How do Compliance Professionals Conduct Remote Audits?

Posted by Peter Rogers

So you may now be working from home or working remotely from you workplace.  

And you’ve read my article on 26 Ideas for Working from Home for Compliance Professionals.

One of the best ideas in that blog is to conduct remote internal audits.

But how do you do them?

Internal audit

How do you conduct remote internal audits?

First step is to throw the old way of formalised auditing and welcome in a new approach.

Next decide on some principles. Here are 6 principles to get you going:

  1. The ISO standards requires you to do audits. You do them how you like to do them. It doesn’t matter if the External Auditor doesn’t like the way you audit.
  2. There will be more planning and scheduling and less of a formal structure.
  3. Consider different communication devices: phone, video conference, LinkedIn Messages, Facebook Messenger, WhatsApp, Facetime or a mixture of these.
  4. Your questioning techniques will be unique
  5. Cross-check and verify that the information supplied by the Auditee is correct

Planning and scheduling the Audit

Now you get into the planning phase.

Take the opportunity to do a risk assessment of all your procedures prior to interviewing anyone. Most organisations never do this and end up wasting time auditing low risk and low value procedures.

During the risk assessment:

  1. Apply a criteria to determine the audit frequency.
    1. Low risk = infrequent audits
    2. High risk = frequent audits
  2. Depending on risk, you may find that a simple desk review would be appropriate.
  3. Does the procedure even need to be document or even in our management system, does it give value.
    Now that you know what needs to be audited you can create your schedule.

For remote audits you can be so more flexible.  For example, you can audit the night shift. Or you can audit multiple branches at the same time without the travel requirements.

In addition, you need to check a few things when you are planning:

  1. Does your IT Policy allow you the interview staff remotely?
  2. What infrastructure does you company have in place?
  3. Do a test run first and practice before you start.

What questions will I ask and how will I ask them?

Pre-audit:

  1. Read the procedure you are going to audit first.  If there is no procedure, then interview some customers of the process to ascertain what outputs the process has and how are they delivered.  
  2. Create questions at the decision points in a process. The decision points are where mistakes are made and these are places that you can garner some real knowledge. 
  3. Identify who you are wanting to speak to well in advance. Is that person contactable? Can you get a communication device to them?
  4. Identify the evidence you will expect to be shown and that the Auditee knows where it can be found.

Opening Meeting:

  1. Explain the remote audit process with the Auditee, including the post-audit follow up.
  2. Confirm the Auditee is complying with any Health and Safety procedures

During the audit:

  1. Ask your insightful questions.
  2. Ensure the Auditee can easily send you evidence if you request that. This is where they can take a photo or attach a file.
  3. Get them to show you the environment they work in, maybe using a camera if appropriate.
  4. If you are using an online application, and have access to servers. the evidence maybe found here.
  5. Your task is to ensure that the data you are viewing is accurate 

Closing meeting and reporting:

  1. Discuss your findings, both complying and non-complying.
  2. Raise any non-conformances
  3. Write-up the report with notes around how the audit was conducted.

Post-Audit follow up

You may not be able to do everything in the audit.  But don't worry, once things are back to normal you may revisit in person and check the information supplied on the day of the audit was correct.

 

Takeaway

  1. Discard the old way of formalised auditing and welcome in a new approach.
  2. Decide on some key principles.
  3. Create a new planning and scheduling process for remote audits
  4. Work out your questions and determine how you will ask them 
  5. Still have an opening and closing meeting. This will ensure that expectations are understood and actions are agreed. 

Tags: Compliance, External Audit, Internal Audit, Compliance Management, Internal audit schedule