What To Do When the Virtual Auditor Comes

You can access the recording by clicking on the image below.

Webinar Topics

In this webinar, we discuss an overview of the remote audit including:

Benefits to both sides – Organization + Registrar
Who will be interviewed?
What activities can the auditor observe?
What documents will they want to see?

We also discuss how much can be audited, including:

Objective, Scope, Criteria
Methodology – Registrar supplied equipment and/or organization’s own equipment
Registrars still have to comply with relevant accreditation bodies requirements

Finally, we review different considerations for onsite and remote audits, including:

Interactions with auditees – smart cameras, screen sharing
Viewing evidence – wearable devices, drones?
Privacy act requirements – how does it impact a virtual audit?

Full Webinar Transcript

Rick:

Most people here are in the quality management realm, 42%. Next highest title is supervisor, one upper management and one consultant today.

Jim Moran:

Excellent. Thanks. It'd be a nice group. And then, this helps me to decide where I am, what to emphasize as well. So, COVID has pushed the virtual audit timetable forward. Remote auditing has always been part of ISO 19011. There's always been guidance for registrars on how to do remote audits. But if it weren't for COVID, we certainly wouldn't be talking about it with the intensity. We just did an audit or webinar with BSI last week on this very topic.

Jim Moran:

So, it's always been an option. And it said the new version of ISO 19011, 2018 version has a lot more information on remote auditing. It's almost as if there were a movement towards it. I think with today's technology, it's going to be a lot easier. So, we have another, so we're going to take a look at it as if it were the new normal. And remember that all of you who are ISO certified, if you request it of your registrar, you can take advantage of the various things we're going to talk about today, all the benefits of it.

Jim Moran:

There's probably no reason except for IATF 16949, the automotive standard. There's really no reason for the in person audit any longer if you have the right technology at your end. And by doing a virtual audit, it could give the whole activity of auditing more visibility in your organization. And most of you know that if you can do really good audits, internal audits especially, you can find ways to improve the effectiveness of all your management systems, whether it be quality, environmental health and safety, energy, whatever.

Jim Moran:

You can take advantage of this. You can make sure that you're getting ways to improve your system and of course, improve the bottom line. And by giving out a more visibility in organization, sometimes, top management starts to see the value of it, and starts to realize that you can actually improve the effectiveness or improve profits by using audits well. And there can be benefits, many benefits from virtual auditing. Not the least of which is staying on schedule.

Jim Moran:

I guess it's almost like buying a new golf club, or you go to the driving range and you're concentrating on it so well, your slice, all of a sudden, goes away, you stop [inaudible 00:03:13], all kinds of amazing things happen. So, by changing the methodology for an audit, everybody starts to focus on it a little bit more and that would definitely help staying on schedule. It's also possible that the staying on schedule benefit might occur because the participants have had to do a little bit more planning.

Jim Moran:

The first benefit I noticed when I did my first virtual audit back in April, I didn't have to travel to the client. They are only a couple hours away in Mississauga, but typically, I went down the night before, stayed at a hotel across the street from the client, walked over in the morning, audited for the day. And then, back to the hotel, I had dinner. So, there was the breakfast cost and on snows, I eat massive breakfasts. There was the travel time for them, the mileage for them, the hotel, and so on.

Jim Moran:

And it all adds up. And it was only two hours away. The other neat thing was when the day was finished, I didn't have to go to a new gym. Our gym was closed here in April but I was able to come downstairs to do a workout here. So, it just makes that even the travel time, the couple hours it took to get there, the traffic, and so on. And all this also reduced environmental issues. I wasn't using power at the hotel.

Jim Moran:

I wasn't using my hairdryer, not that I've ever used one in years, but all the things associated with getting a body to a location all disappeared, expense audits, air travel for auditors having to come from a different part of the country. I've got a client here in London who has implemented ISO 17025. And the auditor was going to have to come up from the Midwest from A2LA. They're one of the three accreditors in North America.

Jim Moran:

And we're probably looking at maybe three, $4,000 in expenses altogether, perhaps more. So, travel expense savings for other clients, that could be a major consideration or not. The auditors themselves have more time for their families. As I said, when I finished the audit in Mississauga, I didn't have a two-and-a-half-hour drive home. So, there's all kinds of benefits, not just the financial side, there's life-work balance benefits as well.

Jim Moran:

Now unfortunately, I have met a few auditors in my 28 years at this that actually relish getting away from home. So unfortunately for them, they'll have to come up with some new way of viewing life, I guess. It's just simply safer all around. It's good for everybody. It's great for your employees. It's great for the auditors. It's great for all the frontline people who would have to be serving the auditors traveling, hotel people, the people in the restaurant in the hotel, and all kinds of benefits from not having to actually physically go there.

Rick:

Hang on a second, I want to just make a comment here. Ray has mentioned, and it's a question really. In North America, does BSI still want to do certification audits partially in person for ISO 27001?

Jim Moran:

Oh, good question. The only standard that's on the list where the "governing bodies" have insisted that they cannot be done completely virtually is IATF 16949. So, I would suggest, Ray, that you will be able to do a 27001 Information Security Management System audit completely virtually. Now that I think about it, it's ironic because of all the standards that are good candidates for virtual audits, it's probably one of maybe near the top of the list, because you'll be looking at all the security on the system for sure.

Jim Moran:

So, again, talk to your registrar, but there's really no reason with today's technology that there has to be a body on your site. And we'll be talking about ways to achieve this too during today. Thanks, Rick. Good question. The other thing that could happen and Ray's point is very good about 27001, there could be some specific talent that the audit needs that isn't available or would perhaps only come in for a few hours or a day or half day.

Jim Moran:

Now, you'll be able to access them for an hour or two and take advantage of their expertise at the click of a button. So, it'll really be a benefit all the way around. Expertise all over the world is successful. Timing, obviously, with Europe being ahead of us and so on, we'll just have to get the time to work out right. But that's always doable. On your auditees, there'll be in their own spaces. Now, in a case like this where there's actually physical things going on, they'll be working at their own desks at work there or at home.

Jim Moran:

Though, one audit I did, the president and the two people that were helping her out with the audit were all working from their homes. And many cases, St. John's case in Strathroy Manufacturing Organization, you'll have to have laptops, tablets, phones maybe to show the auditor the assembly lines, the design areas, maybe go through some design drawings, that thing. Although, many of you will have your drawings stored electronically now as well.

Jim Moran:

But if you have ever been to an audit where the auditee has to take his or her information into a boardroom, sometimes, that can be a little disconcerting for them. But now, they have their own space and they can take care of their own space. They can work, they can keep it wiped down, they can keep the disinfectant there, and they'll feel pretty good. So, over to you, Rick, it's actually a click poll. But if you could just tell us about a couple of things in your virtual audit experience. Rick's going to keep an eye on the chat box.

Rick:

And while they're doing that, Jim, we've got a comment from Patel that says ISO 17025, which is of course the laboratory standard, cannot be accredited remotely due to lab competence assessment. So, I haven't heard about that before.

Jim Moran:

Yeah, I haven't. We're in discussions now with A2LA. And as far as we know, the entire audit is going to be done remotely. We have competence of spreadsheets, and we have evidence of training. I'll check that out. Was that Steve, did you say?

Rick:

Just Arpatel, so.

Jim Moran:

Oh, sorry. Thanks. So, I'll check that out. We talked to [SANS Counsel 00:10:54] Canada. And we talked to ANAB in the states and A2LA. And by the time we got discussing it in the spring, ANAB in A2LA were both talking in terms of a 100% remote audit. The original plan was for three live audits and then the fourth year would have been remote. And they would have had to have done competence confirmation there too. Anything else in the chat box, Rick?

Rick:

No, apparently, no one's had a virtual audit experience that I'm aware of. Oh, I'm sorry, right. Ray is chiming in. He says, coming as a far virtual audit, his experience was good. He found it easier to organize. The remote access needs to be handled by Zoom and various systems like iPhone, so forth. Bad side of this, he says the auditor sometimes forgets to allow for breaks since it's just charging through.

Jim Moran:

Good. Thanks, Ray. It's funny you mentioned it because I actually have a slide made up about that specific thing, remembering to pause. That's great. Thanks. Anything else in there?

Rick:

Nope.

Jim Moran:

Okay, thank you very much. Thanks for your help. So, there's Ray's tip, make sure you remind your auditor to take breaks. And we've killed two birds or three birds with one stone here, four actually. So, make sure based on what we've experienced. And the other thing I've noticed is that with Microsoft Teams, at least, as time went, as the clock was ticking, it almost seemed to be building up some, I don't know, the only thing I could use to describe it would be a static charge.

Jim Moran:

I mean, it isn't literally because that's not how it works. But you might notice that some of your communication software, some of your collaboration software might deteriorate over time. So, it's probably not a bad idea. And we did this with the one audit at the 50-, 55-minute mark, we stopped for five or seven minutes. And when it got bad enough that when the leg got really uncomfortable, we just rebooted and you may have to duck.

Jim Moran:

So, that could be something to keep aware of. So, ISO 19011, as I said, this is the new version. The 2018 version has some much more guidance than it had last time. 5.4.3, section k talks about communication technologies. If you haven't got a copy of the new version of 19011 and if you're registrar, it's barking it, giving you or extending the use of remote audits and you want remote audits, you might want to have a look in here.

Jim Moran:

Now, remember that 19011 is not a set of requirements, it's only a guidance document. But you could always point out to them that, well, 19011 says blah, blah, blah, blah. And again, the previous versions, and there's another document that you can get for free. It's called M for mandatory and D for days, mandatory days, MD5. It's readily available IAF, International Auditing Forum. I think that's what the F stands for, IAF.

Jim Moran:

And it has a chart in there for all the registrars to use for calculating days, for quality, and for environmental. But there's also guidance in there or used to be guidance in there that the registrars are only allowed to go up to 30% remote. And that's now been changed. If it hadn't been changed for COVID, it's definitely been revised. It's been revised during COVID. So, the door is open for 100% remote audits except for IATF 16949, and perhaps parts of 17025, which I'll confirm later.

Jim Moran:

And the technology is so much better now than it was even five years ago. And I'm not sure what's going to happen with 5 g, but that should pump it up even more. So, there's even guidance in there about communication technologies. There's resources that support collaboration that's in 5.4.4 g. You can see that clause number there, talks about resources, making sure that you can collaborate. And we're going to talk about testing ahead of time too.

Jim Moran:

Audits can be performed on site remotely or as a combination. So, there's an opening there, audits can be performed remotely. And again, if everybody's ready, and so many have switched to all kinds of communication tools now with COVID, that people are more and more comfortable with it, depending on where you're at. That's interesting. Scenarios for both human interaction and no human interaction. Sometimes, the auditor can be looking at documents and records without necessarily having to have you talking to him or her.

Jim Moran:

Especially in the stage one audit, if any of you are not certified who are visiting us today and are thinking about it, the stage one audit has typically been done without too much interaction. Although, I always encourage my clients to spend the time with the auditor, stage one, just so that you don't get a whole bunch of not addressed, not addressed, not addressed for the style of auditing, where they're looking for everything to be documented, which isn't required as much anymore.

Jim Moran:

So, in the standard, it talks about human interaction, that would be the auditor asking you to show him or her some things, any documented evidence, stuff you've retained or maintained. And then, he or she could be looking at things on their own, especially with software or our platform, for example, allows you to make the auditor a read-only-visitor and that way, they can look at things in your system. Anything you don't want them to see which shouldn't be the case with an ISO [inaudible 00:17:43], if say, there were something you didn't want them see, you can just protect the page separately.

Jim Moran:

This is in Annex A, Table A.1. You can check that out in 19011. Make sure that audit objectives can still be met. This is a requirement that the registrar has to demonstrate to the accrediting body that when they have issued a certificate to you for conformance to the standard, whichever ISO standard you're conforming to, the registrar needs to be able to demonstrate that the audit objectives were met. They're typically stated in the audit plan. That's one of the objectives, scope of the audit objectives, and the criteria. That's all mentioned, the audit plan.

Jim Moran:

So, make sure that you and that registrar's auditor agree on what the objectives are for the audit and that you have everything in place that you can actually meet it. Visiting the auditee's location. In A.15, you can see that number up here, addresses Section C, addresses virtual audit activities. And of course, we want to make sure that we continually pay attention to what risks are there. I guess the most debilitating risk would be to have the internet go down.

Jim Moran:

And so, if there's any possible way you can maybe develop. For example, in my case, I thought about this for today, so I can take my phone out and I can create a hotspot on my phone and hook my computer into the hotspot, it would take probably 30 seconds or 45 seconds. So, there's that backup, you can think of a backup like that. Another thing that can help is a floor plan of your location sent to the auditor, so that the two of you can be looking at the floor plan together at the same time.

Jim Moran:

And the auditee or the auditor can say, "Can you take me to the number 30 press?" And so, you'd walk out, you'd say, "Okay, I'm going down this hallway here." You can share your screen, show the auditor where you are, and then the auditor can ask to see some things. So, floor plans can be pretty helpful. Watching people actually perform activities. Remember the three ways that auditors gather information are interviews, which can be done virtually of course.

Jim Moran:

Watching people do things which now you could do with maybe the guide holding a phone or a tablet or even a laptop, aiming the camera at the person doing that work. And then, finally, there could be surveillance. Surveillance cameras are just Information Technology in your organization where the auditor, if you could give him or her access to the feed, they could see people moving from one area to another. This might be handy, say, in a place like receiving or shipping. There could be some information like that there.

Rick:

Jim, hang on a second.

Jim Moran:

Yes, please.

Rick:

Dr. [Choudhury 00:21:01] makes a point here, it goes with the last section you were just enumerating. He says some activities cannot be assessed remotely in a microbiology laboratory, how to deal with this issue during remote assessment?

Jim Moran:

Interesting. Well, if you can get a human into the part of the lab that you're thinking might not be able to be viewed remotely, if you can get a human in there and if you can get a sterilized, maybe a phone, a smartphone with a camera on it, or a tablet that you could sterilize, or maybe even sterilized and put it into a container that doesn't have any fibers, if it's that lab, or maybe just through the glass. That's a great example of some things that will be more challenging than others in terms of how to actually see activities going on.

Rick:

Well, something else we're going to be talking about later are some of the immersive technologies. We're talking about drones, but also essentially you can mount a camera on a robot these days too. So, I mean, you can have a non-personal contact too.

Jim Moran:

Yeah, thanks. Could perhaps be something like an arm inside the microbiology area, or maybe install two portals with gloves inside and hold the camera inside with the gloves. That would be interesting. That'd be a good one.

Rick:

Also, and by the way, Mel makes a comment. Remember, you also have the evidence to review. So, I think what he's saying is not everything has to be real-time. You can look at the effects and verify reporting and so forth.

Jim Moran:

Good point, even Dr. Choudhury's comment on the medical lab or the microbiology lab, there would be a report made from any tests that were done. So, that could be checked. But of course, you'd like to see it happening, that's for sure. This is SimplifyISO platform. And you can see that everything that you need for the audit is accessible here. There's a search function up there, if any of your auditees get a little nervous because they're being audited.

Jim Moran:

So, there's all kinds of ways you can take advantage of that. So, we have a poll, Rick. Are you ready for a virtual audit? If you'd like to pop that up? Are you ready for a virtual audit? Thanks. So, let us know how far along you are. Anything you want to add, Rick? Or any other comments in the box?

Rick:

Not yet. But I mean, in terms of readiness, I think we're going to talk a little bit more about access and so forth. But I think the reason we talked about systems here, because the virtual auditing is essentially system dependent, and it's also a system enabling. We talked about the fact that before, you might have had an audit assigned to one person, and you can stratify the audit into different expertise.

Rick:

It does open the door for a deeper look into your system should you wish to allow the registrar and the auditor access to that. We're looking at the results, the bulk of people, obviously, the documentation is available or somewhat available. That's half and about 30% say they're ready to go. And then honestly, about 14% say they're not ready at all. So, that's fair.

Jim Moran:

Yes. By all means, feel free to send us a question off anytime. We can even have a 45-minute workshop at your locations if you wanted to have me answer questions from your folks or talk about what it's like. So, we'll talk about that at the end as well. All right, thank you so much. And let's move on to screenshot. And it's going to be part of the audit. For sure, the auditor and you will be looking at screens together just like you're looking at this screen today.

Jim Moran:

Most auditors I've seen, any auditing I've done, I've never had to take pictures. I've noted the number of invoices I'm looking at, number of reports I'm looking at, any nonconformances, audit reports, Management Review reports, or even preventive maintenance logs, that thing. So, they shouldn't be something that an auditor will be doing constantly. You think of yourselves, you don't probably take too many pictures in internal audits.

Jim Moran:

I know some of you might for a nonconformance to show as found condition of whatever the issue was. But the other thing, of course, is going to be confidential documents, confidentiality. Remember, the auditor has signed a nondisclosure agreement with the registrar. And they're liable. They're legally bound to not share any information from any of the clients with anybody. And then, the registrar, in your contract with them, also have nondisclosure terminology as well.

Jim Moran:

So, just be aware of what screenshots the auditor is taking, if any. And just make sure that they're completely essential. It's possible they want them for some reason or other but if you find them taking excessive screenshots, that might be worth having a conversation. And make sure that anybody appearing on screen is given their permission. When we do the ASQ workshops, often, the people who are attending the workshops, their pictures are there.

Jim Moran:

And we do state at the beginning. And Zoom requires it as well that somebody announced that it's being recorded and you were told. For those who came late, the presentation gets recorded so that we can send it to you at the end of the week. So, make sure that anybody who is taking part in the audit is aware that they will be on screen and make sure they've given their permission. Events taking place. In 28 years, I've had three fire alarms go off.

Jim Moran:

Only one of the three, we had to postpone the audit. The other two was just an hour delay. In one case, in about an hour and a half than the other. So, we just worked a bit late and then started a bit earlier the next day. But there is a requirement in the guidance in 19011 to make sure that in the audit report, you identify any conditions that existed that you feel as the auditor that may impact the validity of the findings.

Jim Moran:

So, if you had a fire a major and major disruption, then we have to make a decision. Do we interrupt the audit and try to get back on track a little bit later? Do we reschedule the audit? This only happened to me once. In fact, I was on the way to an audit at a factory nearby, a few miles away, and got a phone call. And she said, "Don't come in. We just had a fire." They had some ductwork that exhausted the fumes from the paint area.

Jim Moran:

They created metal things and they painted them. And the vents had been malfunctioning, the fumes collected in the ductwork and they had a fire. So, it took a day or. So, we rescheduled that one. But the other ones were not a problem. We just had the quick break and continued. I think one of them, we even cut the lunch by 15 minutes just to keep on track. And I think Rick mentioned this, take breaks to reduce fatigue.

Jim Moran:

And it's tempting, especially when it's new for everybody, and it's new technology and everybody's getting used to it, you're rolling along, you want to make sure that you remember to pause, even just getting up out of the chair. When you're auditing live and walking around, it's not quite so bad. But when you're sitting in your chair, auditing, if you don't have the advantage of a standing desk like Rick has, then you need to force yourself.

Jim Moran:

Probably wouldn't even hurt just to put a little timer on your watch or on your phone just to remind you that move. And you'll find that the auditors are very, very cooperative in this regard. It reduces fatigue, screen time and all that thing. Respect privacy. So, even when you do take a break, I turned my camera off, turned the mic off, and it helped me ensure my own privacy. But at the other end, they did the same and it had ensured their privacy as well.

Jim Moran:

So, it's not quite the same as live because you can go into a room, you can close the door and have privacy. But with a virtual audit, you have to remember to take those steps and respect the other person's privacy as well. We have to be aware of privacy laws too for everybody online. And it's important that you know what they are for sure to see what applies. Obviously, none of you would have underage children at your workplaces.

Jim Moran:

Now, I suppose if you're working from home, one could wander into the screen from time to time, especially if when school starts back. If it's alternate days and some of the children are home during the day, that could be an interesting situation. You won't have to sign release forms or anything, but just be aware that there are these things called privacy laws and that you and your auditor need to be aware of how they apply.

Rick:

Jim, I'm going to make a comment here. In the States, there are state by state check variances. For instance, I live in Indiana and we are a single party recording state. Meaning, I do not have to ask permission of anybody I record. But if I go next state over, then I have to get explicit permission to record. So, you're right, it does vary.

Jim Moran:

Neat. So, not to imply that it's going to be scary or anything, just find out what they are and make sure that you have everything in place you need to meet those requirements. Thanks, Rick. And auditors need to know they need to be familiar with the equipment. And I've suggested many times and we'll see a slide later about practicing ahead of time, just so that you're comfortable, they're comfortable, there're no surprises. John Larroquette used to be in a Holiday Inn and that the line was no secrets, no surprises.

Jim Moran:

And again, just keep checking the transmission. You could go as far as checking the speed from time to time if you want to. And if you see it's getting slower and slower and slower, you may have to just figure out, just take 10 minutes, shut everything down reboot, and you're ready to go. Agree on the protocols. This is again, A16 from a clause in the annex from 19011 that you still need contingency plans and figure out if there are any unusual risks. As I mentioned, the biggest hammer would be if the power went out.

Jim Moran:

So, you could mitigate that risk by having an uninterrupted power supply on the router itself. But if all the power goes out, desktop computers won't work, but laptops still would. Especially if you've got a power supply for the router, you can still be in business. Depending on how widespread the outage is, your auditor may have experienced the same thing. And you need contingency plans for individual people's equipment failing for whatever reason.

Jim Moran:

One thing you can do there is have a couple or three extra laptops or phones or tablets. Tablets are pretty inexpensive and the quality of tablets today is remarkable for the price, and the sound quality is quite good as well. Right here right now, I have a microphone plugged into my laptop. And I used this during the audits that I've done. And it does make the sound a little bit better. And we have another poll, Rick.

Rick:

Just before we launch that, Ray had made a comment that I think just goes with what you just said. He said remote audits missed out on other sensory cues on people's activity and peripheral vision. The auditor that did not want to be seen, there may be visual cues that he's missing there, too. So, I mean, it might be something to be specified even though it seems like a vanity thing. I think Ray's point is accurate. You can actually have a nonverbal communication channel that's shut down if you're not careful. So, here's the polling.

Jim Moran:

Good. Thanks.

Rick:

Jim, I don't know if we need to maybe talk about some of these things. But document management applications on their own server, meaning, of course, we're going to talk about IT security and access and so forth. But there's a distinction there between anything that's stored in the Cloud versus locally, and the access and provisioning and permissioning that needs to be provided. We're talking about specific other types of quality tools accesses like document control software, audit control software, Incident Management software, that thing.

Rick:

The registrar, wanting to have drones, or like we talked about earlier, cameras on robots or something wandering the facility. I mean, that's a little more out there, but it is happening. I mean, BSI is using them. So, I mean, you have to think about those things.

Jim Moran:

Are you ready for it? Yeah.

Rick:

Mersive technology, I think if you think about gaming, that world with VR headsets, that's really what we're talking about there. Or GoPro if you want to think about a camera that you can put on a helmet, et cetera.

Jim Moran:

There'll be some challenging areas. Paradox with us today from [inaudible 00:36:34] Measurement Canada. And there are a lot of pretty tricky calibrations they do there and validations, verifications that it could be a challenge. As the doctor mentioned as well, could be a challenge in some types of labs, some installations. So, it'll be learning for everybody. That's for sure.

Rick:

Looking at the results, obviously, everybody's going to be using some a conference calling or collaboration software like we're doing now with Zoom and so forth. That's 86%. Next highest utilizations are the same, using some shared document storage system, which again, has its issues. So, security, we'll talk about that. And access to any specific document management system just like SimplifyISO that you showed.

Rick:

I mean, those seem to be the top thing. I don't think people are really, at this point in time, looking at more the advanced things like drones and things like that. I think it's coming potentially. But obviously, this is a crawl, walk, run stage right now.

Jim Moran:

Yeah. Yeah. We're still in the crawling stage. That's great. Well, thanks for all your inputs too, everybody. And it's going to help us moving forward, that's for sure. So, let's take a look at some of the other tools. We've talked about Skype, Microsoft Teams, the SimplifyISO platform, that's recommended, by the way, just like you see in the software settings. GoTo meeting, some of you may have used that, Webex, Zoom, ReadyTalk. We use Webex with the ASQ. It's a little clunky. Zoom's pretty good.

Jim Moran:

The polls are a little tougher to use that in ReadyTalk, that's for sure. And most of all of your registrars will have their own setup for you. Many of them will use Microsoft Teams. Some of them will use Webex. And again, could be a combination of Microsoft Teams and Zoom. Skype, I haven't heard too many people using Skype yet, but it'll certainly be case by case basis. But make sure that the registrar you're dealing with has people, has competent people, you have a chance to look into it.

Jim Moran:

And some of the pluses you'll see up here, pluses and the positives and negatives will depend on the installation. Again, you'll have to make sure you have the bandwidth to do this. When you think of the money you'll be saving on auditor expenses, that might help you justify spending a little bit of money on an upgrade for your service, for your web service. Now, there is a company idea within Tillsonburg, where they have a lot of EMF machinery on the floor and they do not have internet on the floor.

Jim Moran:

So, that will be a challenge for them. They'll probably have to change how they approach their business, how they run their business just for the period of the audit. And again, they use the SimplifyISO platform. So, the auditor will be able to see all the documentation, all their audit reports, any readouts they get from machinery and so on. So, again, just make sure you give yourself enough time to get all the kinks worked out before you-

Rick:

Jim, sorry to stop you there. Couple comments. Just from [Camilo 00:40:23], he said that they use at least two of those tools, the Cloud and Zoom meetings as Cloud storage, I'm assuming you said. However, that does bring up an issue. Like he had mentioned, if a service goes down, it doesn't hurt to have a backup service. It's unlikely that you're going to have much service disruption, but I'll be honest with you, Zoom has had a few major calamities, both from an access standpoint and from a security standpoint.

Rick:

And the other thing I would just point out having used a number of these programs over the years, probably for almost 15 years now, the capabilities vary wildly. I just didn't stop using. So, I have service that was a GoToMeeting service called join me, very simple, fairly reliable, but the feature set was just not there compared to Zoom. And then, specifically speaking to a Zoom, it has its own plugin or application environment.

Rick:

Some of which, we've explored news but different types of capabilities, different types of display, different types of forms and different types of things that interact or have APIs to other programs. So, in your evaluation, you have to decide how full of a feature set you need or want. Also, a comment from Samuel [inaudible 00:41:36] maybe using Google classes. I'm not sure. I thought Google stopped the class program.

Rick:

And I won't go into why they did that. That is an idea. And I have seen various iterations of it coming back. So, he brings up a good point. If somebody doesn't want to go to a full VR headset, which looks clunky, and also is restrictive, there may be some less invasive types of eyewear or camera outfits that might make the observation or the surveillance if you want to use that prerogative. And then, another comment from Mel, he said, we're going to talk about this.

Rick:

The clients have their own security systems they may use. These are ITAR requirements. So, I think, maybe will be his comment, we'll start to talk about IT security and so forth a little later.

Jim Moran:

Yeah. Good. Thanks. And there are lots of good ideas. If you want to check out a CSA website, Cloud Security Alliance, just type those words, Cloud Security Alliance, there could be some ideas there for you too. Thanks for your comments too, folks, and thanks for bringing us up to date on that, Rick. The audit itself shouldn't change. You'll have an opening meeting. You'll go through the typical methods that the registrar, auditors use that collect evidence, collect verifiable evidence through their three typical methods, interviewing people, watching activities, and then reviewing documents and records.

Jim Moran:

They'll evaluate the evidence, they'll come up with some audit findings, they'll review it with you, and then come up with a conclusion. They'll have daily debriefs. We had three when we did the first audit, seven, and the second one was a longer audit. And finally, there'll be just as always a closing meeting. It's possible here on the left-hand side, ahead of the opening meeting, the planning is going to be a little different. We're going to talk about that in another slide or two. The auditors might not want his or her camera... yes?

Rick:

I'm sorry. Good comment from Mel, that the sign in sheet is important to have for opening and closing meetings, the kickoffs and so forth. I think verifying who participated is a key aspect of it.

Jim Moran:

Yes. And on that same note, thanks for bringing that up, Mel, the audit report will clearly state that this audit was done remotely. Up til COVID, the auditors were expected and all of them did that I ever saw, they were expected and noted what parts of the audit were done remotely if there was some remote auditing that happened. So, that'll be exactly the same except the explanation will be that in this situation, the entire audit was done remotely.

Jim Moran:

Here's the telephone sign. You can see where this auditor didn't want to use his or her camera again. They'll have to get over that because Ray mentioned the visual cues you get from the auditor's expressions on their faces, questioning expression, agreeable expressions, nodding in affirmation, that thing. Some of people might still be working from home, dogs barking, children being themselves, phones ringing.

Jim Moran:

And if there's any other things that you have experienced, the few of you have had done remote audits or virtual audits, if you could just type a few things that maybe something that happened that was a bit of a surprise, if you could just type that into the chat box. That'd be great. And IT security issues, we talked about that already.

Rick:

I'd like to throw a few more ideas in there if you don't mind.

Jim Moran:

Yeah, please.

Rick:

I was listening to, and this was back in April or May, an IT security projection. And they were basically saying, it's not if but when the next major, in a sense, interference or hack, whatever you call it, and the reason is everybody was set up for onsite security, but not home-based security. It's just basically invitation any hacker or thief, as far as information is that thing. I do think that security policies though really need to be addressed.

Rick:

And I would almost counsel everybody to really reach out to your IT department and find out what their concerns are. And more importantly, like we talked about with the NDA, I mean, when you're just talking about permissioning auditors to different types of databases that you normally wouldn't do internally, this is a whole another area. In fact, quite frankly, I think it could be a webinar on its own to talk about some of these issues.

Rick:

And essentially, you're creating another employee or onboarding another employee. And all the issues with ISO 27001 standard with regarding phishing attempts would apply. They have to become aware of your security concerns and standards and come up with some compromise. Balancing their need for access to information with your need for security.

Jim Moran:

And that point about the employee working from home, huge. And again, before a virtual audit, it would really be wise for the IT department to counsel everybody, especially people working from home and having the IT folks check their things from home. Well, I know a lot of people have taken their work computers home, and they have lots of limits, like they can't download plugins and different things like that. So that it is farther reaching than you would first think of. Thanks for bringing that up.

Rick:

By the way, Mel also makes [inaudible 00:47:35] one of the questions that I asked during the audit. "I feel like the security of remote locations as part of the infrastructure." And you say, "Don't forget confidential papers that are still printed." I mean, that is a way of, I guess, securing things but also having them secured depending on how your physical document management systems.

Jim Moran:

Yep, we even had an example somebody gave about the sign in sheet. What we did was they printed it off. We had an electronic version, printed it off. Everybody signed it. We scanned it. The final scan was the one that had all the names. And there'll be certain things like that. A lot of organizations still do things, some things, in hardcopy. And if it's a large drawing, it can't be scanned very easily.

Jim Moran:

Some of you may have had the joy of being part of a witness audit, the registrars who are accredited have to be audited the same way you do every year. And you might end up, at some point, being part of a witness audit. So, the accrediting body will be watching the registrar audit you. That's what the witness audit is all about. And that'll be fascinating. Now, we have a whole another layer of observation in it and hopefully, it'll be smooth enough.

Jim Moran:

Again, every registrar has to have these done. So, depending on how large an organization you're certified by, you may or may not be part of that. But just be ready for it in case it happens. Auditor needs to be flexible. They're going to have to do a little bit more planning, and maybe a different planning. They may have to adjust their pace or the order of the audit. Evidence might have to follow after.

Jim Moran:

There could be things that just due to the nature I mentioned, drawings, large plan drawings, that thing, they may have to be sent on a later date, or find a different way to do it. I remember a couple years ago, there used to be some a handheld scanner that people would use for business cards and things like that. That technology could be brought back to life or revised in some way to make use of, say, if somebody just wanted to see some signatures on some documents, that could be helpful.

Jim Moran:

Preparation might take a little bit longer to share documents, sharing the audit plan, identify the auditees. And the methodology might include more breaks for the auditor to review documents. And again, the auditor may be reviewing documents with you or he or she might be reviewing them on his or her own. So, what do you think the main differences will be for you going forward? Just use the chat box if you would, please.

Rick:

I'm going to use the opportunity here to catch up on some chats that I-

Jim Moran:

Yes. Oh, great, thanks.

Rick:

I just want to let you know that that this attendance idea. Roberto has brought it up, Mel has brought it up, Samuel's brought it up. And so, one mentioned that some of the collaboration software like Webex does have a documented attendees list. Samuel asked, would you accept the Outlook accepted attendance list? And then, there was a comment back, from Roberto. So, this is not enough because you may invite a lot of people but no evidence that they attended.

Rick:

Mel comes back and says, this can also be part of the business continuity, which TC 176 is looking at for the update in 2022. So, I think what they're reflecting here, the newness of this and the need, essentially, to revisit some of that information. Mel also says, by the way, think about your continuity scanner, if you look at an iPhone or any Android device, there is a scanner right there the picture basically a, sorry, your cameras turns into scanner.

Rick:

Obviously, you have software that can recognize a barcode and so forth. So, it's not really that big of a deal to document it. I guess I would go back to the same thing of security, though, you're talking about this section here. And that is I think you need a plan for who has access to it, where the storage is going to occur. What security is going to happen to me? If an auditor keeps your documentation on his home computer, it's intrinsically or inherently unstable or accessible.

Rick:

So, I think that's an issue. [inaudible 00:52:02] we have to be flexible to new way to do business. So, it is a little bit of a wild west here, but I think the opportunity is always, in my opinion, the risks and the negatives.

Jim Moran:

Thanks. And its own world. We should have this again in a year. And see what transpired for everybody over the last year. Thanks. So, that brings us to the close. As many of you know that through just getting emails from us, we have a platform that we'd like to show you anytime you like, 10 or 15 minutes just to see if it's a fit to get you ready. And just head to the site. This one here SimplifyISO.com. And there's a big green button there to schedule a demonstration. So, we've got one last poll for you here.

Jim Moran:

We'd like to know, what topic would be most interest to you for the September webinar?

Rick:

I'm just going to go through, expand a little bit some of these topics. The cost of quality would be in a sense how you compute the cost of quality, mostly to show your management the return on investment than investing in quality could bring. And we're even thinking about maybe creating a little tool, a cost of quality calculator which you could use for your, obviously, you put your own fingers in, but we give a presentation that you could make, so to speak. That's the idea.

Rick:

Real-time quality data collection, there's a whole new set of technology that is lowering the cost of sensors and line sensors. Distributed types of things where you can use Wi-Fi, and essentially, take one machine if you needed it. And do a live stream data collection on that which is tremendously valuable for many people. Even some upstream customers are requiring it so they don't have goods returned and rejected coming out of a plant that's very far away and then they shut down there just in time.

Rick:

Assembly line, this could mitigate or at least ameliorate but mitigate some of that. Small proficiency testing for management systems. Basically, we're looking at, hey, testing your employees from time to time, or your quality team or whatever, even top management to see if they know enough to satisfy the requirements of ISO so that what auditor comes in, you have actually could have proficiency testing. This could be another record that you could use for remote auditing to prove that your people know their stuff.

Rick:

And this can be done a period of various times, could be an onboarding thing for new employees, or somebody who's been around for a few years and may have forgotten that, certainly, it could be a tune up before an audit, either internal or external. Self-paced online training is what it sounds like, instead of, forgive me, that you'll have butts in seats anymore, but eyes on the screen anymore, but the idea is instead of having a live training, to have something self-paced a little more, a little more expansive than perhaps you've seen in the past where it's just a PowerPoint or a video.

Rick:

This is more of interactive with through what we call a learning management system that people can actually use. And they use multimedia to create a tailored learning approach. However, people learn best for their own learning style. Another thing we could talk about is a back to basics webinar, we seem to be very popular. Jim's put down some of the topics, risk management, corrective actions, root cause analysis, those always "sell out," if you think about it.

Rick:

Career impact, we've got this whole project called a management system professional, where we're trying to give you the tools to not only create a better in effect resource base for yourself within your organization, get more resources that you deserve by getting more management visibility. It also helps you in your career path, things like that. Audit project management is self-explanatory. But audit is a world unto itself, and if you guys would like it, we could certainly delve into that in much more detail.

Rick:

This remote auditing that we did today would be one aspect of it. But all the ways from verification to management to making things more efficient, to, in a sense, lowering internal costs, the hours that you have to spend to it, making things more repeatable for next time, essentially, flying more process, controls too, and all kinds of things that we could explore. So, just for your opinions about these topics, and we'll be happy to put a session together, exploring some or all of them.

Jim Moran:

Fabulous. Well, it's 1:02 currently on my watch. And the next webinar we're planning is for the 28th. September 28, we'll make sure that you get plenty of notice about it between now and then. Complementary topic, intensive talk, peer-to-peer, we can have it any time of day, 45 minutes, just to let your folks talk about some issues that are important to them, or yourselves if you'd like. Or there could be a case where you feel that top management would be more convinced if someone from the outside had a comment or did a workshop with you guys on it, just 45 minutes, no charge.

Jim Moran:

And that would be something to keep in mind for you. So, we'll stay focused on that. And by all means, just a quick reminder about if you want to see if the SimplifyISO platform can give you a hand, we'd love to have the opportunity just to show it to you. Thanks very much for helping me out today, Rick. It's been great working with you. Any more comments in the chat?

Rick:

Yes, there's actually a few. And by the way, if you all want to stick around a little bit, Jim's available to address questions. So, we go ahead and put some of these. [inaudible 00:57:56] said, "Everybody, instead of once a year all-in audit, this remote auditing will allow us to do more frequent smaller audits." And I think that's a very powerful observation. And I really hope that that's true, that becomes true. From Dr. Choudhury again, "Remote assessments require a lot of document review. Any good suggestions to overcome this?"

Rick:

He's right, it's going to get document and systems heavy if you're not careful. I don't know how we would overcome it but maybe make the process a little more efficient. And then, as time goes on, reuse materials, templates. Obviously, templates, but checklists, guidelines, those things. Even though you don't want to depend on them too highly but they could make things a little more efficient. Would that be correct, Jim?

Jim Moran:

Yeah. And Dr. Choudhury has pointed out something that is pretty scary about remote audits. It's actually, if auditors aren't trained well, it has the potential of setting the whole management system movement back 30 years to 1987 when it was all about the documents. So, until people become comfortable with having auditees walking around, looking at activities, they could slide back into that old method. I hope all the registrars get their auditors the IRCA document called Next Generation Auditing. You could all get it all for free. It's free on the IRCA site. Next Generation Auditing talks about auditors trying to look for results.

Jim Moran:

Does the process give the proper results? For a while, could be a year or two, I think, as Dr. Choudhury's point is really important that beware that your auditor could slip back into a totally document focused audit. We hope it doesn't happen, but unless they're made aware that they're doing this, it's possible it could just happen under the radar. That's a good point. Thanks. Anything else? Any other comments?

Rick:

Yeah, also Mel's making a point that he had an auditee ready to talk about their work for the auditor. So, to focus on the results. I think that's a good point. And I think the idea of creating a forum, people is a great one.

Jim Moran:

Yep. Yeah, that'd be a good topic for a peer-to-peer interaction, just how to make your internal audits paid better. That was actually our first webinar, wasn't it? Enhanced Internal Auditing and we want to invite training auditors look for results, just for conformance to a badly written procedure. Not that all procedures are badly written, but more than just looking for conformance look to see if you're getting the results.

Rick:

And the last comment, I think, from Mel is sometimes you need to lead the auditor, I think that's probably a good wrap up for this whole webinar. And that is not to be passive, but ultimately, you're paying the bill. It's your audit, it's your certification. Do not be afraid to stand up to start or ask for change.

Jim Moran:

Yes, absolutely, you're paying the money. If the auditor and you aren't getting along, for example, if the auditor won't show his or her face so you can get some visual clues, and have a chat with your registrar. Thank you all very much. And as Rick said, I'm here. I'll stay on as long as anybody likes. And thanks so much all of you for taking time out of your busy days. And keep safe, whatever you're doing, stay safe. And that might actually not be a bad webinar.

Jim Moran:

What are you doing at work to keep your employees safe during COVID? That's an interesting thought. Maybe I'll do an article on that next couple of weeks. So hopefully, see you on the 28th. We'll send you lots of information between now and then, not to worry. And thank you once again.

Rick:

[inaudible 01:01:57], Jim.

Jim Moran:

Thanks.

Rick:

As far as sticking around, Patrick mentioned, there will be need to share a well-developed audit plan with a client well in advance of the audit so they can prepare responses and compare the interviews. Thanks, Jim. It's good to see you again, so.

Jim Moran:

Yes. Thanks for coming by, Pat. Hope you're enjoying your retirement. Good day. Yeah, thanks. Okay.

Rick:

I think that's about it, Jim. If you want to close your own?

Jim Moran:

All right. I will. Thanks, everybody. We will see you-

Rick:

Oops, I'm sorry. There's some more stuff here. So, what's your thoughts on competency management?

Jim Moran:

Wow. You mentioned the learning management system before, Rick. Something that automates it is definitely a bonus, especially if you have more than, say, a dozen employees. And competency is the demonstration of skills and knowledge as opposed to just having a certificate, the competencies, the demonstration.

Rick:

Good point.

Jim Moran:

So, assessing competency, managing competency can't be done by paper. But any system that remind you that somebody needs to either have their competency assessed or even by a regulatory requirement for, say, a welder's ticket to be updated or a forklift driver's ticket or first aid ticket, that thing. And it doesn't have to be $100,000 program. Learning management systems can really help take the pressure off of trying to remember who has to have what done, when. A lot of clients I have, you just strictly use Excel spreadsheet.

Jim Moran:

Names on one side. Skills across the top. But if you can get it into a database idea and you're larger, maybe larger manufacturing organization where people are multi-scale, then can be actually multitasking or can be shifted from one task to another. Any learning management system that helps you identify who's qualified to do what, that can help you manage your competency activities as well. Thanks. Anything else you've seen in the learning management system side, Rick, that would help address this question?

Rick:

No, I think it's true. In fact, I think we're underutilizing the LMS environment. Because of COVID, so many of the universities and so forth have gone online, teaching but also to online testing and verification, some of it can be a little draconian. But honestly, I think there's a balance point that we could reach between essentially learning and evaluation. And use it from the same system so that, like I said earlier, the learning style has changed. Some people have the ability to learn one way, some people have to learn ability the other way. We need to accommodate those styles.

Jim Moran:

Yeah. And lots of training class just taking the PowerPoint slides, put them up and videotape them with the person talking behind them. And that's better than nothing maybe. But it'll be a while, I think, before they start developing interactive, which is what we do in our courses. Of course, we have breakout rooms and interaction. So, it really helps. Thanks. Anything else?

Rick:

Some other comments. Yeah, from Mel. There's a checklist used by the client to show competencies expected. I think it's a good point. Samuel says, "We have 800. And we're trying to develop a system to manage this with CENELEC standard." I'm not sure what CENELEC is but obviously, when things get big, it's time to get out of the spreadsheet realm and into the database environment like you said. So, I think that's something we've learned from the end of the days of the crude spreadsheet and moving to a little slightly less crude database.

Rick:

But I think the databases is much more flexible these days.

Jim Moran:

Yes. Especially relational databases. Absolutely. Thanks. Yeah, if you could have some assessment tool that gave warning if someone's competency seemed to be slipping in some way-

Rick:

That's a good idea.

Jim Moran:

As you track that, do a green, yellow, red rating. You have a dashboard thing going on. Yeah. Especially with that you have more than 12 people, 15 people, it's pretty hard to keep track of everybody. Then if you take an 800-person company, if they have the typical turnover of 6%, that's 50 people a year, one person a week. And then, all those 800 people to continually monitor their competency. Yeah, definitely makes a good case for some learning management system.

Rick:

All right, I think that's it.

Jim Moran:

Thank you so much.