Calvin London (firstname.lastname@example.org) is the Founder and Principal Consultant of The Compliance Concierge.
Companies operating in the regulated environment of pharmaceuticals, medical devices, and biopharmaceuticals are used to audits. However, the mention of an audit by a government regulatory agency such as the Food and Drug Administration (FDA), the Department of Justice, or the Securities and Exchange Commission will still send a shiver down the spine of even the most resilient. Most employees find an internal audit stressful enough, but these are no match for the anxiety associated with an external audit.
The most desirable outcome of course is to have a peaceful and productive short audit with no observations. To do it, the company must have pristine data, mature systems that run like a Swiss train, and employees that are so well trained, they enjoy being audited. Very few companies can boast such credentials.
I have been fortunate (or unfortunate) enough to have been on the front line of many external audits by government regulatory agencies in Australia, Asia, Europe, and the United States. Some of these have been a delight, others not so much—and one in particular was a disaster ending in the recall of thousands of batches of product. Five auditors, auditing every day for over five months, and the eventual closure of the facility. Direct from the front line, here are five of the best and five of the worst things that you can do when faced with an audit. Note this is not a recipe for guaranteed success, rather comments that in my experience have helped to make an audit run smoothly.
1. Prepare and get off to a good start
Perhaps the most critical key to taking the sting out of audits is to assume that you will be audited. In this respect, a systems approach to compliance reduces the element of surprise, because you will already have some ongoing review process for all your policies and procedures. Nothing gives away a shelf-style compliance program that is not used in a company more than a set of policies and procedures that were reviewed within the few weeks before the audit.
Review the other aspects of your program such as investigations, deviations, change requests, or whatever the components are to make sure they are complete. They may not be perfect, but at least you will know where there might be problem areas going into the audit, and you will have had the chance to consider a defense.
The education of employees is another important prelude to a potential audit. Giving employees a taste of what to expect will help them get over the initial nerves. It is also an opportunity to remind them of the content of your policy or procedure on audits and the expected behavior (some of which are elaborated on in other sections of this article).
Your audit preparation should culminate with putting together a plan of who is going to be the person from the company in charge of the running of the audit (we will call them the master of ceremonies, or company MC) and who the different subject matter experts are (see the fifth point under “Auditing don’ts”).
All external audits should commence with an opening meeting, regardless of the type of audit. This is an important event for your company to display an element of confidence, knowledge, and cooperation, but also to determine the terms of engagement. This opening meeting is where the scope of the audit is reinforced, whether it is specific and for cause, a general review, or a qualification/registration audit. Auditors like to see the most senior person on site attend these meetings as a show of support and depth for the compliance program. It is also an opportune time to alert the auditors to any special requirements such as training they need to undertake to enter certain parts of a manufacturing facility, taking photographs of the facility, or any requirements you have for copying documentation.
2. Be courteous and nonconfrontational
The expected employee behavior during an audit is something that should be explained to employees as part of ongoing training. As a general principle or even a value of the organization, being courteous and nonconfrontational should be a given. If you have ever been exposed to an audit that has gone wrong, you will know what I mean. I have been in audits where I have had to take employees out of the audit and explain to them that their behavior is not acceptable, and that all it is doing is agitating the auditor. That can only end up one way. An angry auditor is not a friendly auditor who will be prepared to negotiate possible findings should they arise.
3. Provide documentation as requested
Auditors will operate in a number of different ways when it comes to documentation. Some will provide a list of requested documents on a formal request list, and others will just ask verbally. However the request is made, the keys to keeping an audit on track are to (i) provide the documentation that is asked for, (ii) provide it in a timely manner, and (iii) keep the auditor apprised of any delays and the reasons why. The longer it takes to fulfill the requests of the auditor, the longer they will be at your company.
I have worked in companies where a large proportion of the expected documentation is retained in a room reserved specifically for the audit and in close proximity to the actual audit room. There is someone designated as the document manager, who has the responsibility to maintain a log of all documents provided to the auditors and to review all documents prior to giving them to the auditors. They record when they were provided to the auditor, when they were returned, and whether a copy is required by the auditors.
This process ensures that documents are provided in a timely manner and that an exact copy of the document provided to the auditor is also retained as a record by the company. The latter will avoid any misinterpretation when the audit has been completed.
FDA auditors, for example, will more often than not record the time of document requests and the time they receive them. Once the company has demonstrated it is not trying to delay the progress of the audit, this may stop. However, in those situations where the flow of documents is not as required, auditors can become very aggressive, which adds unnecessary tension.
I have been part of an audit where the level of trust around documentation had eroded to such a point that in excess of 30,000 sheets/week were being photocopied, much of which was done under the supervision of additional auditors from the agency.
4. Answer only what is being asked, and answer honestly
A common audit technique is to try to rattle an employee by asking the same question in different ways followed by body language that expresses dissatisfaction with the answer. The aim of this is to draw out further information from the employee that is not required to answer the question but may lead the auditor down a different pathway—one that you do not want them to go down.
There is no harm in asking an auditor to clarify what exactly their request is, or to say that you do not know the answer. This may be because it is not your area of expertise or appropriate for your level in the company. The company MC should then jump in and provide a better contact point for the auditor that can answer the question.
Another problem that companies face when employees make up or guess an answer is that astute auditors will sense if something does not add up and will then ask the same question of different employees in different sessions of the audit. Clearly, different answers from different employees demonstrate a process that is not understood or likely to be effective, and may lead to observations.
Similarly, there is a danger when employees move away from the question and provide too much information if they think the auditor is sympathetic to a problem they may have with something that is done. Frustrated employees can undo companies very quickly. For example, how would you deal with an employee that made statements to an auditor such as “That’s the way we have always done it”; “I knew it was wrong, but my supervisor told me to do it that way”; or “I probably shouldn’t say this, but…”?
While these may seem improbable and even comical, from the company MC perspective, they are certainly not productive comments.
5. Assume a position of knowledge and power, and connect the dots for the auditor
One of the most empowering things you can do for your employees is to continually remind them that they know more about their processes than the auditor does, and that the mission of the auditor is to understand these processes better. This does not mean employees have free rein to argue the point with an auditor; misinterpretations should be reserved for the close-out meeting and discussed in a calm and constructive manner. Auditors will have seen many different policies, processes, or procedures, and it is not unreasonable to think that they may require some guidance to interpret yours.
For example, in reviewing a particular process for preventing corruption, an auditor will need to connect the dots to make sure that the appropriate employees are involved, at what stage, and whether there are sufficient controls in place to prevent fraud or misconduct, bribery, or abuse of the system.