In life science and other regulated environments, audit is necessary to comply with regulations and to ensure the quality of products. Regulated companies recognize not only the importance of audit, but the value of frequent audits. However, in these economically challenging times, frequent on-site audits can be costly.
Fortunately, it is now possible to conduct an audit without being physically present at the facility under audit. The development of web-based systems, video conferencing and desktop share technology allows auditors to see information from virtually anywhere in the world.
This practice has many names: virtual audit, online audit, desktop audit, or remote audit. For this article, let us call it 'remote audit'. The purpose remains the same: the auditor and the auditee do not have to be at the same location. With remote audit, an auditee can be 'out of sight', but not out of the auditor's mind. In fact, conducting remote audits is proving to be a viable option for companies that not only need to comply with regulations, but also need to reduce the cost of the audit process.
Audit requirements can be found in a number of regulations and standards, including: the EMA's Directive 2003/94 EC(e.g. article 14 talks about self-inspections or first-party audits as part of the quality assurance system); ISO standards (e.g. ISO 9000, ISO 13485); ICH Q9 Quality RiskManagement Guidance; ICH Good Clinical Practice guidelines and U.S. FDA regulations (e.g. 21 CFR 820.22 for medicaldevice manufacturers and 21 CFR 211 for pharmaceutical companies).
Given these requirements, the regulated company must be inspected or audited by regulatory authorities. These requirements extend to the inspection and auditing of the company's contractors and suppliers to ensure that they are also in compliance for the products or services which they are required to provide. In addition, the regulated company may also be audited by its customers for the same reason(compliance).
Regulated companies conduct and also undergo any or all ofthese types of audits: first-party audit, second-party audit andthird-party audit. But not all audits are created equal. Therefore,not all audits can or should be performed remotely. Remoteaudits should be based on risk.
Third-party audits, which are conducted by regulatoryagencies or independent bodies, are generally not doneremotely. Inspectors not only want to review documents, butmay require a physical inspection of the company's systems,facilities and equipment; in some cases, inspectors may want toobserve personnel performance.
Remote audits are generally considered more suitable forfirst-party audits (conducted internally by a company) andsecond-party audits (conducted by a customer) that involve low riskprocesses. This article will focus on how to support thesetypes of audits.
An Electronic Document Management System (EDMS) canbe an effective tool in supporting remote audits. Using EDMShelps reduce the cost and burden of supporting a remote auditby providing secure links limiting the access of the remoteauditor only to pertinent documents.
The advantage of secure links is that they offer a number ofalternative viewing options, such as prohibiting the printingof documents, or in circumstances where printing is notprohibited, watermarks, headers and footers can be configuredto mark the document 'confidential', or assign an expirationdate to the document.
Is remote audit possible for companies without EDMS?Perhaps, but with a certain level of difficulty. For a start, acompany that relies on paper documents will need to scanvoluminous documents just to enable them to be presentedremotely to the auditor. The quality and readability of thescanned documents might also be an issue.
At MasterControl, we are frequently audited remotely bycustomers and have conducted internal audits remotely. Ourquality and compliance software is designed to facilitate andstreamline both on-site and remote audits. Audit, as a keyquality process, is an integral part of what we do as a business.
The core of our customers belongs to life science,manufacturing and service-oriented industries throughoutthe world. They comply with some of the most rigorousregulations and standards that exist today. A majority of ourcustomers have audited us remotely and we have been ableto support these audits by allowing controlled access to ourdocumentation.
In accordance with industry practice, a company that is aboutto purchase MasterControl software may want to audit us toensure that we, as a company, not only meet the customer'sstandards and compliance requirements, but are able todemonstrate this to regulatory agencies. The purpose of theaudit is to assess and evaluate our policies, procedures andprocesses in order to assist the company in making its ultimatevendor selection. Follow-up audits may also be periodicallyscheduled as part of the company's corporate policy and vendoroversight programme.
In practice most companies that audit MasterControl submita list of detailed questions about our processes: our qualitysystem, CAPA process, our SOPs, manuals, etc. Based on ourresponse, the company will determine if it needs to do anon-site audit or not.
Over the years, MasterControl has prepared all theinformation that an auditor usually asks for in a singledocument. Within this document, we provide secure links fromour EDMS to policies, SOPs and other information. With justone click, the auditor will be able to view the latest policies,procedures and other documents they require. Web-basedtechnology allows the entire audit process to be conductedremotely. No need to travel. No need to spend unnecessarily(resource or expenditure) on conducting an on-site audit.
If additional information is needed, a video conference canbe scheduled to answer any additional questions.
A similar process is replicated when MasterControl conductsan internal audit of its own quality system. MasterControlhas offices in both Europe and Asia. Recently, our officein Basingstoke, England performed a remote audit of thecompany's departments based in the corporate headquartersin Salt Lake City, Utah. With remote audit, the distance of 7,799kilometers (4,846 miles) between the two offices was not anissue. The company was able to effectively conduct the audit,and save considerable time, effort and money in the process.
Is remote audit the wave of the future? Absolutely. It's the future forconducting first-party and second-party audits of low-riskprocesses that consist of documents, forms and records thatcan be reviewed from a desktop. Remote audit is a convenient,fast and cost-effective method of establishing compliance,making it suitable for follow-up and regular audits.
David Ade is the Customer Success and Reference Manager at MasterControl Inc. He has served as the company's Quality Manager and currently assists in overseeing MasterControl's quality system. He has also served as a Product Manager, specialising in training and validation products. He has over 17 years of quality assurance and IT experience in the life science industry. MasterControl provides software and comprehensive services (consulting, education and training, validation, implementation and project management, integration, hosted, technical support and configuration) to regulated companies world wide. The company has corporate headquarters in Salt Lake City, Utah; offices in both Europe and Asia; and international partners and resellers in Japan, South Korea, Thailand and the Netherlands.