If you have received or conducted an audit by videoconference, this standard concerns you directly.
ISO/IEC TS 17012:2024 is the first international technical specification devoted exclusively to remote audit methods in management systems.
It was published in July 2024, and ISO 19011:2026 refers to it directly.
An important clarification: this is a technical specification (TS), not an international standard (IS). It does not establish new certification requirements. It provides guidance that auditing organizations and auditees must use to ensure a remote audit achieves the same objectives as an on-site audit.
Who this standard applies to
Clause 1 is clear: ISO/IEC TS 17012 applies to all organizations that plan and conduct audits of management systems: internal (first party), at suppliers (second party), or by certification bodies (third party).
If you are being audited, this standard gives you the basis to know what your auditor is supposed to do before, during, and after a remote audit. If you are an auditor, it describes your obligations.
Before you start: eight conditions to meet
Clause 5.2.2 lists the conditions that must all be met before using remote audit methods:
- Remote methods do not compromise achieving the audit programme objectives.
- Their use is appropriate and accepted by the parties concerned.
- Technologies have been selected and their management defined.
- Available information is sufficient to apply them.
- The scope and limits of remote use have been defined in the programme.
- Both parties’ ability to use the methods — personnel competence, technical and physical capabilities — has been confirmed.
- Differences in understanding of remote methods between auditor and auditee have been resolved.
- An agreement provides for how to modify the method if necessary.
Point 6, the confirmed ability of both parties to use the methods, is often ignored. The auditee must also be capable of using the tools. If that is not confirmed before the audit, it is a risk that must be managed according to clause 5.3.
The risks the standard identifies
Clause 5.3 requires a risk assessment specific to the use of remote methods.
The standard provides a risk table in Table 1. Here are the most critical:
Processes requiring physical observation. Some processes cannot be audited effectively at a distance. Smell, vibration, temperature, and humidity conditions cannot be observed by videoconference. The standard says so explicitly.
Integrity of evidence. Reduced document legibility, poor video resolution, or partial visibility of a process can compromise the reliability of audit conclusions.
Absence of a contingency plan. If tools fail and no alternative has been planned, audit objectives are compromised. This is not optional; it is a requirement.
Data protection. Requirements specific to data protection and information security when exchanging digital documents must be defined before the audit. A potential breach of data protection legislation is identified as a concrete risk.
Real benefits, according to the standard
Table 2 also lists opportunities. They deserve to be named:
- Reduced travel time: direct savings, reduced carbon emissions.
- Scheduling flexibility: technical experts can be involved easily for short periods, even outside the local time zone.
- Expanded scope: processes covering multiple sites can be audited simultaneously without travel.
- Short-notice audits: in case of sudden deviation, a group can meet quickly to clarify a problem.
- Auditor health and safety: no exposure to dangerous on-site conditions, conflicts, health risks, or transport risks.
This last point is rarely highlighted. Remote audit is also a tool for protecting auditors.
Preparation: what must be agreed with the auditee
Clause 6.3.2.3 is one of the most operational in the standard. Before the audit, the following must be confirmed and agreed with the auditee:
- Audit duration per day, taking time zones into account.
- Alternative communication means if the primary tool becomes unavailable.
- Protocols for using audio and video platforms.
- Technology functionality: platform access, availability of documents in electronic format, audio/video quality, access to virtual breakout rooms.
- Agreements on confidentiality, data security, and access rights.
- Information the auditee must make available in advance.
- Intellectual property, retention of recordings, security clearances.
- Whether recordings, transcripts, or photos will be used — and the legal basis for doing so.
Remote evidence collection: limits to know
Clause 6.4.7.3 lists considerations specific to collecting information remotely. Two deserve particular attention.
The auditor must verify that the documents they see are those they requested, not those the auditee wants to show them. In an on-site audit, the auditor can request a document directly from a filing cabinet. Remotely, they depend on what the auditee shares. Clause 7.2.3.2 d) makes this a distinct auditor competence.
Data integrity must be established. When the auditor consults databases or systems remotely, they must ensure the data they examine has not been manipulated. Clause 7.2.3.2 f) makes this an explicit obligation.
Three types of remote audits
Annex A.1 distinguishes three configurations:
Fully remote (A.1.1): no on-site activity is planned. Feasibility depends on the risk assessment related to the nature of products and services, remote access to processes, and documentation.
Hybrid or mixed (A.1.2): at least one part is conducted on site. For example, one auditor covers production on site while another reviews documents remotely. This is often the most realistic and robust approach.
With substitute or delegated auditor (A.3.3): a new concept. A substitute auditor is a person physically present at the auditee’s premises who acts as the eyes and ears of the remote audit team. They are not responsible for asking questions unless guided by the lead auditor. They must meet the same impartiality requirements as auditors. This model can be useful when full remote access is not possible but travel is not justified.
What the audit report must now include
Clause 6.5.2 is direct: the audit report must document the remote methods used, their scope, and their effectiveness, including benefits and limitations encountered.
The standard goes further: if artificial intelligence was used to generate part of the report, that fact must be declared, and it must be demonstrated that the principles of confidentiality and due professional care were respected. The extent of ICT use in conducting the audit must appear in the report and associated records.
What this changes for you
If you receive remote audits: you can ask your auditor to document the methods used and their limitations in the report. That is not an excessive request; it is what clause 6.5.2 requires.
If you plan remote audits: the list of items to confirm with the auditee (clause 6.3.2.3) is a planning tool you can use directly. Every unconfirmed point is a risk to document in your programme according to clause 5.3.
Source
ISO/IEC TS 17012:2024 is available from ISO at iso.org.