How Will COVID-19 Affect My Audit Schedule? What are the rules?

auditing Apr 17, 2020
 

Are you wondering how you will complete your internal audits? Or what you need to do to for your 3rd party registrar audits?  Well, this blog contains some official documents to help you sort out fact from fiction so you can make a plan that works for your organization and is within the international "rules."

First, let's explain that the International Accreditation Forum (IAF) is the overarching organization that sets requirements (via mandatory documents) and guidance (informational documents) that apply to Accreditation Bodies (ABs) and Conformity Assessment Bodies (CABs). Your 3rd party registrar is a CAB. Here is a link to an overview of IAF. An IAF Informative Document reflects the consensus of IAF members to support the consistent application of requirements. However,  IAF Accreditation Body Members, and the Conformity Assessment Bodies (CAB) they accredit, are not under any obligation to use or comply with anything in this document. These documents are useful guides.

Back in 2011, the IAF created an informative document Management of Extraordinary Events or Circumstances Affecting ABs, CABs and Certified Organizations Issue 1 (IAF ID 3: 2011).  A pandemic qualifies! This document states that certification bodies are to define a plan in consultation with their clients: "An extraordinary event affecting a certified organization or CAB may temporarily prevent the CAB from carrying out planned audits on-site. When such a situation occurs, ABs and CABs, operating under recognised standards or regulatory documents need to establish (in consultation with certified organizations) a reasonable planned course of action."

Section 3 of the document lists several questions to assess risk for continuing certification and understand the certified organization’s current and expected future situation. An example question is: "If the certified organization is certified to a management system standard that requires a disaster recovery plan or emergency response plan, has the certified organization implemented the plan and was it effective?" You may want to read the full list of questions to assess your risks and prepare for the conversation with your registrar.

Section 3 also details the limits of delay time between the 3rd party audits (1st surveillance and re-certification audits have less flexibility than 2nd surveillance). With the potential of everyone wanting to delay their audits, it puts an incredible strain on the registrars and their auditors.  Some registrars are gearing up for remote audits. This means your internal audits need to be completed, perhaps via remote access too.

One of the next questions that arises is related to remote auditing. Can they be done? How would/ could it be done?  This applies to both internal and 3rd party audits. IAF defined a mandatory document in 2018 THE USE OF INFORMATION AND COMMUNICATION TECHNOLOGY (ICT) FOR AUDITING/ASSESSMENT PURPOSES Issue 2 (IAF MD 4:2018).  IAF also created an informative document in 2015 Principles on Remote Assessment Issue 1 (IAF ID 12:2015). Both have useful information for remote audit planning.

There is an expectation that remote auditing under normal circumstances is limited to 30% of the overall audit time.  However, COVID-19 is not a normal circumstances. If you want to see the tables for calculating required time for Quality, Environmental and Health and Safety audits, see the 2019 IAF mandatory document DETERMINATION OF AUDIT TIME OF QUALITY, ENVIRONMENTAL, AND OCCUPATIONAL HEALTH & SAFETY MANAGEMENT SYSTEMS Issue 4, Version 2 (IAF MD 5:2019).

What should you do? 

  1. Review your internal audit program and schedule to evaluate current status. Are you on completing audits as planned or falling behind? Given the COVID-19 pandemic, should the plan be amended to ensure processes are audited based on risk?
    • You may need to revise the audit schedule to be appropriate to manage risks in our new reality.
    • You may need special resources to be able to complete the audits that are deemed necessary.
    • You may need special authorization from leadership for access to documentation to audit remotely or permission to be on-site where work is being performed if remote access auditing is not workable for some processes.
  2. Look at the schedule for your 3rd party audit. What type of audit is planned?  When is it due? Look at IAF ID 3: 2011 for any defined limits or flexibility for audit timing. Remember, it is based on the type of audit due (1st surveillance, 2nd surveillance, or re-certification).
  3. Contact your registrar to discuss what their plan is. Keep in mind that policies today can change next week!  Find out what is flexible and what cannot be flexed from their perspective. With everyone potentially wanting to postpone their audits, it will be unworkable for the registrars. Listen and be prepared with your questions based on the documents cited above.
  4. Bring this information together to present to your leadership team. Remember that the overall goal is to manage risk and maintain efficiencies, not to please the 3rd party auditors. This also means that your internal auditors will need to ensure they understand what the priorities are in this new reality so their audits can add value to the organization.

I hope these documents in the blog are helpful for you. If you want to discuss your specific circumstances, book some time with me. Book 30 minutes or Book 60 minutes

Remember that we offer consulting and auditing services. We can help evaluate your audit program, provide auditing support, or teach your auditors how to audit whether on site or remotely.

Close

Stay connected!

Sign up to get updates on the topics that are important to you.