On May 31st, the China Certification & Accreditation Association (CCAA) officially released the Guidelines on Remote Auditing for Certification Bodies 2022 (hereinafter referred to as the Standard). The current issue of the Standard is a revision based on its 2020 predecessor. In the two years between the release of its former type and the current edition, drafters learned and applied experiences from remote auditing through the pandemic and were able to apply these changes to the new standard accordingly. The International Accreditation forum (IAF) and the China National Accreditation Service for Conformity Assessment (CNAS) also released a series of documents that provide references used for the revision. 

Remote auditing, a way of auditing based on information and communication technology (ICT), is trending and can help certification bodies manage an ever-changing environment caused by the pandemic or other unpredictable factors. According to the Standard, remote auditing refers to the systematic, independent and documentation process of ICT to obtain objective evidence for auditing.

Listed below are the major adjustments from the newly revised standard:

1. Refinement of the definition. Compared with the last version, the new definition is more refined and fills the more previously ambiguous gaps of information. It clarifies that remote auditing is not only an effective method for auditing but is also a complete auditing process with requirements. For example, the definition specifies that remote auditing aims at obtaining objective evidence offsite and needs to be conducted systematically and independently. Even more, the definition also recognizes partially offsite auditing (in the last version, though specified in the classification of remote auditing, “partially offsite” is not clearly indicated in the definition).

2. Emphasis on information security and confidentiality. The Standard focuses more on information security and confidentiality in the process of applying ICT.  For example, any external support/involvement (especially in terms of ICT) in the auditing process shall be under great restriction. It’s also clearly stated in the Standard that information safety is one of the core responsibilities for certification bodies. More importantly, information safety is now a necessary consideration that decides if remote auditing is applicable. Namely, the Standard asserts that if information safety cannot be guaranteed, certification bodies are unlikely to be able to conduct remote auditing.

3. Removal of redundancy in contract signing. Previous instruction to sign a written contract in order to begin remote auditing has been deleted. The new Standard states that as long as both parties agree on the methods used to conduct remote audits, they may proceed.

4. Emphasis on risk reduction. The Standard also emphasize that certification bodies cannot apply remote auditing more than twice in a row. It also requires that all the information collected through remote auditing be well-preserved to ensure its integrity and effectiveness.

5. Refinement of preparation work. The revised version of the Standard adds more preparation work for references, including further assessment of evidence's availability, the establishment of communication channels between auditors and auditees, and more thorough planning on the presentation of information and documentation provided by auditees.