Virtual audits prove to be useful after COVID-19 despite ongoing challenges.
It is best practice for life sciences companies to audit their medical affairs (MA) functions at least every two years—whether those services are provided in-house or by a third-party vendor. Audit frequency is risk-based and the typical industry standard for vendor/supplier audits is 3-5 years. The regulations do not specify time frames, only that an audit is required.
Before COVID-19, audits were mostly conducted in person. The pandemic forced companies to look for other ways to meet their audit obligations, and a virtual (remote) approach was generally seen as preferable to delaying the audit. When properly designed, companies found that virtual MA audits, conducted live, produced the same depth and breadth of observations as in-person audits. Virtual access is now firmly established as a viable alternative, even with the easing of COVID restrictions.
There are several challenges inherent with virtual audits, most of which can be addressed during the planning process:
- Creating an effective auditor-auditee relationship. As home workers around the globe know, it’s harder to establish working relationships through Teams or Zoom than when you can look someone in the eye and read their body language. While this is something to be aware of, auditor-audited interactions are collegial in nature, but not overly friendly, and this is likely not a significant detriment.
- Lack of physical proximity requires additional planning. If there is more than one audience, it is likely that they will not be in the same location. The same applies to those who are audited. Communication channels, such as a group chat, should be established for private “sidebar” conversations (between auditors; between auditees) during the audit. Additionally, a separate Teams or Zoom meeting should be set up by each entity to chat during audit downtime.
- Nature of initiation and cessation of auditor-auditee communication. As with a personal audit, an auditor will only require time to review the documents. This means that all participants will log in and out of the Teams or Zoom meeting multiple times. A way should be devised for the auditor to notify all participants that it is time to return (eg a group text).
- The possibility of technical problems. An IT person from each organization should be on standby in case addressable issues occur. On a related note, home audit participants should be encouraged to set up their smartphone as a mobile hotspot in the event of an internet outage.
Planning is key to a successful virtual audit:
- Define the purpose of the audit. The objective of any audit is to gather documented evidence that the auditee is following established procedures and is in compliance with all applicable regulations. Possible elements of a Medical Affairs audit include handling Medical Information queries, Medical Science Liaison procedures, and the documentation and reporting of Adverse Events and Product Complaints.
- Identify key contacts (auditor and auditee). These are the people who will maintain communication at all stages of the audit. (It is essential that participants on the auditee side have in-depth knowledge of the processes being audited.)
- Create an audit plan to send to the auditee’s primary contact. Typical audit plans include:
- Audit date(s).
- Start and end times (taking into account time zones)
- The purpose of the audit
- Audit scope
- Company initiated audit (if services are provided by a third-party vendor)
- Name, title and contact information of the lead auditor (and co-auditor if applicable)
- Name, title and contact information for the primary contact (and other audit participants as provided by the primary contact)
- Audit location (on-site or virtual)
- Outline and timing of audit preparation activities, including documents required prior to the audit
- Agenda for the day(s) of the audit
- Outline and timing of post-audit activities (audit report; auditee response)
- Test the communication platforms and channels that will be used in the audit. This is best done two or more weeks before the start date of the audit.
- Identify an observer/writer. Share role expectations and guidelines for effective audit logging.
With in-person and virtual auditing, the required documents are usually shared in a PDF format over a secured private network. If the audit is by a third-party vendor, auditor access is read-only (no printing or downloading of documents) and is for a limited time only. This approach is convenient for the auditor, allows the auditee to control access, and is environmentally friendly.
Permanent storage of documents should be in a private, secured and authenticated repository that uses file indexing and OCR (Optical Character Recognition) for easy document retrieval.
The most obvious advantage of virtual audits is that they save time and money. Conducting an audit virtually eliminates travel expenses and reduces the time auditors have to devote to audit activities.
Although audits can be effectively conducted virtually, in-person audits are not a thing of the past. If services are provided in a location geographically close to the auditor, an on-site audit eliminates the challenges associated with virtual audits. A hybrid approach can also be taken—in which most of the auditor’s document review is done remotely and an on-site Q&A meeting is held.
Alena Galantedirectory, quality and compliance, and Denise Dixon, global chief operating officer; both with Diligent Health Solutions