Transcription
Risk-Based Auditing
Risk-Based AuditingBackground1Risk-based Auditing versusTraditional Compliance-based Auditing2When and why RBA should beconsidered3RBA across various audit types4Preparing for RBA5Benefits of RBA
BackgroundEffective auditing of clinical, manufacturingand laboratory processes, systems, andpractices is imperative as it ensures not onlythat quality standards are met, but that therequirements for human safety are upheld.The use of risk- based auditing maintainsthese same objectives while making theauditing process more efficient andeffective.In recent years, the need for risk-basedauditing has become apparent. The FDA hasconcluded that modern quality systemscoupled with effective risk managementpractices mitigates potential risks, resultingin shorter and fewer FDA inspections (1).As the need to manage risks within thepharmaceutical, biotechnology, tissueengineering and medical device industriesincrease, it places pressure on theseindustries to identify the areas that posethe greatest risks.Managing risks through risk-based auditingplays a central role in maintaining theintegrity of the auditing process by allowingfor higher quality audits in a shorter periodof time. ClinAudits believes that risk-basedauditing complements its mission ofproviding high quality compliance auditing.
What is Risk-Based Auditing?Risks are defined as circumstances thatthreaten organizational objectives. Internalprocesses can manage these risks.rather than the controls. The emphasis isplaced on the synergies of the overallsystems in addition to the individual systemsin place.Risk-based auditing (RBA) evaluates riskfactors relating to internal processes todetermine whether these internal processesare managing risk at acceptable levels. Thisapproach seeks to improve the quality andeffectiveness of audits by determining theareas of risk requiring attention. These areasinclude data that are most significant to theorganization, concentrating on the objectivesThe auditor, when conducting an audit, isresponsible for understanding the entity andits environment to appropriately identify andassess risks. Once these are established, theauditor can respond to the identified risk anddetermine if current processes sufficientlymanage risk.RiskBasedAuditingWhat are theorganizationalobjectives?What risksthreaten theseobjectives?What are theinternal processesthat addressThese risks?(1) “Guidance for Industry: Quality Systems Approach to Pharmaceutical cGMP Regulations.” Food andDrug Administration. September 2006. Web. Retrieved March 2016 at http://www.fda.gov/Are theseprocessessufficient?
Risk-Based Auditing VersusTraditional Compliance-based AuditingRisk-based auditing and traditional compliance-based auditing areboth necessary auditing approaches that serve different purposes.Risk-Based AuditingTraditional Compliance-BasedAuditingEvaluates risksEvaluates complianceIdentifies risks associated withachieving quality objectivesIdentifies breaches ofprocedural adherenceIdentifies operational inefficienciesleading to higher risksIdentifies noncompliancewith governmental authorityregulationsProactiveReactive1
Risk-Based Auditing VersusTraditional Compliance-based AuditingTraditional Compliance-Based AuditingTraditional compliance-based auditing(TCBA) is a documentation review to ensurethat controls and procedures meetgovernmental authority requirements, inaddition to providing assurance thatactivities have been performed properly.TCBA is a gap analysis between thegovernmental authority requirements andoperational procedures. Any non-compliantresults afford the company the opportunityto rectify their procedures.Significant drawbacks of TCBA are that itdoes not challenge the rules, and it provideslittle to no room for judgment. Whiletraditional1auditing ensures SOPs are compliant withgovernmental authority regulations, it doesnot necessarily mean that the SOPs areeffective.Risk-Based AuditingRisk-based auditing is a progressive approachthat can be applied to any function. It focuseson higher risk activities that are of significanceto the organization. By concentrating oncompany objectives and threats to thoseobjectives rather than just controls, it is oftenmore efficient than TCBA. It is also morecomprehensive than TCBA by emphasizing abroader system view rather than individualsystem views. Furthermore, RBA identifieswhere accountability could be blurred, such aswhere interfaces between functions occur.
2When and Why RBAShould Be ConsideredA range of factors should be considered prior to conducting risk based audits:v The complexity of the risks.v The goal or purpose of the service beingaudited, which can determine what risksare most relevant and the degree ofseverity for each risk in question.v The geography of the service or programbeing audited, due to regional variationsof regulatory standards.v The level of experience of vendors andinvestigators.v The level of use of informationtechnology for document managementsystems, training systems, compliantsystems, and the quantity of data.v The relative safety of a drug/device,particularly considering if there is noprior experience in human clinicaltrials.v The stage of the study, consideringstudies in later stages often haveadditional risks emerge during thecourse of the study.
3RBA Across Various Audit TypesRisk-based auditing can be applied toGMP, GCP, GLP, or GTP auditing once theareas of risk for the organization areidentified and prioritized. RBA can beperformed efficiently to audit some ofthe following audit types: clinicaloperations of the organization, datamanagement, drug safety, trainingmodules, investigator sites, andvendor/service providers within a shortperiod of time based on priorities setforth by the linicalSite oviderClinicalOpsTrialMasterFileDrugSafetyGCPGMP21 CFRPart 11
Preparing for Risk-Based AuditingIn general, to prepare for an RBA audit,there is prospective identification ofcritical data and processes. These caninclude factors that threaten the qualityof the drug, may pose problems ingetting the drug approved by agovernmental authority, the protectionof human subjects, or the integrity ofthe data. Risk identification identifiesthe types of activities to be audited andthe data to be collected. It alsoconsiders the range of potential risksinherent in these activities so as to bestclassify the overall risks in the system.The RBA process considers the risks thatapply first and foremost to the criticaldata and processes to ensure that theserisks are sufficiently mitigated. Other4ways in which risks are prioritizedinclude the likelihood of risks occurring,the impact of such errors on quality,safety and integrity, and the extent towhich such errors are detectable.The risk assessment part of thediscovery audit process results in thedevelopment of an audit plan, whichspecifies the risks that should beaddressed by the audit and the criticalparameters to be assessed. It may bedecided that some risks are bettermanaged through other activities ratherthan auditing, or that some areas arebetter serviced by traditionalcompliance-based auditing over RBA.
Benefits of Risk-Based AuditingRisk-based auditing is a proactiveapproach to identify serious risks thatmay jeopardize an organization’s abilityto achieve their objectives. Risk-basedauditing focuses on areas of identifiedrisks, prioritize the risk (high, medium,low) and suggest effective ways tomitigate them. Risk-based auditing alsoprovides an opportunity for clients toidentify and map out risks if they havenot done so earlier. While both riskbased auditing and traditional auditingare necessary auditing approaches, riskbased auditing provides the clients5several benefits that are not maximizedin the traditional approach.For risk-based auditing, auditors arerequired to understand both the programgoals beforehand and the systemenvironment as a whole, which allowsefficient allocation and utilization ofresources. With a focused agenda forauditors, risk-based auditing frameworkenables effective auditing within a shorttimeframe with strategically alignedeffective deliverables for the clients goingbeyond compliance.
Visit us at www.clinaudits.com
Effective auditing of clinical, manufacturing and laboratory processes, systems, and practices is imperative as it ensures not only that quality standards are met, but that the requirements for human safety are upheld. The use of risk- based auditing maintains these same objectives while
