Planning and Conducting the Audit

The inspection itself is a formal process that should follow a written procedure that is part of your quality management system. The basic objective of the audit is to confirm the presence of the quality systems that are claimed to be in place, and to assess the capabilities of the firm's facilities. It is then necessary to measure these systems and facilities against the required standards and establish the extent of compliance with regulatory requirements.

The audit should be seen as a risk assessment. The questionnaires or memory aids mentioned above are useful in planning the audit and to help ensure that all the relevant areas are covered and assessed. Questionnaires may also lend themselves to the risk assessment process, because each question may be assigned a numerical score on a sliding scale of risk. By such means, it may be possible to score assessment outcomes, and this can be useful in justifying the approval of provider.

It is often helpful to divide the inspection into two parts: 1) an evaluation of the existing quality system, including process-specific documents, and 2) the on-site inspection of the facility to confirm the level of operational compliance with the systems and processes described in the documents. During the first part, the documents evaluated should include the quality manual, standard operating procedures, training records, facility equipment records (including qualification, validation, maintenance, and calibration histories), manufacturing specifications, and any record identified as relevant (e.g., out-of-specification results and subsequent investigations). It is often during the review of quality documents that the selection of what is to be inspected can be made, and a basic understanding of the processes can lead to a much more focussed audit.

The on-site inspection will then be carried out in the presence of representatives of the provider. It is important to ensure that all necessary safety precautions are observed. There may be a safety policy document, which should be acknowledged. As the inspection progresses, any observations should be made known as they are encountered. This will allow feedback from the provider's representatives and ensure that no misunderstandings or errors are made by either the auditor or the audited firm.

Communication is a vital element of the audit process, and the attitude and approach of both parties during the inspection can have a significant impact on the success of the audit and the ultimate outsourcing relationship. The audit process should be seen as the start of a working relationship, so part of the auditor's role is to facilitate good communication and, subject to the success of the audit, begin the establishment of a working partnership. Clear lines of communication will be essential in such a relationship to ensure the smooth and problem-free provision of services.

At the end of the audit day or days, depending on the scale of the outsourcing requirement, there should be a close-out meeting between the auditor and facility management during which any observations can be reported and discussed. This is an opportunity to summarize the audit inspection process. There should be no surprises at this point because all the concerns will have been raised throughout the audit and clarified between the auditor and the audited. At this stage, the auditor should state the outcome of the audit. The management of the outsourcing firm should be given an opportunity to respond, but this should be limited to clarification and agreement on any observations that may require corrective action.

Audit Report and Approval

Following the completion of the audit, a written report should be produced summarizing the process, listing any observations, and stating the outcome of the inspection (i.e., approved, not approved, or approved subject to a satisfactory response to any observations made). The report should accurately reflect the audit carried out, and it is common to issue a draft report to the provider to identify any potential inaccuracies. The report should be issued within a defined time scale to the designated outsourcing contact and the to auditors' facility management. A target date should be set for any responses required and a tracking system should be used to follow up on any consequent action plan. Once each item has been completed, the audit will be formally closed.