Standards Institute-Registrar Accreditation Board
of Accredited Registrars
Organization for Standardization’s Committee
on Conformity Assessment
Board for Conformity Assessment
System of Australia and New Zealand
Council (Raad Voor Accreditatie)
per l’Accreditamento degli Organsimi di Certificazione
for Accreditation (Traegergemeinschaft fuer Akkreditierung
As a growing number of businesses
conduct Web-based conferences, sales transactions, training
sessions and seminars, it’s not difficult to imagine
that online auditing to quality management systems such
as ISO 9001:2000 may soon be common practice. In fact, it’s
not just a whim in the minds of technologically savvy quality
professionals--it’s a reality.
Earlier this year, members of the International Accreditation
Forum and QMS application providers convened to discuss
the complexities of achieving a sound and successful remote
assessment process. The meeting produced several points
of concern, such as the security of the system itself, technical
expertise required of the assessors, different maturity
levels of e-based systems and knowledge gained from pilot
projects. Although the specifics are still very much in
the works, all the participants agreed that creating guidelines
for remote assessment would be a successful venture.
Stanley Salot, president and CEO of Business & Quality
Process Management LLC and a participant in the IAF’s
knowledge-sharing session, first toyed with the idea of
remote assessment back in 1997. “I was working for
Hitachi implementing ISO 9000,” he remembers. “When
the assessors came into the facility, they spent about 80
percent of their time in front of the computer. That was
The benefits are clear, says Salot. First, it makes sense
technologically. “Industry has the tools to set up
e-based quality management systems, and it’s up to
the assessor to support those systems,” he says.
Second, it makes economic sense. With the repercussions
of Sept. 11 affecting everything from air travel to stock
prices, many companies are asking, “Why am I flying
an assessor to my site when the entire process is visible
via an Internet connection?”
Moreover, remote assessment has the potential to offer
auditors access to much more information than previously
available. Traditionally, organizations are audited at one
point in time, whereas assessment via the organization’s
e-based system could offer continuous monitoring of certain
preselected performance indicators. This is advantageous
to the assessor because it provides a better idea of the
company’s process as a whole.
However, skepticism and opposition to the idea of remote
assessment exists: How can you assess a facility you’ve
never set foot in? How can you ensure that the information
you see on the screen is a true reflection of the quality
process? “About nine out of 10 people who learn about
this are skeptical,” admits Salot. “They’re
part of the old guard of quality professionals who basically
say, if you can’t see the person and the process,
you can’t assess conformity.”
Whatever the criticism, Salot believes that the industry
is inevitably headed toward remote assessment--if not for
first-time auditing, at least for recertification or surveillance
audits. “When you implement a solid e-based management
system, it’s already measuring your quality, your
processes and your pulse, in real time,” he asserts.
“Companies are taking more ownership of their quality
processes, and the assessors must respond by educating themselves
on e-based audit procedures.” The question is, how
do you go from thinking about remote assessment to actually
carrying it out?
Those interested in developing e-based assessment guidelines
are looking closely at Japan Quality Assurance, which remotely
audited several of NEC Corp.’s facilities for ISO
14001 re-registration. NEC developed an e-based document
control system that could distribute regulations throughout
the company in real time. According to NEC, the system has
saved about 700,000 sheets of paper and 30,000 hours of
management time per year.
This led to a partnership with JQA, and Net Audit, an
environmental auditing system available over the Internet,
was formed. Through Net Audit, JQA was able to check NEC’s
documents and records, review records for all of the organization’s
facilities at once and obtain preliminary information that
would cut on-site auditing time by 60 percent.
JQA plans to expand its e-based auditing practices to
include ISO 9000. Experts are looking at this example not
only as a model for automating document control but also
for creating an all-inclusive system that can track workflow,
corrective/preventive action, audit trails and all other
ISO standards requirements.
“Although the NEC and JQA accomplishment is compelling,
it really only represents document control and the availability
of documents over the Internet,” says Salot. “It
doesn’t address the total business process, and it’s
not clear whether they have true workflow management. However,
this is definitely a step in the right direction.”
Participants of IAF’s knowledge-sharing session
identified four key areas that must be recognized and accommodated
in order for remote assessment to be successful: guidance,
audit competence, recommendations for assessment mechanics
and potential certification/registration body business models.
It wasn’t the intention of the session to offer direction
in these areas but rather identify them as key points for
Attendees included representatives from ANSI-RAB, SCC,
RvA, SINCERT, JAB, UKAS, JAS-ANZ, TGA, IAAR, IqNET, and
ITIC, Vintara, EtQ Inc. and BQPM.
The following outline gives a general overview of some
of the topics covered at the meeting. These points are outlined
in an IAF report written by Randy Dougherty of ANSI-RAB
and Dale Misczynski of ITIC:
Guidance. Because of the velocity of technological change,
participants agreed that any guidance developed concerning
remote assessment should be kept at an IAF level, rather
than to create ISO/CASCO documents. Furthermore, a higher
level of technical expertise is required of both quality
system implementers and assessors.
- Stand-alone or annex. Guidance documents should
be applicable to ISO guides 61, 62, 65, 66 and 17025.
Potential application to ISO 17799 and ISO 13485 should
also be considered.
- Definitions. E-based management systems come
in varying levels of complexity, and definitions must
be developed for each. The management systems should contain
document control, corrective and preventive management,
application configuration management, security, audit
trails, and visible workflow.
- Maturity of implementation. Maturity (i.e.,
robustness, security and integrity) of the system must
be considered in order to determine how remote the assessment
should be. The certification/registration body must make
a judgment concerning the maturity of a client’s
e-based QMS in order to customize an appropriate certification
- Remote assessment. Remote assessment is possible
using existing technology. A key concern is the way in
which the certification/registration body gains secure
access to the client’s system. The client may have
to develop security nondisclosure agreements before allowing
Additionally, because certification, recertification and
surveillance audits vary, so must the method of e-based
auditing in order to accommodate the client’s needs.
- Formats. IAF should not standardize formats
or terms. This may present a potential handicap for the
assessor and can be mitigated by requiring the client
to keep a controlled data dictionary and/or data flow
diagrams. The dictionary/diagrams should be open at a
user level and should never be considered confidential
- Information validation. The certification/registration
body would not be responsible for validating information
flows; rather, it would be in charge of reviewing the
client’s process for validating information flows.
- Process validation. The certification/registration
body must be confident in the validity of the client’s
process. The body should not be responsible for process
validation but rather ensure that process validation is
- Functionality. The client should provide the
assessor with a system search engine, a guidebook, a site
map, a data dictionary, an ad hoc report generator and
any other tools to help the assessor perform the audit.
- Sampling vs. total analysis. E-based environments
may lend assessors the ability to search for discrepancies
in a large number of records, as opposed to performing
a spot-check, as is done in paper-based environments.
- Point-in-time vs. continuous analysis. An
e-based environment offers the ability to continuously
monitor a QMS.
Auditor competence/education. Auditor education should cover
e-based management. The report states: “It is doubtful
that the current lead auditor training courseware can simply
be upgraded to meet the requirements. Rather, a new curriculum,
potentially from new unaccredited providers, will evolve
to meet the requirements.” Application providers of
e-based management systems may be of assistance in training
auditors how to assess e-based QMSs.
- Systems/process thinking. A systems/process thinking
approach must be taken.
Recommendations for assessment mechanics. A minimum requirement
of tools and facilities is needed to assist the assessor.
- Bandwidth. Higher bandwidth offers a more time-efficient
way to audit a system.
- Orientation to the system. The client should
provide orientation to the assessor about how its e-based
QMS is set up.
- Facilitator. A client-provided facilitator
would significantly benefit the auditor.
Potential certification/registration body business models.
Although remote assessment offers the potential for flexibility
in the auditor/client relationship, it may also create the
need for better oversight by the accreditation body.
- System provider/operator. The certification/registration
body may be a system provider, given that the systems
are developed to be compliant to the standard. A model
for Web-based packages is also feasible. However, this
idea may not be commercially viable and may not provide
The knowledge-sharing session also covered the desire
to apply remote assessment techniques. The report states:
“Pilots composed of clients, certification/registration
bodies, accreditation bodies and potential application providers
should be structured to gain wide visibility and experience.
They should be encouraged to experiment, to test the limits,
to provide ample opportunity to develop a solid structure
for the future.”
Kennedy Smith is Quality Digest’s associate
editor. Letters to the editor regarding this article can
be e-mailed to firstname.lastname@example.org.