
What Are Auditors Looking For?

How to avoid audit findings in a Risk-based Quality Management (RBQM) and risk management environment? What are the most common findings in RBQM? What are auditors looking for in risk management plans, SOPs and RBQM guidance?

If we can imagine a pharma hell, it would be full of audit findings. Let us admit it: we are all afraid of auditors. However, auditors are people just like you and me. Their job is to follow the logic of regulatory documents and check if a company or institution implements the rationale in its clinical research practice. Still, RBQM is a relatively new procedure in clinical research, and that is why auditors may feel “lost in translation”.

To date, there are four main guidelines for regulating RBQM. Auditors check whether the implementation of RBQM follows the logic of these guidelines.

The underlying principles of risk-based quality management are straightforward and could be seen as common sense. However, in many cases, RBQM implementation lacks certain vital elements. One of the main reasons for these gaps is a company’s lack of experience and attention to all aspects of a holistic risk-based approach to quality management.

This article covers the most common audit findings, which can be avoided. It is based on Cyntegrity’s real-life experience of helping clinical organizations with the re-launch of RBQM after audit findings happen.

There are four main groups of audit findings:

  1. Common deficits in RBQM-related SOPs & their implementation

The audit finding is that SOPs were created before the RBQM regulatory documents appeared, i.e., not all aspects of risk management or centralized monitoring were covered in the updated versions of SOPs. Keep in mind that the following SOPs most likely must be updated:

  • Quality Management SOP
  • Risk Management SOP
  • Writing Monitoring Plan SOP
  • Monitoring SOP
  • Source Data Verification SOP
  • Clinical Trial Adverse Events Reporting SOP
  • Protocol Deviation SOP

In addition, check the study protocol for RBQM issues as well.

  2. Failures in risk assessment and its connection with actions

Risk assessment is the first activity and one of the most important aspects of RBQM. It starts with the identification of the most important processes and data points. Cyntegrity observes organizations disconnecting the risk assessment from the data quality evaluation, key risk indicators (KRIs) or mitigation actions. This is a common mistake.

A risk in its traditional definition is “a probability of an event and impact of its consequences”.

The key word is ‘probability’. The risk assessment should be followed by mitigation actions aimed at reducing the probability of a risk event happening.

Later, if a risk event still occurs despite the attempts to reduce the chances of it happening, a root cause analysis with a contingency plan would be a good solution that could satisfy auditors. Even if a company decides not to create CAPA, some elements of it are expected to be seen.

  3. Technology & IT Issues

This category covers mistakes with incorrectly validated tools or Excel sheets, the validation of which a company did not document based on standards for software validation (e.g., GAMP 5).

“The top three challenges in implementing GAMP are establishing procedural control, handling management and change control, and finding an acceptable standard among the existing variations.” [1]

Evaluate whether your organization is capable of covering these requirements or whether it is better to delegate them to specialized vendors.

  4. Patient safety issues

Reduction of monitoring without corresponding changes in the processes and further actions is the most widespread pitfall. We wrote a lot about it in our previous blogs. This pitfall leads to Source Data Verification (SDV) reduction strategies that are disconnected from risk evaluation and risk control and, as a result, to insufficient quality assurance in a trial. No wonder that auditors react allergically to such situations, which usually results in a number of critical findings.

Summing up, in order to be ready for an RBQM-related audit, you should be aware of the logic of the regulatory landscape, define a company-wide RBQM strategy in the SOPs and role descriptions, define the risks and risk hierarchies, plan mitigation actions to reduce the probability or impact of a risk event, define the RBQM success metrics and apply them.

Adjust your monitoring only when you are absolutely sure that patients’ safety and data integrity are not jeopardized. Configure the corresponding metrics to monitor the adequacy of monitoring and data quality. Moreover, do not forget about “residual risk” or “unknown unknowns”.

Finally, yet importantly, besides the common failures discussed, some audit findings happen due to discrepancies in the interpretation of guidelines between a company or institution and an auditor. In these situations, there is no right or wrong answer because there is a certain range of opinions about aspects of regulatory documents. The best strategy is respectful argumentation.

We wish you successful audits and future inspections and hope this article helps you to be better prepared.


[1] pharmpro, “GAMP Standards For Validation Of Automated Systems,” 11-Mar-2008.