Remote auditing went from emergency measure to standard practice in about eighteen months. If your last ISO 9001 audit was conducted entirely on-site, you may not recognize what the next one looks like — and the preparation required is genuinely different.
The International Accreditation Forum's MD 33 document, issued in 2021, formally established that certification bodies must conduct remote audit activities with the same rigor as on-site visits. That document, combined with updated requirements from accreditation bodies like ANAB, UKAS, and DAkkS, changed what auditors can ask for, how they collect evidence, and what your organization needs to be ready to show. In my view, most quality managers still haven't fully internalized those changes. They're preparing for an audit format that no longer quite exists.
This article covers exactly what shifted, what stayed the same, and how to prepare for your next audit — whether it's fully remote, fully on-site, or the hybrid format that's now most common for recertification.
Why Remote Auditing Became Permanent
The IAF had actually begun formalizing remote audit methods before COVID-19 arrived. IAF MD 4:2018, "Use of Computer Technology in Auditing," laid early groundwork for technology-assisted audit activities. The pandemic compressed years of gradual adoption into a matter of weeks. Certification bodies that had used remote methods occasionally began using them almost exclusively by mid-2020.
By 2021, the IAF had enough operational data to move from emergency guidance to a permanent framework. IAF Informative Document ID 12, issued in March 2020, provided the emergency scaffolding. IAF MD 33:2021 — formally titled "IAF Mandatory Document for the Application of ISO/IEC 17021-1 for Audits Conducted Using Information and Communication Technology (ICT)" — replaced that temporary guidance with binding requirements that every accredited certification body must now follow.
The numbers reflect how permanent this shift became. Before 2020, remote audit activities were a small minority of overall certification activity globally. By 2022, IAF member data indicated that remote and hybrid methods had become a substantial component of certification auditing worldwide, with many accreditation bodies reporting that over half of their surveillance audits included significant remote elements. That trend has stabilized rather than reversed as travel normalized. Remote auditing is no longer an accommodation — it's a standard service offering that every accredited certification body must be equipped to deliver.
IAF MD 33:2021 formalized remote audit requirements and established that certification bodies must maintain audit effectiveness whether conducted on-site, remotely, or through a hybrid combination of both. That sentence is worth sitting with, because it shapes everything downstream.
The Three Audit Formats and When Each Applies
Understanding which format you're in — and why — shapes how you prepare. The current landscape has three distinct options.
On-site audits remain the baseline for initial certifications, for organizations with complex manufacturing or safety-critical processes, and for situations where physical inspection is genuinely necessary to verify conformity. If an auditor needs to observe equipment in operation, examine physical product condition, or verify environmental controls through direct presence, on-site time is required. IAF MD 33 is explicit that remote methods don't substitute for physical observation when the process demands it.
Fully remote audits work well for surveillance audits of organizations with mature, documented QMS implementations — particularly in service industries, software, professional services, and administrative-heavy operations. Document review, records verification, and personnel interviews all translate cleanly to video conferencing and screen sharing. In my experience working with clients across industries, fully remote audits tend to work best when the "product" is primarily information rather than a physical item.
Hybrid audits have become the most common format for recertification and many surveillance audits of manufacturing organizations. A typical hybrid might open with a remote phase covering document review and management interviews, then conclude with targeted on-site time for production observation, equipment inspection, and floor-level worker interviews. The auditor determines which activities require physical presence, usually in discussion with you during audit planning — and that conversation is worth having early.
What Auditors Are Actually Doing Differently
The shift to remote and hybrid methods changed how auditors collect evidence, not what they're looking for. A few specific changes are worth knowing before your next audit.
Document access has become a live activity. In traditional on-site audits, auditors often reviewed documents in advance or worked from printed copies during the visit. In remote audits, document review typically happens via screen sharing, with the auditor observing your QMS in real time. They're watching how you navigate your system, whether revision histories are visible, whether controlled copies are properly maintained, and whether your team knows where things live. The experience is more transparent than most organizations expect going in.
Facility walkthroughs now happen on camera. Auditors conducting remote audits of physical operations request live camera tours of relevant areas — production floor, storage, calibration equipment locations, safety controls. Some organizations set up fixed cameras; others walk through with a smartphone. The quality of that tour matters. If an auditor can't clearly see what they need to verify, they may flag that area as requiring on-site follow-up, which extends the audit process.
Interview dynamics have shifted in a specific direction. When an employee is asked to pull up a record and share their screen during a video interview, the gap between what the QMS procedure says and what someone actually does becomes apparent quickly. I've seen this pattern consistently across my engagements — remote interviews tend to surface documentation gaps faster than in-person conversations, because there's no way to physically redirect attention or retrieve the right document from another room. Preparing your process owners for the remote format is as important as the documentation itself.
Evidence submission has moved upstream. Many auditors now request evidence packages in advance: recent internal audit reports, corrective action records, customer satisfaction data, management review minutes. This front-loading can shorten the real-time audit session, but it means your evidence needs to be in exportable, shareable form before the audit date. Password-protected files, broken document links, or records only accessible from a specific workstation create problems that are much harder to resolve mid-session.
On-Site vs. Hybrid vs. Remote: A Practical Comparison
| Audit Activity | On-Site | Hybrid | Remote |
|---|---|---|---|
| Document review | Physical review or shared screen | Typically conducted remotely | Screen share or file transfer |
| Process observation | Direct observation | On-site for key processes | Camera tour or not applicable |
| Personnel interviews | In person | Mix of in-person and video | Video conferencing |
| Evidence collection | Real-time during visit | Mixed | Advance submission + screen share |
| Scheduling flexibility | Low — travel required | Moderate | High |
| Typical session length | Full days on-site | Reduced on-site time | Shorter sessions, often split over two days |
| Cost to organization | Higher hosting and preparation costs | Moderate | Lower |
| Auditor visibility into operations | High for process; moderate for records | Balanced | Lower for process; higher for records |
One pattern worth noting: remote audits often produce more thorough document reviews than on-site audits, precisely because the auditor is working directly with your live system rather than a curated selection of printed records. The trade-off is reduced visibility into how processes actually run day to day, which is why hybrid formats persist for organizations where operational observation matters most.
Technology Requirements Under IAF MD 33
IAF MD 33 places the primary technology requirements on certification bodies — they must verify that the technology used maintains audit integrity, preserves evidence, and confirms participant identity. Your organization isn't directly responsible for meeting IAF requirements, but in practice, you need to support certain technical conditions for the audit to function.
Minimum readiness for most remote audits includes:
- Stable video conferencing with screen sharing capability — Zoom, Microsoft Teams, and Google Meet are all widely used by certification bodies
- Live access to your document management system, not just static exports
- The ability to produce and share records quickly during the session, not just after
- A designated audit coordinator who can navigate your QMS in real time and locate records on request
- A backup communication channel in case the primary connection drops during the session
Some certification bodies specify their technology preferences in the audit plan they send you ahead of time. If yours doesn't, ask before the audit date rather than discovering the platform mismatch when the auditor calls in.
Security and confidentiality deserve explicit attention. IAF MD 33 requires that remote audit methods protect confidential information. Practically, this means thinking through what's visible during screen sharing, whether shared documents contain sensitive data beyond what's relevant to the audit, and whether your IT policies permit external screen sharing for particular systems. These aren't complicated questions, but most organizations don't think through them until they're mid-session — and that timing creates avoidable friction.
Preparing for a Hybrid or Remote Audit
The single most important preparation step is making your QMS genuinely navigable by someone who isn't in your building. A lot of quality management systems are maintained by people who know exactly where everything is but couldn't explain it clearly to someone who doesn't — remote audits expose that gap directly.
Audit your own document access first. Can someone find your quality policy, process procedures, calibration records, and recent internal audit results in under five minutes, starting from scratch? If the answer is no, fix that before the auditor shows up.
Build your evidence library. Identify the records most likely to be requested — recent corrective actions, management review minutes, training records, customer satisfaction data, calibration logs — and confirm they're accessible, current, and exportable. Don't wait for the auditor to request them.
Brief your process owners on the format. Anyone who might be interviewed remotely should know how to share their screen, how to access the records for their area, and how to explain what they do clearly on camera. Briefing them on the technology is not coaching them on answers — it's preventing format friction from getting in the way of a genuine evaluation.
Test your setup before the audit date. Run a trial call on the platform your certification body uses. Check screen sharing, audio quality, and connection speed. A dropped connection during an audit isn't disqualifying, but it wastes time that could have been used to demonstrate conformity.
For hybrid audits, clarify the division of activities early. Ask your certification body during audit planning which activities they plan to conduct remotely and which require on-site presence. This shapes how you allocate preparation effort and prevents the kind of last-minute surprises that make audits harder than they need to be.
Organizations that prepare their documentation systems, access protocols, and process visibility for remote review typically find hybrid audits less disruptive than traditional on-site visits — because that preparation forces a level of QMS organization that should have been there all along.
What Your Certification Body's Obligations Look Like Now
Your certification body's job got more complex with remote auditing, and understanding their constraints helps you work with them more effectively. Under IAF MD 33, they must document how they verified that evidence was authentic, that interviews were conducted with the right individuals, and that the remote session itself was conducted in a controlled manner. They must demonstrate audit effectiveness equivalent to on-site methods — and their accreditation body checks for it.
This means auditors conducting remote audits are typically more explicit about what they're verifying and why. You may receive more detailed findings notes, more specific document requests during the session, and clearer explanations of what was observed versus what was inferred. In my experience, that transparency is a net positive — it tends to produce more actionable audit outcomes than the sometimes opaque findings that came out of traditional on-site visits.
IAF MD 33 also includes auditor competency requirements specific to remote methods that go beyond standard audit training. Certification bodies must verify that their auditors are competent in the technology and the remote audit format. If your auditor seems comfortable with screen sharing and virtual evidence review, that competency is by design — accreditation bodies are checking for it during their own audits of your certification body.
What Hasn't Changed
The ISO 9001 standard hasn't changed because the delivery method of auditing changed. Clause 9.2 still requires internal audits at planned intervals. Clause 9.3 still requires management review. Clause 8.1 still requires operational planning and control. Remote auditors are checking for the same conformity, looking for the same evidence, and reaching conclusions using the same criteria as their on-site counterparts.
The burden of proof is identical. You still need to demonstrate that your quality management system functions as documented, that controls are operating effectively, and that you're using your QMS to drive improvement. A remote auditor who can't see your process clearly isn't going to extend benefit of the doubt — they're going to note that conformity couldn't be verified and flag it accordingly. Remote and hybrid audits do not reduce the scope or rigor of ISO 9001 conformity assessment — they change the method of evidence collection, not the standard of evidence required.
The organizations I've seen struggle most with remote audits are those whose QMS lives primarily in one or two people's heads rather than in documented, accessible systems. Remote auditing didn't create that problem, but it does make the problem harder to conceal.
Frequently Asked Questions
Can initial ISO 9001 certification be conducted fully remotely?
Generally, no. Most accreditation bodies require at least some on-site time for initial certification audits, particularly to verify physical processes, facilities, and product handling. IAF MD 33 permits remote activities as part of the overall certification process, but certification bodies typically require on-site observation for initial assessments of organizations with physical operations. Some service-sector organizations have completed initial certifications with minimal on-site time, but this is determined case by case and depends on the nature of your operations.
What technology does my organization need for a remote ISO 9001 audit?
At minimum, stable video conferencing with screen sharing capability, live access to your document management system, and the ability to produce and share records quickly during the session. Your certification body should specify platform preferences in the audit plan. IAF MD 33 requires that the technology maintain evidence integrity — your job is to support those conditions technically, not to meet the IAF requirements directly. Testing your setup in advance is strongly recommended.
Do remote audits take less time than on-site audits?
Remote audit sessions are often shorter in duration, but may span more calendar days. A two-day on-site audit might translate to two half-day remote sessions conducted across a week, with an advance evidence submission period beforehand. Hybrid audits typically reduce on-site time significantly without eliminating it. Overall calendar span can be similar; concentrated on-site days are what shrink.
What happens if I can't access a document during a remote audit?
Inaccessible documents during a remote audit are treated the same as unavailable documents in an on-site audit — the auditor notes that conformity couldn't be verified for that item. Depending on what couldn't be accessed and how significant it is to the clause being audited, this could result in an observation, a nonconformity, or a requirement for a follow-up session. Document accessibility is worth testing explicitly before your audit date, not assuming.
Is a hybrid audit easier to pass than a fully on-site audit?
No. The audit criteria and conformity requirements are identical regardless of format. Hybrid audits sometimes produce more thorough document reviews because auditors work directly with your live systems, which can surface gaps that might have been less visible with printed records. Organizations with strong, accessible documentation tend to do well in hybrid and remote formats. Those with informal or underdocumented systems often encounter more findings than they expected, because the format offers fewer places to compensate with in-person explanation.
For a deeper look at how auditors evaluate each clause during any audit format, see our ISO 9001 internal audit guide. If you're approaching initial certification and want to understand the full process from gap assessment to audit day, our ISO 9001 certification overview covers the end-to-end process including how audit formats are determined.
Last updated: 2026-06-16
Jared Clark
Principal Consultant, Certify Consulting
Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.