High-level executives and their teams rarely succeed at every audit, and yet, for 16 years, that is what my colleagues and I were able to accomplish—between internal audits, due diligence external audits and regulatory inspections from multiple government agencies. In this article, I lay out five time-tested tips to avoiding inspection troubles and miscues.
Tip #1: Develop a Regulatory Radar
The typical approach to compliance is reactive—waiting for final rule publications and enforcement actions before planning any improvements. This places control in the hands of regulators. Is placing your business in the hands of regulatory inspectors a good business strategy?
To comply cost-effectively while increasing flexibility and minimizing effort and risk, I show my lean compliance clients a proactive approach that includes developing what I term a “regulatory radar.” This involves establishing processes with legal counsel and regulatory affairs to be aware of and notify other appropriate company personnel, of upcoming regulations, guidance documents, and international harmonization activities.
Executives can then use this regulatory radar to identify and evaluate each new or proposed rule and guidance. Prioritization of risk posed and control needed is essential to avoid firefighting after the fact.
Tip #2: Transparency Breeds Confidence
When I conduct a mock FDA audit, I always like to see clients whose employees and executives have confidence in themselves, their processes and their product. Not an arrogant confidence, but a level of surety and familiarity that comes with consistently reviewing data while looking for ways to improve.
Information to consider sharing with employees, colleagues, investors and shareholders includes early safety and efficacy findings, risk assumptions and the risk minimization & compliance controls you are putting in place. You can only control and improve what you measure and share. If you are being audited on security, share the dollar amount or budget percentage you devote to security.
Tip #3: Do Not Underestimate the Auditor
As I note in my corporate workshops and conference speeches, the only good inspection is a completed inspection. In general, the faster the audit, the better your results. The more minutiae examined (counting the twigs and the leaves, not just the trees in the forest), the more auditors will find.
Therefore, because you cannot know ahead of time where on the scale of “big picture” versus “tiny details” the auditor will be focused, consider two tactics:
1. Hire an Independent Auditor
The best companies hire an outside auditor to review their situation, including a random sampling that delves into the details. Out of this independent mock FDA inspection, a company will know where they are strong, where they are weak, and where they have the greatest risk. Ideally, the auditor will also provide insights into best practices from other clients that might be relevant.
2. Use Previous Audit Findings
Earlier audits—including the one from the independent third-party—can and should be used to demonstrate both awareness and continuous improvement. Audits are designed, in large part, to assess a company’s level of control. There is no greater demonstration of control than showing awareness of your strengths and opportunities to improve, and then demonstrating progress made to date.
Tip#4: Summarize to Define Scope
If such previous audits did not come with a single page summary, then craft one. When an audit is announced (or if it’s unexpected and the auditor simply arrives), give a copy of the summaries to the auditor. While the auditor may not indicate they want the summaries, it’s always a good idea to provide them for three reasons:
- Human nature being what it is, inevitably the auditor will review them. Assuming you have made good progress in any earlier findings, this review will help you
- The preponderance of previous audit opinions and recommendations is a hard thing for the current auditor to ignore
- Previous audit findings can be used by you to help channel the audit to your advantage
Tip #5: Show Metrics
A further method to demonstrate your control while narrowing the scope of the audit is to provide—upfront—a set of metrics and trending in the area (or areas) of relevance to the auditor. I counsel my clients that the more they can demonstrate metrics with a real impact to their firm’s bottom line and its adherence to compliance, the greater the value the auditor will place on those metrics.
For instance, IT departments typically measure “up-time” – the amount of time a system has been up without crashing. The reality is, unless this is specific to a manufacturing line where every lost moment can be physically measured as lost product, “up-time” tends to be a fairly poor indicator of control if for no other reason than much of computer up-time has little or nothing to do with IT department effectiveness.
Instead, one of the recommendations I make to my lean Part 11 compliance clients is to have their IT department measure and track electronic data integrity (of files stored on the network, on backup tapes, etc.). There are a number of ways to do this, but the important point is that it clearly shows a command of what is critical to the business and, most often, important to the auditor.
Final Thoughts
Rarely is an audit straightforward. When I conduct supplier due diligence and mock FDA audits for my clients, my high-level audit outline is backed by a subtle, behind-the-scenes set of cross-referencing points to observe, questions to ask, answers to listen for, and facts to check. It’s a bit like detective work, but in reverse, figuring out what was done and why.
If you’d like to take a proactive approach to your compliance and quality, consider bringing in an outside expert to conduct an audit protection best practices workshop and then help you prepare an audit response plan. Both the workshop and the plan should take a broad, holistic view to give you the maximum benefit for the minimum effort and investment. In this way, you’ll be best prepared to succeed.
Inspections and audits can be a learning experience for everyone involved. Auditors can learn new methods and solutions; company executives can hear about other approaches and new best practices; and investors can rest easy knowing today’s audit success is indicative of tomorrow’s positive bottom line.
Are you ready?
Adapted from an article published in SmarterCompliance 1(9), September 2007