Remote certification processes during global pandemic times

. Research background: Conformity assessment as defined in the ISO/IEC 17000 standard shows that the specified requirements for the product, process, system, person or entity have been met. A special type of conformity assessment is certification, in which the assessment is carried out by independent organizations, which has been confirmed by an accreditation body. The current crisis related to the development of the COVID-19 global pandemic has forced many organizations to change traditional forms of operation and, where it was possible, switch to a remote mode of work. Purpose of the article: The need to adapt to new realities did not bypass the certification bodies that adapted to the emergency situation, using the possibilities of remote work, including as part of certification processes. The purpose of this publication is to indicate the context of the certification bodies' operation and the impact of such proceedings on trust in the results of their work as well as to show the changes of the way of conducting certification audits by the certification bodies. Methods: For above mentioned matter, four certification bodies were analysed in the area of remote certification processes. The used methodology was a case studies including a direct interviews with certification bodies representatives. Findings and Value Added: The main findings are related to the following issues concerning that remote auditing processes ensure business continuity; there is an increased confidence in results among customers of certification bodies; changes in process costs.


Introduction
The ongoing COVID-19 pandemic has had a significant impact on the certification and auditing services of voluntary standards. The traditional approach to auditing and certification processes on-site visits has been significantly curtailed, and it is unclear when, and under what conditions, it might resume in full [1]. Certification is a special type of conformity assessment, in which the assessment is carried out by independent organizations, which has been confirmed by an accreditation body [2,3]. Conformity assessment in accordance with the definition given in the ISO / IEC 17000 standard is a demonstration that the specified requirements for a product, process, system, person or unit have been met [4,5]. As part of their activities, certification bodies issue certificates of compliance, which confirm that certain clearly defined requirements are met by a product, system or person [6]. Certification results can be used both in the obligatory area, e.g. as part of the conformity assessment of products (CE mark), and in the voluntary area. Regardless of the area in which certification is used, one of its cornerstones is to ensure the confidence of all stakeholders in its results [7,8]. Depending on the adopted model, various methods of certification are possible. Regardless of the differences, there are several basic elements that may occur both in the certification processes of management systems and product certification. These stages can be described as [6,9,10]: 1. Selection containing an indication of what is the subject of certification and compliance with which criteria. In practice, this stage will be related to the submission of an application for certification.
2. Determining the properties through: system audit, testing, inspection, process or service evaluation. At this stage, the certification of management systems uses a two-stage system audit process. In the case of product certification, this stage may concern a combination of system audit and laboratory sampling and testing, inspection as well as evaluation of selected processes.
3. Review of all gathered information in the earlier stages and the decision on certification with granting permission to use certificates and marks.
4. Supervision over the issued certification, if applicable in a given certification scheme. As part of supervision, it is possible to repeat all or some of the steps indicated above.
Taking into account the stages of the certification process and the possibility of using remote techniques, it can be assumed that the most sensitive of them is the stage of determining the properties. The submission of the application or the activities related to the review and decision are elements that can be performed using standard communication channels, e.g. traditional mail or e-mail, or are entirely conducted at the certification body. The stage of determining the properties by auditing the management system or assessing production processes is much more difficult to assess at a distance. This does not mean that it is not possible. On the other hand, elements of the product testing (e.g. assessment of the product's taste and smell) or inspection may turn out to be impossible to perform remotely.
Requirements for auditing management systems included in the ISO/IEC 19011:2018 standard indicate the possibility of using both direct and indirect contact with the auditeetable 1. Although it is not a very popular way of conducting activities, it is permissible under the existing conformity assessment system. In the case of remote audits, the activities carried out may be a personal interaction, where the audit team contacts the auditee. In the absence of personal interaction, the audit team uses the information contained in the documentation, equipment or available infrastructure [11]. As a result of the challenges and restrictions arising from COVID-19, certification bodies as well as certified organisations have had to either postpone audits (and extend the validity of existing certifications) or introduce remote auditing. Remote auditing (or remote assessment) is defined as "the SHS Web of Conferences 9 2, 010 (2021) Globalization and its Socio-Economic Consequences 2020 facilitation of assessment of a Conformity Assessment Body from a location other than that being physically present" (IAF Informative Document Principles on Remote Assessment) and is enhanced by using information and communication technology (ICT) "for gathering, storing, retrieving, processing, analysing and transmitting information". Source: [11] Additional requirements for remote auditing processes are included in the IAF (International Accreditation Forum) MD-04 guidelines, the purpose of which is to ensure the consistent application and use of ICT in audits or assessments by certification bodies. A risk-based approach [12 -14] has been adopted as a basis for these activities, where the opportunities and threats of conducting remote audits should be assessed prior to their use. Examples of activities that can be implemented as part of remote audits include [15]: -meetings conducted using teleconference devices, including audio, video and data sharing; -conducting audit / evaluation of documents and records via remote access, synchronously (in real time) or asynchronously (when there are delays); -recording information and evidence by means of still images, video or sound recordings; -providing visual / audio access to remote or potentially unsafe locations. The applicability of remote audit techniques depends, on the one hand, on the confidence of all interested parties in the results of such processes. On the other hand, the costs of certification that must be incurred to carry out such processes need to be taken into account. As Stoma et al. [16] indicates, the use of computer-assisted audit techniques (CAAT) may shorten the audit time and thus lower the costs of certification. In addition, the dissemination of ICT [17] should improve the evaluation process and significantly affect its effectiveness. Improving effectiveness is also meeting the requirements of the main audit principle, i.e. ensuring confidence in their results.
The use of remote techniques, as Stoma et al. [16] points out, in the certification process of a management system compliant with the requirements of ISO 9001 is difficult, e.g. in the case of such areas as: assessment of customer location and location-specific conditions, assessment of leadership requirements or assessment of the implementation of the main processes in the organization. In addition, the use of remote audit methods should rather SHS Web of Conferences 9 2, 010 (2021) Globalization and its Socio-Economic Consequences 2020 37 https://doi.org/10.1051/shsconf/20219201037 complement direct methods, as is the case in auditing the organization's branches. For example, in order to audit the management system in a bank, it is possible to carry out onsite assessments in several branches, and then conduct additional ones as part of remote audits. The obvious benefit of remote auditing is more efficient use of resources. Remote auditing techniques can save auditors travel time and expenses while improving efficiency [18]. Travel restrictions, as well as the practice of social distancing, that have emerged throughout the COVID-19 crisis have affected the very core of certification bodies operations, i.e., on-site auditing and inspections, which are the foundations of certification and accreditation [19]. Those restrictions in movement introduced in order to minimize the effects of the global COVID-19 pandemic resulted in the need for certification bodies to introduce significant changes to the certification processes carried out. While the use of remote audit/evaluation techniques as a supplement to on-site work does not raise major doubts, the complete cessation of direct activities is a significant threat to confidence in the effects of certification. The guidelines for dealing with emergency situations are regulated in the IAF ID3:2011 document, according to which certification bodies are introducing appropriate actions. Activities undertaken by conformity assessment bodies (certifying and accrediting) should be characterized by mutual understanding, due diligence and trust. Extraordinary events are events that are beyond the control of the organization, such as: war, strike, riots, political instability, geopolitical tensions, terrorism, crime, pandemics, floods, earthquakes, cybercrime, other natural or man-made disasters. Actions that can be taken by the certification body in an emergency are limited in time and their use may be introduced for a maximum of 6 months. In a situation where it is not possible to conduct activities on site, recommended activities carried out by units should include [20]: 1. Risk assessment of the current and future situation of the assessed organization before deciding on further actions.
2. Consider introducing non-standard assessment methods assuming that previously assessed risk is low. These methods should, in particular, include activities such as: • proactive communication with the organization, • planning further activities, • definition of a maximum period for which specific operating conditions will apply, • criteria for the renewal of normal procedures, • possible changes in organization supervision plans, • ensuring that any deviations from the accreditation requirements and procedures of the certification body are justified and documented, • re-establishment of oversight / recertification activities in line with the entity's oversight plans when access to the site is restored.

Methods
The purpose of this publication is to indicate the context of the certification bodies' operation and the impact of such proceedings on trust in the results of their work as well as to show the changes of the way of conducting certification audits by the certification bodies due to global COVID-19 pandemic. In this investigation, a case study is defined as, "an empirical inquiry that investigates a contemporary phenomenon within its real-life context; when the boundaries between phenomenon and context are not clearly evident; and in which multiple sources of evidence are used" [21]. The case study approach is useful in exploratory modes of research and can provide initial understanding of particular situations which may then be utilized inductively to create better theory. The case studies analysed are not meant to be generalizable but rather they are utilized here to gather information about the reality of spa organizations regarding the topic investigated [22]. Generalization and reasoning within the case study was done with the use of the combination of inductive and abductive mode of reasoning. The main focus of this research was to on understanding the cases not on generalizing the theory [23]. The research on which this paper draws involved four case studies of certification bodies organizations from Poland. The case studies illustrate the organizations' approach to manage auditing processes during lockdown while global COVID-19 pandemic in the year of 2020. A case study approach was adopted to allow causes, processes and consequences of behaviour to be investigated [21]. A multiple case study approach was preferred because it enabled the collection of more accurate and comparative data [22].

Data collection and analysis
Fieldwork has been a fundamental part of this investigation. The initial contact with the case study organizations was established by telephone or by email during the months of June and July 2020, and the interviews were conducted at the turn of August and September of 2020. Regarding the interviews with mostly the certification managers, a semi-structured questionnaire which included questions about how the organizations dealt with certification processes and whether they used a remote auditing for certification purposes. While we stuck to our interview protocol, we allowed respondents to answer widely for questions to get more information on the analysed subject. All interviews lasted between 45 and 60 minutes and were recorded, transcribed, and included in a case study protocol [24]. In addition, there secondary data from organization reports, annual results, web pages, academic articles and other company information were collected that the authors had access to when studying the organization and which were available internally and publicly, thus allowing for empirical triangulation of the data. A within-case interpretation was the first level of data analysis, analyzing each case separately, and compiling a case study history based on the interviews and secondary data [21]. The second step was a cross-case search for patterns, our second level of interpretation, which involved all of the researchers looking for within-group similarities coupled with intergroup differences. Conducting cross-case analysis has been supported by researchers including Stavros and Westberg [25] as it increases the validity and reliability of the case-study methodology. According to this methodology, in the next sections of the paper, we proceed to perform the analysis of the case studies. Because the studied companies did not allow using their names, they have been replaced with the numbers [22].

Case organizations characteristics
In table 2. the organizations included in this investigation and the main characteristics are presented. The initial contact with the case study organizations covered 11 leading certification bodies, however only four out of them agreed to take part in this research. Three out of four of the organizations are big international certification bodies and the fourth is operating only in Poland.  The first question asked to the companies representatives concerned whether remote auditing was implemented before the COVID -19 pandemic or just during it. In the organization 1 and 3, the remote auditing process had been implemented before global pandemic, but it was used occasionally. Therefore it began to be used to its full extent during the pandemic. The representative of organization 1 said that when there was a decision to do the remote audit they were conducting it up to 30% of foreseen time in the audit plan before pandemic. Both of those organizations conducted those type of audits according to IAF MD 4:2018. In this area, the organisation 2 and 4 implemented remote audits during global pandemic precisely while lockdown, but the time of implementation differed on the particular certified standards. Within those organisations they still conduct remote audits but only for few standards. Rest of them has been conducted in traditional way on site.
Next question concerned the rules of auditing. The representatives were asked which of them are the biggest challenge in remote audits as well as what are the threats and ways to minimize the risk in these areas. The all representatives pointed out the most important rules as follow: evidence-based approach, reliability that underpins the auditor's professionalism as well as confidentiality. Additionally representative of organization 4 pointed out a risk-based approach.
Considering the second part of the question, representatives pointed that the biggest difficulty and a threat at the same time is auditing of production part of the auditee through remote audits. This relies to the rules of auditing mentioned above. Representative of organization 3 additionally explained that within the reliability, the auditor must have enough experience to be able to design the "audit trail" that will be followed during the SHS Web of Conferences 9 2, 010 (2021) Globalization and its Socio-Economic Consequences 2020 37 https://doi.org/10.1051/shsconf/20219201037 audit to examine those areas that should be in this particular audit. This is especially important in organizations that produce something. In such cases, it is necessary to predict what the auditor has to see remotely, i.e. through a camera or by viewing photos taken. And if the photos were taken, at what point they were taken, whether in the presence of an online auditor, or not necessarily, which is also related to the principle of "Risk-based approach". In case of evidence-based approach representative of organization 3 said that there is apparently easier, because it is easier to "record" evidence during an online audit for example by executing PrtScr. But then there is the problem of maintaining the trust that the auditee places in auditor. For this purpose, before the audit, it is necessary to explain and declare exactly how the screenshots will be taken and whether at all. Some industries, the so-called "sensitive" will not accept any screenshots. Therefore, a lot of experience of the auditor (but also of the certifying body's office staff) is needed here to establish the boundaries and methods of collecting evidence online. Regarding confidentiality he said that, just carrying out an audit, that is viewing people and documents can be a challenge. Some auditors do not take the need to audit in isolation seriously enough so that no one is listening or watching the screen. The next mentioned threat is collecting evidence that are screenshots mentioned above. Keeping them in the auditor's computer is even more dangerous than taking a paper copy from a "classic" audit. Here, precise rules of conduct between the auditor and the certification body should be established. A good solution is to immediately delete screenshots, after saving document features in the post-audit documentation, i.e. prohibiting the storage of screenshots by both the auditor and the certification body.
Following, the representatives were asked about the way of conducting of remote audits. All investigated organisations based on a video calls operated by different platforms. Thy were using MS Teams, Zoom or Clickmeeting for the purpose of remote auditing process, while the employees of the auditee were presenting compliance evidence. If some of them were invisible, the documents had to be sent by e-mail or through a secured file sharing platforms. Representatives also mentioned, that all interviews were conducted with all the necessary employees, it could not be that the answer had been given by one person only.
The next area concerned the audits results. The representatives were asked whether audits results determined as the number and type of detected non-conformities has changed after switching to remote certification processes. Representatives of organization 1, 2 and 3 did not notice a significant differences in audits results. According to them, in this cases auditor can collect more evidence (screenshots are made faster than notes). Additionally within those organizations auditors regularly undergo so called "calibration" training and try to be very careful and reliable in assessing facts and evidence. Slightly different was an organization 4 where during remote audits there were noticed a fewer of non-compliances. At a later stage, additional incompabilities arose during the site visit. So because of that, all certified standards by them required an additional site visit at the time specified by the owner of the standard.
Last investigated area for the purposes of this publication was auditors' assessment. The representatives were asked whether the auditors' assessment was carried out by granting the authority to conduct remote audits, or they were all automatically recognized as competent in the area of remote auditing. According to representatives of organizations 1 and 4 there was no need to grant auditors for remote auditing, however there was access to technical assistance during the audits. They have been providing training for those who need it. In case of organization 2 and 3 participation in remote audits has been possible for each qualified auditor. However, all auditors had to pass training in online audit techniques as well as the principles and risks associated with it before. In organization 3 only the Lead Auditor must always initiate, conduct and terminate online audits.

Conclusions
Summing up the results obtained from the above studies, it can be concluded that to ensure the continuity of operations, the certification bodies have applied the elements of remote evaluation to a very wide extent to fulfil their obligations. All the tested certification bodies consciously approached the difficulties of quickly adapting to new realities during the global COVID-19 pandemic. Although differences were observed in the individual approach to changing the conduct of audits, however, as a result, both the certification bodies and their clients had the possibility of maintaining the continuity of a valid certificate. All investigated certification bodies after the end of the extraordinary period will additionally introduce the previously planned on-site evaluations, as a result of which the effectiveness of such activities will increase. Planned on-site activities for most of the tested certification bodies will still take place, and additionally, a remote form of assessment will be performed. Such action gives an opportunity to extend the duration of the assessment and it should be directly related to the increase in confidence in the certification results.
According to the authors, there is also a good outcome from the global pandemic that there will be a possibility for certification bodies' customers to choose what kind of audits they prefer on site or remote. Of course this will be possible not for all kind of audits, but in some cases or standards this will be an opportunity as well as a way to reduce the cost of certification processes firstly for certification body, secondly, depending on certification bodies for customers.
Despite the limited possibilities of on-site assessments, it seems that the introduction of remote assessment procedures in the short term, while re-performing physical assessments, should contribute to reducing the risk of wrong decisions and increasing confidence in the certification results.