External providers, audits

Hosting external customer audits within the company provides an opportunity for information interchange. 

For example, first-in-man studies and pivotal trials are more likely to be audited than phase IV trials, and external providers selected for the first time who are responsible for key areas in clinical trials should be audited with a higher priority than CROs with a long history and reliable performance. 

Systems audits focus on the verification of quality control steps incorporated in the procedures, on interfaces between different functions and departments and on relationship to external providers. While noncompliance may be detected in systems audits, such audits aim to assess the capability of a system to deliver a quality output. 

A multitude of external providers are used to deliver services in clinical trials, for example CROs, site management organizations (SMOs) and academic research organizations (AROs). To ensure that they are capable of providing the services in a reliable manner and to the standards expected in compliance with current regulatory requirements, capability audits are conducted at service providers prior to contracting. 

Apart from systems audits conducting to assess the capability of an external provider, such audits can also be conducted to verify compliance throughout the clinical trial or retrospectively after trial termination. 

Provide audit team members with appropriate training conducted by an external objective party. This party i ould work in concert with plant personnel and OEMs but not be focused on any specific party s interests. 

The document availability requirement applies to both internal and external documents alike. Customer documents such as contracts, drawings, specifications, and standards need to be available to those who need them to execute their responsibilities. Often these documents are only held in paper form and therefore distribution lists will be needed to control their location. If documents in the public domain are required, they only need be available when required for use and need not be available from the moment they are specified in a specification or procedure. You should only have to produce such documents when they are needed for the work being undertaken at the time of the audit. However, you would need to demonstrate that you could obtain timely access when needed. If you provide a lending service to users of copyrighted documents, you would need a register indicating to whom they were loaned so that you can retrieve them when needed by others. 

This confirmation is often provided by an external audit or assessment (u.s.). Quality management systems are often certified for conformation with ISO 9000. Probably the most common term with respect to our topic here is certified reference materiaT (CRM). 

Access to electronic records should be restricted and monitored by the system s software through its log-on requirements, security procedures, and audit trail records. The electronic records must not be altered, browsed, queried, or reported by external software applications that do not gain entry through the protective system software. In addition to the logical security built into the system, physical security must be provided to ensure that access to computer systems and, consequently, to electronic records is prevented for unauthorized personnel. 

Access to records at the primary and secondary repositories must be restricted and monitored through the system s software with its required logon, security procedures, and audit trail. If remote access is provided via external software, the applications must enter through the same protective security software as that used for local access. 

In providing guidance on setting SQSs (environment and human related) 3 main principles must be preserved 1) standards need to be set in a consistent manner, 2) standards need to be transparent, and 3) standards should be audited by an external reviewer. 

New owner conduct Supplier Audit on divesting organization as external service provider Formal contract of supply required Service Level Agreement established for maintenance and inspection support... 

The validation was performed according to the Roche Computerized System Validation Policy and Guidelines. This comprised the definition of a Validation Plan, the performance of the planned activities, and the creation of a Validation Report. In addition, the project was accompanied by external consultants providing knowhow regarding the validation-specific aspects of the development, including the management and auditing of the software developer. The scope of the validation activities was defined by GMP Analysis (also known as a GMP Assessment). The system... 

For each individual audit, it is useful to prepare an audit plan to provide the auditee with an overview on the audit components and the conduct of the audit. An audit plan may also be useful as a basis for agreement between the sponsor, the (external) QA auditor and the audit team. It is common practice in clinical research to draw up an audit plan and distribute this information prior to the audit. 

Authentication is usually performed by entering a unique user identification (ID) and password. If data are transferred automatically from external software, the source system either must provide a similar mechanism to identify a valid user or the external system has to log on to the record manager with a unique identifier. In any case, data that are entering a compliant-ready record manager require this identification. The authentication needs to be logged with a date and time stamp in an audit trail. The same requirement applies to the modification of data that already exist in the record, if the user is not already in an authenticated session. In fully regulated environments, a reason for the modification has to be supplied before changes can be made. 

It is evident that many companies have detailed internal auditing procedures. However, given the low level of trust in industry information by the public, there is also a need to have in place independent external verification of the whole of the CER just as the annual report has to be audited. In order to obtain a yes score, firm evidence must be provided of the external verification by means of a certificate or by naming the verifier. 

Audits are reported on quarterly at an HS E board-level committee, and Arthur D. Little Inc. participates in 10-15% of HS E audits, and provides an external oversight. A graph showing worldwide audit ratings since 1995 is also included. 

This is one of the less clear areas. There is often plenty of information in the CERs on internal environmental auditing, accompanied by frequency and performance evaluation. However, true independent external verification of the CER as a whole, confirmed by the availability of an appropriate certificate or naming of the actual verifier, is provided by less than 50% of the companies, as demonstrated in Table 7.11. 

The role of this council is essentially to provide ideas and propositions concerning the great scientific problems, as well as an external and independant audit, ready at any moment to notify the General and Scientific Management of any new discoveries or advances likely to modify the direction of our research. 

Turn around time can be increased by situations such as workload distribution (i.e., delay while other samples are processed), analysis difficulties, weather interruptions, employee absence, and external audits. These issues may increase the minimum time by a factor of two or three. Such eventualities must be considered in providing your client with a reasonable turnaround time. 

The next step in the audit process is to create a standard or protocol. With regard to risk management and PSM, the standard is generally provided by an external organization such as a regulator or corporate office. 

---