Risk Analysis and Countermeasures for Remote Auditing
Release Date:
2021-07-26 11:37
The COVID-19 pandemic has greatly impacted the audit work in the certification industry. Travel restrictions and inability to reach client sites have made remote audits the choice for many organizations. At the same time, identifying, assessing, and analyzing various risks in certification audits, then proposing preventive measures and countermeasures for certification (audit) risks to avoid audit risks and ensure information security, has become an indispensable part of remote audits.
Risks and Their Characteristics
In ISO 19011:2018 "Guidelines for Auditing Management Systems," risk is defined as: the effect of uncertainty.
Certification (audit) risk: In the certification industry, the risk in certification (audit) activities refers to the effect on the certification audit objectives of the variability or uncertainty in certification audit results that arises from the certification body's control over its own certification audit activities.
Certification (audit) risks generally have the following characteristics:
Uncertainty — The occurrence and consequences of certification (audit) risks are uncertain. This is reflected in the uncertainty of the likelihood, timing, location, frequency, and consequences of occurrence.
Objectivity — Every industry faces certain risks objectively; the certification (audit) industry is no exception, differing only in the degree of risk faced (e.g., high, medium, low).
Controllability — Most certification (audit) risks can be identified and, generally, most certification bodies can control them. Risk control mainly involves reducing the original audit risk to an acceptable level for the certification body through more effective certification (audit) activities.
Variability — Under certain conditions, everything develops and changes, and risks are no exception. When factors causing risks change, risks inevitably change. Certification (audit) risks vary with the objective environment and depend on changes in the management system of the certified organization. If the certification body does not effectively supervise the certified organization, certification (audit) risks will increase, thus requiring multi-level dynamic control.
Relativity — Risks are always relative to the subject of the event. The same uncertain event affects different subjects differently. For different certification bodies, due to varying capabilities in controlling certification (audit) risks, the manifestation of similar certification (audit) risks also differs. Therefore, certification (audit) risk outcomes vary under different management levels.
Potentiality — There are more or less uncertain factors in the certification (audit) process. Influenced by these factors, as well as limitations in personnel capability, technical conditions, and currently unknown knowledge areas, people cannot easily comprehend, perceive, or sense them.
Remote Audit
What does "remote" mean? In English, it means long-range, distant, far away; in Chinese, the term means a long journey.
A remote audit is a system audit conducted by auditors using computer and network transmission technology from a location outside the audited organization.
When the "face-to-face" method is impossible or unnecessary, technology is used to collect information and interactive communication means are used for conversation.
Remote audit activities take place anywhere outside the audited party's (enterprise's) site, regardless of distance.
Equipment and software required for remote audits include but are not limited to PCs, mobile phones, DingTalk, WeChat, QQ, ZOOM, voice, video, email, and other methods.
Risk Analysis of Remote Audits
While remote audits save accommodation and transportation costs and eliminate travel fatigue, they also bring unavoidable certification (audit) risks that must be faced. This requires certification bodies and auditors to remain clear-headed, establish risk awareness, and avoid certification (audit) risks at all times and in all places, minimizing operational risks for clients and creating certification (audit) value.
Preventing and avoiding certification (audit) risks is a top priority for all certification bodies' management work, requiring careful analysis, calm handling, and continuous attention:
Certification body management level — National policies, government supervision, self-management, and execution capabilities can affect the certification body's own development, strategy, and business objectives.
Auditor work level — Personal qualities, auditing ability, risk control, physical condition, etc., can affect the auditor's career and personal and family income.
Audit level — An audit is a process of obtaining sufficient evidence within a specified time to prove the conformity and effectiveness of the audited party's (enterprise's) management system, serving as a form of risk control.
Based on the author's experience of remote audits over more than half a year since late February 2020, the main risks are analyzed as follows:
Remote audit cannot be connected or cannot be carried out
Enterprises located in remote areas or in regions with no network coverage;
Client's important security or sensitive areas;
Client prohibits photography or video recording in product manufacturing sites;
Data transmission is not secure or stable enough;
Delays in large file sharing;
Users have psychological concerns about leakage of electronic or scanned materials;
Some areas or entire processes cannot be audited using remote audit methods;
Special or abnormal environments such as high temperature, high pressure, etc.
Insufficient time for remote audits
Network transmission delays causing slow file reception and download;
Abnormal network speed causing shared operation display to freeze or extend time;
Communication (such as text, voice, video) is not smooth enough;
Improper positioning of video/photo images;
The enterprise intentionally or unintentionally conceals or obstructs;
Scanning, retransmission, or shared display of altered or defaced materials.
The above situations can lead to failure to obtain system operation data and information timely and accurately, requiring additional on-site audit time.
Incomplete evidence acquisition in remote audits
Narrow perspective/field of view;
Insufficient assistance and cooperation from the enterprise, or last-minute patching up;
Auditor not on site, so the audit lacks sufficient strength and depth for some processes;
Unable to video record unattended or remotely operated intelligent work locations, insufficient line of sight;
Insufficient validity of sampled evidence;
Customer data transmission packet loss, inaccuracies, etc.
Interruption of remote audit business
Unexpected power outage;
Equipment failure;
Network link abnormalities;
Communication software bugs;
Natural disasters, such as typhoons, heavy rain, snow disasters, earthquakes, fires, etc.
The above situations may cause the audit team to be unable to conduct the audit as planned on schedule, requiring subsequent supplementation or adjustment.
Other possible related risks
Insufficient equipment (such as PC, tablet) and/or training for conducting audits;
Improper selection of audit team, resulting in insufficient overall capability to effectively conduct audits;
Too many audit tasks, leading to the assignment of personnel who lack the required professional competence or whose competence is insufficient;
Ineffective external/internal communication processes/channels;
Failure to consider information security and confidentiality, such as important customer data being obtained or screenshotted by others during transmission;
Unreasonable planning of professional system clauses;
Using public Wi-Fi;
Unknowns due to current technical limitations, etc.
Risk response for remote audits
Currently, risk control for remote audits mainly relies on national policies, industry regulations, certification body management systems, as well as the quality, audit capability, and effective operation of audit team members. All audit team members must carefully identify and assess risks of remote audits and strictly control them to prevent and avoid remote audit risks.
Among the seven audit principles, confidentiality (information security) and risk-based approach (audit methods considering risks and opportunities) have been clearly defined.
As the direct link between customers and certification bodies, the audit team/personnel should practically avoid and control remote audit risks, identify issues that customers need to rectify or pay attention to, and help customers recognize and evaluate the harm of nonconformities or problems and the necessity of rectification.
To avoid remote audit risks, the audit team/personnel should start from obtaining customer documents, scheme planning, document review, audit planning, reasonable sampling, quality improvement, scope definition, and heightened awareness of legal and product risks, and should build remote communication and response capabilities together with professional quality, ethical standards, good health, and work loyalty. These are the basic capabilities required of auditors.
Planning of the scheme
The existence of risks and opportunities related to the customer's environment can be linked to the audit scheme and may affect the achievement of its objectives.
The audit scheme should consider the customer's organizational objectives, relevant external and internal issues, the needs and expectations of interested parties, and information security and confidentiality requirements.
The planning of the audit scheme should pay special attention to content suitable for remote audit use and reduce risks brought by remote audits through subsequent on-site verification or supplementary audits.
Remote audit planning includes but is not limited to the following content:
Risk level of epidemic control in the audited party's region, such as high, medium, low;
Characteristics and complexity of the enterprise's products, system scope, confidential content, and level of understanding and familiarity;
Software, hardware, and network resources, as well as the customer's acceptance of remote methods;
Determination of auditor days, such as remote/on-site audit content;
Definition of remote and on-site audit content;
Considering signing confidentiality agreements based on customer information security and confidentiality;
Pre-building, rehearsing, and testing the remote audit environment in advance;
Preservation of evidence such as audio, video, interviews, and communications;
Remote emergencies and remedial measures;
Others.
When determining auditor days, a combination of on-site and remote methods should be adopted for initial audit enterprises. Based on product types and complexity, internal and external environment, system scope, number of people, operation locations, temporary on-site or production sites, auditor days should be determined, with 1-2 person-days on-site being appropriate. If necessary, adjust audit dates according to the availability of key personnel of the audited party, such as spacing or non-continuous auditor days.
On-site audit content should consider processes related to product design, production, manufacturing within the system scope, and verify original qualifications, total number of personnel, system personnel, coverage areas and sites, and check for omissions or concealments.
Remote audit content should not include system processes with confidentiality or environments that cannot be accessed remotely.
For surveillance and recertification audits of enterprises whose system scope or product types have not changed or have changed little, or whose products have increased while the production processes remain the same or similar.
Document review
Use ICT to communicate in advance, obtain enterprise system documentation and operational data, and provide document review comments;
Understand the enterprise system overview and voluntary system certificate acquisition status, such as ISO 9001, ISO 20000-1, ISO 22301, ISO 27001, ISO 45001, GB/T 23001, etc.;
Determine corresponding qualifications and validity periods based on system scope, such as safety production license, product production license, CCC, QS, telecom qualifications, construction enterprise qualifications, building intelligent system design specialization, security engineering enterprise design, construction and maintenance qualifications, surveying and mapping qualifications, etc.;
Lists of seriously dishonest entities in the national credit information system, etc.
Plan preparation
When preparing the plan, a risk-based approach should be adopted, considering:
ICT methods used;
Remote and on-site auditor days;
Appropriate sampling and stratification techniques;
Risks of failing to achieve audit objectives due to ineffective audit planning;
Risks to the audited party caused by the audit plan;
Matters related to confidentiality and information security, etc.
Audit implementation
The opening meeting should preferably be conducted via video conference;
During the audit, the audit team should establish timely and smooth internal communication channels;
Communication with the auditee should be strengthened;
Fully leverage the advantages of ICT to obtain as much evidence and verify information from the system as possible;
The final meeting should preferably be held via video conference, and audit conclusions and nonconformities should be saved in electronic document form;
The audit report is sent to the auditee via the certification body's official email;
Rectification of nonconformities should be communicated and confirmed through electronic documents;
The entire process should retain necessary remote audit evidence, including but not limited to audio, video, voice calls, photos, screenshots, interview and communication evidence, etc.
Audit Focus Points
Auditors should focus on the following during the remote audit process:
All activities and monitoring results of the production/manufacturing process comply with specified requirements;
Product processes, especially key and special process controls, are effectively controlled;
Nonconforming products are effectively controlled, and the effectiveness of corrective actions;
Internal and external environment analysis, risk assessment, internal audit, management review, and improvement measures;
Personnel competence and awareness;
Equipment management and maintenance, especially regular inspection of special equipment and monitoring and measuring devices;
Procurement and supplier management, document and record management, continuous improvement mechanisms, etc.;
Major stakeholders and outsourced activities are effectively controlled, and process monitoring is in place;
Collection, updating, application, compliance, and evaluation of applicable laws and regulations for the organization, especially those closely related to enterprise production, safety, and management (including regional regulations), such as the Cryptography Law, Food Safety Law, Environmental Protection Law, etc.;
Emergency preparedness and response: suitability of plans, emergency equipment, emergency drills, such as electric shock, fire, food poisoning, lifting injuries, etc.;
Monitoring results and penalties from external regulatory authorities, etc.
Audit Security
Security measures and content:
Auditor access as a remote user of the client's systems must be authenticated;
Complex passwords must be used for login access;
Antivirus software must be installed, and virus definitions updated to the latest version;
Access control lists;
System hardening services for hosts or devices;
At the entry point between the client network and other external networks, configure firewall systems according to the actual network situation to achieve network access control;
Auditor operations must be logged and audited by the client's access devices; typical auditing technologies include log files (generated automatically by servers) and user behavior monitoring (using internet behavior monitoring software or monitoring devices);
During system access, no data or programs may be taken away by any means (such as photographing, copying, screenshots, printing, manual recording, etc.) without permission.
Audit Conclusion
When the remote audit activities end, the client should promptly revoke or lock the auditor's ICT remote login authorization and access rights to ensure information security.
Trends in Remote Auditing
Change and development are eternal; the risks of remote auditing are continuously evolving. With the growing development of SDN, blockchain technology, artificial intelligence, big data technology and applications, cloud computing, and virtualization technology, remote auditing and remote work will gradually become a normal mode. Auditors need to continuously improve risk awareness and their auditing capabilities to avoid risks in the audit process, help enterprises reduce operational risks, and contribute to the sustainable development of the certification industry.