Auditing in Today's Changing Environment



1. What does today’s clinical environment look like?
2. Remember, data is our first product!
3. Key principles and considerations regarding risk planning before planning an audit
4. Typical factors affecting risk
5. Some risk factors often overlooked
6. Leveraging Quality Auditing best practices to mitigate risk to data, systems and services

Published in: Technology, Business

Auditing in Today's Changing Environment

  1. DATATRAK: Auditing in Today’s Changing Environment
     Walt Townsend, International Director Quality Assurance
  2. Disclaimer
     The views and opinions expressed in the following PowerPoint slides are those of the individual presenter and should not be attributed to Drug Information Association, Inc. (“DIA”), its directors, officers, employees, volunteers, members, chapters, councils, Communities (formerly known as SIACs) or affiliates, or any organization with which the presenter is employed or affiliated. These PowerPoint slides are the intellectual property of the individual presenter and are protected under the copyright laws of the United States of America and other countries. Used by permission. All rights reserved. Drug Information Association, Drug Information Association Inc., DIA and DIA logo are registered trademarks. All other trademarks are the property of their respective owners.
     7/16/2013, DATATRAK Confidential
  3. Key Topics: Focus on Data
     • What does today’s clinical environment look like?
     • Remember, data is our first product!
     • Key principles and considerations regarding risk planning before planning an audit
     • Typical factors affecting risk
     • Some risk factors often overlooked
     • Leveraging Quality Auditing best practices to mitigate risk to data, systems and services
  4. Clinical Trial Electronic Data Environment: High-level View
     [Diagram labels: Protocol Development Site Selection Data Collection Tool Development IRB Review & Approval Subject Enrollment Subject Visit & Data Collection Data Analysis Clinical Study Report Submission]
  5. Data is Our First Product
     • Electronic data are the fastest growing segment of the pharmaceutical industry’s information resources
     • Electronic data systems, services, and processes are growing in number and complexity
     • The importance of electronic data requires the incorporation of data as a “product” in a pharmaceutical company’s QMS
  6. Critical Considerations
     • Software is a foundational component of processes used to manage products and services
     • Software enables functionality
     • Software facilitates business operations
     • Software fuels the engine of globalization
  7. But There are Some Risks
     Steady increase in the relative risk to data
     • System size and complexity
     • Outsourcing and the use of un-vetted software supply chain (COTS)
     • Sophistication of attack
     • Software and data re-use
     • Number of vulnerabilities and incidents
  8. Bad Data Can’t Hide – Or Can It?
     • Vulnerabilities increase if the underlying quality of software, data, data capture/production processes, and data storage is defective
       – Unchecked, these vulnerabilities allow bad data to hide or systems to be exploited
       – The cost of bad data can be extreme
         • Delayed product launch
         • Non-approval
         • Adverse safety impact
  9. Data Risks in a Changing Environment
     • With today’s technology and cloud-based computing, traditional approaches to system development and validation may not fully address risks posed by exploitable software
     • Risk mitigation requires a deeper understanding of all suppliers’ practices, processes and products
     • What is the supplier’s acquisition process?
     • Does the supplier have a vendor audit/assessment process? How effective is it?
     • Supplier assessment must go broader and deeper
     • Effective auditing becomes ever more critical
  10. Integrated Quality Processes
     Risk Management is a component of overall Quality Management System (ICH Q9)
     • Develop appropriate documentation (SOPs, etc.)
     • Determine and implement training and education
     • Identify, evaluate, communicate quality to facilitate risk communications and determine appropriate action
     • Develop and implement comprehensive internal and external audit/inspection process
  11. Focus of Audit Program
     • Existing legal requirements
     • Overall compliance status
     • Robustness of quality risk management activities
     • Complexity of site, processes, products, systems
     • Number and significance of quality defects
     • Results of previous audits/inspections
     • Major changes of building, equipment, processes, key personnel
  12. Risk Factors Often Overlooked
     • Impact of technology changes
       – Processes
       – Training
       – Organizational structure
     • Impact of growth
       – Process quality and effectiveness
       – Training
       – Resources
  13. Criticality as a Dimension of Risk
     ICH Q9 defines risk as the combination of the probability of occurrence of harm and the severity of that harm
       – Assessing the criticality of processes, tools and systems to prevent harm and strengthen quality provides a framework for measuring risk
  14. Risk & Criticality Assessment
  15. Quality Auditing Best Practices
     • Audit Preparation and Planning
     • Conducting the Audit
     • Audit Reporting
     • Audit Follow-up and Closure
  16. Audit Preparation and Planning
     • Define the Purpose and Scope
       – Informed by Risk and Criticality Assessment
     • Identify the audit team
       – Responsibilities
       – Task distribution
     • Develop a risk-based audit plan
       – In an environment of increasing complexity, focus is key
     • Develop an audit agenda/timeline
     • Identify/define data collection methods
  17. Audit Preparation and Planning
     • Identify audit-related documentation
       – Current QMS documents
         • Policies, manuals, procedures, work-instructions
       – Records
         • Training, validation, problem resolution
       – Quality history
         • Previous audit reports
     • Understand previously noted strengths and deficiencies
  18. Key Areas to Consider for Auditing
     • Configuration Management
     • Quality attributes of requirements
     • Traceability
       – From requirements to training materials
     • Testing
       – Robust, multi-tiered, failures and resolution
     • Defect Management
       – When are defects discovered
     • Metrics gathering and reporting
  19. Conducting the Audit
     Basic activities performed during audit
       – Meeting the auditee
       – Understanding the process and system controls
         • Complexities, risks
       – Verifying that controls and processes are appropriate and executed consistently
         • Do they produce consistent quality outputs?
       – Communicating with representatives of auditee organization
       – Communicating with audit team members
  20. Organization of Audit Activities
     • Opening Meeting
     • Data Collection and Analysis
       – Documentation review, record review, observation of work activities, interviews, tours, physical examination
     • Maintain Working Papers
       – Planning documents, checklists, audit/attendance logs
     • Objective Evidence
       – Physical, testimonial, documentary, observations
     • Close-out meeting
  21. Audit Reporting
     • Communicates audit results
     • Correct, clear, concise, accurate
       – Aid to management in addressing important organization issues
     • Identify system deficiencies
       – Focus on risk and criticality
  22. Audit Closure and Follow-up
     • Begins after the formal report is issued
       – Corrective Actions: assignment, evaluation, verification
       – Effectiveness check
       – Implementation of strategies for when corrective action is not done, or is ineffective
       – Establishment of criteria for audit closure
       – Audit closure/follow-up audit
     • Continuous Correcting is not Continuous Improvement!
  23. Keys to Success
     • Integrate Quality Risk Management into Overall Quality Management
     • Use proactive risk assessment and audit execution as management/decision support tools
     • Avoid continuous correction and evolve to continuous improvement
     • Identify and analyze trends
       – Although each audit stands alone, audit results can indicate key quality trends.
  24. Thank You!
     Walt Townsend, International Director of Quality Assurance, DATATRAK International