Quote from VigiServe Admin on November 24, 2020, 3:22 PM

Tactical level audit planning

An audit programme is a set of one or more audits planned for a specific timeframe, normally for a year. It should be prepared in line with the long term audit strategy. The audit programme should be approved by upper management with overall responsibility for operational and governance structure.

The risk-based audit programme should be based on an appropriate risk assessment and should focus on:

• the quality system for pharmacovigilance activities;

• critical pharmacovigilance processes

• key control systems relied on for pharmacovigilance activities;

• areas identified as high risk, after controls have been put in place or mitigating action taken.

The risk-based audit programme should also take into account historical areas with insufficient past audit coverage, and high risk areas identified by and/or specific requests from management and/or persons responsible for pharmacovigilance activities.

The audit programme documentation should include a brief description of the plan for each audit to be delivered, including an outline of scope and objectives.

The rationale for the timing, periodicity and scope of the individual audits which form part of the audit programme should be based on the documented risk assessment. However, risk-based pharmacovigilance audit(s) should be performed at regular intervals, which are in line with legislative

requirements.

Changes to the audit programme may happen and will require proper documentation.

Strategic level audit planning

The audit strategy is a high level statement of how the audit activities will be delivered over a period of time, longer than the annual programme, usually for a period of 2-5 years. The audit strategy includes a list of audits that could reasonably be performed. The audit strategy is used to outline the areas highlighted for audit, the audit topics as well as the methods and assumptions (including e.g. risk assessment) on which the audit programme is based.

The audit strategy should cover the governance, risk management and internal controls of all parts of

the pharmacovigilance system including:

• all pharmacovigilance processes and tasks;

• the quality system for pharmacovigilance activities;

• interactions and interfaces with other departments, as appropriate;

• pharmacovigilance activities conducted by affiliated organisations or activities delegated to another organisation (e.g. regional reporting centres, MAH affiliates or third parties, such as contract organisations and other vendors).

This is a non-prioritised, non-exhaustive list of examples of risk factors that could be considered for the purposes of a risk assessment:

• changes to legislation and guidance;

• major re-organisation or other re-structuring of the pharmacovigilance system, mergers, acquisitions (specifically for marketing authorisation holders, this may lead to a significant increase in the number of products for which the system is used);

• change in key managerial function(s);

• risk to the availability of adequately trained and experienced pharmacovigilance staff, e.g. due to significant turn-over of staff, deficiencies in training processes, re-organisation, increase in volumes of work;

• significant changes to the system since the time of a previous audit, e.g. introduction of a new database(s) for pharmacovigilance activities or of a significant upgrade to the existing database(s), changes to processes and activities in order to address new or amended regulatory requirements;

• first medicinal product on the market (for a marketing authorisation holder);

• medicinal product(s) on the market with specific risk minimisation measures or other specific safety conditions such as requirements for additional monitoring;

• criticality of the process, e.g.:

− for competent authorities: how critical is the area/process to the proper functioning of the

pharmacovigilance system and the overall objective of safeguarding public health;

− for marketing authorisation holders: how critical is the area/process to the proper functioning of the pharmacovigilance system. When deciding when to audit an affiliate or third party, the marketing authorisation holder should consider the nature and criticality of the pharmacovigilance activities that are being performed by an affiliate or third party on behalf of the marketing authorisation holder, in addition to considering the other factors included in this list;

• outcome of previous audits, e.g. has the area/process ever been audited (if not, then this may need to be prioritised depending on criticality); if the area/process has previously been audited, the audit findings are a factor to consider when deciding when to re-audit the area/process, including the implementation of agreed actions;

• identified procedural gaps relating to specific areas/processes;

• other information relating to compliance with legislation and guidance, for example:

− for competent authorities: information from compliance metrics, from complaints,

from external sources, e.g. audits/assessments of the competent authority conducted by

external bodies;

− for marketing authorisation holders: information from compliance metrics (as described in the Commission Implementing Regulation on the Performance of Pharmacovigilance Activities

Provided for in Regulation (EC) No 726/2004 and Directive 2001/83/EC), from inspections (see

GVP Module III), from complaints, from other external sources, e.g. audits;

• other organisational changes that could negatively impact on the area/process, e.g. if a change occurs to a support function (such as information technology support) this could negatively impact upon pharmacovigilance activities.