Preparing for an Audit MANAGING US FDA INVESTIGATIONS Based on a UL EduNeering eLearning course, authored by the experts at EduQuest (www.eduquest.net)

Post on 25-Feb-2018

Few business sectors are as closely regulated or scrutinized as the Pharmaceutical,

Biologics and Medical Device industries (Life Science). The growing complexity of

technologies and the continued globalization of markets and supply chains will only

intensify the attention of regulators, particularly in the area of product quality.

All Life Sciences facilities, regardless of location or product risk, will be inspected. The

majority will be inspected multiple times by inspectors with significantly different

approaches, areas of expertise and regulatory responsibilities. According to federal law,

FDA has the right to inspect all drug, biologic and medical device manufacturing facilities

and all equipment, materials, documentation, and packaging and labeling, at reasonable

times and in a reasonable manner.

FDA will conduct an inspection of a company for several reasons.

Pre-approval Inspection (PAI) - FDA conducts inspections prior to the approval of a New

Drug Application (NDA) or sometimes for an Abbreviated New Drug Application (ANDA).

In the case of medical devices, the PAI may precede the approval of a Premarket Approval

(PMA) or 510k Application. For biological products, the PAI will be conducted prior to the

FDA approval of the Biologic License Application (BLA).

General GMP - FDA requires that general GMP inspections be performed on a periodic

basis to ensure a company is operating in accordance with cGMP regulations.

For Cause - These inspections are performed as a result of complaints, recalls, or regulatory

actions and focus on specific areas of concern. For cause inspections tend to be very

intense and detailed.

Quality System Inspection Technique (QSIT) - Manufacturers of biomedical products,

especially medical equipment, are subject to routine inspections of their quality systems by

FDA. These inspections do not initially focus on specific problems within a facility. Instead,

the QSIT employed by FDA examines the quality control procedures as designed by facility

management and implemented over the whole of the manufacturing process.

PART ONE: Preparing for an Audit – What You Need to Know

Expecting an Unexpected Inspection

Preparation is essential for any audit or investigation, especially because of the escalating

complexity and overlap of global quality regulations. Life Science companies that

serve multiple national markets or rely on dispersed supply chains will commonly

face compliance challenges from regulatory agencies including the US Food and

Drug Administration, European Commission, international organizations such as the

International Committee on Harmonisation, the International Standards Organization and

national governments.

The FDA’s Quality System Regulations (21 CFR 820 for Medical Devices and 21 CFR 210-211

for Pharmaceuticals) are generally considered the most stringent and serve as the basis for

many other countries’ regulations. As a result, they can have the greatest impact on a Life

Science company’s ability to market and sell its products. Notwithstanding that common

use, it is important to recognize that different countries impose additional regulatory

requirements.

Although the FDA often provides notice in advance of a planned audit, it is not required to

notify managers within the US. In Europe, FDA inspectors routinely give companies three to

four weeks' notice that they intend to inspect a specific facility.

Trends in Regulatory Enforcement

Regulations do not remain static. Rather, they are continually redefined and readjusted by

issues as diverse as legislative pressures and technology advancements. Since 2010, three

important trends that have affected global regulatory compliance are the FDA’s foreign

inspection program, the heightened attention to adverse events and pharmacovigilance,

and quality in the supply chain. Importantly, the Food and Drug Administration Safety and

Innovation Act (FDASIA), which was signed into law in July 2012, enables FDA to identify

facilities involved in the manufacture of generic drugs and associated APIs. Until that time,

FDA did not have a formal list of facilities manufacturing APIs globally.

In the United States, the FDA has been under pressure by the US Congress to increase the

stringency of its approval process, especially for medical devices and inspection frequency,

both domestic and foreign. By the end of 2014, FDA had foreign offices in China, Europe,

India, Latin America, and in the Asia-Pacific.

Recent, highly publicized product recalls and legislative attention have called product safety

and quality into question by regulators, legislative bodies and the public at large. The

result has been expanded regulations related to after-market adverse events. Companies

are being held to higher standards for pharmacovigilance through defined reporting and

recordkeeping requirements. Manufacturers should expect the trend to continue and

intensify.

A related issue of growing concern to regulators is the manufacturer’s supply chain. The

vast majority of Medical Device and Pharmaceutical companies rely on supply chains that

cross national borders. The company’s suppliers may, in turn, use multiple subcontractors

that the brand manufacturer rarely knows or has direct control over. Despite that, the

brand company has ultimate responsibility for product quality and safety, making careful

oversight of suppliers and contractors imperative.

What to Expect From an Auditor

Auditors have vastly different backgrounds and approaches. Understanding what to expect

from an auditor is an important step in undergoing a successful investigation. A former

FDA inspector with extensive experience conducting investigations and working with

counterparts in other regulatory agencies offers insight about the auditors assigned to

inspect Medical Device facilities.

An auditor will typically hold one or more advanced degrees (PhD or MSc level) and

five years of experience as a physician, pharmacist, scientist, microbiologist or chemist.

Increasingly, for Medical Device companies, an auditor may be a chemist/chemical engineer

or engineer. Above all, the vast majority of auditors will be highly professional and should

be treated as such.

FDA auditors in particular are trained in diverse areas. Some of those areas are expected

– drugs and devices, FDA law, Code of Conduct and ethics – but other areas of training

may not be. FDA auditors are trained in evidence gathering, techniques for obtaining

information, sample collection and sterilization and validation. Auditors may also have

specialized expertise in a broad range of subject areas including mechanics and electronics,

plastics, chemistry and biocompatibility, clinical evaluation, ionizing radiation,

software and process validation. In particular, many auditors have become

expert in validation.

It is critical that manufacturers assign people to the audits who are equally capable in

the auditor’s area of expertise. Remember that a manufacturer has the right to ask about

the educational and professional background of the auditor who is assigned to conduct

the audit. The auditor does not have to provide that information but it is worth asking. A

company armed with that basic information may be able to focus their preparation activities

on areas in which the auditor is likely to be most interested and knowledgeable.

Manufacturers can expect auditors to arrive at each inspection well-armed with information

about the history of the facility and the company’s other operations. An FDA auditor, for

example, will routinely review previous inspection reports to determine the focus of earlier

audits and findings of noncompliance. If the company has had a noncompliance issue in the

past, the auditor will concentrate on the Corrective Action Plan (CAPA) that it developed to

address those issues. Critically, the auditor will want to determine the current status of the

company’s compliance with the CAPA.

Companies can expect the inspections to last from four to five days, with each subsystem

flowing into the next. Auditors may also examine material control, document/record/

change control, and facility and equipment control. Controls over suppliers and

subcontractors have become an area of heightened scrutiny. That scrutiny is expected

to intensify going forward and companies are encouraged to develop risk-management

strategies for their supply chains.

An overriding rule of thumb: inspectors will be professional and prepared. It is critical

that the company approach the audit with equal professionalism and preparation.

The Starting Point: Knowing What to Expect

A regulatory audit can be challenging, even for a well-operated facility with no history of

noncompliance. Preparation for an audit is essential, beginning with a base of knowledge

about prevailing regulations and trends, the audit components and the preparation of the

auditor. From this base, companies will be able to move forward in a systematic process that

includes things to do before the audit, key considerations during the audit, and important

activities to conduct after the audit.

Audits represent an inescapable reality for Life Science companies. Many companies

view them simply as a necessary evil. More forward-looking organizations recognize the

value audits can bring to their operations by focusing attention on areas of improvement,

identifying emerging issues, and introducing policies and procedures that proactively

address industry and regulatory trends. In a fast-changing world with growing competitive

and performance challenges, the way a company views an audit may well signal how it

achieves its larger business goals.

PART TWO: Preparing for an Audit – What You Should Do

What the Auditor Already Knows

When a regulatory auditor arrives at your door, he or she will be prepared. The auditor

will have reviewed the facility’s product specifications, its production processes and its

compliance history. Before the first “Hello,” the auditor will know the focus and findings

of the last auditor, any recalls of products from your plant or even a nonrelated facility

using the same suppliers, and any quality problems noted at your company’s other

facilities. You have to be just as well-prepared. Good preparation for a regulatory audit

involves practical actions that extend from the CEO’s office to the shop floor and loading

dock.

Step 1: Knowing the Rules

In most cases, audit preparation must be completed within a tight schedule. At

the same time, the facility must continue its operations with minimal disruption.

Meeting both objectives requires a systematic approach to a multifaceted endeavor.

Ensuring that none of these multiple tasks “fall through the cracks” begins with a clear

understanding of the scope and range of the upcoming audit.

All regulatory organizations define the range and scope of their audits. The FDA,

for example, requires that its auditors be given access to a broad cross-section of

materials and sites within the organization. It is important to understand what you

must show and what can remain confidential. To complicate things, sometimes both

types of information are contained in the same document. For example, a company’s

competency forms may include the salary paid to the employee. Auditors have the

right to see the competency form but salary information is privileged. Before you hand

an auditor a document or open an area of a facility, make sure you are not exposing

confidential or privileged information.

Based on the audit scope, you may be able to identify areas of the facility likely to come

under scrutiny. It is important to remember that auditors typically have considerable

leeway in conducting their investigations. Some auditors will simply pop their heads

into an office as they walk past, stopping to ask the person behind the desk a quick

question. That small aside may not have been part of the auditor’s plan but the

possibility should be part of your preparation.

Step 2: Training Everyone

Training is a fundamental component of any preparation plan. Everyone in the

organization requires training about what the audit means, why it is important, what

the auditor may be looking for and how to respond. Some of the most important points

to make during training include:

• Which regulatory agency is conducting the audit and what is the scope of the audit? Employees should be advised about the regulatory authority, the applicable

regulations and the type of audit (routine, surveillance, for cause or for approval of a

new product).

• What are the consequences to the company from a report of noncompliance? You

should explain why the audit is important and what the consequences are to the

company from noncompliant activities. An audit involves everyone in the company

and depends on the actions and compliance of everyone.

• How does an audit work? Training should outline the audit process, particularly

when a significant number of employees have never experienced one. A virtual

walking tour can help to clarify the actual procedures. It can be helpful to describe

the most likely procedures: document review, interviews, process inspections and

equipment examinations. Employees should know what to expect and the

variations that might occur. We know of some auditors who prefer to use a central

office, bringing in documents to review and individuals to interview. Other auditors

choose to move around the facility, stopping in at offices to speak with personnel

and asking to see where documents are stored. The more information employees

have about the auditor’s background, areas of expertise and past approach, the

better prepared they will be to handle the inevitable pressure of an audit.

• What types of information must be made available to the auditor? Everyone in the

organization needs to understand what the auditor is entitled to see. The company

must make clear that it is not attempting to “hide” information or activities from the

auditor; rather, it is arming employees with the information they need to respond

appropriately to the auditor’s requests.

• Do employees have to answer the auditor’s questions? In most cases, yes, but

employees are not required to provide additional information. Many employees

are justifiably proud of their work and, when asked a specific question, may want

to explain far more than is necessary. It is important to remind employees that they

should answer questions without providing extended, unrequested explanations that

might trigger new questions in the auditor’s mind.

• Are employees required to do anything different, such as wear different clothing?

For example, you may want to stress the professionalism of the auditor and the

company’s expectation that personnel look and act equally professional. Similarly,

it is important to stress regular housekeeping. An open package of snacks on a

desk, an office with stacks of papers on the file cabinet, a pair of dirty boots by the

door – all can give the impression of carelessness or sloppiness. Housekeeping is

important! An auditor might conclude that the same attitude and conditions extend

to the production line. Managers in areas likely to be under scrutiny should also be

reminded to check drawers and cupboards. Auditors have been known to open both,

often to the chagrin of the department manager.

• What is the company doing to prepare for the audit? Employee training should

include an explanation of what will occur before the regulatory audit, particularly if

the company plans to conduct a thorough internal audit. The company may also

consider “refresher” training before the scheduled audit, both to remind employees

of key points and to update them about relevant issues uncovered during the

internal audit and actions the company has taken to resolve those issues.

A subject that has proved uncomfortable for many is training for corporate officers. Often,

the decision is made to retain an outside organization to train senior executives and

board members as a way of ensuring the most objective, straightforward presentation

possible. Corporate officers need to understand the parameters of the audit, any past

compliance violations or issues, and the auditor’s area of expertise. Like every other

member of the organization, corporate officers should be reminded of their roles in

creating a good impression of the company through their interactions with the auditor.

Step 3: An Internal Audit

An internal audit can be invaluable in identifying and resolving potential noncompliance

issues before the regulatory inspector arrives. An effective internal audit adheres to several

key principles. First, an internal audit is not synonymous with a “mock audit” designed

to serve as practice for a regulatory audit. Second, SOPs must comply with the entire

relevant regulation, not merely one small piece of it. Third, even though the regulatory

audit may be part of the company’s quality management system or adherence to good

manufacturing practices, audits frequently include assessments of compliance with other

requirements.

There are a number of factors that will determine the accuracy and value of an internal

audit. First and foremost, the company’s standard operating procedures (SOPs) must

include how an internal audit will be conducted. Armed with a robust internal audit,

a company should not have major surprises during an audit by the FDA or another

regulatory agency. Such an audit will have components that include the following:

• Effective SOPs: Standard operating procedures must be checked in content and in

execution. Often overlooked is the physical location of SOPs and the access employees

have to them. Consider, for example, an SOP that is located too far away from the

employee’s work site to offer easy reference. Similarly, consider an auditor’s reaction if

an employee simply didn’t know where a particular SOP was stored or if it were simply

missing. No matter how well crafted, an SOP will fail compliance if it cannot be readily

accessed.

A related issue can emerge when “the way it’s done” is not the way the SOP is

written. Most often, the difference between the two is a cause for renewed training

of employees in SOP compliance. Companies may want to consider another

possibility, however. In some cases, employees with the greatest experience with

a particular process have found a better way to accomplish the task. Companies

may want to consider an alternative to compliance with the SOP. In some cases,

firms have discovered that changing the SOP makes more sense than changing the

employee-developed procedures to comply with a less effective SOP.

• Review of Regulations: Compliance requires adherence to a complete regulation,

not merely one section of a regulation. With limited resources, however, companies

have often focused on specific portions of a regulation and developed SOPs to address

those sections. As a result, important pieces of the regulation may be overlooked and

critical requirements can be missed. The oversight might be expected to occur mainly at

smaller, less-experienced companies, but well-established global companies have also

demonstrated incomplete compliance with regulations.

• Auditor Expertise: An internal audit will necessarily include multiple elements and

should be conducted by trained auditors with experience in the areas they audit.

A global Pharmaceutical or biologic company may require specialized expertise in

chemistry, microbiology, engineering, software and water treatment. A Medical

Device company might require additional expertise in mechanical engineering

or materials engineering. Calibration and validation of equipment is critically

important and particularly difficult when it has been crafted for an individual

process or application. Perhaps most important, an internal audit is best performed

by someone inside the company – someone who can “find the dead bodies”

because of an intimate familiarity with the organization.

• Resolving Problems: A good audit will identify potential and existing problems.

Failing to resolve those problems will risk compliance. Auditors have little patience for

companies that know about problems but do nothing to address them. In particular,

companies that have been notified of noncompliance and submitted a corrective

action plan must be able to demonstrate completion of any corrective action required

by a previous audit.

• Review Documentation: A routine requirement of an internal audit is a thorough

review of any required registrations, licenses and certifications. An area of special

interest to auditors is documentation confirming that the company is operating

within the scope of any quality management system (QMS) certification. Even

in routine surveillance audits, the auditor will want to confirm that any change

in the company’s products or processes has not violated the QMS certification.

Documentation related to recalls, product complaints or adverse events will be closely

examined and, if a recall has occurred, the auditor will scrutinize records about how

the company is responding. Electronic signatures and software validation should be

documented to 21 CFR Part 11 and/or 21 CFR 820.70(i) standards.

• Supplier Relationships: Recent recalls involving medications and devices have put a

company’s supply chain squarely in the spotlight. Because of the growing regulatory

focus on the supply chain, companies must ensure that supplier evaluations and

quality surveillance records are up-to-date. Similarly, QMS certificates and supply

agreements must be current. Companies should advise major suppliers in the area

about the scheduled audit, since an auditor may decide that the supplier should

be included in the audit. Finally, check your Authorized Representative agreement,

if applicable, and make sure it is current. Auditors will question any document that

appears to be improperly maintained or updated.

• Audit Information Package: Collect important documents in an audit information

package that can be presented to the auditor early in the audit process.

• Check the Quarantine Area: Make sure to check the quarantine area because you can

expect the auditor to check it. Make sure there is as little as possible in the quarantine

area.

Step 4: Welcoming the Auditor

In-depth preparation can still fall victim to small details on the day of the audit. Creating a

positive impression can be hampered if the auditor is left waiting in a reception area for

an hour, ignored by managers who were never advised of the audit, or unable to obtain

an outside phone or Internet connection. There are simple procedures to prevent these

avoidable and potentially damaging situations.

Auditors and investigators should be treated like all facility guests — they must follow the

appropriate procedures for signing in on the guest register and must be accompanied by

company personnel at all times. When the Investigator arrives at a company’s facility, the

receptionist, or the first person to greet the Investigator, should ask for the Investigator’s

name and identification, and immediately contact the employee designated to accompany

the Investigator. After the designated employee is contacted, the Investigator should be

asked to wait in the reception area or lobby until that employee arrives.

The designated employee should be a knowledgeable person in the company, such as

an individual from operations, regulatory affairs, the quality department, or the legal

department. This person is responsible for escorting the FDA Investigator throughout the

inspection and should be designated long before the Investigator arrives.

Early on, book a meeting room or rooms for the duration of the audit and ensure that

phone and Internet connections are available. (A word of caution: make sure the Internet

connection does not link to the company’s internal file system, leaving corporate

information open and available for scrutiny.) Assign an audit leader, preferably with

expertise similar to that of the auditor, to work directly with the auditor. Agree on who

will be at the initial meeting and brief the most senior person in attendance. Arrange for

one or two assistants to be available throughout the audit to run errands, find materials

or fulfill requests by the auditor. Have on hand the files and documents most likely to

be needed, such as quality manuals and registration documents. Create a suggested

agenda for the audit; the auditor might have a different opinion, but the proposed

schedule will serve as a guide for discussion. Make sure the security and reception staff

are expecting the auditor and have made the necessary arrangements for entry.

Give the auditor the prepared audit information package with the proposed agenda on top.

If you have a very short, high-quality video of the company, offer to show it to provide the

auditor with an overview of the company and how your facility fits into the big corporate

picture. Be aware that the auditor may not want to see the video. Certainly, if it is too long or

contains too much puffery about the company, the auditor is likely to stop the viewing.

Most often, the initial meeting will be followed by a facility tour, which can be fairly lengthy

depending on the auditor. The tour can also open the company up to some risk if the

auditor stops to ask random employees questions.

PART THREE: Preparing for an Audit – What You Should Learn

The Audit as Opportunity

The regulatory audit will demonstrate the effectiveness of your preparation. It can also

open the door to better operations, cost-control and compliance. Companies that insist

on seeing regulatory audits as necessary evils to be endured and promptly forgotten

will miss out on those opportunities to improve their competitiveness and performance

going forward.

During the Audit

Audit leaders will have to balance transparency with unnecessary exposure. At any

point throughout the audit, staff members may be asked questions by the auditor,

which can have a dramatic effect on the auditor’s opinions about the company. Many of

these points will have been addressed through training conducted before the audit, but

they deserve greater specificity here. These points may be reinforced through targeted

“reminder” training conducted shortly before the audit:

• Be open – but not too open. No staff member should attempt to hide anything from

an auditor but neither should they offer answers to questions that have not been

asked. The balancing act between “too much” and “not enough” can be especially

difficult on the shop floor. Many employees are justifiably proud of the work they do

and the benefits their work provides to patients around the world. Their enthusiasm

can sometimes produce unhelpful, long-winded explanations. Without thinking, an

employee may describe how the rank-and-file employees developed an alternative

process because of earlier quality issues – not something the auditor may need to

hear. At the other end of the spectrum are the one-syllable “Yes” and “No” answers,

which are also unacceptable. Staff is required to answer the auditor’s questions

but they are not required to offer unsolicited information. Training should remind

employees (and corporate officers) to think before they answer.

• Don’t “Fill the Silence”: An auditor’s temporary silence is not an invitation for staff

to fill the space. The silence may be because the auditor is formulating the next

question. It may be because he or she is processing information already obtained.

Regardless, it is not your staff’s job to fill the silence with unrequested information.

Staff should simply remain quiet until the auditor asks another question.

• Know the Answer: Employees can often feel unnecessary pressure to know all the

answers. If you or anyone else in the organization doesn’t know the answer to an

auditor’s question, say so and offer to find someone who does know the answer. In

addition, the audit leader should not be afraid to help out a colleague who might be

unsure of the answer. Most important, everyone has to be reminded not to answer

until he or she understands the question.

• Follow the Auditor’s Lead: Most often, an auditor will expect to work in a meeting

room, requesting specific materials and asking specific individuals to come in for

interviews. Some auditors will do the opposite, watching an employee on the shop

floor perform a task, unexpectedly asking questions of individuals in the hallways,

and asking to see where documents are kept. If the auditor wants to stay in an office

or meeting room, make sure you assign one or two people to find any requested

information or an individual for an interview. Before anyone photocopies or

photographs material, be sure the document contains no privileged information. If

the auditor wants to see part of the facility, don’t be afraid to alert the manager of

that area that the auditor is on the way over.

• Remain Professional: An auditor is not a friend or a confidant. All employees

(including senior managers and officers) should remember that the auditor is an

experienced professional on-site to do a job. Good manners should prevail: don’t

lie, volunteer information, guess what the auditor wants, “interpret” the auditor’s

questions or comments for other people or conduct side conversations. There is no

value in a groan and complaint that “… I told them to fix that and it hasn’t been done.”

• Take Notes: Company personnel should have an accurate and complete knowledge

of what the Investigator has done in an inspection. The best way to accomplish

this is to take good notes during the inspection. Taking notes will allow personnel

to maintain a record of all comments and suggestions made by the Investigator

throughout the inspection. Personnel can also maintain a record of all areas of the

facility the Investigator visited, and to whom he or she spoke.

KEY TOPICS

PART THREE: What You Should Learn

• The Audit as Opportunity

• During the Audit

• Nonconformity Risks

• Using Audit Information

• Post Audit Pitfalls

• Moving Beyond the Audit

Preparing for an Audit: PART THREE – What You Should Learn

Nonconformity Risks

An audit effectively gives regulators an open door to your plant’s operations, people and

compliance program. It’s important that everyone in the organization understand how

serious the audit is, what can go wrong, and what the consequences can be. One or more

“major” nonconformities (NCs) can result in withdrawal of an essential certificate or it can

trigger a shipment hold that can cost a company millions of dollars a week. Several “minor”

NCs in the same area can produce the same result and similar NCs at one of the company’s

other plants can trigger compliance questions throughout the enterprise.

A quick review of FDA Warning Letters to Life Science companies clarifies the most

common problems noted by the agency:

• Corrective and Preventive Actions (CAPA): During the audit, expect to be asked

for the current status of any corrective action plan – and expect a severe

response if the CAPA produced after the last audit has not been completed or

properly documented.

• Internal Audits: The FDA places particular emphasis on the status of an internal audit

and, as with the CAPA, on the status of rectifying issues identified in the audit.

• Quality Records: Recordkeeping and document storage are basic regulatory

requirements and can trigger warning letters. Ensure that records are complete,

accurate, current and properly stored. Documents that are misfiled, whether in

cabinets or on computer disks, will produce an NC or Warning Letter. Effective

document management is especially important when the documents relate to adverse events.

• Data Integrity: FDA expects the lab, the production floor, and QA personnel to be

in a “state of control.” FDA expects companies to have valid data, and this spans the

labs, the clinical trials, and of course, the manufacturing process. The FDA requires

companies to validate any application that’s part of the overall quality system.

Not all NCs are major, but even “minor” NCs can become big problems. Is the NC isolated

or is it repeated throughout the organization? Has one of the company’s other facilities

demonstrated the same type of NC? Was the same type of NC noted in a previous audit?

If so, the minor can be expected to grow into a major. A number of behaviors or pieces of

evidence will signal potential problems to the auditor, including the use of pencil

or white-out fluid on quality records, undated or unauthorized hand amendments to

documents such as work instructions, and different versions of the same document in use

at the same time. Auditors may find evaluations of design and process changes before

implementation inadequate because the check boxes are not marked on the document.

Data that are pre-entered on test records and check sheets, such as identical dates and

signatures, are favorite hot buttons for auditors. Other problems are illegible signatures

without accompanying printed names, uncompleted forms, nonexistent validation for Excel

spreadsheets, the use of expired adhesives and inadequate batch record reviews.

SOPs are the basis of compliance, yet many companies fail to enforce SOP-related policies.

Auditors are notorious for following up on an overheard conversation or an explanation

of a specific procedure by asking, “You mentioned SOPs. Where is the one you spoke of?” If

the individual doesn’t know where the SOP is, or it is not where it is supposed to be, or it is

located so far away from the individual performing the related task as to be inaccessible, an

auditor will see a problem, even if the employee knows the SOP and is compliant with those

procedures. SOPs have to be properly written and followed. They also have to be accessible.

Using Audit Information

The auditor will gain as much information as possible about your facility. You should use

the time to gain as much information as you can about the regulatory agency’s current

thinking, common pitfalls and effective responses. At the end of each day, ask the

investigator about any problem areas and, if at all possible, resolve the problem. If that

means working through the night, do it. There is no substitute for telling the auditor the

next day, “That problem you mentioned the other day, we’ve worked hard to address it

quickly. This is what we did to rectify the problem. I’d like to make sure we addressed the

issue in the right way.” Schedule a strategy meeting with your staff at the end of each

day to go over problem areas and correct as many of those issues as possible during the

audit. In addition, keep senior management informed at the end of each day about any

problem areas and corrective actions. No corporate officer wants to be caught unaware

of problem areas by an auditor.

During the audit, keep your own notes – and include issues you identify during the audit

that have been overlooked by the auditor. You should go back and rectify those issues

quickly, even though they do not appear in the auditor’s report. As the audit proceeds,

you may disagree with a specific comment or observation noted by the auditor. You can

challenge those observations but don’t forget that at the end of the day, what goes into

the audit report is the auditor’s decision. Be firm but polite in stating your disagreement

and be prepared to locate any objective evidence to support your position. It is perfectly

acceptable to call the Human Resources Department, for example, and explain that you

and the auditor are on the way up to look at specific information. The advance notice will

calm the nerves in HR. It will also enable those individuals to collect whatever materials

you request or to make sure that an individual is available to discuss the subject. The

auditor may continue to disagree with you but a reasoned, respectful case may make the

difference between a recorded instance of nonconformity and a simple observation.

Closing the audit provides a framework for a company to work directly with the auditor

on any observations or nonconforming issues. Listen carefully to the auditor’s report

and hold any questions or comments until the auditor has finished speaking. There

will probably be no surprises in the auditor’s report. You may already have resolved

some issues as you learned of them during the audit and, most likely, you will already

be planning a corrective action plan for each remaining issue. When you are assured

that you have all relevant information about the auditor’s findings, agree to meet the

corrective action plan deadline, close the meeting and escort the auditor from the

facility.

Following the auditor’s departure, you should conduct a debriefing of the audit with

the senior management group, identify action items and the individuals who will be

responsible for completing each item, and set a timetable for follow-up meetings with

the same group to review intermediate progress and the company’s final response.

Add the nonconformities to the CAPA program and ensure that they are dealt with

appropriately. You should also follow up on the nonconformities you noticed during

the audit that were not included in the auditor’s report and maintain careful oversight

on progress in meeting the established timeline. Your response letter should be

carefully crafted to fully answer the issues raised by the auditor. Limit responses to the

nonconformity issues raised and avoid sending extraneous materials or information. If

a corrective action is complete by the time your response is finalized, provide objective

evidence of its completion, such as a revised SOP, completed forms or training records.

Craft the letter in language that is acceptable to the auditing body. If translations are

required, ensure that the translation is accurate and appropriate.

Three points warrant specific mention. First, the FDA will want to see that any training

required by your corrective action plan is effective. It is important for you to conduct the

appropriate training and audit it for effectiveness. Second, the FDA wants companies

to address the root causes of nonconformities. Make sure that your corrective action

plan addresses the root cause of the issue, not simply the individual violation. Third, an

auditor may extend his or her observations about nonconformity across a multi-site

corporate enterprise. Nonconformity at one facility may suggest a systemic compliance

issue, so you should check whether the same or similar issue has surfaced at other

corporate facilities. If it has, you should learn the corrective actions taken by that facility

and the response of regulators to the resolutions.

The Close-Out Meeting

The audit is completed and the corrective action plan has been submitted. What could go

wrong? Recent FDA Warning Letters point to risk areas for companies that submit corrective

action plans subsequent to regulatory audits. The risks are not limited to small companies

with limited resources. Large, multinational companies have also been on the receiving end

of an FDA Warning Letter for noncompliance. Two FDA warning letters shine light on what

can go wrong after an audit:

Case 1: A medical device company had opened a corrective action report in 2013 to address

a large number of complaint investigations that had been open for greater than 90

days. The CAPA identified numerous action items with specified target due dates.

When the FDA investigation occurred in 2014, the particular CAPA was still open and

FDA did not see any documentation that all action items had been completed or

deemed to be effective.

Case 2: During an FDA investigation of a pharmaceutical company, an investigator observed

cobwebs between an Oxygen Analyzer and an adjacent wall in the facility, and the

company admitted it had not been using the analyzer as part of its testing, which

contradicted the company's batch production records. In the company's response it

stated that the company had created a Policy and Procedure Manual, which includes

Batch Production and Control Records and an Equipment Calibration Schedule. FDA

noted, however, that the response did not discuss any "retrospective reconciliation"

of prior batch production records.

To ensure that proper action is taken following the audit, the appropriate personnel should

attend the close-out meeting so that qualified personnel can properly respond to 483

observations, if appropriate. In the same vein, senior management should participate in the

meeting to be informed and to impress upon the FDA that management is concerned about quality

and compliance.

The close-out meeting provides all parties an opportunity to explain any observations, or

correct any misunderstandings. During this meeting the auditor will discuss with company

management any conditions or practices that, in his or her judgment, are objectionable.

A list of “Inspectional Observations,” also called an FDA 483, may be used by company

management to correct issues of noncompliance.

Moving Beyond the Audit

Audits are short-term events; regulatory compliance is the basis of product quality, patient

safety and corporate competitiveness. Companies cannot refuse an audit but they can

choose to use it as a highly cost-effective learning process for improved compliance and

operational efficiency.

Preparation for a mandatory regulatory audit can provide a Chief Compliance Officer

with resources and tools that might otherwise be postponed or restricted because of

harsh economic conditions. Consequently, an effective program of audit preparation and

response can provide added value through improved long-term compliance and risk

mitigation.

About UL EduNeering

UL EduNeering is a business line within UL Life & Health’s Business Unit. UL is a premier global

independent safety science company that has championed progress for 120 years. Its more

than 10,000 professionals are guided by the UL mission to promote safe working and living

environments for all people.

UL EduNeering develops technology-driven solutions to help organizations mitigate risks,

improve business performance and establish qualification and training programs through

a proprietary, cloud-based platform, ComplianceWire®.

For more than 30 years, UL has served corporate and government customers in the Life

Science, Health Care, Energy and Industrial sectors. Our global quality and compliance

management approach integrates ComplianceWire, training content and advisory services,

enabling clients to align learning strategies with their quality and compliance objectives. Since

1999, under a unique partnership with the FDA’s Office of Regulatory Affairs (ORA),

UL has provided the online training, documentation tracking and 21 CFR Part 11-validated

platform for ORA-U, the FDA’s virtual university. Additionally, UL maintains exclusive

partnerships with leading regulatory and industry trade organizations, including AdvaMed,

the Drug Information Association, the Personal Care Products Council and the Duke Clinical

Research Institute.

uleduneering.com

202 Carnegie Center Suite 301 Princeton, NJ 08540 609.627.5300

UL and the UL logo are trademarks of UL LLC © 2013.

WP/10/080515/LS