Assessments verses Audits

Identifying Them as Two Different Activities

By: Judy Fox, PDMA Practice Lead & Compliance Specialist
judyfox@cis-partners.com

In pharmaceutical industry the terms, Assessments verses Audits are often used interchangeably. In response to such, this article is intended to provide clear delineation and definition around the two terms. By way of summarizing, an audit will test actual implementation and processes against existing documentation and current activities, while an assessment involves an evaluation of existing operational methodologies and documentation to ensure alignment with government and regulatory requirements. The differences may seem obvious, but with the trend to use the terms “audit” and “assessment” as one in the same, a disservice may be occurring if clarity is not made between the two. In determining the level of compliance in an organization, there are some important considerations before initiating an audit or an assessment.

In an audit, industry experts are often called upon to review the current policies and procedures and determine the level of compliance when it comes to actual implementation of policy and procedure documentation. An internal audit is a mean to test corporate readiness for a government audit through monitoring company activities and adherence to policies and procedures. A vendor audit is necessary to ensure business partner activities are not putting a company at risk. While internal and vendor audits serve an important and necessary role in the pharmaceutical industry, some audits may put a company at risk by only testing implementation and not identifying the policies and procedures that fall short of current regulatory requirements. As an example: an audit for a paper based sampling program was conducted on a sample accountability vendor. The vendor was very proud of the fact that it had been audited many times and had passed with flying colors. Some of the previous audit reports detailed how the auditor was greeted upon arrival, whether the waiting area was clean and whether or not the auditor received a name badge as per the vendor procedures. While it is important to note compliance related to the activities outlined in the SOPs, the same report neglected to mention that the client’s documentation integrity was being compromised by a lack of controls over document handling and archival procedures and data entry procedures lacked a system of checks and balances.

In situations like the example previously mentioned, one must ask why are risk areas being ignored? The auditors may have followed an all too common protocol that is rarely challenged and difficult to change: to ensure that the vendor SOPs were being followed, and most likely, they were, but that’s where the auditor’s responsibilities ended. The pharmaceutical company may have also followed a common trend: allowing a vendor with an existing relationship with the company to provide or recommend their own auditor. A thorough audit report should include compliance risks and gaps, but the expectations of the auditor are not always spelled out in advance.

Aside from a lack of objectivity when a vendor provides their own audit team, problems also stem from the fact that vendor’s SOPs that are used to manage the client-vendor relationship are not always written with the client’s compliance needs in mind, but more or less a cookie cutter approach that lacks specifics, in order to easily apply the procedures across their client base.

While some audits lack in compliance surveillance, an assessment is meant to identify deficiencies and assist in getting a company “audit ready”. An assessment can be particularly helpful as an internal corporate exercise as it offers a more relaxed environment for employees than the dreaded audit. A good assessment approach allows employees a certain level of comfort in that the assessment is a means to evaluate the value of the policies, procedures, and not necessarily to determine how well policies and procedures are being followed. It makes one wonder, if the terms “assessment” and “audit” are being used interchangeably due to the fact that employees are often intimidated by an audit and any interviews with relevant personnel are stifled by the threat of an audit.

External or vendor assessments are critical in determining how well the client’s compliance needs are being met by the third party. In identifying areas of activity that may need to be re-evaluated and offering industry benchmarks to guide new policies and procedures, the assessment not only identifies areas of risk, but offers recommended solutions to the complex world of compliance. Ideally, a vendor assessment should be completed prior to a pharmaceutical initiating a relationship with the vendor.

Industry experts are usually qualified to conduct both audits and the same expert can be utilized to conduct an external or vendor audit or assessment, as long as the expert is independent from the vendor; however it is important to consider timing when initiating internal audits and assessments. An internal assessment or audit can be performed by the same industry expert but if an audit is scheduled to immediately follow an assessment, it is a good idea to utilize a different auditor, keeping in mind that employees were exposed to the expert conducting the assessment in a different climate than one would expect during an audit.

When determining the value an audit or assessment would bring to the company, consider the results of the last audit or assessment, examine the thoroughness of the reports and if any corrective and preventative actions have been completed. In addition, determine if the existing policies and procedures provide the appropriate level of content to mitigate compliance risk, and whether the existing procedures are current - documents should be reviewed and revised on a regular basis to reflect changes in laws and regulations. Finally, compliance issues and efforts across various departments in the organization have to be evaluated and coordinated. The pharmaceutical company’s vendor audit plan will dictate the timing of the next audit, but an assessment of vendor activities can be beneficial separate from the schedule, especially when a vendor is managing an entire program. By interchanging the terms “audit” and “assessment”, we not only diminish the roles each plays in the pharmaceutical industry, but we run the risk of complacency where compliance may be lacking.