Note: The views expressed in this article are those of the author and do not necessarily represent those of his/her employer, GxP Lifeline, its editor or MasterControl, Inc.
The word "audit," in the broadest sense, refers to a variety of activities. It may refer to an accounting firm examining the financial statements of a public corporation, or a consultant checking the process of lid sealant dispensing in a semiconductor package assembly line. It may even refer to a mystery shopper testing the patience of sales clerks in an upscale department store.
In these examples, there's a systematic attempt to take a closer look at something - whether financial statements or a factory process or customer service - for the purpose of evaluation and, ultimately, decision making.
The fact that the audit process casts auditors on one side and the people being audited on the opposite side has createda general impression that auditing is adversarial.
The fact that the audit process casts auditors on one side and the people being audited on the opposite side has createda general impression that auditing is adversarial. While there may, indeed, exist a point-and-blame atmosphere in some cases, more and more organizations recognize that an audit does not have to be a negative experience or a dreaded event. When implemented properly, it can be one of the most effective means for improvement. From financial institutions to manufacturers to hospitals, audit is being utilized as an important management, compliance, and quality tool.
In the FDA and ISO environments, audit - both compliance and performance - is critical. Considering the type of products that the FDA regulates and the diversity of the industries where ISO quality standards are applicable, auditingfor the purpose of maintaining high quality standards directly impacts public health and safety. In these environments, the audit process is closely associated with quality and directly related to regulatory compliance.
This article is related to the toolkit:
Audit Toolkit from MasterControl.
To get the full details, please download your free Toolkit.
The International Organization for Standardization (ISO), the world's leading developer of international standards, is instrumental in boosting interest in quality audits among manufacturers and other types of businesses when it published the ISO 9000 standards in 1987. Today, popular standards such as ISO 9001: 2000, ISO 14001:2004, and ISO 13485 all require internal audits of the quality system (or the environmental management system in the case of ISO 14001: 2004). Under these standards, audit serves as a mechanism for evaluating and improving quality.
The same principle is reflected in a number of regulations enforced by the Food and Drug Administration. Under the Quality System Regulation (21 CFR Part 820), medical device manufacturers are required to conduct audits to ensure that the quality system is compliant (Sec. 820.22).
The Current Good Manufacturing Practice (CGMP) regulations for pharmaceuticals (21 CFR Parts 210-211) and for blood and blood components (21 CFR Part 606) include general requirements for regular evaluation of quality standards. Guidances for the pharmaceutical industry and blood establishments also emphasize the importance of audits. For example, the "Guidance for Industry Quality Systems Approach to Pharmaceutical CGMP Regulations"recommends internal audits and supplier audits. The "Guidelines for Quality Assurance in Blood Establishments" call for comprehensive audit of the quality assurance program.
In general, there must be a basis (specific requirements) for an audit and a systematic method for gathering facts or evidence. An auditor compares the evidence with the requirements and comes up with observations, which can be either positive or negative. Up to this point, the process is similar to inspection. But an audit entails much more. The auditor analyzes his or her observations for patterns - also called findings - in order to draw conclusions. The auditor then presents the observations, findings, and conclusions in a report to all parties involved.
The focus of an audit can be a product/service, a process, or a system. Going back to the example of the mystery shopper, the focus was customer service in just one store. A product audit of a vacuum cleaner may entail randomly pulling outa box from the assembly line and taking the vacuum cleaner apart to examine it from a consumer's perspective. In bothcases, the audit has a narrow focus.
A process audit focuses on a single activity. For example, a process audit at an ISO-certified car manufacturing plant might examine the process of welding body panels together, or of installing doors and windows. The audit is likelyto be short but intense. It must be conducted several times in order to analyze patterns. This kind of audit is useful in troubleshooting and in solving specific issues.
A system consists of related processes with a common goal. Using the example of the car manufacturer, an audit of the quality system will cover not just the process of welding body panels, but all other processes, from design to assembly to safety tests, etc. This type of audit is longer and broader, covering not only different processes but also their controls.
Audits can be categorized by purpose. The following two categories are particularly relevant to FDA-regulated and ISO- certified companies.
- Compliance Audit: This type of audit is about conformance to rules and regulations. The goal is to see if activities, processes, and systems meet requirements. The result is usually black or white - a product or process or system being audited either passes or fails. When the FDA conducts a CGMP (post-approval) inspection at a pharmaceutical company, it is essentially conducting a compliance audit. A conformance assessment for the purpose of ISO certification is another example. In both cases, the outcome is directly tied to compliance or certification. The companies being audited are primarily concerned about passing the audit with flying colors.
- Performance Audit: In the third edition of Quality Audits for Improved Performance, Dennis Arter writes that a performance audit looks at three things: compliance to the rules, effectiveness of those rules for use, and suitability of those rules for achieving an organization's goals. Going back to the example of the car manufacturer, a performance audit may be conducted not only to make sure that the plant's quality system will pass an ISO conformance assessment, but perhaps to see how the system's efficiency can be improved in order to boost production and profitability. A performance audit is usually conducted internally to look at a company's business results, or it can be applied to a supplier to help a company decide whether to sign or renew a contract with the supplier.
Audits may be categorized according to the parties auditing and being audited, such as:
- First-Party Audit: In this type of audit - also known as internal audit or self-audit - those auditing and those being audited all belong to the same organization. Taking the case of the car manufacturer, the headquarters in Detroit may be concerned about productivity of a plant in Ohio and may send an internal audit team to help find ways for improvement. An ISO-certified supplier may also conduct a first-party assessment to make a self-declaration of its conformity with specific ISO standards.
- Second-Party Audit: A second-party audit refers to a customer conducting an audit on a supplier or contractor. For example, a medical device company that contracted a laboratory to do sterility testing may conduct a second-party audit to make sure that the lab meets QSR requirements and to be able to demonstrate to FDA investigators that the contractor is compliant. The same company may audit a parts supplier to make sure that it conforms to ISO 9001 or ISO 13485 standards. It may also evaluate a potential raw materials supplier through an audit, although some auditors might argue that such a process is more of a supplier survey than an audit.
- Third-Party Audit: Neither customer nor supplier conducts this type of audit. A regulatory agency or an independent body performs a third-party audit for the purpose of compliance or certification or registration. An example would be an FDA investigator conducting a CGMP inspection at a pharmaceutical company. Another example is a College of American Pathologists (CAP) team inspecting a blood bank for the purpose of accreditation. ISO conformity assessments are not carried out by ISO itself, but by private-sector third parties or regulatory bodies in countries where ISO standards have been incorporated into law.
For audit to be an effective improvement and compliance tool, it must be conducted on an on-going basis. And this can be daunting for companies that rely on a paper-based or a partially electronic system. The following are some of the biggest challenges faced by such companies.
- Poor Communication and Scheduling: Starting with planning and scheduling, a paper-based or hybrid process would entail face-to-face meetings and conference calls to bring together the auditors, auditees, corporate management, and others involved. Follow-up work would entail uncoordinated phone calls, e-mail, and personal reminders. Scheduling of audit-related tasks would depend on someone remembering to send assignments at certain dates. The situation may be manageable if there's only one audit being conducted at a time and if the parties involved are 100 percent attentive. It can be downright problematic if there are multiple customer audits happening at the same time that either an ISO audit or an FDA inspection is taking place, especially if the same teams are involved in all audits. And if the scenario happens several times a year, it is likely that tasks will fall through the cracks, and the company might fail some audits.
- Inefficiency: Most internal auditors are out in the field inspecting facilities. They might use paper forms and either paper or electronic spreadsheet to collect data. Then they enter all data in the computer as soon as they return to the office. The process is pretty straightforward if there's only one auditor conducting one audit once a year. However, if there are several auditors working as a team, using large checklists, generating voluminous paperwork, and conducting multiple audits under tight deadlines, then the inefficiency of the process becomes a serious problem.
- Poor Tracking: Even when a company performs only a small number of audits annually, each audit typically results in numerous findings and related corrective/preventive actions (CAPAs) that all need to be addressed and managed. Under a manual or hybrid system, tracking these findings and related documents, evaluating risks, verifying findings, and ensuring proper closure could mean combing through voluminous paperwork and a lot of legwork, both of which could result in delayed CAPA completion.
- Lack of Oversight: It's difficult to generate accurate and timely reports and trends using disparate tools (electronic spreadsheets, flowcharting software, paper documents). Without an effective reporting tool, managers are unable to see the big picture that audit findings may reveal. When audit is not connected to other quality processes (change control, CAPA, training control, etc.), such as in a paper-based system, it is almost impossible to monitor the entire quality system.
Gone are the days when auditors and auditees treat each other like adversaries. More and more companies now see audit as an occasion for auditors and auditees to work together in achieving a common goal - improved performance. Forward-looking organizations recognize that the audit process is one of the best tools for continuous improvement of the quality system and for making sure that the system is always compliant.
Jason Clegg is the Marketing Director at MasterControl, Inc. MasterControl produces software solutions that enable regulated companies to get their products to market faster, while reducing overall costs and increasing internal efficiency.