Audit (formal) – the annual (at a minimum), ritual of providing objective evidence that a Quality System is established, being followed, and is effective. A good Quality System will support the regulation(s) and ensure that a company has consistent accuracy and precision in all they do.
Audit (informal) – the annual (at a minimum), ritual of hosting complete strangers or those who have been on-site so many times they are now acquaintances and providing them with procedures, documents, reports and records going back several years even though you are not operating under the same versions of the procedures now. This is a time when you spend your entire day(s) sitting in a meeting room answering questions and fetching more documents while your work piles up.
The fact is audits are necessary. However, just as we learned during the COVID-19 pandemic, that many people could perform their jobs perfectly well without getting in their car or on a train to come to the office, we have also seen that many audits can be done well…virtually. There is a place for both virtual and on-site audits.
So, what types of audits are being performed?
- Internal Audits. Not all companies are large enough to have an internal audit team or can satisfy the “no conflict of interest” requirement across departments. Internal audits are performed, at a minimum, annually. Although some companies audit departments individually, a full company Quality System Audit done over a few days can satisfy the annual requirement for all departments without any conflict of interest.
- Supplier Audits. Not all suppliers are equal. Based on risk and a company’s procedures, suppliers that are critical may be audited annually and high or medium-risk suppliers may be audited every 2-3 years. Self-audits and questionnaires are not appropriate for these suppliers. Contract manufacturers are always considered “critical” suppliers.
- Pre-Agency Audit. This audit is performed before the FDA or Notified Body scheduled audit to make sure the organization is ready and can fix any issues BEFORE the Agency Audit. This audit is preventative. When FDA issues nonconformances they may be published on the FDA website or the company may get a Warning Letter. A pre-audit can identify issues before they become Agency nonconformances.
- GAP Assessment Audits. These are generally performed when a company has made a decision to market their medical device in another country OR a new standard has been released (ex. EU’s new Medical Device Regulation). The audit is performed after updates have been made to ensure nothing was missed and the company is ready for their next Agency/NB audit.
- MDSAP Audits (Medical Device Single Audit Program). This audit is performed to decrease the number of countries that come to audit a legal manufacturer. The United States, Australia, Brazil, Canada, Japan and the EU have agreed to accept the results of an MDSAP Audit performed by any of the other countries. When an auditor performs an MDSAP Audit, none of the above country auditors should request to audit the manufacturer. A typical MDSAP Audit is 4-5 days. This can save the company 16-20 business days of being in an audit.
Setting Up a Virtual Audit
- Step 1: Choose a qualified auditor. Ask for a resume/CV, training certificates and the number of virtual audits performed.
- Step 2: Based on the size of the company and the number of products, agree on the number of audit days and dates.
- Step 3: Prior to the audit, an Audit Plan should be submitted to the auditee so they can prepare, or move things around, if necessary.
- Step 4: Agree upon Google folders, DropBox or some other repository so the auditor can have access to Quality System Documents that will be needed for the audit and start uploading the most recent version of the procedures, based on the agenda, into this space.
Performing a Virtual Audit
An Opening Meeting should be conducted each morning at an agreed upon time via Teams, Zoom or some other platform. Attendees should be documented.
- The initial Opening Meeting will generally identify principal employees, company history, device descriptions, facility tours or descriptions, identify the functions performed at the facility or any other facilities in scope of the audit and any other information deemed necessary. This is no different than what is discussed during an on-site audit.
- Subsequent Opening Meetings will follow-up on any nonconformances from the previous day, provide time for Q&A from both the auditor and auditees, and outline the activities for the day.
After each morning’s Opening Meeting, the auditor should spend time reading procedures applicable to the area being audited and taking notes. A list of questions and request for documentation / records to support compliance can be requested via e-mail. Audit trails should be followed just as if you were performing an on-site audit and the auditor should always be specific as to what records they wish to see. It is not acceptable to allow the company being audited to choose. If there was a previous audit report provided, the auditor should verify any previous nonconformances have been addressed.
A Closing Meeting should be conducted each afternoon/evening at an agreed upon time via Teams, Zoom or some other platform. Attendees should be documented.
- Any identified nonconformances should be discussed during the afternoon Closing Meeting to ensure that all objective evidence was presented and the requirements of either the regulation/standards or procedure was not met.
- During the Closing Meeting, the auditor may want to ask for a few documents / records to start the next day.
On the last day of the audit, a Close-out Meeting is conducted to go over all nonconformances and ensure everyone is in agreement. There should be no surprises in the Audit Report.
The auditor will either use the company’s Audit Report Template or one of their own templates. The report should clearly identify the audit as having been “virtual”. All documents reviewed, their titles and rev #s should be recorded. In addition to nonconformances, positives should be documented and recommendations. There should be a clear conclusion. When writing, keep in mind, Regulatory Agencies will be reviewing this report. The report is essentially the same as if an onsite audit was performed.
On-site or Virtual?
Virtual audits obviously save money on auditor travel. They can also allow company staff to work while being audited as long as the company has a good electronic document system and can easily find and upload, not only procedures, but requested reports and records. A virtual audit will not run smoothly if it takes hours for a protocol and report to be found and scanned or uploaded.
During a virtual audit, an auditor must ensure they are requesting objective evidence just as they would during an on-site audit and following audit trails. If necessary, they may need to get on a Zoom call more than just during the Opening and Closing Meeting.
For deep dive audits, companies should probably stick with on-site audits, however, if the audit has the proper amount of days and the company can quickly and easily provide requested documents, a virtual audit should go smoothly.