Science Boosters

Are remote audits the new normal?

With Lee Hahmann

Picture of Lee Hahmann, our audits expert in the second episode of Scilife Podcast
 
In this episode of our podcast, the experienced ISO Management Systems Consultant Lee Hahmann shares his view on the future of audits in a conversation with Filip Heitbrink, CEO of Scilife.


Filip Heitbrink:

Hi, and welcome to another edition of Science Boosters, the podcast for life science professionals. Here, you'll find the movers and shakers in the space sharing their insights on the evolution of the industry and how to grow a thriving company in these rapidly changing times.

I'm Filip Heitbrink, CEO of the life sciences software platform Scilife, and today I'm joined by Lee Hahmann to talk about remote audits.

Lee is an experienced ISO Management Systems Consultant who has worked as a quality manager, security officer, internal auditor, and lead auditor. He was a lead auditor at SGS and has recently started his own company “Hahmann BV”, which offers consultancy services in ISO 9001 Quality, ISO 27001 Information Security, and ISO 22301 Business Continuity.

Hi Lee! Thank you for being here today.
 
 

Lee Hahmann:

Hi Filip! How are you today?

 

Filip Heitbrink:

Great. I'm doing great. I hope you're doing great yourself too.

 

Lee Hahmann:

Yeah, it's all good here.

 

Filip Heitbrink:

So the thing I wanted to talk to you about today is that tech innovations are somehow driving the rapid evolution of everything that humans do, right? So auditing is also no exception. So since 2020, remote or virtual audits have become commonplace, we could say, right? So this has been born out of necessity in a time when onsite audits were simply impossible. So what do you think, are remote audits now really the new normal?

 

Lee Hahmann:

Well, they have certainly increased.

I guess the answer is yes. And in a way, no. Maybe start with the no. Remote audits for me, at least as an auditor, is not a new concept. I have done audits in a remote fashion already the past few years and have experienced them also being on the other side of the table and being the auditee when I was at other companies. Typically, as I can recall at that time I would say remote audits were more in the context of you would have a remote site and you would use, you know, virtual or conferencing tools in those days. We didn't all use Zoom or Microsoft Teams, not to name products.

But that typically was used to audit people remotely. So in that sense, remote audit certainly existed. As such though it is not a new concept at all, even in official documents, remote audits have been described in the past. So it's, it's not a new there. I would even say that without really thinking about it parts of remote audits were also done and most people have experienced them. Typically things like closing an audit, closing meetings when you talk about the findings.

 

Filip Heitbrink:

Yeah, you would do that already remotely.

 

Lee Hahmann:

Yes. Very often that would be the case. Now, when I speak about that being the case remotely, I am often talking about that I am actually physically at the customer's location. And in their conference room and they use their systems to connect remotely to employees or others.

 

Filip Heitbrink:

Yeah, got it. So already parts of the audit. Even if it's a physical audit, parts of the audit would already be done somehow remotely to make it just more practical, right?

 

Lee Hahmann:

Absolutely. And then to say, is that the new normal?

The yes part: definitely. You now see remote audits and most people, if I speak or talk about remote audits today, have experienced through video conferencing applications, but then completely entirely the auditor is no longer onsite with the auditee, with the company. This is what we've all experienced lately.

So in that sense, that is becoming more prevalent. Definitely. There is a bigger mix.

 

Filip Heitbrink:

Yeah. And I guess that also, of course, the remote audits have been now somehow required and forced upon us because of the whole COVID situation, but there are definitely benefits, right? So what do you see as the main benefits of remote auditing nowadays?

 

Lee Hahmann:

Well, I would say the biggest one, and I'm not talking about restrictions, obviously, if you have restrictions to be onsite, then an obvious benefit is to have that site included in your auditing plan because you can do remote auditing. That's obvious, that's a given that that is of course the big benefit. That's why we're all doing this. But I would say one of the bigger things that I could see as a benefit today is, well, your geographical range reach is vastly increased. Not unimportant environment: traveling costs... even, and maybe to teach that part of traveling costs. If I have an hour's drive to see an auditor, an auditee versus me having to fly, I mean, I'm talking about flying over there and that, in that context is that if I can see somebody in half an hour, I will certainly go onsite, but that's just my personal preference. So that's typically one of the typical benefits that you would have. Then I would say today, even you could have, not to use this word because it's very, very fashionable: hybrid auditing. But let's say in this sense, maybe that an audit plan today, we'll definitely have a mix: onsite audit and remote audit, typically an opening and closing. But if you look at the audits you have, yeah, maybe I should explain that quickly: when I'm talking about audits now, the context I'm using is really the third-party audits. To quickly say you have this first, second and third-party audit. Briefly explain, a first is internal. Second-party is more you being audited by maybe a customer, but not within the context of a specific certification or a norm, a bit more their own standards, or you were doing it yourself, of course, towards others. I'm talking about the third-party audits where we are really auditing against a set of controls and norms that are then certified and have specific rules according to, just to clarify that.

Coming back to the benefits I think also what you can see now is because homeworking was also a trend typically this has extended into also auditing where you have documents or parts of a site where you no longer have to go physically. And that ties into a little bit also cost reduction, travel time. But sometimes you want to call in an expert, you know, to have a learning specific parts of your audit. That becomes also a lot more practical, also with regards to the availability of experts. There are certainly benefits there and I'm sure there's more, I might come up with a couple more during the audit.

 

Filip Heitbrink:

Maybe also if you have different sites, one site might be like the remote site. And then because of the fact that it's remote and hard to audit, you might say, you know what, we're not going to include it in certification. But if you, if you come to the conclusion, oh we can actually do it remotely, the full audit of that site, you might decide to put it into that same certification audit. Does that make sense?

 

Lee Hahmann:

Yes, absolutely. Totally. What I'm thinking about now is document review, for example, very often I mentioned the level one audit to where that is something that could be done remotely. I actually I'm inverse. I like to do them on site because I have, I get to know the customer a little better. When I do that and then we can look at the benefits on the second part of the audit and the actual certification, all that. But one thing that I certainly see as a benefit when you look at more synchronous auditing where you do your document or data review because you get this information shared or sent to you previously, it does allow for better and more independent and more in a more deeper exploration. Then when this is shared over the screen quickly, pages are flipped, you know? That's one of the opportunities I think we should also look at or benefit from with remote auditing or having at least. That's something maybe we should address also here in this conversation is not to underestimate the ease that you generate in the auditing process by just having your management system, whichever that one is to really have that in a digital form, a structure, at least in that way.

I do see a lot of benefits there. The documents, the way they're shared access control becomes all of a sudden, very clear you can prove you can show it while through auditing. So I really do enjoy auditing. Not to say the companies who have still parts of their quality management system in systems that cannot be immediately shared via screen or on documents are not audit-able of course not at all.

I don't want to send that message into the world. It won't be the first audit that I do remotely, where a paper was shown on the screen, but it's not that practical.

 

Filip Heitbrink:

Yeah, I know. Exactly. I think you mentioned in past conversations that you could even ask the person to just stand up and with their smartphone, use the camera and show you around at the site to see specific things. So it's, it's like imitating what would happen if you would go onsite and show me here, show me there, right? So, that's something that is possible too. It's not about just having your quality system in a digital fashion where you can just show everything over the screen, but technologies like just using the camera in a call are also useful for remote audit.

 

Lee Hahmann:

Absolutely. And maybe I can expand a little bit on that from the perspective of the auditor. Let's say you've agreed on performing a remote audit. And on the preparation side, that's maybe something we can address a little later. What definitely is going to happen. If you prepare yourself for a remote audit it's no different than when you prepare for an onsite audit, you have evidence ready, everything is prepared, you know what you want to present to the auditor, and depending on how the audit evolves the auditor can, of course, ask for different, you know, evidence. When that happens remotely that's not, sometimes there's a little hiccup there where that's not prepared or not easily accessible.

Often, this has been resolved by, you know, somebody actually grabbing a phone and walking over. Typically I have a physical aspect, physical control, or security control in the 27001. Beautiful how they're prepared for real often, you know, with floor plans prepared or showing or sharing it in some form CCTV footage where it's allowed. And then we can maybe go into the risks a little bit because security and confidentiality are a big part that needs to be clarified here. But that typically yes, is something that I definitely appreciate if that's available. Because it gives me the confidence, you know, that I have been able to order specific control. Conserve a room with your camera to just confirm that what's being said is indeed in place.

That's not uncommon.

 

Filip Heitbrink:

No, and what you're mentioning here are some common pitfalls right? That you probably need to prepare a little bit differently, a little bit more thoroughly, even though everything is digital because of the fact that it's remote, you might want to anticipate all the things that the auditor might ask you because, in the end, it's really your responsibility that you can show the auditor what the auditor needs to see.

 

Lee Hahmann:

So that's good that you say that and yes, it is at least it's a shared responsibility. And I'll put it to you from this perspective. Me as the auditor, when I do or I'm no, I will perform a remote audit, I will perform a risk analysis with the customer before I do the actual audit. This is quite important.

And typically the points that are addressed there, or the biggest one that I know that is being addressed. And maybe we can refer to some guidelines a little later on in this conversation, but is of course the confidentiality, the risk. So, you have to all of a sudden, imagine that you're sharing documents, you're sharing your desktop. You might even send documents before you need people to have the bandwidth, to know how to work with the tools I still learned, feature and functionality, and sometimes teach them in, in, in order to in calls. It's not that everybody really is used to using all these features. You can maybe record or print screens, but this has all to be defined before where you have some potentiality issues where all of this might not be possible or necessary in any case.

An auditor will always ask that as the guidelines for auditors are always to make sure that this is all discussed. Before, when I'm auditing. And I think that a particular screenshots. A document might be relevant for me, whether it is to just complete a more detailed report later, or whether it's an actual evidence that I want to incorporate. These pictures are not really used as evidence, but just the content of what is being viewed. We always remove everything after an audit. Of course you have to do that. I think it speaks for itself. And to date, I cannot recall if there's any tools that allow me or forbid me to take a screenshot.

It's never a hundred percent safe, but that's why these things have to be discussed up front. Absolutely interesting.

Filip Heitbrink:

As a conclusion of this trust topic, right, regarding remote audit: is it the new normal? Yes and no. Would you say that remote audits are somehow easier for the auditor or the auditee than the physical audits or is it just different?

Lee Hahmann:

Well in essence I should say that it's the same. The mix is going to be there. Me going forward, I will really look at opportunities where remote audits are useful in my audit plan was maybe previously because of not really having been pushed into using these, these new tools. I would have preferred to go onsite with the exception of the ones I mentioned before, where you just remotely audit a person at a very remote site. That makes sense somewhere in Siberia, for example.

 

Filip Heitbrink:

Due to the pressing circumstances, this transition from onsite to remote has been really quick, right? For a lot of companies many auditees and also auditors are still familiarizing with new procedures on how to do this effectively. So just to insist a little bit, we already touched on it during our conversation, but how would you plan for remote audits?
 
 
Lee Hahmann:

Well, I think it starts all with just having your risks and opportunities addressed before you start. Let's take this scenario. You have a company that I would audit. And let's say I'm not in an initial certification audit or recertification, but in a surveillance audit, for example, I would typically have my audit plan. And typically this is something which is defined over a period of three years. The durational recertification, I would have my audit plan already set in context, maybe over 9000, she would say I'm going to order this and this and this process. And context of the 27001, you would say this and this and this control that I want to order it in this period. So the planning is there, but what would you do now differently if this was the first time you would do it remotely is you would go into conversation with your auditee and say, well, what we touched before from a perspective of security and practicality, you need to address all these points.
 
Agree on what tools you're going to use, who will be responsible for sharing other backups who will be available? Yes. But more. What are your restrictions? What are your risks around sharing data on the screen? Obviously most companies these days have access control. Well, whilst you're in this boardroom and somebody walks in with a laptop and he has access to, she has access to specific parts and quickly shifts on the screen. This is not going to be any different. But these people will still have to be called in the call, take over share, etcetera. So all these practical aspects really have to be looked at. And then if you look at the 9020 7001, which process and which control as particular risks with orders during them remotely, a typical control in the 27001.

Well, let's talk about the physical security. It is not that evident to do that remotely. Not easy at all. But it's feasible. And in a 9001 I can imagine a context where you might look at a specific process running and it might be in a factory, but it might be visible from a safe distance within the factory, from a platform where you can observe it.
 
But what are you going to do in context of your remote audit? Will somebody stand there with a camera? Some of these things are very practical. You might therefore conclude that part of it will be remote and a part of it will still have to be onsite. And then yeah, the necessary arrangements have to be addressed. That's typically something you do before, really? Yeah. So that's different in that sense that it's just a couple of new risks or opportunities added to the already standard way of planning and all that.


Filip Heitbrink:
 
Maybe you could say for a physical audit, you just would get on a call and discuss the scope and some practical things, but for a remote audit, you really have to dig in a little bit more and see according to the scope, which things might be impractical in a remote audit to show evidences or stuff like that. And then you actually need to come up with a solution to get. How to plan for this to make it feasible during the audit. That's a little bit what I get from your explanation.
 
 
Lee Hahmann:
 
Exactly. And this is where this shared responsibility comes in. At the end, when I do write my report, it is my responsibility as the auditor. And I actually have to make a statement in my report when I do perform a remote audit or partially remote audit that nothing impacts this audit being performed correctly because it was done remotely. And this is typically where you then have documents that you do share with your customer and both sign off on that. You've looked at the risks, and this is something that is typically introduced with the review package of your reports. So there are a couple of new documents that are included in remote.
 
 
Filip Heitbrink:

It makes a lot of sense. What also comes to mind is do regulations like ISO or FDA actually have the guidelines to perform remote audits? Or is that something that you need to figure out yourself?
 

Lee Hahmann:

Good question. Actually the guidelines already existed because we touched a little bit on. Or maybe we haven't yet, but typically what happened with COVID really impacted a lot of us here. But yes, guidelines certainly exist and they were there already pre COVID. If you look into this a little bit online, or you might've heard auditors talk about this, the typical things that are referenced to obviously you have the ISO 9011 that basically have all the guidelines for auditing management systems in there. There was already a mention, at least in the 2018 version of remote audit. So this is not new. And then specifically, if you look at the International Accreditation Forum, the IAF, there's this MDF document that is referred to often. You might hear that specifically talks about the use of ICT in remote. It's a guideline, not typically listing what you should look out for, what could potential risks and opportunities be that you would have to look at to make sure that the audit is performed in an adequate. So, yes, it does.
 
 
Filip Heitbrink:
 
We were already doing things remotely before COVID happened. It does make sense that regulations already come with some guidelines. How would electronic quality management systems help you during this remote audit process? I assume it will make things a lot easier for both parties. But maybe you can elaborate on that.
 
 
Lee Hahmann:
 
I haven't yet audited a company that has all their policies and procedures on and show it on the screen. That would be definitely a challenge. No, but you see that they either use tools of management systems that are available in the market or classically, within SharePoint for just a couple of sets of documents, but it depends how far your integration goes and your company allows it.
 
 
Filip Heitbrink:
 
What would you say would be the conclusion of remote audits overall? I mean it's not new, right?
 
 
Lee Hahmann:
 
Well, maybe I'm going to repeat myself but my conclusion is no, it's not. Remote audits have always been part of auditing, but what is definitely new is how frequent these remote audits will be today and in the future, the mix is going to be there and it's obvious the reasons for remote audit.

You see a lot of companies moving into that direction where they perceive it as very, very positive. Maybe a little side note as an auditor auditing a lot of multinationals, remote audits greatly improve their efficiency. Really. And that's something I think is maybe not always heard in mainstream auditing land, but this is something I've often heard how this has greatly improved their efficiency. I totally agree.
 
 
Filip Heitbrink:
 
Lee, thank you so much for sharing your knowledge here on Science Boosters. Thank you again and I hope to see you soon.
 
 
Lee Hahmann:

Yes. Thank you very much for the invitation. It was a pleasure to share a little bit of this new world of remote audits that we are experiencing. So thank you for the invitation.
 
 
Filip Heitbrink:
 
To continue the conversation, we're looking forward to your comments and feedback on our social media channels. We'll also let you know when the next episode of Science Boosters drops through these networks. If you're listening to this on a podcast player, don't forget to follow us. If you know someone else in the industry who would find this episode interesting, why not share it with them or with your network? A big shout out to everyone on the Scilife team who made this episode possible. Thanks for tuning in, and then looking forward to uncover more life science knowledge with you soon.
 

 
