How can you avoid audit findings in a Risk-based Monitoring (RBM) and risk management environment? What are the most common findings in RBM? What are auditors looking for in risk management plans, SOPs and RBM guidance?

If we can imagine a pharma hell, it would be full of audit findings. Let us admit it, we are all afraid of auditors. However, most of them are normal people. Their job is just to follow the logic of regulatory documents and check whether a company or institution implements that rationale in its clinical research practice. Still, RBM is a rather new procedure in clinical trials. That is why auditors could feel lost.

To date, there are four main guidelines regulating RBM. Auditors check whether the implementation of RBM follows the logic of these guidelines.

The underlying principles of RBM are straightforward and could be seen as common sense. However, in many cases, the RBM implementation lacks certain vital elements. One of the main reasons for these gaps is a company’s lack of experience with, and attention to, all aspects of a holistic risk-based approach to quality management.

This article covers the most common audit findings, all of which are avoidable. It is based on Cyntegrity’s real experience of helping companies re-launch RBM after audit findings.

There are four main groups of audit findings:

  1. Common deficits in RBM-related SOPs and their implementation

The problem is that SOPs were created before the RBM regulatory documents appeared. Even in the updated versions of SOPs, not all aspects of risk management or centralized monitoring are covered. Keep in mind that the following SOPs very probably must be updated:

  • Quality Management SOP
  • Risk Management SOP
  • Writing Monitoring Plan SOP
  • Monitoring SOP
  • Source Data Verification SOP
  • Clinical Trial Adverse Events Reporting SOP
  • Protocol Deviation SOP

By the way, check the study protocol for RBM issues as well.

  2. Failures in risk assessment and its connection to actions

Risk assessment is the initial and one of the most important aspects of RBM. It starts with the identification of the most important processes and data points. Cyntegrity sees organizations separating risk assessment from data quality evaluation, key risk indicators (KRIs), or mitigation actions. This is a common mistake.

A risk in its classical definition is “a probability of an event and impact of its consequences”.

The key word is probability. The risk assessment should be followed by mitigation actions aimed at reducing the probability of a risk event happening.

Later, if a risk event still occurs despite attempts to reduce the chances of it happening, a root cause analysis with a contingency plan would be a good solution that could satisfy auditors. Even if a company decides not to create a CAPA, auditors expect to see some elements of it.

  3. Technology & IT Issues

This category covers mistakes with incorrectly validated tools or Excel sheets whose validation the company did not document according to standards for software validation (e.g., GAMP 5).

“The top three challenges in implementing GAMP are establishing procedural control, handling management and change control, and finding an acceptable standard among the existing variations.” [1]

Consider whether your company is capable of covering these requirements or whether it is better to delegate them to specialized vendors.

  4. Patient safety issues

Reducing monitoring without corresponding changes in the processes and further actions is the most widespread pitfall. We wrote a lot about it in our previous blog posts. This pitfall leads to Source Data Verification (SDV) reduction strategies that are disconnected from risk evaluation and risk control and, as a result, to insufficient quality assurance in a trial. No wonder auditors react allergically to such situations, which usually results in a number of critical findings.

Summing up, in order to be ready for an RBM-related audit, you should be aware of the logic of the regulatory landscape, define a company-wide RBM strategy in the SOPs and role descriptions, define the risks and risk hierarchies, plan mitigation actions to reduce the probability or impact of a risk event, define the RBM success metrics and apply them.

Adjust your monitoring only when you are absolutely sure that patient safety and data integrity are not jeopardized. Configure the corresponding metrics to monitor the adequacy of monitoring and data quality. Moreover, do not forget about “residual risk” or “unknown unknowns”.

Last but not least, besides the common failures discussed above, some audit findings happen due to discrepancies in the interpretation of guidelines between a company or institution and an auditor. In these situations, there is no right or wrong answer, because there is a certain range of opinions about aspects of the regulatory documents. The best strategy is respectful argumentation.

We wish the reader successful audits and future inspections, and hope this article helps you to be better prepared.


[1] pharmpro, “GAMP Standards For Validation Of Automated Systems,” 11-Mar-2008.