Is e-auditing the next logical step?
by J.P. Russell
When you start talking about remote auditing—or e-audits—around a group of auditors, you will hear plenty of strong opinions. Some auditors are vehemently opposed, while others are open to the idea.
An e-audit is an audit in which electronic means are used to collect audit evidence. And, like it or not, every organization will need to get used to the idea of e-auditing in the next few years due to the potentially significant savings stemming from advancements in communication technology.
E-mailing has been around for about 20 years, but e-auditing techniques have stayed on the back burner due to credibility issues and technical limitations. Now, we have ready access to—and increased confidence in—other communication tools, such as video conferencing.
The new ISO/DIS 19011 draft in development has incorporated language to address e-audits. Audit-accrediting organizations, such as the American National Standards Institute-ASQ National Accreditation Board and the QuEST Forum, have issued guidelines or rules on e-auditing practices for third-party audits.
The obvious benefit of e-auditing is more efficient use of resources. E-auditing techniques can save auditor travel time and expenses, while improving efficiency.
Currently, it is not unusual for auditors to spend as much time traveling as auditing. If you must travel to perform internal or external audits, you could potentially save 50% of resources by using e-audits. Instead of sitting in airports, auditors could be auditing, completing reports or meeting with an improvement team.
It may also be possible to improve efficiency by recording and analyzing information electronically. In addition, the auditee (customer) could be required to provide more information in advance of the audit.
During the past decade, the trend has been for organizations to make customers provide their own customer service. We have self-help telephone menu systems and frequently asked questions (FAQs) requiring customers to figure out their own solutions. Last year, over the telephone, a man in India helped me take my printer apart and make a repair. And, to my surprise, it worked.
For auditing, the auditee can complete checklists or surveys before the audit to report on the controls in place or recent changes in the system or process.
Benefits ultimately depend on the travel cost savings, number of remote locations and availability of communication equipment required.
A few concerns
Are audits conducted remotely still audits, or are they surveys? If the auditor never sets foot in the area being audited or interviews personnel face to face, can audit objectives be accomplished? If a potential supplier claims to conduct e-audits, should you be concerned?
We must ensure that whatever means we use, we maintain the credibility of the audit results. If an organization claims it is conducting e-audits, you should still have it explain what that entails because there isn’t a universal definition of an e-audit. For example, there is e-auditing software for recording audit results that has nothing to do with whether the audit is conducted on or off site.
The definition of an e-audit should be the same as that of an audit in which on-site or direct means are used to collect evidence. If this were not true, an e-audit would not be an audit. It would be something else, such as a survey, assessment or poll.
An audit is "a systematic, independent and documented process for obtaining [sufficient] audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled."1 This general definition is applied to quality, health, safety and environmental management system audits.
I added the word "sufficient" because one of the issues with remote or electronic means for collecting data is the data may not be sufficient compared with data obtained via on-site auditing collection methods. As a result, compromises that affect the trustworthiness of the audit results may be made by the auditor or auditing organization.
Electronic communication techniques are being integrated into almost every facet of an audit. These techniques are used to notify the auditee of the impending audit, keep the auditee informed during the audit process, prepare schedules and audit plans, and distribute reports. Software is used to help analyze the results.
During the performance phase of an audit, however, data must be collected to verify conformity to the audit criteria. The data must be sufficient to verify conformity, free of bias and representative of the current status of the area being audited.
A possible qualification for an e-audit is an audit that uses electronic means to remotely obtain audit evidence to determine the extent of conformity to the audit criteria. An e-audit means auditing from a remote location. The methods used to converse from a remote location may include the telephone, videoconferencing, e-mailing or online chat rooms.
There should be e-auditing guidelines for an organization to claim conformity when the auditing is conducted from a remote location. External auditors can review the guidelines to ensure good audit practices are used to collect and analyze data.
Collecting data, information
Four facets of a traditional audit are affected when the audit is performed remotely:
1. Interviewing. This can be conducted remotely using teleconference technology. Remote interviewing may require the interviewees to go to a central location, such as a conference room. Many auditors prefer to conduct the interviews in the interviewee’s office or work station, but that is not always possible due to distractions.
If the off-site auditor has an on-site assistant, video cameras can be used to conduct the interview at the work location. Off-site and on-site auditors can submit questions for the auditee to answer prior to the interview. Based on the answers to the pre-interview questions, the auditor can ask interview questions to determine the need to collect audit evidence.
- The potential disadvantages of remote auditing are:
- The need to have an on-site assistant to ensure interviews are punctual and that the interview room is suitable.
- The need to be trained on the communication equipment.
- An ability to interpret body language.
- The need to have someone on site to collect evidence or operate video or camera equipment. It’s also possible that, in some instances, the use of cameras and video equipment could be banned due to security issues.
2. Inspecting and verifying documents and records. This can be done off site as long as the auditor has access to the electronic document control system. Records can be scanned and forwarded to the auditor as requested.
The auditor will need to be able to select records to be verified during the interview, such as from an index or list of available records. In this way, off-site verification of documents and records could be as effective as on-site auditing and could save auditing time and cost.
The potential disadvantages are the need for scanning equipment, gaining remote access to the organizations’ documents used by the auditee, and the time it takes to be trained on accessing and navigating the document control software.
3. Counting and measuring (physical examination). Remote audit practices can be used to collect data online for many administrative, paper or electronic processes. That may include document and record controls, the corrective action process, order-entry function or information from the purchasing department.
Each situation should be evaluated based on data access and importance of the process or audit risk. Physical examination can be used for process elements that can be viewed or provided electronically.
Collecting data remotely from processes involving product or delivery of equipment or a service is less credible when done electronically. It is possible to use a camcorder or digital camera operated by an independent person to view the evidence. But this might not be practical. Surveillance cameras could be used, but the quality or functionality could be inadequate.
For some off-site audits, data collection may need to be skipped or verified during a later on-site audit. Using an on-site assistant or surrogate, however, may provide cost-saving solutions.
A surrogate could be a certified auditor who is located in the same geographical area. Based on the lead auditor’s needs, that person could verify documents, records and processes. In some cases, such as internal audits, the organization’s management representative could assist or be a surrogate for the auditing organization.
If an on-site physical examination by the lead auditor is required, the cost benefits of e-audits will be significantly reduced. Physical examination is not always needed, however, and it may be possible to reduce its use depending on the risks to the audit objectives.
4. Observing tasks, processes, inputs and outputs. For e-audits, observing may not be important for certain areas or in certain industries. For example, walking around an insurance office or purchasing department is not going to yield new information related to quality management system controls. But if the audit criteria are safety, environmental or security, observing the office surroundings could be important because there may be physical signs of management system implementation.
Similar to collection of physical data, collecting data remotely from processes involving production or the delivery of equipment or services is less credible. If process implementation, ongoing process controls or process outputs need to be observed, an on-site audit by the lead auditor or his surrogate may be needed.
In the future, it may be possible to perform real-time video surveillance of operations, which will reduce the need for on-site auditing.
Internal vs. external
Internal audits offer the best opportunity to perform e-audits due to trust and confidence factors. External, second-party audits are also a golden opportunity if you have a good relationship with your suppliers. For external third-party audits, the opportunities are fewer due to the lack of trust and confidence in the audit results.
There are almost as many e-audit rules as there are third-party accrediting organizations. Most require extra approvals and go beyond requirements for on-site audits, such as sampling.
It’s clear the third-party auditing organizations and accreditation organizations are being cautious, but e-audits are feasible, and organizations can benefit from them. They are not always practical or advisable, however, if the creditability of the audit result is questionable.
When other organizations, such as suppliers, claim to conduct e-audits, they need to clearly explain what that means. You should ask how the audit evidence was collected or ask to review their e-auditing procedures. Was data collection independent, sufficient and free of bias? Even a good off-site audit program may require periodic on-site, face-to-face audits.
Keep in mind the following when planning or reviewing e-auditing techniques:
- Travel. Are there significant savings in travel costs and employee productivity?
- Audit scope and objectives or purpose. Does the audit involve a new certification, a new process or supplier approval? Is it a system or process audit?
- Nature of the processes to be audited. Does the process to be audited involve oral communication or documentation, such as order entry, purchasing and document control?
- Type of product, equipment and materials involved in the process to be audited. Is equipment used to conduct the process (drilling, cleaning or inspecting)? Is observing the operation of the equipment, product movement or materials handling a critical factor for verification of conformity?
- Number of locations. Does the organization have enough locations to benefit from e-auditing?
- Nature of the audit. Is the audit internal or external? Internal audit risks are lower than those for external audits. External audits require a higher standard for collecting unbiased and sufficient data.
In addition, you should consider the availability of appropriate electronic communication equipment, the capability of the auditor and auditee to operate electronic communication equipment, and the need for security. —J.P.R.
Portions of this article were taken from J.P. Russell’s presentation at the ASQ Audit Division Conference in Tucson, AZ, October 2009.
- International Organization for Standardization, ISO 19011—Guidelines for quality and/or environmental management systems auditing, 2002.
J.P. Russell is president of J.P. Russell & Associates in Gulf Breeze, FL. He is also managing director of and provides training for QualityWBT Center for Education. Russell is an ASQ fellow, ASQ-certified quality auditor, voting member of the American National Standards Institute/ASQ Z1 committee and member of the U.S. technical advisory group for International Organization for Standardization technical committee 176. In 2008, Russell received the Paul Gauthier ASQ Audit Division award. He is the editor of The ASQ Auditing Handbook, third edition, and author of several ASQ Quality Press books, including The Process Auditing and Techniques Guide, second edition.