The word "audit," in the broadest sense, refers to a variety of activities. It may refer to an accounting firm examining the financial statements of a public corporation, or a consultant checking the process of lid sealant dispensing in a semiconductor package assembly line. It may even refer to a mystery shopper testing the patience of sales clerks in an upscale department store.
The fact that the audit process casts auditors on one side and the people being audited on the opposite side has created a general impression that auditing is adversarial. While this is true in some cases, an audit does not have to be a negative experience or a dreaded event. When implemented properly, it can be one of the most effective means for improvement. From financial institutions to manufacturers to hospitals, audit is being utilized as an important management, compliance and quality tool.
For life science companies or other regulated industries that follow ISO quality standards, auditing — both for compliance and performance — is critical. Considering the type of products that the U.S. Food and Drug Administration (FDA) and other regulatory agencies monitor and the diversity of the industries where ISO quality standards are applicable, auditing for the purpose of maintaining high quality standards directly impacts public health and safety. In these environments, the audit process is closely associated with quality and directly related to regulatory compliance.
Enjoying this article? You may also enjoy this White Paper:
Audit Toolkit from MasterControlDownload Free White Paper
The International Organization for Standardization (ISO), the world's leading developer of international standards, boosted interest in quality audits when it published the ISO 9000 standards in 1987. Today, popular standards such as ISO 9001:2015, ISO 14001:2015 and ISO 13485:2016 all require internal audits of the quality system (or the environmental management system in the case of ISO 14001). Under these standards, audit serves as a mechanism for evaluating and improving quality.
The same principle is reflected in a number of regulations enforced by the Food and Drug Administration. Under the Quality System Regulation (21 CFR Part 820), medical device manufacturers are required to conduct audits to ensure that the quality system is compliant (Sec. 820.22).
The Current Good Manufacturing Practice (CGMP) regulations for pharmaceuticals (21 CFR Parts 210-211) and for blood and blood components (21 CFR Part 606) include general requirements for regular evaluation of quality standards. Guidances for the pharmaceutical industry and blood establishments also emphasize the importance of audits. For example, the "Guidance for Industry Quality Systems Approach to Pharmaceutical CGMP Regulations" recommends internal audits and supplier audits. The "Guidelines for Quality Assurance in Blood Establishments" call for comprehensive audit of the quality assurance program.
In general, there must be a basis (specific requirements) for an audit and a systematic method for gathering facts or evidence. An auditor compares the evidence with the requirements and comes up with observations, which can be either positive or negative. Up to this point, the process is similar to inspection. But an audit entails much more. The auditor analyzes his or her observations for patterns — also called findings — in order to draw conclusions. The auditor then presents the observations, findings and conclusions in a report to all parties involved.
The focus of an audit can be a product/service, a process or a system. Going back to the example of the mystery shopper, the focus was customer service in just one store. A product audit of a vacuum cleaner may entail randomly pulling out a box from the assembly line and taking the vacuum cleaner apart to examine it from a consumer's perspective. In both cases, the audit has a narrow focus.
A process audit focuses on a single activity. For example, a process audit at an ISO-certified car manufacturing plant might examine the process of welding body panels together, or of installing doors and windows. The audit is likely to be short but intense. It must be conducted several times in order to analyze patterns. This kind of audit is useful in troubleshooting and in solving specific issues.
A system consists of related processes with a common goal. Using the example of the car manufacturer, an audit of the quality system will cover not just the process of welding body panels, but all other processes, from design to assembly to safety tests, etc. This type of audit is longer and broader, covering not only different processes but also their controls.
Audits can be categorized by purpose. The following two categories are particularly relevant to life sciences and ISO-certified regulated companies.
Audits may be categorized according to the parties auditing and being audited, such as:
For audit to be an effective improvement and compliance tool, it must be conducted on an on-going basis. And this can be daunting for companies that rely on a paper-based or a partially electronic system. Coordinating multiple audits, tracking remediation efforts, and trying to find anything about the audit after the fact are struggles of auditing on paper. COVID-19 has presented its own set of challenges to audits. Social distancing, working from home, and limiting travel have made it difficult to conduct or host audits. Companies that use digital solutions have partially solved this problem.
Remote audits are becoming just as big as remote work. If a company uses a digital quality management system (QMS), they can give an auditor remote access to their documentation. Standard operating procedures (SOPs), corrective and preventive actions (CAPAs), and training records can all be reviewed remotely. In some cases, auditors have done remote tours of facilities by someone on-site walking around with a mobile device. The FDA is even starting to come around to this approach and allowing remote audits under certain circumstances.
Gone are the days when auditors and auditees treat each other like adversaries. More and more companies now see audit as an occasion for auditors and auditees to work together in achieving a common goal — improved performance. Forward-looking organizations recognize that the audit process is one of the best tools for continuous improvement of the quality system and for making sure that the system is always compliant.