Willing to conduct off-site/remote and virtual audits in the COVID-19 era? A simple decalogue

Looking at the situation nowadays, many certification bodies have procedures in place to carry out remote audits, and some strictly require staff to work from home and ban staff travel. Clients are telling auditors not to come for site visits too. And, as you know, in many places most businesses are legally prohibited from opening their doors.

As you know, with ISO 19011:2018 this is much more feasible.

Off site audit

Remote auditing. Audits can now be performed fully and easily (and at much lower cost) on-site, remotely or as a combination. (“On-site audit activities are performed at the location of the auditee. Remote audit activities are performed at any place other than the location of the auditee, regardless of the distance. Interactive audit activities involve interaction between the auditee’s personnel and the audit team. Non-interactive audit activities involve no human interaction with individuals representing the auditee but do involve interaction with equipment, facilities and documentation.”)

Virtual audits. Virtual audits are conducted when an organization performs work or provides a service using an on-line environment that allows persons, irrespective of physical location, to execute processes (e.g. a company intranet, a “computing cloud”). “A virtual audit follows the standard audit process while using technology to verify objective evidence”; this represents an opportunity to reposition auditing processes, sometimes perceived as “old-fashioned” by young startuppers, as an up-to-date management and control process.

This is important because, when it is feasible, postponing the audit is definitely not recommended… the risk is a terrible congestion of urgent audits in autumn! What about their future quality?

YES BUT…how to practically engage with off site auditing?

1. Talk with customers and auditees. It’s not just a matter of kindness: it is NECESSARY to reassure the people involved in your audit schedule and make them confident about the effectiveness of this activity and its results. Don’t forget that now more than ever the people you’ll interview are working in pretty stressful situations! Don’t forget either to ask about, and try to agree on, the most favourable moments to perform the interview. Without an on-site audit, and therefore without eye contact and physical interaction, concentration is much lower and decreases very fast!

2. Plan the audit much more in advance… your audit schedule should be communicated in good time (at least 2 weeks). Sometimes firms are working with reduced hours and reduced staff: who is going to answer your questions, and when? Do it, especially if you don’t personally know anyone in the structure you are going to audit and have no idea of the physical layout of the customer’s offices and facilities. And by the way, try to understand how many key roles are using smart working procedures.

3. Perform a pre-audit risk assessment: to be feasible, the audit should take the connected risks well into account. You need to be clear and professional with all involved parties. Look at your audit plan: how many steps are risky according to elements such as availability of key resources, poor IT infrastructure, slow internet connection? Is everything feasible, or are there unfortunately no alternatives and the audit must definitely be postponed?

4. IT infrastructure and business continuity: it’s not just about the company’s infrastructure, it is also about yours! Have you defined in good time with the audited organization what this audit will look like? Which tools are you going to use? Skype, Hangouts, Zoom, etc.: everything is good when previously agreed and TESTED! Don’t rely too much on technology, and perform a test beforehand. And by the way… do you have an alternative? These days all the free and business platforms are experiencing a dramatic overload… prepare an alternative for connecting with the auditee!

5. Videos: Can we use videos? Of course the answer is “yes.” But how well trained are the personnel using the video equipment and technology, and what type of video are you going to use? And not just in terms of video capabilities. A lot of warehouses have security cameras that record and can be remotely controlled to focus in on different areas of the warehouse. If it’s live there is no problem at all. In fact, if someone from the client is on-site right during a dialogue/interview and can send a live video feed back to the auditor to watch, that makes it easier to determine authenticity. You can also easily recognize the client location. The same may not be true for recorded videos. Try to avoid them.

6. Collecting evidence: how are you going to exchange and jointly view documents and files? Best, especially considering privacy and confidentiality, is a synchronous procedure, so that all information is exchanged in real time, only during the audit, together with and under the supervision of the auditees. Ideally, do not use e-mail but temporary access to a cloud area/partition specifically meant for the audit. Make sure the procedure you have in mind is compliant with the company’s privacy and confidentiality policies.

7. Share your opinions/conclusions with the auditees as much as possible. This will help their internal communication (sometimes difficult nowadays) in clarifying and addressing non-conformities/issues/corrective actions in good time.

8. Regularly update the audited organization about the progress of your agenda and any possible problems in keeping to the schedule. In an off-site audit it takes much more time to reschedule an activity/interview.

9. Invest time and take special care of the initial meeting, in order to reassure everybody about the audit schedule and to fix issues.

10. Previous audit non-conformities and subsequent corrective actions: take special care of them, well in advance. See to which degree they can be addressed and verified using remote audit, or whether an on-site verification is mandatory.



Quality, ISO 9000, QMS, what is what? (Quality concepts made simple)

by Ouijdane El Arabi (a graduate of the National School of Management and Trade, Oujda, Morocco, and a current student at EMUNI University, Slovenia, in the Euro-Mediterranean entrepreneurship diploma (EMED); previously worked in several non-profit organizations and also interned in many businesses).

quality systems 

ISO 9001, quality, QMS, quality management, certification… Many terms and concepts have been talked about for the last 10 years, and many new entrepreneurs, managers, business students and members of the public confuse these concepts with others and find it hard to understand exactly what they are about!

In this article we will explain in very simple words what quality is about and what are the most important concepts that we have to know about as students, consumers, entrepreneurs, present or future managers.

Quality, is it about price or about the best product in the market?

Quality is defined by the International Standards Organization (also called ISO) in ISO 9000 (2015) as “degree to which a set of inherent characteristics of an object fulfils requirements”.

In other, very simple words, quality is the degree to which the organization delivers the object (product, service, process, system…) exactly the way it was demanded by the customer.

The concept of quality is directed towards the customer, not towards the business or marketing, as a lot of people think.

Before continuing with other concepts I must clarify something: a product coming from China is not a product of low quality, and another product coming from Germany is not a product of high quality. In fact there is NO high, medium or low quality: there is only QUALITY or 0 QUALITY (or NO quality). It all depends on what the customer REQUIRES.

For example, suppose that as a customer I am asking for a pink long-sleeved shirt with a high black neck, made of pure cotton, and there are 3 companies telling me that they have what I want. When I go and meet with the sales managers of the businesses, I find out that:

| Company A’s offer | Company B’s offer | Company C’s offer |
| --- | --- | --- |
| A PINK T-SHIRT with a high neck made of cotton | A PINK SHIRT with HIGH BLACK NECK made of cotton | A GREEN shirt with high GREEN neck made of polyester |

So, after reviewing the 3 offers, I figure that Company B is the one that delivered what I required: that is QUALITY.

Companies A & C have offered different things than what I required: that is 0 QUALITY or NO QUALITY.

And of course the quality issue depends on what I want as a customer, how I want it, when and using which tools.

This subject is strictly related to another important and critical topic, especially for startups and SMEs: writing down product specifications, that is, written statements of an item’s required characteristics, documented in a manner that facilitates its procurement or production and acceptance. Understanding the real meaning of quality assurance and writing down accurate product specifications may be the key to success for many firms.

QMS, certifications: what are these concepts?

A quality management system (QMS), on the other hand, is a set of policies, requirements, standards and rules needed to carry out execution and production through a particular process in the company.

For example, ISO 22301 (business continuity) is a standard to create a BCMS (Business continuity management system).

We often hear that organization X or process Y is ISO 9001 certified, and we often do not understand what it means or how it can help us as customers. First of all, the term certification or conformity refers to a set of processes that show your product, service or system meets the requirements, based on ISO’s definition. So when we say that X or Y is certified, it means that they follow the requirements of a standard (ISO 9001, for example).

In very simple words, it means that the organization respects the rules of ISO 9001 in making a certain product, service or system. This is verified by an independent, competent third-party organization (http://www.bulltek.com/registrar_assistance/registrarassistance.html). In any case, you can use the standard internally as a guideline even without being certified.

ISO 9001, 27001, 22000, 14000…: what is the difference?

Each of these standards is designed in most cases for a particular type of industry, service… Let’s see which is which:

ISO 9000 is related to quality management (ISO 9001 means that the business has respected the quality required by the customer from the very first stages of the concept to the very last steps of production and beyond; ISO 9002 means that quality was respected from production through to after-sales services…).

  • ISO 22000 is about food safety management
  • ISO 27001 is related to data and information management
  • ISO 14000 is related to environmental management
  • ISO 4217 is a standard for currency codes.

The list goes on and on (please check the ISO website for popular standards: https://www.iso.org/popular-standards.html). ISO has set standards for a wide variety of very specific disciplines, industries and areas; however, ISO 9000 is one of the standards that can be applied to every industry or process, and it has become very important in many aspects of business life.

How can ISO 9000 help my business as an entrepreneur?

Being certified under the ISO 9000 family helps organizations in many ways:

  • Works positively towards image building and good reputation of the business.
  • Gives quality assurance to the customer.
  • Facilitates obtaining funds and cooperation.
  • Facilitates growth capital and the search for new shareholders and investors.
  • Positions the business in a good rank when compared with competitors.
  • Keeps a continuous track of the business audit (please check Dr Max’s article about audit and quality).
  • The employees are very concerned with the customers, so they stay dynamic in customer help and customer service.
  • The business is up to date and has numerous actions towards its inner and external business environment.



Is 9001 2015 viable for startups?



Not many young entrepreneurs are familiar with ISO 9001 standard.

All they think they know is sometimes that:

- it may be useful at a later stage… but definitely not now!

- it’s most of the time an expensive obligation, a condition for access to certain markets or for approaching industrial partners that make the application of this standard a compulsory requirement for doing business with them

- it’s somehow perceived as being against the spirit of a startup… a pioneer doesn’t have to spend time drawing maps; his task is conquering unexplored territories. Startup processes are liquid and constantly changing; tightening up processes, as ISO 9001 seems to suggest, goes against this flexibility mantra

- …ISO 9001 what?

Well, an expert will probably tell you (there are endless articles like that on the net) that ISO 9001 certification is really essential because it:

  • Brings into your organization a continuous improvement culture
  • Helps you to formalize and document your processes; the idea behind it is: if you can do that, then you can easily explain them to third parties/stakeholders, and if a process is formalized, it is also under control
  • Teaches you how to approach the concepts of risk and opportunity management
  • Makes you sensitive to customer needs and issues because with ISO 9001 you have to pay attention to customer satisfaction and customer experience, having therefore the chance to boost your sales
  • Shows you the importance of setting goals and objectives for all your processes… in the end, performance is everything

NO. That is too simple and unrealistic. That’s just part of the truth… when it comes to ISO 9001 certification you have to think carefully about the following aspects:

PREVENTING COMPANY’S FAILURE?

Startups fail for many reasons, but they are definitely NOT failing because they don’t have ISO 9001 certification! First the contents, then the framework… if processes are working, there is always time to formalize them into procedures. Start by getting to know the standard, and then apply its principles internally. Your firm will benefit from it. Undergoing a certification process requires defining a clear certification purpose and having a consistent organization in place… both things require a mature and well-aware organization, with a strong identity and company culture.

CONTINUOUS IMPROVEMENT

It’s in ISO 9001’s DNA, through the plan-do-check-act approach, which is naturally improvement-oriented. Improvements can be defined and realized with many alternative methods. Get familiar with the PDCA continuous improvement cycle as soon as you can: in the end it is a very good management method at every stage of your startup’s development. It is the best way to get in contact with the ISO 9001 world (and also with other standards of the ISO family such as ISO 20000, 14001, 27001, etc.).

PROCESSES DESIGN AND FORMALIZATION

It’s true, this represents a weakness for many startups… they just don’t document and write down their processes enough; but establishing uniform and well-defined processes is essential to:

– transform a craftsman, which a startupper sometimes really is (producing products with sometimes unacceptably erratic quality), into a businessman (able to always guarantee the same quality standard)

– make yourself understood and appreciated by potential partners and investors

Process design and formalization is costly, takes a lot of time and needs to be kept properly updated and therefore well understood by everyone in your organization. In short, it also needs a lot of (expensive and time-demanding) training. Do it in steps:

– set this point as, for instance, a specific business plan goal

– start with core processes, the “heavy ones” that really make your organization look unique and special… that’s a good starting point for developing a good business plan too!

– gradually reach full documentation of primary and secondary processes with a two-year approach


RISKS AND OPPORTUNITY

Getting familiar with the concept of risk from the early development stages is very important. Not being risk-aware enough is a very significant reason for failure for many startups. ISO 9001 tells you to perform a risk analysis, but it doesn’t tell you how to do it or which kinds of techniques are appropriate for a startup. Performing a risk analysis and using it as a management tool on a regular basis requires time and a mature and consistent management culture. A startup is by definition a risk-taking organization. First use the ISO 9001 risk approach in developing some parts of your business plan (for instance the 5 forces model) and get familiar with it. Then fully develop it with the help of a skilled advisor who can provide the most appropriate frameworks and tools to perform the risk analysis.

GETTING FAMILIAR WITH CUSTOMER

ISO 9001 has been customer-oriented since the very beginning of its history. Being aware of the importance of developing skills, processes and tools to hear the “customer voice” is certainly extremely important. Sometimes the customer voice can be hard or too expensive for a startup to detect alone; sometimes it can even be misleading, especially when it’s about bringing to market some potentially disruptive and untried change. There are many methods and opportunities, direct (for instance asking your customers questions directly) and indirect (for instance analysing claims and behaviours), to detect customer satisfaction and the effectiveness of the customer experience provided.

– Start with simple and not too structured methods, gathering the first basic feedback in good time.

– Learn how to use it to improve your organization.

– Refine your research and analysis from time to time, investigating specific elements (for instance those connected with a commercial initiative such as the launch of a new product).

SETTING GOALS AND OBJECTIVES

ISO 9001 provides a really important and widely used framework for setting, reviewing, and taking action against objectives, etc. It can be difficult, especially at an early stage, to efficiently follow the many changes and variations a startup may have to undergo; moreover, goals and objectives may be imposed by partners, investors, customers, etc. First use ISO 9001 just as a framework able to inspire your work and make it consistent. Then refine your work from time to time, following the progressive formulation of your firm’s identity.


It can be concluded that:

  • the implementation of the ISO 9001 standard in your organization is important, but probably not at an early stage of development: at this stage training (also about ISO standards) is instead essential to get familiar with this specific world;
  • at an intermediate stage, you can use the ISO 9001 framework for internal application to build your quality system and try to organize people, resources and processes inside your business;
  • you can then think about ISO 9001 third-party certification when your firm is sufficiently mature to implement and, most of all, improve and maintain such a quality system, growing consistently and coherently with your business development; to make costs sustainable, you can also think of obtaining ISO 9001 certification as part of a cluster, a joint venture or a network of firms.






The risk molecule

Risk management officially becomes the basis for designing processes within a management system. This means taking management measures on the basis of a proper risk assessment: on closer inspection, this is already the approach that characterizes the management of the most virtuous companies and the most competent managers.

The process approach, and the management and interaction of processes, must have as their main objective the achievement of the expected results in accordance with the quality policy and the strategic direction of the organization.
The overall management of the processes and of the quality management system relies, as usual, on the Plan-Do-Check-Act (PDCA) methodology, with a focus on “risk-based thinking” aimed at preventing undesired effects.


RISK is “the effect of uncertainty” on an expected result, and the new standard has made this principle explicit and incorporated it into its requirements for the definition, implementation, maintenance and continual improvement of the quality management system. It is therefore easy to see how risk management will be the guiding thread of the entire standard, for the achievement of objectives.
It will serve to identify not only risks but also opportunities; which risks and opportunities exist in an organization depends on the context in which it operates.

The approach to the standard must therefore embrace all the typical components of risk, namely uncertainty, cause-effect relationships and possible consequences.

Risk is in fact associated with the probability that an event may occur, bringing certain impacts to a given context. But for every event that occurs, we tend not to grasp and evaluate its characteristics and dimensions neutrally, but often only the negative aspect, its potential to upset the balance.
Not, therefore, the positive sides: the opportunity for and/or the need for change.

This is why we prefer to identify every risk, ultimately, as an opportunity:

– to manage managerial, operational and, ultimately, strategic change, instead of being subjected to it;

– for the business, in terms of defending, consolidating or expanding it;

– to “defend”, eliminate or rethink a process to make it more effective and efficient;


We therefore suggest tying risk management closely to value creation. Opportunity can in turn be divided into opportunity to (increase) leadership and to (consolidate) experience.

All this will enrich the company by constantly increasing its resilience, that is, the capacity of an organization to absorb stresses (and damage) by adapting, transforming them into opportunities for change.

So what can organizations do?

The most obvious answer, although correct, would be:

• Identify and rank the risks
• Plan and implement specific actions to address them
• Check the effectiveness of the actions implemented
• Learn from experience (continuous improvement)

It is, however, partial and, so to speak, “one-dimensional”, in that it tends to turn risk management into one of the many company automatisms and takes no account at all of the equation risk = opportunity.
Moreover, this often encourages a disconnected, and therefore scarcely effective, approach across the three typical lines of ACTION, namely:

– intervention on the EVENT;
– intervention on the DAMAGE;
– intervention on the economic and financial consequences;

The most correct approach, and the one with the greatest added value, therefore proposes to:

• Identify and classify opportunities in relation to the company strategy;

• Plan and implement specific actions to manage the uncertainties linked to the opportunities;

• Check and monitor the rate at which opportunities are achieved and their transformation into value-added business;

• Consolidate the company’s leadership and experience, increasing the resilience of the organization.