Virtual Audits: How to Provide Objective Evidence to Support Quality Medical Devices

Audit (formal) – the annual ritual of providing objective evidence that a quality system is established, followed and effective. A good quality system will support regulations and ensure a company has consistent accuracy and precision across all products.

Audit (informal) – the annual ritual of hosting vendors-turned-acquaintances on-site to provide them with procedures, documents, reports and records going back several years even though you are not currently operating under the same versions of the procedures (or, anything in the vicinity of similar). This is a time when you spend your entire day—or days—sitting at a conference table answering questions and fetching more documents while your work continues to pile up.

The fact is: audits are necessary. However, just as many pharmaceutical companies learned during the COVID-19 pandemic that many their employees could perform their jobs perfectly well from the comfort of their own home, we have learned that audits can also be managed virtually and that there is a place and time for both virtual and on-site audits.

What types of audits do pharmaceutical companies perform?

1. Internal Audits: Not all companies are large enough to have an internal audit team that can satisfy conflict of interest requirements across departments. Although some companies audit departments individually, a full company quality system audit can satisfy the annual requirement for all departments without any conflict of interest.
2. Supplier Audits: Not all suppliers are equal. Based on risk and a company’s procedures, critical suppliers may be audited annually and high- or medium-risk suppliers may be audited every two to three years. Contract manufacturers are always considered “critical” suppliers, and self-audits and questionnaires are not always appropriate for these suppliers.
3. Pre-Agency Audit: This preventative audit is performed before the FDA or notified body to make sure the organization addresses any issues before the agency audit. When FDA issues non-conformances, they may be published on the FDA website or the company may receive a warning letter. A pre-audit can identify issues before they become agency non-conformances.
4. GAP Assessment Audits: These are generally performed when a company decides to market their medical device in another country or a new standard has been released (for example, the EU’s Medical Device Regulation). GAP assessment audits are performed after updates have been made to ensure the company is ready for their next agency audit.
5. Medical Device Single Audit Program (MDSAP) Audits: This audit is performed to decrease the number of countries that can audit a legal manufacturer. The United States, Australia, Brazil, Canada, Japan and the EU have agreed to accept the results of an MDSAP audit performed by any of the other countries. When an auditor performs an MDSAP audit, none of the above country auditors should request to audit the manufacturer. A typical MDSAP audit lasts four to five days, which can save the company a total of up to 20 days of being in an audit.

How to Organize a Virtual Audit

• Step 1: Select a qualified auditor by asking for their resume/CV, training certificates and the number of virtual audits they have performed.
• Step 2: Agree on the audit schedule based on the size of the company and its number of products.
• Step 3: Submit an audit plan to the auditee prior to the audit so they can plan accordingly.
• Step 4: Grant the audit access to your quality system and documents necessary for the audit. Begin uploading the most recent version of the procedures, based on the agenda, into this space.

Performing a Virtual Audit

An Opening Meeting should be conducted each morning at an agreed upon time via Teams, Zoom or some other platform. Attendees should be documented.

• The initial Opening Meeting will generally identify principal employees, company history, device descriptions, facility tours or descriptions, identify the functions performed at the facility or any other facilities in scope of the audit and any other information deemed necessary. This is no different than what is discussed during an on-site audit.
• Subsequent Opening Meetings will follow-up on any nonconformances from the previous day, provide time for Q&A from both the auditor and auditees, and outline the activities for the day.

After each morning’s Opening Meeting, the auditor should spend time reading procedures applicable to the area being audited and taking notes. A list of questions and request for documentation / records to support compliance can be requested via e-mail. Audit trails should be followed just as if you were performing an on-site audit and the auditor should always be specific as to what records they wish to see. It is not acceptable to allow the company being audited to choose. If there was a previous audit report provided, the auditor should verify any previous nonconformances have been addressed.

A Closing Meeting should be conducted each afternoon/evening at an agreed upon time via Teams, Zoom or some other platform. Attendees should be documented.

• Any identified nonconformances should be discussed during the afternoon Closing Meeting to ensure that all objective evidence was presented and the requirements of either the regulation/standards or procedure was not met.
• During the Closing Meeting, the auditor may want to ask for a few documents / records to start the next day.

On the last day of the audit, a closing meeting is conducted to review the non-conformances to ensure all parties are in agreement.

Conducting a Virtual Audit Report

Virtual audit reports are essentially the same as if an onsite audit was performed. The auditor will either use a company’s audit report template or one of their own. The report should clearly identify the audit as having been managed virtually, and that all documents, titles and revisions were reviewed, and include the determined conclusion. When writing, keep in mind that regulatory agencies will be reviewing this report.

Should Your Company Use an On-Site or Virtual Audit?

Virtual audits are a cost-effective means to save money on auditor travel. They can also allow company staff to continue working while the audit is being conducted so long as the company has a good electronic documentation system. A virtual audit will not run smoothly if it auditors cannot easily find and upload, not only procedures, but when requested reports and records take hours to be found, scanned or uploaded.

During a virtual audit, an auditor must ensure they are requesting objective evidence just as they would during an on-site audit and following audit trails. If necessary, they may need to schedule virtual meetings in addition to the opening and closing meeting.

For deep dive audits, companies should probably stick with on-site audits, however, if the audit has the proper amount of days and the company can quickly and easily provide requested documents, a virtual audit should run smoothly.

DSI Consultants Can Help Your Virtual Audit Run Smoothly

Our team of experienced consultants can bring a minimum of ten years' experience to your company's next audit: on-site or virtual. Contact DSI today to learn how we can help launch your product quickly and seamlessly.