The word “audit” can strike panic in poorly prepared medtech companies. However, audits serve an important purpose in ensuring a compliant and effective quality system and production of safe and effective medical devices. And organizations can limit the stress and risk around audits through proper preparation. 

The key to a positive audit is to ensure that your organization’s focus is on building and implementing quality processes and procedures that cover the entire product life cycle and are continuously evaluated and improved upon. Not only is it the right thing to do, but focusing too closely on simply passing an inspection or audit may leave gaps in your processes and present a false sense of compliance. This article covers audit basics, how to prepare for them, and what to do when you receive an audit finding.

What is an audit?

Per ISO 19011 an audit is a systematic documented and independent process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled. Audits can be internally conducted, externally conducted by interested parties (i.e., customers/ suppliers), and externally conducted by government agencies and notified bodies to ensure that product design, manufacturing, safety, and documentation requirements are being met. Audits will verify compliance with regulatory and quality system/GxP (Good Manufacturing Practices, Good Distribution Practices, etc.) requirements. GxP standards are dictated by the US FDA, European Medicines Agency (EMA), the UK Medicines and Healthcare Products Regulatory Agency (MHRA), and other regulatory bodies which rely on country-specific regulations as well as standards developed by the International Organization for Standardization (ISO). 

Audits are required regardless of device class, but audit requirements in the EU and US, along with most other markets, can be dependent on the device classification. For most medium to high-risk devices in the US and EU, the following audits take place:

• Audits by EU Notified Bodies: Audits by EU Notified Bodies focus on compliance with MDR 2017/745 or IVDR 2017/746. Notified Bodies are also responsible for certifying quality management systems (QSR) against the requirements of ISO 13485:2016. Periodic “surveillance audits” will also be performed, based on the classification of the medical device(s).
• FDA Inspections: The FDA will conduct inspections to ensure compliance with the quality system regulation, 21 CFR 820, and to confirm that a facility is capable of manufacturing the medical device. The FDA will conduct pre-approval inspections to verify data included in a market submission, along with periodic routine inspections, following the Quality System Inspection Technique (QSIT) as required by regulation (currently every two years for Class II and Class III USA-based device manufacturers and every five years for international device manufacturers).
• Unannounced and “for cause” inspections: Manufacturers in the US and EU, and many other markets, are subject to different types of inspections triggered by consumer complaints, reported non-conformities, or other issues. These “for cause” inspections may be scheduled or unannounced.

How to prepare for an inspection

Audit preparation is a continuous process that should be built into your quality system and regulatory processes. Some items to consider:

Internal Quality audits

The best way to prepare for an upcoming audit or inspection is to use the internal audit program to your benefit. The FDA QSR, FDA 21 CFR 820, calls for medical device manufacturers to perform regular internal audits of their systems and to provide evidence of these audits and their effectiveness. When possible, conduct internal audits as if you’re the regulatory body and take them seriously. Internal audits should find the issues before the regulators do. Issue nonconformances and address them in a timely manner.

Performing “mock” audits is another great way to prepare for external inspections/audits from the FDA, notified bodies, and other regulatory authorities. Mock audits are a rehearsal for your team to prepare them for the real thing. They can act as try-outs to determine who is equipped to handle being audited and those that are too nervous or offer too much information when asked a question, requiring additional training. Mock audits are typically separate from the internal audit program since they are conducted based on different objectives and for training purposes.

It’s common to contract an independent third party to perform mock audits. Consider conducting unannounced mock audits to get the truest picture of your company’s preparedness. In short, the tougher medical device manufacturers are on themselves while preparing for the audit, then the less stressful the actual audit will be.

Self-identify issues as they appear and do not wait for the internal audit. If an issue is identified during the audit preparation or mock audit, implement corrective and preventive actions (CAPA) to address the issue. This is vital to demonstrate that you are aware of an issue and have begun remediation or corrective actions if and when those issues are uncovered during the real inspection or audit.

Choose the right audit host

When you have an upcoming audit or inspection, you must choose the right company representative to host the auditor(s). The person you choose will represent your company, so be deliberate about selecting those who know the company, its quality management system, and its products well. It should also be someone you’re confident can perform well under pressure and remain mission-focused in managing the audit and not necessarily answering every question immediately. The audit host can significantly impact the audit for the better or worse, so be certain that you have the right person in place who will be able to represent the organization’s values and facilitate an efficient audit.

While the person or people working directly with the auditor(s) are often from your quality team, they will need to be supported by subject matter experts (SMEs) from other functions for the duration of the audit – this will include the regulatory, engineering, operations, and marketing teams – who can answer specific questions and gather requested documents. These SMEs must be pre-identified along with alternates as part of the audit preparation. They should be comfortable facing an auditor and answering the auditor’s questions.

Gather all the necessary documents

As part of the audit process, the auditor(s) will expect access to information that they need to determine your organization’s compliance with all quality system and regulatory requirements. Based on the requirements, audit guidance, and previous audits, commonly requested documents should be known. This documentation should be pre-identified, compliant, and available before the start of an audit. This can be in the form of hard copies or electronically through files or links. The goal is to have documents readily available to avoid audit delays.

"If it takes too long to get documents to the auditor when they ask for them, you’re not making a good overall impression that everything is under control, making things more difficult for the auditor(s). Auditors have schedules to meet and follow certain audit trails. The last thing you want is your auditor getting agitated because they are spending a lot of time waiting for information." - Bruce McKean, Rimsys Director of Regulatory Affairs

It is critical that all regulatory information related to your products is readily available during an audit, such as registration status, certificates, regulatory impact assessments, and essential principles, along with submission content and post-market data. A central RIM system that stores all regulatory data and links to (or references) the current versions of records from other systems, such as PLM, eQMS, and ERP systems, can smooth the audit process significantly.

During an audit

As an organization, you will want to manage as much of the audit process as possible. Your audit host will greet the auditor(s) and give them a brief overview or presentation of your company, and most likely conduct a facility tour. After this, while the auditor(s) will direct the process, the more your host can assist and guide them, the better.

In the case of unannounced inspections/audits, there must be a procedure in place that defines how to receive and handle these types of audits. This will include who is the primary contact during such an inspection (often a Quality Management team member or representative), as well as Executive Management, and alternates when those people are not available.

Ideally, you should have more than one company representative with the auditor(s) during the audit and auditors should not be left alone at any point. Most companies have a team in the “front room” with the auditor(s) led by the audit host. The main job of this team is to transcribe every question, answer, and activity that occurs during the audit. The “front room” team will communicate with other team members in the “back room” in real-time (often via instant messaging), relaying to them any open questions, requested documents, or queuing up SMEs the auditor(s) need to speak with.

Best practices for sharing information with auditors

During an audit, employees should be cooperative and helpful, but should only share information that is specifically requested by the auditor. If information is requested that seems outside the scope of the audit, such as corporate strategic or financial documents, employees should notify the appropriate executive before providing such information.

Auditor(s) should be given access to requested information through photocopies or limited computer system access. Original documents can be presented if requested, but should never be kept by the auditor(s). All information provided should be prepared, verified, and recorded in the “back room” and then passed through to the audit host so that it can be controlled. The “back room” should mark the copies “Confidential” or “Proprietary,” as appropriate. They should also make an extra copy for the audit file, so the exact documentation given to the auditor(s) is known for future reference.

Addressing missing or incorrect information

Ideally, any potential issues with the existing quality system and related procedures are identified before an audit and corrective actions are identified and put in place. Even in cases where an issue has not been fully resolved, being able to point to awareness and appropriate actions is important.

Some findings may be able to be corrected during the audit. These findings are typically isolated issues (one-offs) that do not pose significant risks. For instance, a missing revision number, missing signature, or outdated reference. If corrected during the audit, it may negate a finding, but the auditor may want to understand why the issue occurred and what actions you have or will be, taking to ensure that it does not recur.

In cases where you are unable to produce the information requested by an auditor, or when there are questions about the validity or accuracy of the information, your internal team should acknowledge the issue but should not immediately speculate on the cause or the effect of the missing or inaccurate information. A discussion of appropriate actions under the existing quality system may be appropriate.

What to do in case of a finding

Be prepared to receive findings from any inspection. Ideally, the auditors should be working to ensure that you are compliant with regulatory requirements and that your records accurately state what you do. However, “By the nature of the beast,” says Bruce McKean, “they’re there to find instances of noncompliance.” This means that auditors will be focused on documentation that can prove or disprove adherence to your stated procedures and policies.

All findings should be disclosed before the audit closing meeting. There should be no surprises. Ensure that the findings are understood by both parties. If they are not clear, perhaps the auditor misunderstood or did not see specific objective evidence and you should discuss or review the issue with the auditor as this may negate a finding. Be sure to debrief upper management before the closing meeting. At the audit closing meeting, there should be no debate over findings. Any finding, whether major or minor, should be addressed diligently.

Audit findings or observations will result in the regulatory body in charge of the audit issuing a document that lists those findings. In most cases, you will have limited time to respond with a satisfactory plan for correcting and preventing the recurrence of the identified issues.

In the case of the FDA, multiple enforcement actions are available to the agency, ranging from warning letters to criminal prosecution. Note that many regulatory agencies will not respond further to your actions if they agree with the actions you prescribe for addressing audit observations. However, additional actions may be triggered if your response is not found to be satisfactory.

Rimsys is a holistic regulatory information management system designed for and by regulatory affairs professionals. Rimsys makes it easier to create and track submissions, keep up with product registrations and certificates, and even share pertinent data across ERP, PLM, and eQMS software platforms to ensure data integrity. Learn more about how Rimsys can help you face audits with the confidence that you have all of your regulatory ducks in a row.

‍