“Oh no, not another audit!” This is a phrase most professionals in Quality have either heard uttered in staff meetings and huddles or have actually spoken themselves. Audits, whether you embrace them or not, are a staple of every regulatory environment, and how you conduct and handle audits can impact all aspects of your business. When viewed as a means of continuous improvement and preparation, audits can also provide deep, meaningful understanding of your systems and expose gaps when they are embraced as a Quality tool to utilize.

Audits come in a variety of types, but the three main audit types that will be covered here are Regulatory Audits, Internal Audits, and Mock Audits. The ways a company handles, conducts and views these three categories of inspections will set them up for success.

Regulatory Audits – Know Your Regulations to Best Your Regulations

Regulatory audits are some of the most common audits to be had in regulated industries and therefore are also the most common type to need to be prepared for. There are several steps involved with being prepared for a Regulatory audit: Knowing the regulations, having a process, and having people assigned to that process.

The first step seems like it shouldn’t need to be stated out loud, but it does. Knowing the regulations, and more importantly, how those regulations apply to your business and how you can show compliance to those regulations is absolutely critical to ensuring your best chances of a smooth regulatory inspection when the time comes. Take the time to not only read the full text of the regulation you will be inspected against, but step through it clause by clause asking how the clause applies to the business and what would need to be shown documentation wise to an inspector to show compliance. Additionally, remember that regulations periodically update, so the first time you step through your regulation should NEVER be your last. Always keep up with how the regulation has updated year over year and ensure you are not behind the curve on a new or enhanced clause.

The second and third steps go hand in hand: Have a process and have people assigned to it.  Having a written procedure on how to handle regulatory inspections will help ensure trained staff are consistent and prescriptive in how an inspection is handled. This goes a long way to showing an inspector, for many of whom it will be their first time in your business, that you are ready, willing and able to show compliance to the regulatory standards. The written process should cover every aspect of an inspection from greeting an inspector, opening meetings, facility tours, handling of documentation requests including roles and personnel for back action rooms for documentation review prior to entering the audit room, and inspection follow-up.

The procedure should describe for each of these steps who is responsible for executing the step in the process as well as list potential backup personnel for responsibility in order to ensure smooth and complaint execution of your procedure should personnel be unavailable due to vacation, illness, or other leave of absence. Once this process is in place, all staff should be trained on the process and procedure, including personnel not necessarily involved with the process as they will need at least an awareness of what will occur during the inspection.

Once you have completed a review of the applicable regulations, and written and completed training for a procedure to follow, remember that the core mission of agencies like the FDA is public safety, and that inspections, while potentially stressful, are opportunities to engage with the agency and mitigate gaps in compliance with regulations.

Mock Audits – Practice Makes as Perfect as Possible!

Mock Audits are, as the name implies, practice audits against the applicable regulations and implemented processes and procedures to ensure compliance.  Mock audits follow the same cadence as a normal inspection would and should test each aspect of your procedure to ensure compliance. Mock audits, along with Internal Audits discussed next, are a great way to probe and test your Quality Management Systems and unit operational activities to expose and correct any compliance gaps before an actual inspection occurs.  Conducting Mock Audits on a regular basis will also reduce anxiety and uncertainty among your staff in preparing them for an actual regulatory inspection and how normal inspector interactions flow, especially staff members who might be new to the regulatory landscape.

A difference with a Mock Audit versus an Internal Audit will be that the “inspector,” who is a staff member or person contracted by your firm, should be in character at all times during the audit, and should expect to receive responses and documents as if they were not an employee. You will want your auditor in this case to have experience with both the regulations they are auditing against as well as the normal cadence and flow of a regulatory inspection. The auditor should not rely on standardized checklists but instead focus on open ended questioning of processes and procedures and speaking with employees at length to have them talk through the process they are performing. Doing this will benefit everyone involved in that compliance gaps will be identified and addressed, and employees who might not normally spend large amounts of time in the presence of a regulatory auditor or inspector will have the opportunity to learn the best ways to engage questioning.

Internal Audits – Better Me Than Them!

Finally, let’s cover Internal Audits. Internal Audits and associated internal audit programs are not only a good idea to have in place they are a requirement of several regulatory standards. Like Mock Audits, Internal Audits are a great way to identify and address any regulatory gaps you may have in your processes and systems before an actual inspection takes place. The approach here can be simplified down to “Who would you rather find this compliance gap: Me the internal auditor, or a Regulatory Inspector?” Additionally, Internal Audits provide a clear path for deep, thorough analysis of processes and procedures, allowing for processes and systems to be evaluated from a variety of standpoints throughout the internal audit cycle.

For an Internal Audit program, there should be a written defined procedure that covers not only the scheduling and cadence of internal audits but also defines the areas to be covered under the schedule (including Quality!), the process for the issuance of observations, reporting timelines, and auditor qualifications (an item that is often overlooked!).

As internal audits are often a deeper, more meaningful dive into a subject, it is best if possible, to have audit teams for internal audits consisting of a member of Quality as well as various subject matter experts versus a single auditor.  Caution must be taken in this team approach, however, to ensure that an auditor does not audit their own work.  This is especially important when auditing Quality, including an inspection of the Internal Audit Program. It is also a good idea to utilize checklists for audits to ensure that every clause of the applicable standard is reviewed, leaving nothing overlooked to ensure full compliance.

In conclusion, audits and inspections in the various forms they come in are not a requirement to be feared or dreaded.  Audits and inspections are a great tool that when utilized correctly via documented and implemented processes and procedure can help provide deep, meaningful insight into all aspects of a business and help prepare both a facility and the staff for complete compliance to any auditing situation that may arise.