ISO 13485

Remote internal audits – How to

ISO 13485 · Internal Audits · Remote Methods

Remote Internal Audits

An audit is an audit—whether on-site or remote. This guide shows how to execute internal audits using remote methods with clear planning, secure information handling, and crisp evidence collection.

ICT Readiness Evidence Capture Security-by-Design Contingency Plan Efficient Scheduling

What Do We Mean by “Remote Auditing”?

The audit principles don’t change. What changes are the methods. Remote audits use information and communication technology (video, screen sharing, secure repositories) to perform activities that would otherwise occur face-to-face: document review, interviews, and observation.

Plan the Methods (Before You Schedule)

Choose the platforms: agree on video, screen sharing, and a secure file drop. Avoid mixing tools mid-audit.
Define access: who uploads, who views, and what permissions expire when the audit closes.
Time zones & cadence: set short, focused blocks (60–90 min) with breaks for evidence prep.
Roles: identify a “remote guide” on the auditee side to coordinate people, documents, and camera work.
Dry run: 10-minute tech check one or two days prior (audio/video, screenshare, repository access).

Information Security Considerations

Use accounts with least-privilege; disable guest recording unless agreed.
Prefer read-only links with watermarking and expiry for sensitive records.
Confirm whether a VPN or specific network is required; document any restrictions in the audit plan.
Agree up front on what can be captured via screenshots and how those images are stored and purged.

Tip: Treat remote access and evidence handling as part of the audit scope. Record decisions in the plan and keep them with the audit file.

Contingency if Technology Fails

Fallback dial-in numbers and a secondary video room.
Protocol for switching to audio-only while file access continues.
Named alternates for each interviewee and a reschedule window pre-booked.
For paper-only records: high-resolution document camera as a backup to scanned PDFs.

Remote vs On-Site — What Changes?

Activity	Remote Method	Common Risks	Mitigations
Document & Record Review	Secure repository, read-only links, screen share	Version confusion, missing metadata	Index with IDs/revisions; lock a snapshot for the audit
Interviews	Video call with shared agenda	Audio clarity, distractions, role mix-ups	Headsets, waiting room, named moderator, 10-min pre-brief
Process Observation	Mobile device as roving camera	Poor angles, unstable connection	Assign a camera operator; test routes; use Wi-Fi/5G handoff
Evidence Capture	Screenshot policy; controlled recordings	Unapproved capture or data sprawl	Written consent, watermark, secure storage & purge timeline

Reviewing Documents & Records (Remote-First)

Request a document list with IDs, titles, revisions, and locations one week prior.
For hybrid systems (digital + paper), agree whether items will be scanned or shown via a document camera.
When sharing live on screen, display the file path and revision to anchor the record in the system of truth.
Decide whether screenshots are allowed and where they will be stored within the audit package.

Interviews & Listening (Make Them Count)

Send the interviewee’s time slot and topics in advance; keep each session focused on the process being audited.
Open with the objective and criteria; confirm that recording (if any) is consented to.
Ask to see the record in the live system rather than a local copy whenever feasible.
Close with a quick recap of what was shown and any follow-up artefacts to upload.

Observations & Walkthroughs (Roving Camera)

Nominate a camera operator; agree the route and pause points (labels, gauges, batch records, equipment IDs).
Use a device with image stabilization and an external microphone where possible.
For critical steps, ask the operator to hold the frame for 3–5 seconds so you can read labels and verify IDs.
If connectivity is weak, switch to a staged approach: photos uploaded first, then a short live Q&A.

Audit-Ready Checklists

Remote Audit Readiness

Platforms agreed and tested (video, screenshare, file drop, messaging back-channel).
Security rules documented (who can record, screenshot policy, purge dates).
Document index delivered and confirmed complete.
Contingency contacts and backup room in calendar invites.

Evidence Capture Etiquette

Announce before capturing screenshots; store only in the audit folder.
Reference record IDs and revision in your notes; avoid personal data unless in scope.
Tag follow-ups by owner and due date during the session to prevent drift.

Templates You Can Copy/Paste

Remote Audit Agenda (example):
09:00–09:15 – Kick-off: scope, criteria, methods, security rules
09:15–10:00 – QMS documentation overview (screen share)
10:15–11:00 – Process A interview & record sampling
11:15–12:00 – Roving camera walkthrough: Area B
13:00–13:45 – Process C interview & CAPA sampling
14:00–14:30 – Evidence upload window (no meetings)
14:45–15:15 – Clarifications & hold-points
15:30–16:00 – Close-out (preliminary findings)

Contingency Script:
“We’ve lost video at [time]. Switching to audio-only via backup line. Please upload records R-101 to R-105 to the secure folder. We will resume video in 10 minutes or proceed with audio if necessary.”

Do / Don’t — Quick Guardrails

Do	Don’t
Lock methods and security rules in the plan.	Ad-hoc tool switching during the audit.
Use short, focused sessions with scheduled upload windows.	Run a single multi-hour call without breaks.
Verify records in the live system where feasible.	Rely solely on emailed screenshots.
Practice the roving camera route.	Attempt a live tour without testing coverage or audio.

Bottom Line

Remote methods don’t change what an audit is—only how you execute it. With clear platforms, defined security controls, rehearsed observation techniques, and a solid contingency plan, remote internal audits are efficient, defensible, and every bit as effective as on-site work.