GM1 21.A.139, 21.A.157, 21.A.239, 21.A.257, 21.B.120, 21.B.140, 21.B.220, 21.B.235 and 21.B.240 The use of information and communication technologies (ICT) for performing remote audits

CAA ORS9 Decision No. 48

This GM provides technical guidance on the use of remote information and communication technologies (ICT) to support:

— regulated organisations when conducting internal audits / monitoring compliance of their organisation with the relevant requirements, and when evaluating vendors, suppliers and subcontractors;

— the CAA when overseeing regulated organisations.

In the context of this GM:

— ‘remote audit’ means an audit that is performed with the use of any real-time video and audio communication tools in lieu of the physical presence of the auditor on-site;

— ‘auditing entity’ means the CAA or organisation that performs the remote audit;

— ‘auditee’ means the entity being audited/inspected (or the entity audited/inspected by the auditing entity via a remote audit).

It is the responsibility of the auditing entity to assess whether the use of remote ICT constitutes a suitable alternative to the physical presence of an auditor on-site in accordance with the applicable requirements.

The specificities of each type of approval / LoA need to be considered in addition to the general overview (described below) when applying the ‘remote audit’ concept.

The conduct of a remote audit

The auditing entity that decides to conduct a remote audit should describe the remote audit process in its documented procedures and should consider at least the following elements:

— The methodology for the use of remote ICT is sufficiently flexible and non-prescriptive in nature to optimise the conventional audit process.

— Adequate controls are defined and are in place to avoid abuses that could compromise the integrity of the audit process.

— Measures are in place to ensure that security and confidentiality are maintained throughout the audit activities (data protection and intellectual property of the organisation also need to be safeguarded).

Examples of the use of remote ICT during audits may include but are not limited to:

— meetings by means of teleconference facilities, including audio, video and data sharing;

— assessment of documents and records by means of remote access, in real time;

— recording, in real time during the process, of evidence to document the results of the audit, including non-conformities, by means of exchange of emails or documents, instant pictures, video and/or audio recordings;

— visual (livestream video) and audio access to facilities, stores, equipment, tools, processes, operations, etc.

An agreement between the auditing entity and the auditee should be established when planning a remote audit, which should include the following:

— determining the platform for hosting the audit;

— granting security and/or profile access to the auditor(s);

— testing platform compatibility between the auditing entity and the auditee prior to the audit;

— considering the use of webcams, cameras, drones, etc., when the physical evaluation of an event (product, part, process, etc.) is desired or is necessary;

— establishing an audit plan which will identify how remote ICT will be used and the extent of their use for the audit purposes to optimise their effectiveness and efficiency while maintaining the integrity of the audit process;

— if necessary, time zone acknowledgement and management to coordinate reasonable and mutually agreeable convening times;

— a documented statement from the auditee that they will ensure full cooperation and provision of the actual and valid data as requested, including ensuring any supplier or subcontractor cooperation, if needed; and

— data protection aspects.

The following equipment and set-up elements should be considered:

— the suitability of video resolution, fidelity, and field of view for the verification being conducted;

— the need for multiple cameras, imaging systems, or microphones, and whether the person that performs the verification can switch between them, or direct them to be switched, and has the possibility to stop the process, ask a question, move the equipment, etc.;

— the controllability of viewing direction, zoom, and lighting;

— the appropriateness of audio fidelity for the evaluation being conducted; and

— real-time and uninterrupted communication between the person(s) participating in the remote audit from both locations (on-site and remotely).

When using remote ICT, the auditing entity and the other persons involved (e.g. drone pilots, technical experts) should have the competence and ability to understand and utilise the remote ICT tools employed to achieve the desired results of the audit(s)/assessment(s). The auditing entity should also be aware of the risks and opportunities of the remote ICT used and the impacts they may have on the validity and objectivity of the information gathered.

Audit reports and related records should indicate the extent to which remote ICT have been used in conducting remote audits and the effectiveness of remote ICT in achieving the audit objectives, including any item that could not be completely reviewed.