There are ways to prepare for on-site and remote audits that make them as efficient and hassle-free as possible. Here are some best practices from the USDM Audits team.
Summary
Whether an audit happens on-site or remotely, the difference between a clean visit and a list of findings usually comes down to preparation. This guide walks through the practices the USDM audit team relies on: planning ahead for the audit cycle, treating the agenda as a contract, naming a qualified backup, rehearsing with mock audits across every department, and using a secure content management system so documents and permissions are ready before the auditor arrives.
The audit team at USDM determined that more than 90% of audits contain some type of issue, so good preparation doesn’t always yield a completely “clean” audit, but it should significantly reduce the number of findings. These findings typically are not showstoppers; for example, in the past nine years, the USDM audit team had only five audits with findings that were critical enough to stop using the vendor’s services. There are also audits with absolutely no findings or recommendations.
The following advice was extracted from the Best Practices for Virtual Audits and Regulatory Inspections white paper released in January 2021.
Watch our on-demand webinar Virtual Audits & Inspections
Prepare in Advance
If you recently added a service or product to your core business and it’s aligned with your sales and marketing activities, then there is a good chance you will be hosting audits for the customers who are using these new services. There is also a good chance that you will be audited by your current customer base.
As your customers’ external qualification programs mature, there will be an increasing number of audit requests. If you have a history of audits from one particular customer, look at their frequency. If they are on a two-year cycle, then you will probably be audited every two years.
If you are new to your position and responsible for hosting audits, do your research and know what to expect for the upcoming year. Because so many of these audits are vendor and supplier qualifications, it helps to align your preparation with a broader third-party risk management program so the questions you answer for one customer are already documented for the next.
Preparation reduces findings, it doesn’t eliminate them. The goal of advance work isn’t a perfect audit, it’s an audit where every finding is minor, expected, and already on a path to resolution.
Take the Agenda Seriously
An agenda requests very specific items, including a list of documents that must be reviewed. If you do not make these items available to the auditors, they can recommend to their client that they stop using your services because you failed to comply. Take the agenda seriously! Don’t think that what YOU want to give an auditor is what THEY want to see.
Review the Agenda
Ensure that all items on the agenda are relevant; you have the right to challenge areas that you feel are irrelevant. Anticipate auditor requests based on the agenda and be prepared with documentation, demonstrations, and examples. Also, send the auditor a confirmation of the agenda with links to where the content is located and make sure that access to the content management system is granted in advance of the meeting.
Don’t think that what YOU want to give an auditor is what THEY want to see. The agenda is the contract — meet it on its terms.
Have a Qualified Backup
No matter how much time and effort you may have put in to preparing for an audit, there is always a chance that something will come up that prevents you from being available for the actual event. In case you can’t make it for the audit, or your internet goes down, designate another quality person or a manager who is aware of everything surrounding the areas of focus for the company. Implementing this best practice will give you peace of mind and it will provide the opportunity to mentor another employee in the audit process from beginning to end.
Overcoming Technological Interruptions
Whether it’s an on-site audit or remote, there is always the chance for technological interruptions. Our experience with audit interruptions includes internet and Wi-Fi issues, and not enabling permissions for the auditor to access your systems. Be sure to consider these and related possibilities during your mock audits.
Practice with Mock Audits and Include All Departments
When you conduct a mock audit, you are researching everything pertaining to your customer (for example, recent complaints, history of purchases, interactions with other departments), and notifying relevant departments of your findings.
Frequently, when environmental monitoring, laboratory, and warehouse employees are asked questions during an audit, they are surprised that they are part of the process. To prevent this and to enable them to be prepared, use a flip chart or whiteboard to write down everything the auditor needs to see that day. That way, they can be notified and ready for auditor inquiries. This “trick” works and it keeps the auditee and the auditor on the same page so there isn’t a litany of items to provide spur of the moment.
For remote audits, a content management system lets you share access to documents and assign tasks and deadlines. Establishing this workflow process during a mock audit is beneficial for all employees and ultimately the auditor. It also helps to ensure a good user experience and correct permissions are in place. We have had a lot of success with Box as our content management system in virtual audits. Box is a great solution for managing GxP and non-GxP content in one platform with security and compliance built in.
If AR/VR are being used for a remote audit, it’s wise to practice with the equipment during a mock audit to determine limitations and alternate options if there are issues, so be sure to include the IT team, and even your on-site safety officer.
A Four-Phase Audit Readiness Routine
- Plan. Map your audit cycle by customer, anticipate frequency, and align prep with your vendor qualification and risk program.
- Stage. Load SOPs, procedures, and records into a secure content management system and set the right permissions before the agenda confirmation goes out.
- Rehearse. Run a mock audit that pulls in every department the auditor may question — quality, lab, warehouse, environmental monitoring, and IT.
- Host. Clear your schedule, keep your qualified backup on standby, and have a plan for technological interruptions.
Send a Procedure Index to Your Auditor
Auditors appreciate an index of procedures in advance of the audit. Send them an index of the SOPs and procedures that are available. For remote audits, a content management system continues to prove its worth by enabling the uploading and sharing of documents ahead of time. The more prepared you are, the more prepared your auditor can be. When the records you share are electronic, make sure they hold up to 21 CFR Part 11 expectations and that your data integrity controls are demonstrable, because auditors will look closely at audit trails, signatures, and record completeness.
Clear Your Schedule
For on-site and remote audits, reduce interruptions by clearing your schedule for the designated time period. The whole process goes much smoother when the auditor can quickly find you to ask questions. Organizations that treat readiness as an ongoing state rather than a once-a-cycle scramble — the goal of a continuous compliance approach — tend to walk into every audit with documentation already current.
Read the Best Practices for Virtual Audits and Regulatory Inspections white paper in its entirety to learn how technologies like electronic/cloud content management systems, secure conference services, augmented reality, virtual reality, and 360-degree view cameras fit into the ever-changing audit environment.
For more information about navigating global regulatory requirements, visit the Audits and Assessments page on our website.
Here is a preview of our May 2021 webinar. Watch the full-length on-demand webinar Virtual Audits and Inspections
Access the full-length on-demand webinar: Virtual Audits and Inspections
FAQ: On-site and Remote Audit Best Practices
How far in advance should we prepare for an audit?
Start with your audit history. If a customer audits on a known cycle — say every two years — plan for it well before the request arrives. If you are new to hosting audits, research what to expect for the upcoming year so the first request isn’t a surprise.
What is the most common mistake during audit preparation?
Giving the auditor what you want to show instead of what the agenda asks for. The agenda specifies the exact documents and areas to be reviewed; failing to make those items available can lead an auditor to recommend their client stop using your services.
How do mock audits help?
A mock audit surfaces gaps before the real one. It also prepares departments — lab, warehouse, environmental monitoring, IT — that are often surprised to learn they are part of the process, and it lets you validate that your content management permissions and workflows actually work.
What makes remote audits different from on-site audits?
Remote audits depend heavily on a secure content management system to share documents, assign tasks, and grant access ahead of time, and they introduce technological risks like connectivity or permission failures. Some also use AR/VR or 360-degree cameras, which should be rehearsed during a mock audit.
Why does electronic record compliance matter during an audit?
Auditors scrutinize audit trails, electronic signatures, and record completeness. Records shared electronically should meet 21 CFR Part 11 expectations and have demonstrable data integrity controls so reviewers can trust what they see.
Make Audit Readiness a Standing Capability
USDM helps life sciences companies turn audit preparation into a repeatable, continuous practice — from vendor qualification and content management to data integrity and electronic records compliance. Contact us to talk through your next on-site or remote audit, or explore our Audit Readiness and Continuous Compliance services.