are quite good in that you can create an access profile for your auditor and limit it to what they need to see.
I have given the example of chemical storage and handling. That's the Safe Work procedure we need to audit. We want to move on from just seeing records and documentary evidence; we probably need to go and use some of those chemical storage areas and see how things are actually stored. What is the outcome? Are they stored properly? Is anything leaking?
I'll step you through a remote audit process, but just some of our standard auditing approaches... If anything, we need to be a little bit more formal. You can be relatively informal on a site audit when you already know everyone and you've already met the team you work with, but in a remote audit you probably need to go the other way and be a little bit more formal about things like formal communication opportunities, opening and closing meetings, clear timeframes and breaks.
Personally, I tend to ask for a bit of a site tour. If I am on site doing an audit, fairly early on in the process, they're very valuable. You can see some of what's happening well or not so well, what plant and equipment is being used, who's on site, things like that. It's still good practice in a remote audit, but work out by what means you're going to do that.
If we're working as part of an audit team, we need to communicate and update each other more regularly in a remote audit than in a normal audit. When I do site audits, I tend to debrief auditees and let them know how everything's going.
With our key contact person on site, we may have that arrangement where we say that if there are any actionable findings, we'll raise them with the site manager in the first instance, and then communicate it to them. I think those formal communication channels with a key contact are more important in a remote audit.
Different styles of questions can be used when we're interviewing people, both to put the auditee at ease and to uncover the information and evidence that we need. One or two of those question types are reflective and clarifying questions.
The purpose of a reflective or clarifying question is to start our next question with a statement that reconfirms what we've heard in the auditee's response to the previous question. Auditees really like these questions, because if Craig is interviewing me now, it signals to me, "Oh, yes, Craig understands what I've just told him." It's a way of building confidence within the auditees that you are treating their information appropriately, and you understand it.
So if Craig's just given me a response around something that's really critical, that's a good time to ask a reflective or clarifying question to say, "Well Craig, let me see if I understand, when you inspect the incoming goods, you check x and y and z, and then it needs to be signed off by the warehouse manager?" And then I go into my new question.
It also gives the auditees a chance to say, "Well hang on Andrew, no, we don't always check x, y and z; some days we need to apply a different checklist instead". So it shows them you're listening, it shows them you're understanding the critical points, and it gives them the opportunity to confirm that you understand things correctly.
So the big tip is that I would probably ask a few more of those than in a normal audit. Take extra time to confirm and communicate findings and any action required, particularly if there are any non-conformance findings.
There's always a risk in a normal audit that we go back and the auditees say, "I didn't realize we had to take action on that." Obviously, there's an increased chance of that during a remote audit.
Take Extra time to Confirm Findings and Action (Particularly NCR)
When you're writing your report, be clearer about what the evidence was, who you were interviewing, and what the document or record was that demonstrated non-conformance. In a remote audit, I think there's an argument to say it's important to be a little bit clearer because that audit report becomes your key record of the audit immediately and into the future as well.
So if Craig's got to conduct the same audit in 12 months' time and there's nothing recorded about how I determined conformance or non-conformance, it's going to be more critical.
Failure of remote tools
Another really important point that I have seen some misunderstanding around is where I will say that it's a non-conformance because the auditees couldn't demonstrate that they've got a safety data sheet. If the underlying reason is because of their remote audit tools, that really shouldn't be an answer.
You've got two choices:
State that you couldn't determine conformance or non-conformance with this requirement for this reason
Ask them to send you additional evidence once the remote audit has taken place
We can't really blame a failure of the remote auditing tools as a reason for why they couldn't demonstrate conformance, because perhaps they could have if those tools were working properly.