Different types of audits can be performed to support your vendor qualification and management program. These audits should be conducted using a risk-based approach. In this blog, we outline the difference between these types of audits and how to identify vendors that have the most potential risk for your program.
Some common terms used to describe vendor audits include routine audits, qualification audits, requalification, and in-process audits. In all of these cases, the regulations and guidance provided at 21 CFR 312.52 and ICH 5.5.2 apply.
Routine and qualification audits are conducted to assess and evaluate the qualifications and capabilities to meet sponsors’ expectations and industry standards of a new, previously unqualified vendor, or a vendor who hasn’t done work for your organization in a number of years. Such audits of third-party vendors are typically systematic and done before a protocol starts. Vendors that might be assessed in this way include contract research organizations (CROs), laboratories, electronic data capture (EDC), imaging, interactive response (IRT)/interactive voice/web response system (IxRS), and data management service providers.
Note that qualification questionnaires are not the same as qualification audits, as questionnaires don’t typically get into the details of standard operating procedures (SOPs) and actual process information.
Vendor requalification and in-process audits are examinations of results related to specifically contracted services, to determine whether the vendor’s activities, resources, and behaviors are being managed efficiently and effectively. These audits are also conducted to ensure the vendor is complying with their quality documents and SOPs. Vendors may be required to submit to an ongoing audit to ensure current standards are maintained and client requirements are met. This type of audit may also include a review of sponsor data being processed or managed by the vendor. Your organization’s quality assurance (QA) procedures or Quality Management System may dictate the frequency and expectations surrounding requalification audit timelines and procedures.
A requalification audit will assist you in making sure your program is not at risk and the vendor is complying with the regulations, protocol requirements, and/or if previous observations have been addressed.
If a qualification audit is not done prior to study initiation and occurs soon after a study starts, it may be called an in-process audit and can include a review of sponsor/study-specific information, such as study team members, qualifications, training, study documents, and data generated by the vendor.
When Should You Audit Your Vendors?
Qualification audits should ideally be conducted before any protocol work begins so you can identify risks or learn if any remediation is needed before starting the study. If any significant issues arise, the findings can determine if the study should be started with that vendor.
However, sometimes a vendor is selected and engaged before the QA team is informed, and work begins before the vendor has been fully qualified. This can complicate the audit process, but it’s not impossible. In this case, the audit should be performed as early in the study conduct as possible so any remediations can be made and there is minimal impact to study data and participant safety.
Requalification audits occur, as defined by organizational SOPs or at key points during the study. Such audits assist in making sure your program is not at risk, and the vendor is complying with the regulations, protocol requirements, and if previous findings have been addressed. Essentially, a requalification audit seeks to confirm that the vendor is doing what they said they would do.
Preparing for the Audit
As you plan your next audit, here are some questions to consider:
- Can you assure the regulators you have oversight of your vendors?
- What do you have in place to comply with the regulations?
- Do you have documented transfer of obligations with all your vendors?
- Do you have an annual audit plan?
- Do you have a risk management plan?
- What areas and what vendors are your high-risk vendors?
- Have you qualified the vendors you are currently using?
- Are you having issues, high amount of deviations with your vendors?
- When was the last time you audited them?
- If you audited them previously, were corrective actions completed accordingly?
- Are you confident the data is accurate for submission?
- Is your data secure, and if so, how?
- What are your oversight plans with your vendors?
- Do you have SOPs detailing your oversight of your vendors?
Given the unique situation with COVID-19, many vendors are supporting the qualification/requalification process by supporting remote audits. These types of audits may include uploading documents to secure shared spaces, virtual interviews, and even virtual tours. Each remote audit is slightly different, but with good collaboration between the Sponsor, Vendor and Audit Team, these can be quite successful.
If the sponsor is unable to conduct the vendor audit, many third-party firms like Advarra can provide vendor auditing services. Sponsors are ultimately responsible for verifying their vendors have appropriate processes and procedures in place and are qualified to perform the tasks they have been contracted to perform on the sponsor’s behalf.
Need assistance planning or conducting your next vendor audit? Contact Advarra for global virtual and on-site support.