Remote Auditing Guidelines
Remote Auditing Guidelines and Procedures for Remote Audits (ICT, Security)
Remote Auditing Guidelines: 10 Commandments for Conducting Remote Audits and offsite inspections
Frequently asked questions about Remote Auditing techniques, procedures and guidelines
FAQ1: Are remote audits as effective as onsite audits and site inspections?
The success of a remote audit depends on numerous factors, including the product type/classification, the risks to consumers or patients, and the history of the organisation being audited. So the answer to this question is ‘yes and no’.
- Companies previously found to be in serious breach of regulations may be better suited to an onsite audit or hybrid audit.
- Some compliance issues may also be more readily spotted while conducting an audit onsite, versus conducting a remote auditing procedure.
Yet remote audits and offsite inspections can offer certain advantages over onsite inspections when planned and performed to a certain standard.
With adequate planning and remote auditing procedures, remote audits can be an effective way of staying on schedule for self-inspections as well as external audits by Regulatory Authorities.
- Offsite audits offer an Auditor the chance to delve deeper into procedure documentation gaps, e.g. where good recordkeeping practice (GRP) is a crucial component of the quality management system or PQS (Pharmaceutical Quality System).
- Remote audits may also improve the Auditor’s focus on the items being reviewed, by eliminating site distractions and conversational diversions from the audit topic.
Comparison of Onsite vs Offsite Auditing
The general view in regulated sectors is that conducting an onsite audit (or hybrid audit) is better than an audit conducted entirely offsite. But only where feasible and safe to do so.
In times like these, where the current pandemic is wreaking havoc on supply chains and delivery schedules, the consensus is as follows.
- Remote audits, performed effectively, are a far better option than allowing auditing programs to fall months (or years) behind schedule.
- Remote audits help reduce the risks to consumers/patients of a major compliance breach, most of which may be discovered using carefully planned remote auditing techniques or remotely performed self-inspections.
- Order our online training course on Remote Auditing Techniques (procedures and guidelines)
Remote audit requirements
Remote audits offer opportunities to continue with internal and external audit programs:
- When travel interruptions and other pandemic risks are wreaking havoc on an auditing schedule.
- When there is a higher demand for pharmaceutical products and medical equipment due to spikes in infection rates across the globe
- When there is a backlog of pharmaceutical product applications
- In relation to the pandemic
- In relation to rapidly evolving technologies
There are also cost and time-saving benefits for remote auditing (offering greater auditing capacity or auditing frequency and/or lower travel costs).
There are benefits and drawbacks to conducting an inspection or audit remotely vs an onsite audit.
However, remote auditing is a necessity in our current scenario where travel is subject to disruptions and potentially dangerous to Auditing personnel.
Benefits, risks and limitations of Remote Auditing methods & procedures
FAQ2: What are the benefits and risks of conducting a remote audit or offsite inspection/compliance evaluation?
Remote auditing benefits
Enhanced Auditor focus by minimisation of onsite distractions
Conducting a remote audit may help to minimise the typical ‘onsite’ distractions, and interruptions, experienced during a site inspection.
By reducing the distractions and interruptions that commonly occur during an onsite inspection in a manufacturing plant, a remote audit may enable an Auditor to focus more steadily on regulatory compliance gaps.
Auditing efficiency gains (cost savings/auditing time frames)
There are also efficiency gains from conducting an audit using ICT versus an onsite visit, such as:
- Shorter time frames due to not needing to arrange travel and accommodation (which can be beneficial if the audit is being scheduled due to a safety signal, product recall and/or manufacturing tip-off)
- Cost savings / budget considerations
- Ability to conduct a greater number of remote audits due to not needing to arrange travel and accommodation for Auditors
- Ability to schedule an audit that isn’t vulnerable to cancellations due to sudden border restrictions and/or airline travel interruptions
So there are benefits to remote auditing experiences, as well as significant savings in terms of travel time, travel disruptions, accommodation costs, and safety risks.
The priority of any auditing program, however, is to reduce the risks to patients and consumers. Risk management relies heavily on adhering to quality standards and GMP regulations; which must be monitored internally and externally to ensure compliance.
FAQ3: What are the limitations of conducting an audit remotely?
Risks and limitations of remote auditing:
- Planning the ICT and file-sharing components gives Quality Managers/Auditees a “heads-up” to prepare for the Audit
- Fewer opportunities for unannounced auditing, unless
- previous audits were conducted remotely and
- ICT/file-sharing systems are already in place
- ICT failures, internet dropouts, and system compatibility issues can wreak havoc on Audit day(s) and disrupt the schedules (it can also be difficult to identify the actual source of the ICT/audit disruption)
- File accessibility (IT considerations including data security)
- Personnel shortages
FAQ4: What guidelines should be followed when conducting an audit remotely?
Remote Auditing Guidelines
Insights from Quality Managers and Regulatory Auditors
Planning is a crucial component for remote auditing success.
Globally accepted guidelines for Remote Audits are currently in development.
Because globally accepted guidelines for Remote Audits are still in development, we developed an insightful Remote Auditing training course to provide practical tips and guidelines for conducting an offsite inspection.
The new training course on Remote Auditing techniques for Auditors, Regulators and Quality Managers will help you understand the typical requirements of conducting an offsite compliance audit (whether you are auditing an organisation for their compliance with PIC/S GMP regulations, ISO qualifications/standards, ISPE requirements, and/or other globally recognised standards).
Order the Remote Auditing Techniques training course.
Procedures for Remote Audits: What Auditors and Auditees need to know
The course provides helpful tips for establishing effective Remote Auditing procedures. It includes remote auditing guidelines compiled from industry experts, external Auditors, and Quality Management personnel.
The course discusses important concepts:
- how to decide between auditing methods (e.g. remote audits vs onsite inspections vs hybrid audits)
- risk assessment documentation requirements
- how to plan for a remote audit or ‘remote interactive evaluation’ (the FDA’s term for remote auditing during the pandemic)
- back up plans for technological failures
- data integrity and file security considerations
- and more!
Our recently released course on guidelines for conducting a remote audit is based on:
- insights from Regulators, GMP Auditors, ISO auditing experts and GMP audit response consultants
- tips from GMP compliance experts
- Quality Managers’ experiences with remote auditing
Remote auditing technologies, procedures and risks
What can go wrong with a remote inspection or remote audit?
There’s a lot to consider when you are switching from onsite audits to remote inspections (remote GMP audits), ISO audits or ISPE / CFR compliance audits.
For example, offsite inspections and remote audits rely on:
- various forms of information and communication technology (ICT)
- video conferencing technologies and bandwidth/internet speeds
- secure access to highly confidential information
- verification of the persons and sites being audited (e.g. ID or GPS verification of the site location)
- ability to view the facility and equipment using video technologies
- the integrity of the person/s being interviewed where non-verbal communication, such as body language, can be more readily hidden
So remote auditing is fraught with challenges for auditors and auditees. But remote auditing also offers a safer and cost-effective way to investigate levels of compliance with regulations and standards, from GMP regulations to ISO requirements to ISPE requirements and compliance with the FDA regulations (21 CFR Parts 210 and 211).
Why ‘remote GMP audits’ (offsite inspections) are necessary
Remote auditing offers:
- enhanced safety for employees, inspectors, and Regulatory Authority representatives
- reduced risks of exposure to viruses
- lower risks of cross-contamination from conducting an onsite inspection or ‘walk through’
- more reliable auditing scheduling during times of border closures and flight disruptions
With the pandemic limiting travel, while simultaneously increasing demand for pharmaceutical products (with an increase in counterfeit product risks across the globe), remote auditing is currently the ‘go to’ auditing method for auditing.
Where onsite visits present unacceptable safety risks to Auditors and regulatory officials (or where travel restrictions make an onsite visit impossible), Remote Auditing methods should be implemented where identified as feasible based on thorough, well documented risk assessment.
Risks of remote auditing and virtual site inspections
Synopsis of the 3 key risks of remote auditing
BLIND SPOTS / HIDDEN INFORMATION
- Visual inspections may enable an organisation to hide (or disguise) compliance breaches that onsite inspections might readily uncover
- Risks of not meeting auditing objectives may be unacceptably high where a facility/site location (and/or manufacturing process) was not previously audited via an onsite, in-person inspection
- Lack of body language cues during a video-based ‘walk through’, e.g. the video may not capture awkward glances between personnel, facial expressions, body postures that would give an auditor additional auditing questioning ideas
- System incompatibilities / ICT issues
- Internet disruptions
- Slow internet connections, WIFI dropouts, or bandwidth issues, low signal strength in different rooms of the manufacturing facility
- Increased data usage for video conferencing (higher data usage costs for Auditors or Auditees)
- Auditor eye strain (e.g. from staring at the computer for several hours at a time)
DATA / SYSTEM SECURITY
- Agreements and permissions may have legal implications / must be documented
- Firewall issues/system access issues and risks must be assessed and managed
- Security risks of enabling remote documentation access
- Potential for interception of records or passwords or ‘leaked images’
Lower travel costs, a reduction in onsite cross-contamination risks, and minimisation of person-to-person virus transmission risks are some of the many benefits of conducting remote auditing and virtual site inspections during a global pandemic. But proper planning for a remote audit is essential. A risk assessment is required.
Remote Auditing Techniques, Procedures and Guidelines (Resources)
Remote Auditing Techniques, Procedures and Guidelines (Resources)
Certificate training course for Remote Auditing (online training)
PharmOut’s online training course for Remote Auditing Techniques (remote auditing procedures and planning guidelines) available to complete online, 24/7 access for 12 months from the date of purchase.
Certificate training course for Remote Auditing (facilitated, live-streamed training option)
PharmOut’s live-streamed Auditor training course for Remote Auditing by Maria Mylonas, select training dates.
Have a group of Regulatory representatives, Quality Management personnel or 3rd party Auditors to train in Remote Auditing skills and procedures?
Train groups of 10 or more personnel by contacting our GMP compliance training experts for a quote for training groups of 10 or more).
The 10 Commandments of Remote Auditing and Virtual GMP Inspections
1) Communication (your #1 priority)
- This includes clearly written documentation about the audit or inspection
- All potential hazards and items of concern for conducting a remote audit or third-party inspection ‘virtually’ via the internet, must be risk-managed with clear, thorough and timely communication about how the process will work
- Auditors must verify that the communication is received AND understood
- Auditees must ask questions, and inform and involve the appropriate onsite personnel (e.g., cybersecurity managers, IT teams, production personnel, HR managers, etc)
2) Adequate preparation time
- Never rush your preparation time for a remote audit
- Draft your backup plan as soon as you set the date for conducting a remote audit / third-party inspection
- The backup plan should over potential technical difficulties and include a backup auditing date or dates, names of alternative team members (for the Auditor and the Auditee) if one of these people were to become ill and/or otherwise unable to participate in the AUDIT (OR in the event of an internet meltdown at either location – think TEXAS SNOW STORM meant that millions of facilities in Texas were without power, internet or water for nearly a week’s time in February 2021!)
3) Technology checks
- Ideally check technology requirements, equipment availability and internet capacity data requirements BEFORE you set the date for the remote audit
- Be sure you include all necessary devices and accessories, such as high-capacity computers, digital cameras and microphones, secure electronic document transfer methods (legal, reliable, and secure)
4) Trial runs and backup plans
- Trial your connections, logins, communication methods, and other access issues related to confidential documents and discussions (cybersecurity risk management) with a ‘preliminary audit meeting’ – ideally a few days before the audit
- Set your Auditee at ease by:
- establishing rapport so that the process runs smoothly and is neither ‘antagonising’ nor draining for the people involved
- ensuring the Auditor and Auditees use secure data systems and that access and cybersecurity risks are managed by appropriately trained personnel / IT teams
5) Organisation structure and job descriptions
- Include signature registers/signature logs if required/appropriate – note cybersecurity risks of sharing signature registers or logs
- Consider how access will be granted and removed, e.g. access period and credentialing of people accessing records and virtual live-streaming of site inspections/clean rooms/etc.
- Is GPS verification of the facility site required?
6) SOPS and access to other relevant documentation
- Auditees should ensure the Auditor can access the current list of SOPs including version numbers/change management records and documentation logs
- Give access ability to these records during the audit/inspection, or before the inspection (as arranged)
- Provide access to the external auditor and share the time frames during which access will be granted vs removed
7) Personnel training records
- Confidential and secure records must be protected; consider cybersecurity risks and potential risk of payroll files and employment records being seen by unauthorised personnel
- May need to be de-identified depending on regional privacy laws and security risks (consider potential for data theft or data tampering)
- Access to personnel to verify they understand processes/ current SOPs and other procedures
8) Have a checklist
- The preparation for the audit checklist (take the Remote Auditing Techniques course, online)
- What documents and areas you will be auditing / which SOPS you need to review
9) Remote auditing notes (auditing records and audit reports)
- Audit records and discussion notes must be kept
- Ensure agreements are in writing
- Remote auditing reports must be submitted in a timely manner, including
- Follow-up recommendations and monitoring
- How compliance gaps are going to be addressed and reported
- Who is or isn’t copied into report distribution lists
- Security of the Auditing Report, especially if new personnel or Auditors are involved in the process due to a change in personnel or other impacts of the pandemic
10) Refresh your knowledge of all current regulations and standards
- Ensure you are properly trained for conducting a remote audit
- Understand how to conduct yourself as an Auditor
- Learn how to conduct yourself as a client or contract holder performing a remote audit of a Supplier or Vendor
Recommended reading for Remote Auditing
FDA checklist on Remote Auditing Practice
FDA publication on Remote Interactive Inspections (April 2021)
Overall, remote auditing is a necessity during a global pandemic. But there are remote auditing ‘pros and cons’.
In terms of the evolution of remote auditing:
- Remote auditing trends were expanding long before the pandemic
- Remote audits and video inspections were increasing in scope and frequency due to:
- using overseas suppliers
- the evolution of global supply chains/global distribution of pharmaceutical products and other goods
- other digital technology evolutions and trends including video conferencing, handheld devices, and global online shopping
Remote inspection methods are expected to be a mainstay auditing approach for several years.
- Remote audits can also provide some assurances of compliance levels.
- Yet Auditors must understand the pros and cons of conducting a remote inspection/remote interactive evaluation.