Confident Audit Defence

By Dean Logie

The last few years have marked the onset of compliance fervour across most industries. Life sciences corporations are struggling to support compliance with ever more stringent manufacturing regulations, as well as corporate governance issues such as those relating to the Sarbanes-Oxley Act. In addition, there are newer regulations to contend with including the USA Patriot Act and the Health Insurance Portability and Accountability Act.

Companies are beginning the search for tools to support their compliance maintenance in all of these different areas. Rather than just focusing on complying with individual requirements, it is now recommended that companies look at retooling IT systems and business processes from a broader perspective so they will be in a better position to comply with current and future regulations. The plethora of seminars/training sessions on “coping with,” “preparing for” or “surviving an FDA audit” is a bellwether of what leaders of the pharmaceutical industry currently consider a priority. Probably the greatest surge of interest in the compliance topic in general has stemmed from the highly publicized prosecutions of corporate-governance violators.

Whether you are defending the soundness of your LIMS validation documentation or the adequacy of your methods and testing, an audit can be a daunting task. The poor audit defender must ensure they have enough caffeine in them to recall what documentation was used to support the regulatory question posed. Then, they have to recall where the supporting documents are located. Or, more typically, they point the finger to some other poor unsuspecting soul, bringing them into the fray.

It is often difficult to tell whether the stone-faced auditors have been appeased until that frightening close-out meeting. This is where everyone hears about all the shortcomings found, shredding the once confident demeanour of the auditee. Of course, any shortcoming found will result in the executive saying, “Why haven’t we been doing this?” The auditee knows that months, or years ago, funding was requested to resolve these precise issues but was refused on the grounds that it was not in the budget. In other cases, it may come to mind much later that a particular policy or procedure does in fact include a statement that counteracts the particular citation of non-conformance; this typically happens after a week has been spent crafting a new precise standard operating procedure to address the citation.

So what technology would facilitate this process? One tool that may help would be to arm those tasked with regulation fulfillment or compliance with a regulation support check and balance sheet. The ability to create the “many to many” linking of the interrelated supporting documents is beyond the capability of the regular spreadsheet. What is needed is a tool with the ability to associate, or “link,” a specific regulation to supporting policies, procedures, training records, job descriptions, etc. An additional example, related to validation, is the linking of functional requirements of the project in question to its designs and variety of tests and procedures.

An occasional shortcoming is having an individual realize they are the one responsible for the audit comment only after it has been written up as a non-conformance citation. Another of the tool’s useful features would be its ability to clarify responsibilities for policy or procedure sufficiency and regulation fulfillment. A simple solution to this scenario is to ensure that an approver is aware that by electronically approving a policy or procedure, they are accountable for not only ensuring the accuracy and completeness of the document content, but also that the policy or procedure fulfills the requirements of the regulation(s) associated or linked with it. Having this type of solution also alleviates a policy being short-circuited from its original raison d’être, something that may happen easily when a policy or procedure that has been around forever comes under the scrutiny of an “efficiency expert.” This expert succeeds in having the existing process or procedure changed because no one recalls the original rationale for having that second check done or remembers that a manual file is retained because a legacy system doesn’t maintain audit trails, etc.

There are now some new technology tools available that can make the whole audit questioning under a hot lamp seem more like relaxing under the sun on a beach.

The available touted solutions to compliance needs are derived from the various, often narrow, slants or perspectives a particular software vendor brings to bear in determining a remedy for these issues. For instance, document management companies will try to address the compliance issues by workflow solutions; database-centric solution providers focus on the absolute assurance that all data will be tracked for revision history, and not even the Lord above will be trusted!

There are a few vendors, typically from within the validation services niche, who approach the problem of presenting documented evidence from a fresh perspective. One example is The Validation Manager™ by PENSA Technology Solutions Inc. (Brockville, ON). PENSA’s approach is to focus on the needs of those individuals obliged to defend a company’s compliance efforts and readily present related information. It accomplishes this by creating electronic “links” between “anything and anything.” A sample of its mechanism is displayed in Figure 1.

When looking at solutions to bolster your company’s compliance confidence, it is important to begin by asking those colleagues who are on the front line defence, what they dread most during initial audit interrogation questions. The responses will point to or highlight the data and/or people needed most for this front line defence.

For any data concerns, you should then review the confidence that you have in that particular data. Then ask: are you, or anyone else that may be questioned about it, sure it is the current data? Is it secure and controlled, and by whom?

For any identified people concerns, you should review responsibilities and how they are assigned, and ensure that folks know and have acknowledged that they have these specific responsibilities. Figure 2 displays an example of the responsibility assignments mechanism.

From reviewing and answering these questions, you will have identified the second line of troops defending your compliance stance. This second level of audit defenders should similarly be asked what they dread most during these secondary interrogation questions, be they direct questions from the auditor or questions from the sweaty war-weary front line defender. This may identify further key data availability needs and responsibility clarifications.

Depending on the size and complexity of your compliance needs, or if you are lucky enough to have Mr. Spock defending your compliance position, your company’s compliance solution may vary. Live long and be confidently compliant.

Logie is the president of PENSA Technology Solutions Inc. (Brockville, ON), a company that has focused on providing consulting services and compliance tools to support the compliance requirements of life sciences manufacturers since 1997. The primary projects have been related to validation activities surrounding the implementation of enterprise-level, computer-related systems around the world. Details of PENSA’s focus and background can be reviewed at www.GMPs.com or Dean Logie can be reached directly at ean_Logie@GMPs.com”> Dean_Logie@GMPs.com.