Not much more than a year ago, businesses were operating as usual. The COVID-19 pandemic changed this, in many cases initiating a digital transformation.

The continuous travel and company restrictions still in place mean in-person audits are no longer feasible. To maintain supplier assurance levels, industries are using remote audits. With added information and communication technologies (ICT), remote audits enable quality and compliance teams to play an active role with ongoing supplier activities without disrupting critical operational areas. Embracing this alternative auditing approach helps maintain a robust supply chain.

Supplier audits provide insight and verification that suppliers are operating at the highest level of quality. Audits confirm a supplier’s ability to meet product requirements, production demands, and ability to maintain a positive relationship with the stakeholder.

The key to performing a successful remote audit is divided into six areas: plan, schedule, perform, report, actions, and close-out. Let’s look at each area and summarize the key aspects of each one.

Step One: Plan
A thoughtfully planned remote audit will minimize backtracking and streamline the process. It will also help ensure a stakeholder’s policies and procedures accurately reflect the expectations and requirements of suppliers. Current regulations do not provide guidelines on remote audits, so companies should evaluate each supplier using a risk-based approach and on whether the outcomes are achievable through a remote audit.

Before moving forward with scheduling a remote audit, review the list of essential items for each supplier, including whether:

• The quality agreement does not call for specific security and data protection issues
• There are any apparent IT concerns, firewalls, security, or limitations
• Access can be allowed to relevant documented information, including software, databases, and records
• The organization is operating regularly due to contingency situations 

Organizations should document if each supplier can meet goals by whether they can be attained with the remote audit. If so, they can proceed with the remote audit. If goals can be achieved partially, a partial remote audit can be completed. Finally, if goals cannot be achieved, an in-person or onsite audit must be performed.

Step Two: Schedule
Initial Stakeholder Review
After initial planning, the organization must provide a review of the supplier’s profile for critical stakeholders that includes the following deliverables:

• Company and point of contact
• How the audit will be performed
• Type of audit (e.g., new supplier, routine, risk assessment)
• Supplier risk-level category (high, medium, low)
• Product, service, or item being audited
• Number of days for the audit
• Number of auditors required
• Supplier Notification for a remote audit

The remote audit should be organized in an onsite audit format. A new or current supplier audit is used to verify the continued ability to meet product requirements, production demands, and an effective quality management system. Stakeholders must ensure both parties are competent in the process and have the online connection capability.

They can do this by providing the supplier with a detailed remote audit notification which contains the following:

• Purpose of the audit
• Scope of the audit, including items such as physical locations, departments and areas, relevant systems, and policies and procedures
• Dates, schedule, and auditors (e.g., remote tour, determine areas which are necessary to review, documentation request, department manager interviews)
• Pre-audit documentation request (e.g., quality policy, index or complete quality manual, organizational charts, list of products and current specifications/IFUs, facility map

Step Three: Perform
Opening Meeting (same format as onsite audit)
Remote interaction can be a phone call or videoconference web meeting that includes:

• Introduction
• Attendance sheet
• Audit plan and activities
• Review objectives, scope, schedule and criteria (standards and regulations, procedures and policies are applicable to work, procedures are up to date, employees are trained, records maintained, historical information, sampling plans and strategies, verification through observations, discussions and review of documents)
• Health and safety questions
• Confirm daily and final close-out meeting(s)

Conducting Audit and Document Observations
During a remote audit, documents can be reviewed via video conference with screen share, real-time video images, asynchronous document, and data review.

Stakeholders will need to gather information to support the audit activities which can include interviews, observations, and review of documented information. Audit observations evidence should be evaluated against the audit criteria to determine the audit finding/observation. Observations should be documented using risk-based thinking. During the audit, confirm inputs match the outputs, training, equipment is maintained, flowcharts match the process, housekeeping, and basic GMPs. Also determine whether the supplier identifies and controls hazards and risk.

Closing Meeting
According to ISO 19011:2018 guidelines for auditing management systems, the audit team should meet before the closing meeting to:

• Review audit findings and any other appropriate information collected during the audit against the objectives
• Agree on the audit conclusions, considering the uncertainty inherent in the audit process
• Prepare recommendations, if specified by the audit plan
• Discuss audit follow-up, as applicable
• The closing meeting is the same for onsite or remote. The purpose is to present a draft or preliminary audit report to ensure the audit results are clearly understood by top management.
• Document attendance
• Review scope, standards, and regulations
• Methodology of reporting
• How to address audit observations
• Recommendations or opportunities for improvement
• Best practices
• Observations (definition of nonconformance and CAPAs)
• Confidentiality
• Next steps

Step Four: Report
The purpose of the audit report is to communicate the investigation results, which will guide management on necessary decisions and activities. The report should be a complete and accurate record of the audit. If there are no observations, an audit report is still required. Ensure the audit report is written using common terms or define unfamiliar terms, try to avoid acronyms, and avoid using fluff.

The report should include:

• Objectives and scope
• Audit team
• Dates and locations
• Audit criteria
• Audit findings/nonconformities and evidence of the nonconformity
• Requirements
• Risk classification
• Provisions for recording corrective action and follow-up activities
• Opportunities for improvements or feedback on the suppliers’ best practices
• Statement on the degree to which the audit criteria were fulfilled
• Statement of the confidential nature of the contents

The audit report should be dated, reviewed, and accepted—then distributed to the relevant parties.

Step Five: Actions
Once the audit findings are complete, ensure the accuracy, sufficiency, and appropriateness of the corrective action and documentation received meets and supports the audit findings.

Step Six: Close-Out
“The audit is completed when all the planned audit activities have been carried out, or otherwise agreed with the audit client” (ISO 19011, clause 6.6). Clause 6.7 of ISO 19011 continues by stating that verification of follow-up actions may be part of a subsequent audit.

The benefits of remote audits are apparent: lower cost, no travel restrictions, no logistical constraints, better use of resources, and the ability to continuously monitor suppliers. The functionality of a QMS can further streamline remote audits and supplier management.

A supplier management module collects, tracks, and manages required supplier documents providing real-time status on the dashboard. Risk-based supplier audits can be scheduled, allowing suppliers to update certificates, specifications or instructions for use, and other documents in one location, enabling users to communicate bill of material (BOM) needs.

Once the appropriate criteria are evaluated, auditors can generate a formatted report that includes the written audit observations of good practices and risks and problems identified. This report forms the basis of the discussion about the audit results and findings. An audit management system provides reporting capabilities that also generate trends and metrics against data gathered across reports. For example, using a system that can track multiple auditing groups, risk and prioritization can be rolled up and used to determine the prioritization of resources across groups, not just on a siloed basis within each group.

Real-time data visibility and drill-down functionality enable organizations to become proactive. Furthermore, an integrated supplier management process allows manufacturers to identify trends, make decisions without relying on inconsonant data, determine the probability of issues, identify opportunities, and drive operational productivity.

Conducting audits is a necessary step to reduce costs, provide safe products, and reduce the chance of supplier chain disruptions. To achieve supply chain sustainability stakeholders should take a risk-based approach. Coupled with a remote supplier audit process, this will minimize supplier and, ultimately, patient risk. 

---

Zillery A. Fortner is the product marketing manager of Life Sciences at Sparta Systems, a Honeywell company. She earned a bachelor’s degree in health science from South University.   Fortner has 20 years of experience in the medical device arena related to quality assurance, regulatory affairs, and JACHO. She served 10 years in the military as a certified surgical technician. Fortner is an active member of ASQ and AAMI.