Quality audits are often very focused in their performance and in the distribution of the findings. Quality assurance, operations,
and procurement departments review the results. Realistically, that information never leaves the protection of operations
and rarely reaches the executive level — the very people who are on the liability firing line.
Printout and electronic record differences. As we find more processes that can be linked to electronically generated records and documentation, auditors will encounter
new challenges. Electronic data are intangible, a series of magnetic or optical–magnetic impressions on durable media that
require machine transposition to become readable by humans. And auditors are human, not cyborgs. Fingers, although tactile
and soft-wired to a central neural ganglion, cannot plug into a machine and upload data to the brain. The logical alternative
is to print hard copies and verify data points between the database and the source document. But that is not truly auditing
the electronic record. A printout of an electronic record is not the actual electronic record. An electronic record has search and sort capabilities, can have algorithms, and contains metadata
about the users' changes and the time and date those changes were made. These metadata are not present in the printout.
That difference is particularly problematic in audits of development processes in which many participants generate quantities
of data. The complexities associated with product development and design control with the increasing reliance on computer-generated
drawings, spreadsheets, reports, and test data exacerbate the difficulties facing auditors when they wade through an organization's
knowledge architecture, attempting to verify data integrity.
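To make the printout versus electronic-record difference concrete, the following added example (not part of the original article) builds a constructed record whose hard copy agrees with the source document while its change metadata shows an unattributed, late entry made after signing. The field names, sample values, signature timestamp and one-hour tolerance are all assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample record; every name and value here is hypothetical.
RECORD = {
    "fields": {"batch": "B-001", "assay_pct": "99.1"},
    "signed_at": datetime(2001, 5, 2, 9, 0),
    "audit_trail": [
        {"user": "jdoe", "field": "assay_pct", "old": None, "new": "97.4",
         "event_time": datetime(2001, 5, 1, 10, 0),
         "logged_at": datetime(2001, 5, 1, 10, 1)},
        {"user": "", "field": "assay_pct", "old": "97.4", "new": "99.1",
         "event_time": datetime(2001, 5, 1, 10, 0),
         "logged_at": datetime(2001, 5, 3, 16, 30)},
    ],
}
# Constructed source document that the hard copy is checked against.
SOURCE_DOC = {"batch": "B-001", "assay_pct": "99.1"}
MAX_DELAY = timedelta(hours=1)  # assumed tolerance for "contemporaneous"


def printout(record):
    """Render what a hard copy shows: current field values only."""
    return "\n".join(f"{k}: {v}" for k, v in sorted(record["fields"].items()))


def hardcopy_check(record, source_doc):
    """Data-point comparison between the printed values and the source document."""
    return record["fields"] == source_doc


def audit_trail_findings(record):
    """Review the change metadata that never reaches the printout."""
    findings = []
    for i, entry in enumerate(record["audit_trail"]):
        if not entry["user"].strip():
            findings.append((i, "not attributable: no user"))
        if entry["logged_at"] - entry["event_time"] > MAX_DELAY:
            findings.append((i, "not contemporaneous"))
        if entry["old"] is not None and entry["logged_at"] > record["signed_at"]:
            findings.append((i, "changed after signature"))
    return findings


if __name__ == "__main__":
    print(printout(RECORD))
    print("hard copy matches source:", hardcopy_check(RECORD, SOURCE_DOC))
    for index, problem in audit_trail_findings(RECORD):
        print(f"audit trail entry {index}: {problem}")
```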
An Audit Solution
So how can you audit electronic data? It cannot be seen; it cannot be touched; and special devices are needed to interpret
it. Very simply, you do not: You do not audit electronic data. You must audit the process and ensure that all the supporting systems are properly validated so that they generate verifiable,
FDA's acceptance of data from electronic records for decision-making depends on the agency's ability to verify the quality
and integrity of that data during on-site inspections and audits. To be acceptable, the data should meet certain fundamental
elements of quality whether collected and recorded electronically or on paper. Data should be attributable, original, accurate,
contemporaneous, and legible. Electronic data are generated using computers and computer systems. FDA has long required that
all computer systems be properly validated, and the agency intends to apply the same validation concepts and standards to
electronic records and signature systems as it does to computer systems.
FDA defines computer validation as providing documented evidence and assurance that computer systems that "touch" the process
perform in a reliable and repeatable manner. That requires written proof that the computer system is suitable for use, is
reliable and will continue to be so, functions as it purports to do in the system’s documentation, is secured and protected
from unauthorized access, is maintained in a controlled manner, and is protected against uncontrolled change. In manufacturing,
"Failure to comply . . . shall render the drug adulterated . . . and such drug, as well as the person who is responsible for
the failure to comply, will be subject to regulatory action" (4).
The audit process, therefore, is a systems audit like any other system audit. The exception is that this audit requires specialized
information technology (IT) and technical skills to evaluate the quality and the fiduciary and security requirements of the
information system. Those skills are in addition to the audit skills mentioned and required for other system audits. The "ERES
Checklist" box lists typical questions and tasks involved in the data system audit.
Dynamic Knowledge Architecture
Organizations must establish a knowledge architecture that acknowledges changing needs, meets compliance requirements, and
engenders a new paradigm for using and managing the complex information highway. The task before management is to effectively
bridge the gap between the objectives and values expressed by upper management and the processes and behavior exercised at
lower levels into a coherent compliance risk management strategy.
A successful effort must ensure protection of the organization and its personnel from regulatory sanctions. You cannot inspect quality into a product, and you cannot audit integrity into data. You need to build in quality and integrity at the design stage — and that design process can be audited
and evaluated to ensure that risk exposure is appropriate and cost-effective.
Organizations and people do not like surprises. Just as there are financial audits to reduce business risks, there need to
be audits to reduce electronic and computer risks. FDA has the authority and the power to maintain the public welfare through
its inspection program. Recently, the agency exercised its power and authority by assessing multimillion-dollar fines and
withholding new product approvals until manufacturing and validation problems with products already on the market were resolved.
Regulatory issues, therefore, have been escalated to business financial issues.
Although the 21 CFR Part 11 regulation does not appear on the surface to be that challenging, and many organizations have
adopted a "wait and see" philosophy, it is a major event worthy of action to avoid unnecessary risk exposure. This is because
any violation of 21 CFR Part 11 equates to a violation of FDA predicate GMP, GLP, or GCP regulations. Therefore, organizations
must think about new ways of acting, or unanticipated exposure could materialize.
References
(1) Code of Federal Regulations: Food and Drugs, Title 21, Part 11, "Electronic Records; Electronic Signatures" (U.S. Government
Printing Office, Washington, DC, July 1999). Also Federal Register 62(54), 13429–13466.
(2) Office of Regulatory Affairs, "ORA Field Management Directive 146: Electronic Records: Electronic Signature Certification,"
Inspection References: Field Management Directives (FDA, Rockville, MD, 20 August 1997).
(3) Code of Federal Regulations: Food and Drugs, Title 21, Section 210.1, "Current Good Manufacturing Practice for the Manufacture,
Processing, Packing, or Holding of Drugs" (U.S. Government Printing Office, Washington, DC, June 1997).
(4) Code of Federal Regulations: Food and Drugs, Title 21, Section 820, "Quality System Regulation" (U.S. Government Printing
Office, Washington, DC, revised April 2001).
For Further Reading
J.F. Noferi and D.E. Worden, "Auditing Electronic Data in Clinical Research," Applied Clinical Trials 10(5), 58–64 (2001).
J.F. Noferi and D.E. Worden, "Where Has Quality Gone?" Risk Management 48(5), 35–38 (2001). BPI