RAPS is closely monitoring developments in the Coronavirus (COVID-19) outbreak. See our public safety page for the latest updates.

Regulatory Focus™ > News Articles > 2020 > 4 > Optimizing remote internal quality audits

Optimizing remote internal quality audits

Posted 23 April 2020 | By Tammy M. Pelnik, MS 

Optimizing remote internal quality audits

Credit: NIAID-Rocky Mountain Laboratories

This article provides tips and techniques for effective, risk-based remote internal quality auditing methods in a good manufacturing process (GMP) quality management system. The author covers the circumstance in which a “virtual” audit may be necessary or desirable as opposed to an on-site audit and discusses potential challenges when auditing off-site and how to overcome them. She emphasizes good communication skills, discusses the characteristics of various internal audit methods, how to prepare for remote internal audits and concludes remote internal auditing can support ongoing operations and improve audit effectiveness during unusual times or in the normal course of business.

Introduction

Internal quality audits are an essential aspect of the checks and balances in a medical device or pharmaceutical quality management system (QMS). Whether by design or by happenstance, manufacturers may need to start planning a remote internal auditing process. Fortunately, there are methods and techniques for bolstering the effectiveness of remote internal audit program and embracing the nature of remote audits can help a company not only maintain GMP compliance, but also discover hidden issues in the QMS. While remote internal audits are somewhat different in terms of logistics and planning, they can be equally insightful as on-site internal audits.

Internal quality audits allow a manufacturer’s executive management to determine if its established QMS is effectively supporting the organization’s overall quality objectives. Evaluating consistency of high-quality product and service delivery to customers depends on access to data and objective assessments of compliance. Medical device and pharmaceutical GMP compliance relies on internal quality audits as a means of objective self-assessment. Internal quality audits, also known as “first party audits,” entail independent evaluation of both compliance of established procedures to baseline GMP requirements and also effective implementation of the QMS.1 For manufacturers with mature QMSs, internal audits reveal exceptional performance in instances where the baseline is surpassed.

Internal quality auditing is a regulatory requirement established in regulations, standards and guidance by FDA (Quality System Regulation, Guidance on Quality Systems Approach to Pharmaceutical CGMP Regulations), ISO 13485:2016 and ICH Q10, among others.2-5 Good practices in internal audits include planning for comprehensive QMS audits, independent evaluation of objective evidence, use of qualified, independent auditors, clear communication and assignment of audit follow-up/improvements to management of audited areas and formal reporting of audit results.6

While basic principles of internal quality auditing are universal, auditing practice varies widely across organizations. The auditing program in small, single-site companies is typically simple in comparison to large, geographically dispersed firms. Factors contributing to the design of the auditing program include scope and maturity of the QMS, product risk and variety of product lines, numbers of facilities, amount of outsourcing in development and in product realization and quantities and capabilities of staff. Risk-based QMSs account for these factors to define comprehensive, appropriate internal auditing processes.

Approaching auditing can be a matter of preference or necessity. When faced with the challenges of remote work for all but essential employees, a manufacturer’s quality management team has the option of incorporating remote internal audits, or delaying planned audits, unless remote auditing has already been implemented. Maintaining the planned audit schedule during a period of changing work practices may be the best choice. Internal audit results can offer objective proof that work is proceeding within the QMS and can highlight areas needing immediate improvement. Sometimes a rapid change in work practices, such as a quick decision to revert to most employees working from home, can lead to creative approaches to “make do” with less than ideal circumstances. In the moment of “making do,” performance may suffer. How will a management team have assurance that work is proceeding under the intended QMS controls? Internal audits offer a solution.

Opportunities to exploit remote internal auditing abound and the approach could prove to be both a benefit, from an audit effectiveness perspective, and a cost-saving approach for the company. However, a company’s QMS may need adjustments to adopt remote internal auditing, depending on how the audit program is defined and the capability of available resources.

Basis for remote internal quality audits

Various tools for working remotely, including teleconferencing, provide an opportunity for implementing remote auditing as a part of the internal quality auditing program. Remote auditing depends on availability of technology to support live, interactive conversation/interviews and being able to review documents and data. Technology can facilitate eye contact between the auditor and auditee and support simultaneous viewing of static documents and dynamic data management systems. Current international auditing guidelines address remote audits, in contrast to historical auditing guidelines that preceded commonly-available teleconferencing tools (i.e., ISO 19011:2018 vs ISO 19011:2002). 7 The Medical Device Single Audit Program (MDSAP) recently launched a pilot hybrid remote and on-site auditing program.8 Further, both the EU Medical Device Coordination Group and International Medical Device Regulators Forum recently issued guidance for remote Notified Body Medical Device Directive audits and remote MDSAP audits under certain circumstances, all due to travel restrictions related to the COVID-19 pandemic.9,10 These developments illustrate an emerging change in the presumption that every audit necessitates an in-person, on-site experience. In a risk-based internal quality audit program, remote audits can play a substantial role.

A remote internal audit, sometimes called a “virtual” audit, is not the same as a “desktop audit.” Table A illustrates the differences between these audit methods. Throughout the remote audit, the auditor(s) is guiding the process, using risk-based criteria to direct the auditees to produce and display data and documents according to sound sampling principles. If operational area “walk-throughs” are a part of the audit scope, the auditor describes what to display and where. A remote audit will include dynamic adjustments to the auditor’s interview questions and subsequent records requests based on the information gleaned. Remote auditors are “following an audit trail” once the information presents a trail to follow. A desktop audit is most often driven by a pre-existing checklist focused on procedural compliance, not on effective implementation of those procedures. A desktop audit can happen in isolation, whereas a remote audit cannot.
Table A. Characteristics of Various Internal Audit Methods
Remote Audit Desktop Audit
  • Contemporaneous, guided interview with auditee(s), using teleconferencing
  • Guided review of documents and data conducted with screen or file sharing
  • Records and data selected by the auditor using a risk-based approach and sound sampling techniques
  • Guided walk through of operational work areas using appropriate live, mobile technology (where appropriate to audit scope)
  • May incorporate aspects of desktop auditing (i.e., review some documents or data in isolation to prepare for or refine interviews and records requests)
  • Review of a documents versus a set of regulatory requirements conducted without Subject Matter Expert interaction
Every Internal Audit Method
  • Risk-based process prescribed by procedure
  • Approach is based on shared objectives of auditor(s) and auditee(s) to evaluate their own QMS according to the audit scope
  • Scope and schedule pre-defined
  • Conducted by independent, qualified auditor(s) in a professional, ethical manner
  • Findings based on objective evidence
  • Produce written reports
  • May lead to corrections, corrective actions, preventive actions, or other follow-up (e.g. re-audit or changes to audit intervals)
 
Is the organization ready for remote internal quality audits?

If the company has not previously employed remote internal quality audits, several aspects of organizational readiness should be considered. They include audit process definition, infrastructure and auditor competence. Each plays a role in supporting the ongoing effectiveness of an internal audit program.

Depending on the specificity of internal audit procedures, the QMS may need updating to address the company’s choices in adopting remote internal auditing. Figure 1 illustrates some of the questions to consider related to QMS readiness. If any of the questions have a “yes” answer, the QMS needs to be updated to remove stipulations presuming a physical presence of auditors, auditees, documents and records.

Figure 1: Considerations for QMS readiness





If the company has a significant work-from-home culture, its infrastructure may be fully suited to remote auditing. A mature “tele-work” infrastructure might exist in companies with a geographically dispersed workforce, those that are virtual and rely on suppliers to perform most GMP activities, and those producing software as a medical device products and where the development and production processes are electronic and often cloud-based. When virtual meetings are routine, or when a company has a fully electronic document management system, the infrastructure may be capable of supporting remote auditing. In other cases, the existing support for remote work, and thus for remote auditing, may be rudimentary. Infrastructure adjustments to support remote auditing could include:
  • providing secure teleconferencing tools for staff
  • ensuring staff have sufficiently robust internet services for remote access
  • evaluating security for remote intranet access
  • establishing a secure document sharing location for auditors
  • updating policies and procedures related to document and data access, sharing, and related controls

If substantial infrastructure improvements are necessary, this may lead the organization to pursue a specific resource planning activity and prepare a quality plan for the infrastructure improvement effort. Company information security is paramount and using open source teleconferencing products may violate company policies and good practices, so planning should not be avoided.

Auditor competency is a basic QMS requirement regardless of audit method. Assuming that the internal auditor(s) is fully qualified to conduct audits, competency for remote auditing also includes technology fluency and communication skills. For a successful remote audit, the auditor needs to be capable of both establishing meetings using the tools defined by the company and trouble-shooting the tools when issues arise, such as when Internet connections are intermittent or have insufficient bandwidth to support an effective audit.

Further, every successful audit relies on the auditor’s ability to establish trust with auditees. The auditees must trust the audit will be conducted professionally, the auditor is objective with no hidden agendas, the audit purpose and scope reflect what the auditor will be reviewing and the results will be a fair assessment based on objective evidence. Without trust, the auditor has little chance of achieving a meaningful and accurate assessment of QMS effectiveness. The remote aspect of an audit challenges an auditor’s communication skills, requiring the auditor needs to build rapport and trust through a computer monitor’s screen.

Similarly, an internal auditor working remotely has increased reliance on the auditee to manage the electronic access to information, as directed by the auditor. From afar, the auditor needs the ability to direct the auditee in a manner that results in a meaningful evaluation of the auditor’s selected information. Strong communication skills are an essential capability for remote internal auditors.

Audit scheduling and planning

Internal quality auditing is a risk-based process. As such, an audit schedule is typically based on several factors, such as product risk and complexity, maturity of the QMS, structure of the organization and previous audit results. Higher risk areas may have more frequent audits or larger audit teams assigned. Considering the remote audit method as another risk factor may result in more robust audit schedules. For example, if an organization is initiating use of remote audits for the first time, the schedule might start with several audits that do not include an area walk-through component, reducing the auditor and auditee’s technology start-up burden. In every QMS there are some processes where the audit entails interviewing staff who perform and manage the process, and evaluating the documents, records and data related to the process. Processes such as supplier management, corrective and preventive action, or management review are easily audited without observing a review board or executive management review meeting. These types of processes are good candidates for initial remote audits, as the primary difference with an on-site audit is the experience of the audit interactions through a screen. As long as the records and data are accessible remotely, either audit method applies in the case of a purchasing controls audit.

Similarly, an audit schedule could separate audit scopes in such a way that records-based activities take place separately from work area-based activities (i.e., sequentially). Alternatively, schedules might reflect a hybrid of remote and on-site audits or might establish audit teams which include both a remote and an on-site presence to reduce the on-site facility impact. Sequential or hybrid scheduling schemes may be necessary when auditing certain product realization processes, such as production or product testing. When close observation of the work being carried out is an important aspect of the audit, but environmental controls prohibit introduction of additional technology to maintain environmental conditions, sequential or hybrid scheduling is an option. When an organization’s scope makes a fully remote internal auditing program impractical, a combination of methods is possible and, perhaps, even desirable.

Once the audit schedule is established, each audit needs a clear plan, including the purpose, scope, basis of requirements, timing, method and auditor role(s).11 Table B illustrates some additional considerations for remote audit planning when the auditor is a part of the site under audit, versus when the auditor normally works elsewhere and is unfamiliar with the corporate office or sister company staff.

Recognizing any additional logistical support needed to adopt remote internal audits is important for ensuring audits continue to be effective and objective assessments of the QMS.
Table B. Planning Implications of Auditor Site Familiarity
Internal Auditor With Site Familiarity Internal Auditor Without Site Familiarity
Auditor knows staff and can identify relevant managers and subject matter experts (SMEs), is likely to know where records are stored and how data is accessed. Auditor needs support to identify relevant staff for the audit.
Auditor needs access to SME while planning to identify relevant record-keeping systems in advance of audit.
Auditor has access to calendar system and can schedule audit time blocks based on availability of all parties. Auditor needs support to coordinate between auditees and to schedule audit time blocks
Auditees are familiar with auditor and can address subsequent scheduling issues directly. Auditees need an intermediary or additional contact information to coordinate rescheduling.
When auditor is remote and auditee is “on site,” auditor’s familiarity enhances any work area walk-through activities.
Auditor familiar with on-site infrastructure and can help trouble-shoot if needed during audit.
When auditor is remote and auditee is “on site,” auditor may need additional information such as floor plans to support any work area walk-through activities.
Auditees have all responsibility for on-site infrastructure trouble-shooting during audit.
 
If the site under audit is not the remote auditor’s normal work site, the auditor needs a site facilitator to help define and arrange audit logistics. In addition, if the auditees are at a work site while the remote audit is underway (i.e., essential employees unable to work remotely), they bear the responsibility of resolving technology glitches at the site during the audit.

Audit conduct

Remote audits introduce a few practical but atypical issues for an on-site audit. The first issue is in defining the “audit “day.” Consider a two-person audit team with a very full one-day audit scheduled. Auditor A is on Eastern Standard Time, Auditor B is on Mountain Standard Time and the Auditee is on Central Standard Time. If the audit were happening on-site, the auditors would convene at the audit location at the designated time in the Central Time zone. Being spread out across the nation, how do the auditors now address their very full audit day? In this scenario, the concept of a “standard” workday will not apply for two of the three people involved. Clearly, coordination and flexibility are needed from the start of planning through audit conduct.

Second, enabling remote access to proprietary information is a business risk requiring careful cybersecurity consideration. This includes determining how auditors will address technology issues during the audit. On-site auditors may have options available that are not prudent remotely (e.g., “I’ll just email this file to you instead” bears a different risk from a remote location). During an audit, the auditors need to be aware of inherent risks in their work, based on the audit method and tools.

Third, it is especially important to consider the practical nature of communicating across technology for hours a day. Scheduled, regular breaks become even more important when computer-mounted cameras have a smaller field of view and non-stop sitting is a requirement.

Impact of remote auditing

Depending on the structure and maturity of a manufacturer’s QMS, there could be a near-term remote internal audit “start-up cost.” Figure 2 illustrates the activities previously described that may be necessary to prepare for remote auditing where addressing any necessary changes requires resources.

Figure 2. Preparing for remote internal audits



Remote audits, versus the traditional on-site audit method, also present additional opportunities. For example:
  • When faced with unplanned contingencies that render on-site internal audits impossible, remote methods support continued objective evaluation of QMS effectiveness.
  • When operational contingencies result in rapid, unanticipated changes in key QMS areas (e.g., qualifying new sources of raw materials to localize the supply base), remote internal audits can provide agile, near-term assurances of adequate controls regardless of work-site restrictions and potentially reducing business and personnel risks in a rapidly changing situation.
  • For manufacturers with geographically dispersed or substantially outsourced GMP activities, audits of product realization can be more easily scheduled based on a product’s lifecycle (i.e., from raw material through finished product distribution), regardless of the entity or location accomplishing each step in the lifecycle. Planning for an audit scope that spans product realization activities provides a broader evaluation of the interrelationships of QMS processes, departmental functions, suppliers and the information exchanged between them. This approach is often impractical and not considered when auditing in person.
  • Similarly, manufacturers of software as a medical device (SaMD) products and providers of services that are delivered virtually (e.g., complaint handling, production and delivery of electronic products and product labeling) often rely solely on electronic tools to complete and record activities. Their QMSs are good candidates for remote internal quality audits and present opportunities to reduce audit overhead.
  • For corporate-level QMSs, a traditional internal audit focuses one site at a time. When remote auditing is adopted, internal audits might be scheduled to focus on a single QMS topic (e.g., design and development) but across multiple sites simultaneously. This approach may reveal systemic QMS deficiencies not evident when focusing on one site at a time.
  • Larger companies with physically dispersed audit teams can realize significant reduction in travel time and expenses by incorporating remote internal audit into their program.
  • With dispersed audit teams, including a technical expert or translator, whose contribution may be helpful for a few hours during an audit, is less costly for the company when travel is eliminated, and more efficient for the expert.
Conclusion

Sporadic geologic events, such as volcanic eruptions have grounded air travel in the recent past. At the time of this writing, the COVID-19 pandemic is causing extensive changes in work practices, with employees deemed nonessential required to work from home in many companies. These types of events can render typical in-person, on-site internal quality auditing impractical or impossible. Nonetheless, for a company that is continuing critical operations, internal audits are an invaluable tool in maintaining assurances of consistent QMS compliance. Remote auditing can mitigate increased compliance risks of on-going delays in planned internal audits. Further, additional benefits from innovative audit scheduling approaches, expanded options for involving experts to augment auditor teams, and reduced overhead are possible with remote auditing methods regardless of periodic crises or world events.  Adopting remote internal auditing can support ongoing operations and improve audit effectiveness both during unusual times and in the normal course of business.

References
  1. International Organization for Standardization (ISO). Guidelines for Auditing Management Systems. ISO 19011:2018(E). Third edition.
  2. Quality System Regulation: Quality Audit. 21 CFR 820.22. FDA website. https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart=820  Accessed 23 April 2020.
  3. Guidance for Industry, Quality Systems Approach to Pharmaceutical CGMP Regulations. September 2006. FDA.
  4. International Organization for Standardization (ISO). Medical Devices: Quality Management Systems—Requirements for Regulatory Purposes. ISO 13485:2016.
  5. ICH Harmonised Tripartite Guideline: Pharmaceutical Quality System—Q10, 4 June 2008. European Medicines Agency.
  6. Op cit 1.
  7. International Organization for Standardization (ISO). Guidelines for Quality and/or Environmental Management Systems Auditing. ISO 19011:2002(E). First edition.
  8. MDSAP Regulatory Authority Council. Remote Auditing Pilot Program. MDSAP AU P0036.001. January 2020.
  9. EU Medical Device Coordination Group (MDCG). Guidance on Temporary Extraordinary Measures Related to Medical Device Notified Body Audits During COVID-19 Quarantine Orders and Travel Restrictions. April 2020.
  10. MDSAP Regulatory Authority Council. Temporary Extraordinary Measures Related to MDSAP Audits During COVID-19 Quarantine Orders and Travel Restrictions. Remote Audits. March 2020.
  11. Op cit 1.
About the author

Tammy M. Pelnik, MS, has spent more than 27 years working in quality management and quality assurance for medical device and drug-device manufacturers. She is president of St Vrain Group, Inc., a Colorado-based consulting firm, providing cost-effective QMS implementation, creative QMS strategic planning, QMS auditing and innovative compliance training. Pelnik is an IRCA principal QMS auditor and an ASQ certified manager of quality/organizational excellence and quality engineer. Pelnik may be reached at pelnik@stvrain.com or through LinkedIn.

Cite as: Pelnik T M. “Optimizing remote internal quality audits.” Regulatory Focus. April 2020. Regulatory Affairs Professionals Society.
 

Regulatory Focus newsletters

All the biggest regulatory news and happenings.

Subscribe