Value and efficiency using data and remote auditing
The Covid-19 pandemic has brought stark awareness to organizations globally about their preparedness to handle operational challenges and risks. This provides an opportunity to strengthen and future-proof internal systems.
The disruption or severe reduction in the movement of people and goods has resulted in gaps within global value chains. Delayed shipping and transport schedules have impacted the flow of commerce and has severely affected a population of workers dependent on location to carry out their responsibilities. The impacts of these disruptions for businesses and organizations have included quick adaptation of internal operating policies which affect stakeholders and clients. Access to good information and data about internal operations performance and the risk management measures of governments and businesses is now essential for organizations to make informed decisions in a landscape of new operating risks.
Sustainability standards systems are being affected by the pandemic and face operational and reputational risks in assurance.
Traditional certification business models rely on the movement of auditors across national borders to execute in-person audits of certified operations. With limited movement of auditors and differing national and regional health risk measures, certification programs have adopted interim policies to manage the daily work of certification audits. Where annual or bi-annual in-person audits were the norm, measures to face new conditions are being taken including the issuance of audit delay policies and the implementation of remote audits. Changes to certification audit rhythms will have other impacts on audit planning. Impacts include a greater need to forecast audit demand and auditor capacity while evaluating the conditions for certificate validity and renewal.
These circumstances require certification systems to adapt how audits are planned and executed. They also create an opportunity for organizations to strengthen internal data and risk management systems that will ease current operational burdens and prepare them for future disruptions.
The ways that standards systems are coping with pandemic conditions reveal how collaboration and best practices in data and risk management could help organizations not just survive current challenges, but thrive in the future.
Let’s look at some examples:
Innovation and change: Trialing broad implementation of remote and hybrid audits
Standards accustomed to deploying auditors to conduct annual in-person audits are now relying on derogation policies to delay audits and/or supplement them with remote desk audits to keep certification cycles on schedule. ‘Hybrid’ audits combining in-person visits and desk-based documentation reviews are also being implemented.
These practices bring to light important challenges and opportunities for assurance. Remote audits carry several challenges, from ensuring that clients feel confident in sending large document files to auditors (instead of having auditors review them in person), to ensuring the reliability of virtual worker interviews and factory tours used in evaluating social compliance requirements.
Implementing remote or hybrid audits requires assurance systems to adapt how they operate. These audit types require additional training for auditors to ensure consistency and competence while adhering to good data handling processes. Data handling becomes more essential when important audit documents and data are being exchanged digitally. Additional communication and reassurance across a range of stakeholders from certified operations to certification bodies are also needed so that assurance system actors feel they can trust the procedures and outcomes of these audit types.
The glue ensuring the rigor and consistency of remote and hybrid audits is data and information which immediately grow in importance when digital exchange is essential to audits.
While most organizations may be using stopgap measures to manage pandemic conditions, many also sense that the use of different audit types is here to stay.
The implementation of remote audits at greater scale across many third-party sustainability certification systems provides useful insights to accelerate the digital transformation of certification. What needs to be in place to ensure the credibility of these audit types? What determines the optimal mix of audit types for different scenarios?
Strengthening: Best practice tools and guidance are already available
How can standards systems address auditing challenges while minimizing the risks in assurance posed by auditing conditions during the pandemic? Beyond practical auditing challenges, there are broader risks and effects for assurance system performance. Standards must be careful to maintain the rigor and credibility of remote and hybrid audits while accommodating their clients through audit delays in order to maintain their certification status. These conditions create compounding operational stressors on clients, certification bodies, and assurance staff since they are new and require a different set of skills and processes.
The good news is that tools, approaches, and guidance already exist for standards systems to build and deploy the systems needed to use assurance information effectively to manage risks. In 2018, the ISEAL Alliance revised its Assurance Code of Good Practice and strengthened the Code’s risk management and information management requirements and guidance.
Practical tools are available to support certification systems and other types of verification programs in strengthening their assurance information management and risk management systems. ISEAL Alliance members can access guidance notes on these topics. Tools include:
- Specific steps and templates to build data governance practices (traceability for data). See this framework to explore ways to address your assurance data pain points.
- Steps and guidance on how to develop an assurance risk management plan
More specific activities where information and data can be used to improve the success of remote and hybrid audits include:
- Updating the assurance system risk register– Capture information on specific assurance risks and their severity (e.g. auditor knowledge for conducting remote audits, physical auditor capacity in different geographies, certification cycle disruptions). This register can be used to inform assurance audit policies and improve audit processes.
- Defining business challenges in the context of the data that is needed to make key decisions
- Identifying and creating an inventory of key data useful for addressing business challenges
- Mapping key data from source to value creation (e.g. reports for decision-making)
- Brainstorming how the data and information from remote audits can be used for improving assurance and adapting auditing policies.
Is your organization already implementing the above activities that can ease the burden of pandemic audit conditions? How is your organization using the data collected in audit reports from remote and hybrid audits?
Thriving in uncertainty: Sustainability organizations are using data and risk management for success
In the first months of the pandemic, data-savvy organizations quickly deployed data and risk management tools to face new operating conditions. It was quickly evident that different geographies and countries had fluctuating risk management approaches regarding the movement of people and goods.
In early 2020, NEPCon, a large certification body for forestry and agriculture certification, shared its risk management policy and approach. NEPCon published its risk policy which included a risk profiles map across the geographies where their auditors are active in conducting audits. Having the risk management policy in place and a data-driven approach to visualizing audit risks enabled NEPCon to respond in an agile way to assurance challenges posed by the pandemic. Using these tools, they were able to identify high-risk certified operations and determine where to accept risk in deploying auditors while monitoring the evolution of operational risks in different countries as the pandemic evolved.
There is an opportunity for assurance systems to collaborate on sharing these maps and other similar information to avoid duplication in risk monitoring functions within the sustainability standards community. NEPCon’s risk policy and monitoring of country risk status for auditors likely provides useful information for other standards. The global risk profiles map alone is information useful for other standards as a basis for refining their own risk policies. Beyond managing pandemic conditions, sharing this information could also encourage broader collaboration across standards in using data and information for risk management across a range of topics including sustainability goals and issue areas.
How could standards collaborate by sharing risk policy and mapping information to create efficiencies in managing current auditing conditions?
The pandemic is creating opportunities for innovation in assurance and the conditions to innovate have never been better because all organizations are exploring forced change to the status quo. Some organizations are seizing the opportunity to build dialogues on how pandemic audit conditions can create greater value at lower cost for certification clients. This can be achieved if remote audit information could provide the basis for better ongoing performance monitoring and information management processes for certification. Assurance Services International shared more on the role of technology and data to enhance audits and whether the conditions of the pandemic mark the end of the traditional audit.
How is your organization seizing this opportunity to innovate, gain efficiencies, and provide greater value to certification clients?
Contact me to discuss assurance system improvements and data governance best practices so that your organization can emerge from the pandemic more innovative and future-ready.