Introduction Approaching the Response to Audit Observations One of the first things consistently drilled into my collective memory was the statement that we should always be prepared for an audit. It was a number one priority prevailing over our activities as a quality unit. The reason was simple always being prepared prevents (or at least minimizes) the peaks and valleys of audit preparation. This can be demonstrated by the graphic below: Audit complete company at a high state of compliance Audit Announced Cycle Repeats! Low Level of Compliance Now that the audit is over, we can get back to some real work Overtime, extra help, replace items, conduct training RUSH, RUSH High Level of Compliance As experience was gained not only at the front end (audit preparation) but at the back end (audit response), it was evident that if Always be Prepared was a number one priority, then a number two priority was Respond Systemically to any observation. If done properly, systemic resolution to issues should eliminate the peaks and valley syndrome outlined above. Quality should be built into the process and auditing alone cannot be relied upon to ensure quality. Your actions before, during and after the audit will ultimately determine your level of compliance. Compliance Insight, Inc. 2014 Page 1 of 15
Some Definitions Before proceeding further, it is always best to define some of the main points being discussed. Without a base of understanding for these points, misunderstandings and confusion is bound to happen. Audit Planned, independent and documented assessments to determine whether agreed upon requirements are met. Compliance Affirmative indication or judgment that the supplier of a product or service has met requirements. Conformance An affirmative indication or judgment that a product or service has met the requirements of the specs or regulations Observation An item of objective evidence found during an audit Quality Audit A systemic and independent examination and evaluation to determine whether quality activities and results comply with planned arrangements and whether these arrangements are implemented effectively and are suitable to achieve objectives. Note: This last section of underlined text is very important to understand if one is to respond systemically to an audit finding. The auditor is looking for current implementation of programs AND how you plan to implement corrective actions to observations. Systemic Audit A means of conducting an audit that evaluates the systems implemented by a firm to control their operations. Although the auditor or firm may divide their systems into various classifications, a good standard is provided by the US FDA (attachment I). Compliance Insight, Inc. 2014 Page 2 of 15
Understand Your Observations It is essential that the observations be understood and evaluated in the context in which they were given. Personnel involved with the audit should have input into the reasoning behind the issue. Hopefully, the auditor will provide feedback either when the observation was made or on a daily basis. This is an opportunity to understand the point being made. Typically, the last prospect for obtaining feedback directly from an auditor is during the close-out meeting. The close-out meeting is a review of the observations made by the auditor. For the US FDA, if a Form 483 is issued, the firm will receive it during this close-out. For the MHRA, the firm will receive a verbal list of observations. The written list will follow in about two weeks. For internal, corporate or external auditors, there is usually a verbal close-out meeting followed shortly thereafter with a formal report. During the close-out meeting (especially during formal or governmental audits), it is important to have the appropriate personnel in attendance. These people usually represent Quality Assurance, Regulatory Affairs, Operations and a member of senior management. It is important to keep the number of personnel in attendance to a reasonable level. Too many people and the auditor may become uncomfortable. Too few, it may seem that you are not taking the audit seriously. Decide in advance how you are going to approach the close-out meeting. Will you question every observation and attempt to get them removed analogous to a Scorched Earth Policy? Will you accept every observation even if there are errors present? Who will comment on the observations everyone? Will people debate or disagree with valid observations? A good approach is typically one that abides by the following outline: The head of quality is the one who hosts the audit and will be the representative during the close-out. That person alone will be the one who questions any observation unless a person hears a point that is blatantly in error. The head of quality can, and often does, ask for assistance from other key representatives of the group. Review each item with the auditor. Understand what they are citing. Don t guess or speculate your response could be far off target if this is the case. If errors are present, comment on them. Ask for clarification. Auditors are human and make mistakes. Compliance Insight, Inc. 2014 Page 3 of 15
If you have already made corrections decide if you will indicate that fact during the close-out. There is a concern that should be noted on this point If the firm has a knee-jerk reaction and implements corrective actions too quickly, the auditor may be concerned that you are reacting without truly evaluating the systemic nature of the observation. If the points are minor or easily rectified, you could make the comment that actions have already been implemented to correct the problem but be cautious with this approach. Many questions can be raised such as How did you get the change control implemented so quickly?, Did you train personnel already?, Did you evaluate all the systems? or That s not what I meant by the observation. If there are true points of contention, discuss them but don t argue directly with the auditor. You should not argue every point or even a large percentage of them. It should be understood that these observations are simply points made during an inspection by an auditor. The firm has an ample amount of time to respond to the issue in a written format, citing examples of compliance, references, guides, testimony, etc. Be cautious in committing to anything during the close-out. The auditor is taking notes and will indicate that the firm committed to a particular action or time frame. This is particularly important during a governmental audit and may result in further actions. There are other means of gaining an understanding of the observations, including, but not limited to, obtaining the EIR (Establishment Inspection Report) or contacting the inspector directly for questions. The Response Re-establishing Credibility Once observations are given, particularly critical or major points, the firm has a limited amount of time to respond. Generally the response must be received by the auditor within 15 days from the date of the 483. The firm should have a policy in place and adhere to it diligently. This is the firms chance to re-establish credibility with the auditing body client, potential client, MHRA, etc. The last thing an auditor or auditor body wants to do is chase down a firm for corrective actions or to conduct extensive follow-up. Any issues with the response such as lack of clarity or detail will only result in a request for further information, followed by more details, followed by another review, etc. This loss of time in Compliance Insight, Inc. 2014 Page 4 of 15
obtaining a conclusion to the audit can result in delays in contracts or governmental approvals. An approach for formulating a response on each observation is recommended as follows: 1. Evaluate the current state of compliance in light of the audit observation. If possible, indicate what is compliant. 2. Review prior commitments. Are any issues a repeat observation or a repeat observation for the same type system issue? This is critical to know and understand. If you have made a commitment in the past regarding an observation but the corrective actions were not implemented or did not resolve the issue, the inspecting body will evaluate the current observations in a more critical light. Repeat observations also greatly increase the likelihood of further regulatory actions. 3. Relate each observation to the appropriate Quality System. Understand the area of impact of the issue in relation to the functions impacted by that system. 4. Identify the root cause of the issue, as appropriate. Understand how the firm will resolve the issue systemically. This is a fundamental principle in the FDA s view of systemic audits and is certainly used widely in Europe as a format for inspections. 5. Develop a corrective action plan around the entire scope of the issue(s) noted. 6. Secure the required resources needed to complete the job in the time frame indicated. DO NOT underestimate the forces needed to complete a job within schedule let alone evaluating the outcome of the work. 7. Verify that responsibilities are assigned to key people and make them accountable. Assignments given to departments or groups of people are almost doomed to failure. Someone has to be in charge, assign work, track and modify the assignment as needed. Just as important, a single key individual, typically the head of quality, will need to be responsible for the overall work. Compliance Insight, Inc. 2014 Page 5 of 15
Note that in the steps provided above, points 1 through 6 are directly related to formulating a response to the observation. It is critical to understand that points 5 and 6 directly relate to the response letter in that these actions determine the time frame in which actions can be accomplished. Without knowledge of the requirements needed to complete the actions, the events following the response will fall into one of three categories: I. Actions needed to finish the task will be completed significantly earlier than the date indicated in the response. The risk here is that the reader of the response will know that it does not take that long and will consider your reaction inappropriate. II. Actions needed to complete the task are performed prior to the date indicated in the response. This position can be great if planned out and performed in a compliant manner. As some have discovered, much to their chagrin, some response time frames are not that well thought out and in order to complete the task necessary, monumental actions have to be taken. This may include significant overtime, hiring temporary staff, not completing routine activities or completing the task with shortcuts or in a non-compliant manner. III. Actions needed to complete the task are performed after the date indicated in the response. Most audit bodies (even governmental auditors) understand that things happen and sometimes tasks cannot be completed in the time indicated. The audit body should be notified immediately (best time is BEFORE the due date of the action). Explain the situation, what has happened, the tasks completed and the new due date. That being said if missed commitments are frequent enough or happen not once but two or three times, the audit body may become concerned and inquire into the situation further. An overview of the process for responding is provided in Graph I and subsequent actions are provided in Graph II. Compliance Insight, Inc. 2014 Page 6 of 15
Graph I Process for Responding to Observations Analyze Observations Determine the Timeline Review and Re-write Write the Response Letter Graph II Post-Audit Action Flow Systemic Verification Audit Observations are received at this point Systemic Analysis Systemic Execution of the Plan Systemic Implementation Plan Response to the audit observations is made at this point Compliance Insight, Inc. 2014 Page 7 of 15
Writing The Response There are several basic rules that can be established regarding writing a response letter. Many or all of these rules may apply depending upon the particular situation of the firm e.g. lengthy list of observations from a governmental body, client audit, warning letter pending, etc. 1. Someone in a high level in the Quality Department should write the response. 2. Personnel copied on the response should include high-level management. This shows that management at the firm is aware of the issues and the commitments being made. 3. Include a cover letter or opening statement. Thank the auditor(s) for being professional, providing insight or other appropriate remarks as warranted. State the site address of the audit and the dates. 4. Always remember that you are writing the response to the auditors management governmental auditing bodies as well as clients. Do not assume that the person reading the report understands the context of the observation or your reply. 5. Re-state the observation and reference number in the response. Typically, the observation goes directly above the response. 6. If possible, indicate the related compliant systems. This shows that you are in control and that some operations were functioning within acceptable GMP parameters. 7. If the action item is going to take some time to implement, state what will be done in the interim to be compliant with GMPs. Don t simply indicate that actions will be taken in six months to correct the issue in which you are currently out of compliance without addressing what you will do to be compliant from the current date until the corrections are implemented. 8. If corrective actions have already taken place, indicate the following: a. Dates implemented b. Training performed (copies of training sign-up sheets included) c. Copies of Purchase Orders, installation work, etc. d. Copies of updated SOPs indicating what was changed. Compliance Insight, Inc. 2014 Page 8 of 15
9. Define how enhancements will prevent recurrence of the issue observed. Don t assume that the reader will understand this fact. 10. Explain what will be done to expand, enhance or streamline the compliance system. 11. Don t forget about training. Allow sufficient time to implement changes to incorporate training that may include proficiency testing. 12. Describe how the firm will monitor the progress and effectiveness of the corrective actions. 13. It may be helpful to explain that despite the issues noted, there has never been an issue. It is not advisable to use this response tactic each time but it can be advantageous for critical observations to state something on the order of the product has always met predetermined quality parameters 14. Revise, Revise, Revise. Allow other people not directly involved with the audit to review and comment on the response. They may have insight on response wording that would assist in clarification or strengthening of points. When initially formulating a response, a 4-Stage Inspection Approach may be helpful to develop perceptive on the format of the response and contribute to a better understanding of what actually needs to be implemented to be compliant. This approach includes the following steps: 1) Restate the Observation 2) Define Root Cause 3) Indicate Corrective Actions 4) Develop a Due Date If the 4-Stage Inspection Approach is completely followed, any corrective actions will be systemic as they should address the root cause(s) defined. This will also aid in the development of due dates as the firm will be more informed as to what actually need to be accomplished. Response Strategies to Avoid Although the information below is not an exhaustive list, there are some strategies taken by firms that indicate the firm s unwillingness to change or inability to make appropriate corrective actions to an auditor. If a firm does not have the capability, Compliance Insight, Inc. 2014 Page 9 of 15
time or experience to respond appropriately to an audit (especially a government audit), a prime directive should be to seek outside assistance. Pathways to Disaster: 1. During the closeout or in the response letter, argue every point in that they are not appropriate or we have never had an issue with this point from other auditors. This is called a scorched earth policy and will ensure that the auditor has a strong message of non-compliance to the auditor body. 2. State that the corrective actions being requested will put the firm out of business or drive jobs to a foreign country. It is a scare tactic that has been used for at least 20 years and has not proven to be the case. 3. The rain forest or overwhelming response. Include massive amounts of data that is not warranted with the hopes that the reviewer will be impressed with the work. This type of response sends an immediate warning signal to the auditor that issues are being glossed over. 4. Implement changes immediately. Either during the closeout meeting or with a quick response, all changes have been implemented for complex issues. If the issue is simple, great no problem. However, for complex observations, a rapid response indicates that the firm has taken a knee-jerk reaction and implemented corrective actions without thinking of the root cause. 5. Not responding to the audit. Actions may be taken but no formal letter is sent indicating what was performed. This approach indicates that the firm does not take the audit seriously. 6. The enigmatic response. The firm indicates that actions are going to be taken but does not address what these actions include. Such an example would include: Actions Taken Records were updated. When? How were they updated? 7. Promise without substance. Similar to the enigmatic response, this approach does not indicate any specifics. An example includes: Deficiency Detailed investigation not performed in a timely manner. Response Investigations will be carried out in a timely manner. Compliance Insight, Inc. 2014 Page 10 of 15
Managements Role The role of management cannot be understated in its importance with a successful audit outcome. The auditor must get the impression that management is informed of issues and is vested to resolve issues. Some of the roles include: Hosting the inspection. Up front, this will be the first impression that an auditor receives of how the firm actually operates. If no one from management is available or even attempts to participate in the audit, there is a lost opportunity to indicate that the firm is willing to listen and learn from the experience of the auditor. Management does not have to be present during the entire audit, but should be there during the opening and to discuss any key observations. Participate in the exit meeting. This will indicate that the firm s management is accountable for decisions being made and actions taken. Should be aware of or participate in the response letter. Indication of copy of the response letter should be included. The most critical role of management after the audit is the commitment of resources to accomplish the task in the allotted time frame. This could range from more money to more people. Beyond the Context of the Direct Observations A systemic response to any audit observations must equate to a systemic resolution to any issues within the firm. This action requires further evaluation than just actions in a system at a company site. The FDA in particular will require that all company sites implement corrective actions along the same plan of action. Failure to do so may result in further regulatory actions. Programs need to be established which require any observations and the responses to be circulated for evaluation within a company to determine if other areas are non-compliant. Graph III illustrates this approach. Compliance Insight, Inc. 2014 Page 11 of 15
Graph III Approach to CAP Evaluation Departmental Corrective Actions on a Specific Observation Departmental Corrective Actions on Other Points in Relation to the Specific Observation Site Wide Corrective Actions on a Specific Observation Contract Firms, Third Parties, Vendors Site Wide Corrective Actions on Other Points in Relation to the Specific Observation Corporate Wide Evaluation Helpful Hint #1: EIR Evaluation The FDA will write an EIR (Establishment Inspection Report) on the audit. This report along with any observations and the response are submitted to FDA Management for final inspection conclusions and closeout (or further action from the District). It is highly recommended that the EIR be obtained by the auditee and evaluated for correctness/accuracy. Any discrepancies should be diplomatically handled via a letter to the auditor. Compliance Insight, Inc. 2014 Page 12 of 15
Helpful Hint #2: Prepare to be Re-inspected After the audit, there is a tenancy to drift back into an operational mode. Along with other daily issues, some commitments can be dropped and forgotten. It is QA s role to assure that the firm has met their commitments in the anticipation of a re-inspection. During this re-inspection, the auditors will almost consistently verify actions taken and timeline adherence. QA should substantiate GMP compliance by assuring the resolutions encompassed root cause, were systemic/comprehensive and actually worked to resolve any issues. Conclusion Although sometimes comprehensive and seemingly overwhelming, the audit response can be accomplished successfully. This report offers a wide variety of points and options for success. The firm should consider these options when addressing all audit observations and systemically concentrate on any actions. If completed, the firm and auditor are both in a win-win scenario whereby the firm resolves root cause problems and the auditor has fewer repeat observations. Compliance Insight, Inc. 2014 Page 13 of 15
Attachment I FDA Systemic Approach Production Production Resources Procedures Maintain Validation Controls Training Facility/Equipment Resources Procedures Maintain Qualify Controls Training Calibrate Clean Packaging/Labelling Control Resources Procedures Maintain Qualify Training Quality Control Procedures Disposition Authority Investigate (CAPA) Material Training Control Resources Qualify Laboratory Resources Control Procedures Procedures Training Disposition Authority Qualify Maintain Calibrate Resources Training Compliance Insight, Inc. 2014 Page 14 of 15
Reference: US FDA, Guidance for Industry, Quality Systems Approach to Pharmaceutical Current Good Manufacturing Practice Regulations, Final Guidance, September 2006 Compliance Printing, Preparing for Audit and The Quality Audit, Operational Booklets, 2012. Compliance Insight, Inc. 2014 Page 15 of 15