Can remote auditing provide the rigour of an on-site visit?
Richard Jenkins, Chief Executive of the National Security Inspectorate, explains some of the challenges and opportunities involved in protecting staff and facilities in a post-COVID-19 world and how security buyers can best approach this.
The operational demands involved in enabling the return to work of furloughed and remote working employees following the COVID-19 pandemic have been a sizeable learning experience for all employers. Unprecedented health and safety measures to ensure safety of staff and visitors and make premises COVID-secure have been implemented, including upgraded cleaning procedures, ventilation, PPE provision, social distancing and some limiting occupancy of premises.
Naturally and properly these safeguards have been prioritised, as befits the importance of the measures required. But it’s also important to be mindful that the coronavirus pandemic simultaneously presents other challenges with wider repercussions looking forward, including escalating security threats.
In this context the independent global risk advisory consultant Sibylline has recently warned organisations to mitigate a variety of risks that have been exacerbated by the COVID-19 pandemic, such as the potential for cyberattack, terrorism and organised crime.
Rising unemployment, potential civil unrest and related societal tensions are also driving concern.
In the context of such heightened security threats, careful attention to the socio-economic impacts of COVID-19 is appropriate. This situation demands attention is given to relevant protective measures to effectively deter, detect and in the event, be ready to respond to any incident. In this way an organisation’s staff, assets, sites, reputation and business continuity planning are secured and allow day-to-day business activity to proceed safely.
Operational challenges
A key way in which buyers of security services including guarding services and security systems, can meet the demands imposed by these circumstances is through selecting providers with suitable credentials. Independent third party certification can offer as much, and so plays proxy for the discerning buyer. It serves to give confidence in the capability and integrity of providers, with the reassurance of quality services supplied by companies which meet relevant standards and operational codes of practice. In practice, benchmark certification is attained through a rigorous ongoing audit programme, a not insignificant investment cost for the provider.
The continuing delivery of audits since the start of the COVID-19 pandemic lockdown has in itself proved challenging. Where certification body auditors have no longer been able to visit firms in person, attention has instead turned to the potential of remote audits – utilising known but until now less widely used communications technologies.
The obvious key question is of course: does a remote audit provide the essential rigour of a traditional on-site audit? Is remote audit an adequate answer to the public and businesses reliant on this discerning buyers’ proxy and does it ensure services meet the competency requirements laid down in standards and codes of practice benchmarks?
Remote audit potential
Coronavirus ‘lockdown’ has seen collaboration technologies being put to far wider use across society – not least in the auditing community.
Interest in remote auditing has risen exponentially over the last six months. COVID-19, so the headlines have it, means that in the world of auditing the time for remote audit has come. Where audit programmes require a focus on reviewing and a reliance on documentation, the now widely familiar technologies of Skype, [Microsoft] Teams, Zoom and the like go a long way to making this possible. Of course, user familiarity with technology and resilient communications are essential to the success of remote audit, as is the availability of key personnel. Any unreliable network or VPN connectivity causing interruption in interviews and meetings can be hugely wasteful and limiting in the completion of successful audits. Yet it’s clear that remote audit – some call it a ‘dynamic desk top review’ – is here to stay. The COVID-19 crisis has given it a traction previously possible, but not adopted, and where Quality Management System audits are concerned the results have proved positive.
It’s also equally true that nothing beats ‘getting out in the field’, ‘seeing for yourself’, and ‘kicking the tyres’. In a variety of situations remote audits are neither practical nor desirable. They do not make best use of the expert auditor scrutiny of the unexpected, the cross-checking of good practice and interviewing staff to verify management’s ‘party line’; put simply, when it comes to product (and service) standards, only on-site audit can tick all of the boxes all of the time.
NSI has accordingly adopted a blended audit programme strategy – a carefully considered combination of remote and on-site audit capability fit for a future post-pandemic world.
Working with current Government COVID-19 guidelines it is delivering for the security industry and its customers, with on-site audits gathering evidence of compliance to technical product (and service) standards. Meanwhile, remote audits are routinely utilised at NSI’s discretion for assessing ‘Management System’ requirements where process and control has a greater emphasis on documentation, and so delivers a complete audit jigsaw.
Conclusion
The all-important confidence of security buyers in services provided by independently audited third party certificated companies should be upheld through a blended remote and on-site strategy designed to ensure robust and trustworthy certification for buyers.
In the current COVID-19 climate new and potentially significant risks may emerge. In this context the reassurance provided to security service buyers through comprehensively certificated services is all the more valid.
Richard Jenkins
Chief Executive
National Security Inspectorate
