Internal audits might be inconvenient and a bit nerve-wracking, but they’re also educational.
The objective of an internal auditing program is to help you understand your processes and learn about opportunities for improvement. It also protects your company and ensures that your procedures are on par with the regulations.
Today’s guest is Kyle Rose, the President of Rook Quality Systems. Rook is a company based in Atlanta which helps medical device companies in the pre-marketing and marketing phases. Kyle specializes in structuring internal audit program and today provides tips and pointers to our listeners.
Topics you’ll hear about today include:
- Best practices for effective internal audits.
- Why an audit plan is necessary and helpful.
- Things companies can do to make their internal audits more thorough than an FDA audit.
- Tips for startups who have not yet implemented an internal auditing procedure.
- Why it’s important not to outsource all of the tasks necessary to conduct the internal audit, nor to rely on one person to handle the entire internal audit.
- How Rook Quality Systems can help medical device companies with the internal audit process.
Links and Resources:
“Make sure you have a dedicated procedure that outlines your internal audit process.” - Kyle Rose
“One of our best practices is to create an internal audit checklist.” - Kyle Rose
“Auditors should not audit their own work.” - Kyle Rose
And folks if you found today's podcast valuable, you're really going to get a lot out of the upcoming webinar we're hosting with Kyle and Rook Quality Systems on How to Perform Successful Internal Quality Audits.
Kyle is going to be diving deep into this topic of Internal Quality Audits to give you a step-by-step formula for conducting them at your medical device company. Live seats are limited. Click here to sign up.
Announcer: Welcome to The Global Medical Device Podcast where today's brightest minds in the medical device industry go to get their most useful and actionable insider knowledge, direct from some of the world's leading medical device experts and companies.
Jon Speer: "I love having audits," said no medical device professional ever. However, audits are a moment in time at a medical device company where you can learn a lot about your process, learn about opportunities for improvement, and really that's the whole objective of a sound, robust, internal auditing program. On today's episode of The Global Medical Device Podcast, we have guest, Kyle Rose, from Rook Quality, to talk to the audience a little bit about structuring your internal audit program, provide some tips and pointers. So, sit back, relax, and enjoy this episode of The Global Medical Device Podcast.
Jon Speer: Hello, this is Jon Speer, the founder and VP of quality and regulatory at Greenlight.guru, and welcome to another exciting episode of The Global Medical Device Podcast. Today, I have special guest, Kyle Rose. Kyle is the founder and CEO of Rook Quality Systems. Rook Quality Systems provides quality foundation for any medical device company or startup. The consultants at Rook work with the entire team to develop and implement a simple, yet compliant quality system to improve efficiency and maintain traceability. Rook Quality Systems has proven effective for multiple devices regulated by FDA, ISO 13485, the CE European Union process, the CMDR process, and JPL. Kyle, welcome to The Global Medical Device Podcast.
Kyle Rose: Hello Jon, thanks for having me.
Jon Speer: Well, Kyle, I think you know, today, you and I are gonna have a brief conversation. We're gonna talk a little bit about certainly a quality system topic, but specifically, we're gonna dive into internal auditing. I know you're a fan of internal auditing.
Kyle Rose: I think everybody's a fan of internal auditing, Jon. [chuckle]
Jon Speer: [chuckle] I don't know about that. I remember early on in my career that I worked for a bigger company, and there was a group of people that all they did was internal audits, and whenever we'd see them walking in the hallway, we used to throw paper at them and boo as they were walking down the hallway. I don't think everybody's a fan of internal auditing, but I'm guessing you're gonna tell us why we should be a fan of internal auditing.
Kyle Rose: Definitely, yeah. There is... I'm sure a lot of people have had the experience when they hear the audit or internal audit coming, they get a little scared, a little nervous, but hopefully, with today's podcast, we'll get some more information on why internal audits are important, and how they will help your company, all employees included, in the long run.
Jon Speer: Sure, well, yeah. I'm guessing that from time to time, you're brought in to help set up internal auditing programs or maybe even conduct internal audits for companies. Talk a little bit about maybe some of the horror stories or maybe some of the best practices that you've seen from an internal audit perspective. What should companies be doing, or what should they be looking out for as they start to turn on and implement effective internal audit programs?
Kyle Rose: Yeah, well definitely what's some of the best practices is to make sure that you have a dedicated procedure that outlines your internal audit process, and within that procedure, you wanna make sure that you have identified the scope of your regulations, whether the FDA, ISO 13485, CE Mark, whatever scope is applied is defined within your procedure. And from that procedure, you start to build what goes into your internal audit process.
Jon Speer: Now, I can share a horror story that I got exposed to a couple years ago. I was doing some work for a med device company, and they had outsourced their internal auditing function, which is perfectly acceptable, right? You can outsource internal auditing, with someone like you and Rook Quality Systems. So that part was okay, but their internal procedure had mandated that all internal audits be completed by the end of a calendar year, and it was November the 15th and they had one of those moments, one of those "Oh crap" moments where they realized they hadn't started their internal auditing for the year. And so they had about, I don't know, 20 or 30 different procedures that their internal auditing procedure required at an internal audit on an annual basis. So, they sent, yeah, all of these things to a third-party resource who never came even on-site by the way, to look at their procedures. And crammed all of those in before the end of the year. So, the last four to five weeks of the year, they did their higher internal audit activities for the year, and I'm gonna guess that you're gonna advise against some sort of practice like that.
Kyle Rose: Yeah, we definitely, at Rook, have had some of the same experience, where companies will call us in a bind, be the end of the year or scheduled for their yearly audit, and need to get everything done in a week, a weekend. So, we'll be involved in the same thing, reading documents, reading records hours on end to make sure this audit gets complete in time. One of the things that you wanna have in your procedure is an audit plan, especially if your company starts to get larger and your different divisions start to expand. You wanna have a defined plan for when those are gonna get audited throughout the year, so you're not trying to cram the whole audit in in a few weeks.
Jon Speer: Right. Yeah, 'cause let's be real. When people are trying to cram all those things in in just a very short period of time, they're getting very little value out of the internal auditing program. All they're doing is satisfying a procedural requirement. All they're doing is getting a checkmark. That's all they're doing. They don't really get value out of it, and the whole purpose of internal auditing is there should be value, should learn something.
Kyle Rose: Exactly, yeah. The idea that the internal audit is created to protect your company and make sure that you have control over all the processes internally, so you're reviewing those on an annual basis to make sure that everything is up to speed, they're within your procedures, and that your procedures are up to spec with the regulations. So it really helps you to make sure that this process is done thoroughly and completed on time.
Jon Speer: Right. Let's talk about some other best practices and maybe some tips that you might have for the audience. And I'm gonna throw one out there that it's "A favorite activity" that I always share and see. And that's, whenever you learn that an audit is about to happen, suddenly you change your behavior. Suddenly you sit up a little bit straighter and you go around, make sure things are cleaned up. I've seen it happen, whether FDA's coming in for an inspection, or you have an ISO audit, and even from an internal audit perspective, that suddenly now you have to behave differently. So can you talk a little bit about that?
Kyle Rose: Yeah, that's definitely something we see as the audit readiness, make sure that everybody's on their best behavior. And that's typically not what you wanna encourage. You wanna be ready for the audit at any time. Just like your FDA audit can show up, you're gonna make sure that you have that same type of preparation built into your processes so you're ready for an audit at any time. Really, one of the things we like to do, as a quality system, is to simplify the quality system to make it more efficient, easier to use, so you are more audit ready whenever the internal audit or FDA audit does come.
Jon Speer: Right. As you mentioned, FDA can show up any time and even when it's ISO certification these days, you can have an ISO audit at any time, too.
Kyle Rose: Exactly. With the CE unannounced audits, those are becoming very popular. I'm sure some of our listeners would have the pleasure of doing those, and I've assisted with some of those as well, supporting the companies through that audit process. Yeah, audits can happen at any time. And really, that's good for the whole industry, to make sure that everything we're doing is kept up to spec and within regulation all the time, not just during the audit.
Jon Speer: Yeah. Yeah. I think that's really good advice because you shouldn't suddenly behave differently because you know there's an audit. This should be standard operating procedure. It should be the way you're running your businesses is you're following your quality system. Now, if your quality system becomes maybe a little bit challenging, or soon to be requiring certain things that are no or low-value add, then that might be a sign of something completely different. And I'm guessing, Kyle, that would be a great use of, or a great outcome, of an internal audit program.
Kyle Rose: Exactly. Really, the audit should have both of those covered. The internal audit will check your procedures themselves to make sure the procedures are up to spec with the current regulations, and then if there's anything that can be reduced to make it a little bit more efficient, that's done as well. And then the second part of the audit will be going into the actual records to make sure that the testing is completed correctly, the incoming inspection, all those files that you generate within the quality system have been completed and verified within your system.
Jon Speer: And one of the things that I get... From time to time, I've advised companies on quality system initiatives, and sometimes the topic of internal auditing comes up. One of the things I always advise is, I want your internal auditing program to be more challenging, to be more strict. I want it to be more thorough than any other audit or FDA inspection you're gonna be a part of. So what are some things that companies can do to ensure that?
Kyle Rose: Definitely, yeah. I think that's... What you want the hardest part of your audit to be internally, so you're making sure you're catching everything that needs to be changed or fixed before an external or FDA auditor would find the same thing. One of our best practices is actually to create an audit checklist, and within these audit checklists, we'll go through each part of your applied standards, whether it be the ISO standards, the FDA regulations, CE Regulations, Health Canada, and we'll define within each section for incoming inspection, design control. We'll have a specific section that you have to check off to make sure that each part of that regulation and standard was verified during the audit, and that includes listing procedures and the records that go along with those procedures.
Jon Speer: I know you do a lot of work with start-ups and earlier stage companies, and I'm guessing you engage some companies who maybe aren't quite to market yet, so do you have any words of advice, or tips, or pointers that you can offer to a company that's in that situation, specifically around their quality systems, and also about how, and when, and if to implement their internal auditing program.
Kyle Rose: Yeah, definitely. Like all the other things that go into a start-up, there is a tightrope game to start when you wanna do your internal audit, and when it's required, when it's necessary. Obviously, if you're going for ISO Certification or a CE Mark, you wanna start that internal audit process sooner because you'll probably get audited before your device is even on the market. With companies that are just in the FDA scope, typically, we wanna have an internal audit around the same time as you're doing submission. So you wanna have your quality system in place, you wanna make sure that the initial audit will go through your design history file, your risk management, any initial manufacturing records to make sure all that stuff is in place and compliant before you get ready for the actual approval and launch of your device.
Jon Speer: Yeah, and the reason for that seems pretty straightforward. You wanna make sure that the day you go to market, theoretically, that day you go to market, you're open now. You could get a knock on the door, the FDA inspector could show up. So, no time to go back and correct things when the best time to do that is kinda as you're going through it.
Kyle Rose: Yeah. And this applies even to companies that aren't doing manufacturing. So a lot of start-up companies that we work with are just more of the virtual manufacturers, so they still handle the procedures, the distribution, marketing, stuff like that. All that will be involved with the internal audit process as well. So, they still have a lot of risk and compliance issues related to their scope with the FDA, even though they're not doing the manufacturing. So they still need to have their internal audit in place as well.
Jon Speer: Right. Let's segue then to a slight variation of the topic. If I am that company that's outsourcing my manufacturing and outsourcing other services, one view is, "Oh, great. I don't have to do internal audits of those processes because that's handled by that contract manufacturer, and that contract manufacturer, ISO 13485 certified. So I don't really have to do anything." So I'm guessing this... [chuckle]
Kyle Rose: Yeah. The whole idea of, "I don't really have to do anything," kinda goes out the window with medical device. You wanna make sure that you have your hands in a little bit of everything to make sure everything is done to your specifications, your procedures. 'Cause once again, all of the regulatory risk falls on you. So the FDA is holding you up to make sure you have control over your entire device. Things like supplier audits, audits of the material you're receiving, audits of the actions that the manufacturer is conducting. All those are very valuable as well.
Jon Speer: Right, right. So, Kyle, you have companies you work with all over the country and other parts of the world as well, so share a few stories. Give us some perspectives on things to look out for, or some things that you saw that just caused you to shake your head or whatever. Share a few stories on internal audit.
Kyle Rose: One of the big things that we see a lot, especially with the smaller companies, is the one person conducting the entire audit is the same person that's done the majority of the records, written the majority of the procedures, and then they're conducting the audit themselves. And that's a big no-no, especially both in the FDA and ISO standards, 'cause you have to have somebody else that's objective and not responsible for their actual work to conduct the audit. So, that's really when it's a good idea to bring in somebody like an external consultant to conduct your audit. Audits, again, shouldn't... Or auditors should not audit their own work. It's very clear in the standard, and that does get very tricky when you have a company of only four or five people, and typically only one person's handling the quality system.
Jon Speer: That's right.
Kyle Rose: That's a big thing we've seen a lot. Another one is just proper training to be able to handle the audit. ASQ, RAC, they all offer training programs to certify you as an auditor as well.
Jon Speer: Yeah. And on that topic too, I know that's come up with some of the companies I've worked with in the past, is how do you ensure that internal auditors have appropriate training. And of course, the ASQ and the RAC, they have the certified quality auditor programs that you can go through. And some experiences I've had, I've been doing this for quite some time and, like you, I'm sure you can provide training to people on the process of internal auditing. I don't know if the Rook Quality Systems carries a certification program, but you can provide training and you can provide oversight to companies that wanna do some of this in-house too. Talk a little bit about what that would look like. Like that company, let's go back to that company of four people, the one person who's had the responsibility for writing the quality system, but it's possible that those other three people could assist or play a part, as part of the internal auditing. So what would that look like?
Kyle Rose: Yeah. You definitely want to have a defined training procedure to make sure somebody's able to conduct the internal audit. And then the audit process itself has to be audited or reviewed by an independent person who's not responsible for the audit. Once you've been trained or you've established a training procedure for people within the company to conduct the audit, you could either send it higher to the CEO, or have the Rook Qualities or consultants in the world review that audit for you and provide the additional feedback on the entire audit process.
Jon Speer: Sure, sure. Kyle, tell us a little bit more about Rook Quality Systems, how companies engage you, how they can benefit from your support and services.
Kyle Rose: Definitely. Yeah, Rook Quality is located in Atlanta, Georgia. We specialize in helping both the small and start-up medical device companies, both in the pre-market phase, so they're doing the design control, the risk management, the regulatory submission. And then once they've reached the market, when their quality system really gets going, when they have to maintain control over suppliers, they have to have records of customer feedback, corrective action as well, we help with all those as well as a contract, quality manager role. We have four consultants on our team. We do a lot of help with the software validation. We're finding a lot of med device companies now, all of them have software or an app or something tied to their device, so we've got a great software validation regulatory team as well.
Jon Speer: Great. And I want you to know another thing about Kyle and Rooks Quality. They're a fantastic partner with Greenlight.guru. And a little bit about Greenlight.guru, we provide software services, we provide support services, and we're able to leverage people like Kyle, experts in the field. And really, it's all about making sure that companies have the proper infrastructure in place to manage and maintain their quality system, document their methods.
Kyle Rose: Yeah, and I've been doing the device development for 10 years now, and Greenlight really has been the best tool I've ever seen. We've been working together for a little over a year now, and I've got about six or seven companies that are using Greenlight and Rook Quality, and it's been a great relationship.
Jon Speer: Yeah, absolutely.
Kyle Rose: Makes the whole process much more easier to communicate, much more simplified. So yeah. We love Greenlight.
Jon Speer: Absolutely. Well, Kyle, thanks for being our guest today and sharing some of your insights on internal quality audits, and tips and pointers for the listening audience. And of course, if anyone has any questions or comments and wants to learn a little bit more about you and internal quality auditing and Rook Quality, how do you recommend that they get ahold of you?
Kyle Rose: Yeah. Definitely. Our website is rookqualitysystems.com or @RookQuality on Twitter. And then email@example.com as well, for any email questions.
Jon Speer: Alright. And of course, if you aren't able to track it down from Kyle's directions on where to find him, just let us know at Greenlight.guru, and we will make that connection as well. So again, my guest has been Kyle Rose from Rook Quality. And this has been Jon Speer, the Founder and VP at the Quality and Regulatory at Greenlight.guru. And you have been listening to The Global Medical Device Podcast.
The Global Medical Device Podcast powered by Greenlight Guru is where today's brightest minds in the medical device industry go to get their most useful and actionable insider knowledge, direct from some of the world's leading medical device experts and companies.