Richard Jenkins, Chief Executive of the National Security Inspectorate (NSI), pictured, explains how remote audit can be part, but only a part, of a robust audit programme. A ‘blended audit strategy’ involving both on-site and remote elements ensures no missing pieces in the certification jigsaw – and best serves the public interest, he writes.
In light of the Covid-19 pandemic, NSI suspended all audit activity from the start of April, giving ‘breathing space’ to an industry thrown into adapting to the crisis to safeguard their staff, implement measures required in ‘lockdown’, and focus on the safety of their customers and the wider public. As the UK takes its first steps towards easing lockdown measures, NSI resumed its core audit and assessment activity from Monday, June 1, adopting a blended audit programme strategy – a carefully considered combination of remote and on-site audit capability fit for the future post-pandemic world, and in sync with Government Covid-19 guidelines.
Interest in remote auditing has exploded dramatically over the last couple of months; hardly surprising given the consequences of the pandemic we all face. Some call it a ‘dynamic desk top review’ – yet desk top reviews have been resisted for years by assessing bodies firmly of the opinion that nothing beats ‘getting out in the field’, ‘seeing for yourself’, and ‘kicking the tyres’.
Whilst on-site audits will remain the mainstay of any product certification auditing process and with good reason, necessity is still the mother of invention! Lockdown has seen collaboration technologies being put to the test in far wider use across society and no less in the auditing community. It’s not just the innovators and early adopters who are involved: all but the most laggardly have given it a go, and learned to adapt far more quickly than would ever have been imagined. Progress indeed.
Covid-19, so the headlines have it, means that in the world of auditing the time for remote audit has come. Where audit programmes require a focus on reviewing and a reliance on documentation, the now widely familiar technologies of Skype, [Microsoft] Teams and the like go a long way to making this possible. Of course, user familiarity with technology and resilient connectivity are essential to avoid disruption during remote audits, and the availability of key personnel is essential. Unreliable network connections, VPN issues, and interruption in interviews and meetings can be hugely wasteful and limiting in the completion of successful audits.
NSI has been in the ‘Inspectorate business’ for 50 years and covers a wide range of approval activities, from business quality management systems to fire and security systems design, installation and maintenance, and security guarding services. It’s an organisation renowned for its independence, competence and thoroughness in auditing and issuing of Certificates of Approval within the sector.
It does an important job: independent third party certification plays proxy for the discerning buyer. It serves to give confidence in the capability and integrity of providers. The job of all certification bodies is a significant responsibility.
Modern communications technologies have been around for many years and NSI is fortunate that such tools – already universal in its business – have meant that the remote working and remote audit demanded by the Covid-19 pandemic have been little more than business as usual.
With much of the security industry’s work and services conducted on site or in the field, on-site audits continue to be valuable in gathering evidence of compliance to technical product (and service) standards. As part of NSI’s new blended audit programme, remote audits are now being routinely utilised at NSI’s discretion for assessing ‘Management System’ requirements where process and control is more documented or – as they used to say – more ‘paper-based’. Understanding the pros and cons, the limits of what can be achieved through remote auditing, is key. So what is its place in the auditor’s toolbox? What are the benefits and drawbacks?
Remote audit pros and cons
Remote audit means many parts of an audit programme jigsaw can now be completed without a physical on-site presence. However, in most sectors, and certainly in the security sector, remote auditing is not and never will be a universal panacea for the public and businesses reliant on the certification proxy. To suggest so is folly: it cannot be considered a complete confirmation of ongoing ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements. Without on-site verification and evidence gathering of service delivery, the audit jigsaw remains incomplete.
“Trust in the audit” is key: when an auditor has physical access during face-to-face, one-to-one interviews the strength of evidence gathered is unquestionably greater; confidence in observations and reports made first-hand is stronger, and the opportunity to seek clarification when needed is far more open. Unscrupulous auditees have much less opportunity to be economical with the truth, disguise grey areas, and hide non-conformities during physical audits. The opportunity for auditors to dip sample ‘off piste’ in a free ranging way is clearly easier in the flesh.
Non-verbal signals evident in a face-to-face meeting can be virtually impossible to detect during a remote audit, lessening the opportunity for in depth situational analysis. Moreover, the auditor’s skill in triangulating fully the evidence presented through independent interview of multiple parties and ‘disconnected’ documentation is severely hampered, potentially nullified.
Only where information gathering is highly structured, with an audit trail readily reviewable, and dip-sampling facilitated by business tools, can remote auditing unquestionably deliver.
The ‘new normal’
Establishing the ‘new normal’ for the use of these tools is key. Will the pendulum swing too far toward remote audit as early enthusiasm in the technology takes hold? It’s almost inevitable. The rules of successive approximation dictate it. Will the take-up of remote audit add value in the world of certification? In many cases, most certainly. Finding the optimal balance for each client, as part of their individually designed blended audit programme, is the job of the certification body.
Some pieces of the audit programme jigsaw will come into sharp focus and be well defined during remote audit. Others will be blurred or simply be out of reach. Over-reliance on remote audit could be a real threat to quality and compliance frameworks. As such, business should be wary of jumping lock, stock and barrel onto the remote audit bandwagon; mismanagement and misunderstanding of this tool could have serious unintended consequences and ultimately deliver a disservice to customers, public safety and industry standards generally.
Commercial pressure and a desire to ‘just get the audit done’ are already being referenced in some reports. It’s clear there is a need for a more balanced approach to manage the risk and ensure certification is not brought into disrepute with an over-zealous light-touch approach that risks overlooking the cracks. Remote auditing undoubtedly has its place in the independent auditor’s toolbox and can be effectively incorporated in audit programmes, but it comes with a health warning: ‘handle with care’.
To ensure approved companies are fully informed regarding the responsible and effective integration of remote audits alongside on-site audit, NSI has issued clear guidance advising remote auditing may only be offered for ‘Management Systems’ requirements in certain circumstances. NSI believes adopting a blended audit programme strategy to be the most appropriate, responsible, practical and adaptable approach to the ongoing challenges posed by Covid-19, to ensure there are no missing pieces in the ‘new normal’ audit jigsaw of the post-Covid world.
Remote auditing – checklist
Effective remote auditing requires robust planning, with a consistent approach to:
– risk assessment of a company’s ability to engage in a remote audit, considering such elements as the availability and familiarity of information and collaboration technologies, history of non-conformance, significant changes to the organisation, availability of key personnel, and ability to share documentation securely whilst maintaining GDPR compliance.
– subject matter suitability for remote audit. This may vary significantly between different disciplines, and a correspondingly varying impact on a company’s audit programme will result. The balance of remote vs physical (on-site) audit duration should be built into each and every audit programme.
– auditor competence in remote auditing principles and remote assessment skills, such as the use of available technology to facilitate audit, weaknesses and risks in unrepresentative sampling, insufficient and unreliable evidence to support judgements, validating identity of interviewees and remote interview techniques. An assessment of competence should be made for each auditor before undertaking remote audits. Lack of training or experience in conducting remote audits can lead to inability to collect sufficient audit evidence required to enable a sound judgement being made on continued approval.
– Auditee/Approved Company competence and readiness for remote audit:
o define and test the collaboration platform to be used
o grant security and/or profiles for access as required within business systems
o agree how documentation and audit evidence will be shared (e.g. screen sharing, OneDrive, Dropbox etc.); and
o competence of auditee’s staff in use of the necessary business tools during the audit
– Effective remote audit agenda checklist/guidance to the auditee/approved company:
o specify collaboration tool(s) and connectivity to be used
o specify records and documentation to be shared with the auditor
o list of activities, departments, information, and personnel to be involved in the assessment
o specify sampling numbers required; and
o schedule time for each part of the assessment.