By Natalie Weber
Unlike COVID-19, remote audits aren’t unprecedented. Remote audits didn’t start with the pandemic, although it has forced more companies to use them than previously. At MasterControl, we’ve been doing remote audits for years for our international customers. It saves time and expense, and it’s every bit as effective as an in-person audit.
However, this is only true because we operate in a digital environment. Using a paper system would significantly hinder remote audits.
This is largely still the case. The difference between pre-pandemic remote audits and those of the “new normal” is the sheer number that are being done, in many cases by those who have never done them before. Doing a remote audit is difficult to wrap your head around if your audit usually requires scouring binders for paperwork and completing a site walk. Mastering remote audits now will be worth it even after the pandemic is over.
The more things change, the more they stay the same
How an audit is conducted has changed significantly. Why audits are conducted is exactly the same. Regulators or customers still want to see evidence that you maintain high-quality standards and conform to regulations. Quality departments should still have one set process for all remote audits and require a detailed audit scope and agenda. Mock remote audits are also important, especially when it comes to testing technology before an actual audit.
Speaking of technology, therein lies the vast majority of the changes. Just like in-person audits, remote audits revolve around documentation. It is possible to still conduct one if a company uses paper, but it’s much more difficult. Scanning documents and attaching them to emails or secure file sharing will give auditors the access they need. Much more efficient is an electronic quality management system (QMS) that allows digital control of documents. Not only does this kind of document control save time tracking down papers and files, it also can allow auditors limited access to the QMS.
Then there are the technical difficulties that come with a conference call. One of the worst times to have technical problems would be during the middle of an audit. To prepare, make sure IT is available during the call in case something goes wrong, that both parties agree on the platform to be used, and that the platform is secure. Do as much as you can beforehand to make the call as efficient as possible.
The remote audit itself
The actual audit still covers three basic areas: documentation, processes, and facilities.
- Documentation. A company that runs on an electronic QMS has pretty much won the remote audit battle. Remote audits can work to a company’s advantage if most or all of the requested documentation is provided beforehand. In this case, a company can authorize remote, limited access for an auditor. If the QMS doesn’t have this functionality, it’s still possible to find and export the necessary documentation. Rather than frantically hunting down documents when the auditor is on site, companies can compile and send them beforehand. This helps both sides by removing the time pressure from the hosting company and the auditor.
- Processes. It’s true you can’t exactly email your processes to an auditor. Or can you? That kind of depends on what the auditor is looking for. The auditor is interested in whether your company is following processes as dictated by procedures. Sometimes, this can be shown by records, which follow the same ease of transport as procedures. For processes that an auditor would normally watch, there are other options. Some remote audits use security cameras to observe processes, or test sessions may be recorded. Subject matter experts (SMEs) can also talk through processes and show evidence that procedures are being followed.
- Facilities. A focal point of audits is touring the facility. Fortunately, mobile devices are just that—mobile. This makes a tour fairly easy as long as the hosting company has a reliable internet connection. However, it does restrict the auditor’s view to what the person on site chooses to show. If the hosting company has a good audit record, the facility tour may simply be postponed. The necessity of a tour may also depend on the process or product being audited.
Although time may not be as much of a constraint, it’s still of the essence. Keeping to a schedule is just as important for a remote audit. This protects both parties by ensuring the audit doesn’t go on indefinitely, and that the hosting company gives timely responses. All of this should be outlined in the audit scope and agenda. In some cases, remediation may take longer than usual if a company has fewer resources or employees.
Auditors are especially interested in how companies are adapting to the new work environment, and how they’re maintaining quality and digital security. Any proactive measures that can be employed beforehand will be favorable, and those measures should have been part of an existing business continuity plan. Even though the pandemic was unexpected, businesses should have had plans to deal with changes. Part of the audit may include showing those plans as well as that any gaps that might’ve resulted from the pandemic were closed.
Regulators are going remote
Doing anything new in a regulated industry can be daunting, but in this case, regulators have already jumped on board. Not every audit or inspection is remote, but multiple agencies are showing the willingness to make exceptions.
- U.S. Food and Drug Administration (FDA). The FDA has authorized remote inspections under certain circumstances. In the case of inspections related to Foreign Supplier Verification Programs (FSVP) for Importers of Food for Humans and Animals, the FDA is increasingly asking for records to be submitted electronically or “by other prompt means” instead of visiting the business in person. They’re also conducting some FSVP inspections remotely if they’ve had to postpone the business’s inspection due to COVID-19. Another area in which the FDA has shown flexibility is in Medical Device Single Audit Program (MDSAP) audits. Some facilities are now allowed to have their surveillance or recertification audits done remotely. However, these facilities must have a good record of standing, and the FDA outlines the specifics for how the remote audit is to be conducted.
- European Medicines Agency (EMA). The EMA deemed that good clinical practice (GCP) inspections can be conducted remotely, as determined on a case-by-case basis. Ensuring that proper technology is available and functions well is an important point in the EMA’s guidance. Inspectors should be given direct remote access to the electronic trial master file (eTMF) and electronic case report form (eCRF). It’s worth noting that remote inspections aren’t an option for investigator sites.
- Therapeutic Goods Administration (TGA). The pandemic is having a significant effect on global supply chains. Travel restrictions make it impossible to physically visit overseas manufacturing sites, which is the TGA’s reasoning for its guidance. Remote good manufacturing practice (GMP) inspections for medicine and biologics manufacturers can now be conducted. Although GMP remote inspections began as an arrangement for domestic manufacturers, the TGA has recently expanded its guidance to allow remote inspections for overseas manufacturers as well.
Regulatory adaptation of remote audits and inspections shows the feasibility of conducting audits mostly via technology. Although some aspects of audits are simply being postponed until after the pandemic, other remote audit practices may continue well beyond that. Audits look very different under COVID-19, but the purpose is still the same. Electronic document management systems can give auditors the remote access they need, and videoconferencing allows for flexibility when it comes to site tours and interviews. Even when things get back to “normal,” this is one side effect of the pandemic that may stand the test of time.
About the author
Natalie Weber is a quality engineer at MasterControl. She has experience in converting paper-based laboratory systems to an electronic system, validating laboratory equipment and processes, qualifying new cleanrooms, and environmental monitoring of cleanrooms. In her current position at MasterControl, she is responsible for hosting customer and ISO certification audits, CAPA and customer complaint processes, software validation, supplier evaluations, document control, change management, and internal audits. She is an ASQ-certified quality auditor and registered microbiologist.