How did your last internal quality audit go?
Internal audits can be a bit of a scramble in some companies. They’re often inconvenient, and can be kind of nerve-wracking too. However, they’re also a good educational exercise and a great way to “take the temperature” of your quality management system at your company.
If you want to put your focus on quality rather than just ensuring that your company meets regulatory requirements, then putting the time into effective internal auditing is essential. I recently caught up with a partner of our, Kyle Rose, President of Rook Quality Systems based in Atlanta, and had a chat about what effective internal auditing entails.
Let’s get into it:
Best practices for effective internal audits
Many people get nervous at the thought of an impending audit, but they are helpful for your company in the long-run if done well. Here are some best practices:
- You should always make sure that you have a documented process for internal audits. Within that, document the scope of regulations, noting which ones apply (for example ISO, FDA, CE Mark, Health Canada etc). This is how you build what goes into your process.
- Plan ahead! A particular horror story comes to mind; a company I know suddenly realized on November 15th that it hadn’t yet done an internal audit, which was required in the calendar year according to the company's SOPs. The company went into panic-mode and hired an external consultant. Don’t get me wrong, there are great consultants out there and many valid reasons to use them, but in this case, the consultant didn’t even set foot on site. They looked at the procedures from afar and made judgments based on what they saw from those. Did the company learn anything? No, because the people that run the processes day to day weren't even involved in the internal audit.
- Don’t take the attitude of satisfying a procedural requirement, look at the internal audit as an opportunity to improve your company and constantly get better.
Creating an audit Schedule
Having an audit schedule in place is an essential tip for ensuring that you don’t end up with that “horror story” scenario, trying to cram everything in at the end of the year.
As your company grows, the task of internal auditing becomes bigger and tends to involve more people and moving parts. For that reason, a good tip is to set your audit calendar to audit a couple processes every few months. This way you knock out what you need to during the year and avoid any panicked rush.
How to be more thorough than the FDA
One thing I always talk to companies about is that I want to see them be more thorough than even the FDA will be on an audit. This ensures that they are as ready as they can be for someone to come in and inspect.
One key tip for how you can be more thorough is to create an inspection checklist. Rook uses these when going into a company. Kyle says that within each checklist item, there is a number of tasks that must be checked off. For example, within design controls, there is a list of relevant procedures, then the associated records for each of those procedures. This is their way of ensuring that nothing gets left out.
Implementing auditing in your Device startup
Many device startups struggle implementing effective internal auditing. There’s a lot on your plate and for many people, it’s their first time dealing with the regulatory side of medical devices.
It is important to figure out how soon you need to start with internal auditing. This will vary depending on which market(s) you are entering and the regulations that apply. For example, with ISO audits, these usually happen prior to your device hitting the market, so it’s important to start that internal process early.
If you are dealing with the FDA, typically you want to start internal audits when you’re getting ready to go through the submission process. This helps to ensure that you’re ready for that initial audit with a robust quality system in place. This should all be spotless before approval and launch of the device. The day you go to market, theoretically, you’re now open for inspection.
Don’t rely only On outsourcing, or one person
Many companies hire a consultant to help with their internal audits, but don't take the view of, “oh great, I don’t have to do internal audits now.” The whole idea is that you need to keep your own finger on the pulse as well. The regulatory risk falls on you, not an external consultant, so while you might want to hire someone to make sure that you’re hitting all of the right points, you still need to be well within the loop.
The same can be said if you’re relying on just one person within your company to deal with internal audits. Essential people might be out of the loop with what’s happening, not only that, but that one person might not have all of the required knowledge and experience to understand whether you’re following your SOPs.
One of the big things that Rook sees a lot is that the person conducting the audit is also the person that wrote most of the procedures. This is a big no-no. You need someone who is objective to conduct the audit according to regulation, which is another reason many in a consultants. Auditors should never audit their own work, which can get tricky in smaller companies.