The art of managing an unexpected regulatory audit or inspection
by Les Schnoll
Picture yourself, an organization executive, meeting with your staff regarding an important business decision that requires your undivided attention. You are interrupted and informed there is a U.S. Food and Drug Administration (FDA) investigator in the lobby requesting you meet with him or her immediately.
What do you do? It’s too late to develop a compliance program. It’s too late to audit your compliance records. It’s too late to delegate compliance to a responsible subordinate.
There will, of course, be several questions requiring an immediate answer:
- Must I give this investigator my valuable time, or can I ask him or her to come back at a more convenient time?
- What are my rights?
- What are the investigator’s rights?
- Whom should I notify?
- How do I proceed?
"Hi, I’m from the [insert regulatory agency]. I’m here to help you!" Having an unannounced visit from the FDA, U.S. Department of Agriculture (USDA), Occupational Safety and Health Administration (OSHA) or any of the myriad other agencies is not a great way to start the day. Your not knowing the agency’s limitations and restrictions, however, can result in the agency obtaining information it has no right to access and that can be used against the organization and management team.
On the other hand, knowing how to effectively manage the visit and ensuring that your rights are clearly understood and protected will go a long way toward making the process less nerve-wracking.
Before the inspector arrives
When dealing with a federal, state or local regulatory auditor, investigator, inspector or compliance officer, you must be prepared before they arrive. You should have already been trained on the regulatory requirements, consulted knowledgeable people about the regulatory requirements applicable to your facility, products and processes, and appointed dependable managers to coordinate compliance programs and interact with investigators.
The appointed managers should become familiar with your facility’s regulatory requirements and develop appropriate compliance programs. You also should have developed and communicated to employees an inspection procedure designed to minimize employer errors that typically occur during regulatory inspections.
The first requirement of a regulatory inspection procedure should be visitor control. All visitors, including representatives of regulatory agencies, must be directed to a central processing center, such as a reception desk or guarded gate. Adequate signs along each road or walkway should direct visitors to the processing center. Employees should be instructed to challenge unescorted visitors observed within the facility and to courteously lead or direct them to the central processing center.
The second requirement is to provide your receptionist and security personnel with a responsibility call list containing names and phone numbers of managers assigned primary and alternate responsibilities.
Every visitor should be asked to sign a guest register noting his or her name, the agency represented, whom he or she is calling on, and the date and time of the visit. Your receptionist and security personnel should be provided written procedures for processing visitors. If applicable, you also should have a brief written welcome with minimal rules your guests are expected to follow.
The site manager must designate an employer representative and at least one alternate to interact with the inspector. The designated representatives should be members of management and familiar with the applicable laws, regulations and ordinances, organization policy and the site’s compliance efforts. The representative must have access to all required records. The management individual responsible for compliance with the regulatory area is usually the logical choice.
Proper processing of the inspector must include checking credentials and notifying the appropriate site and corporate personnel. Credential checks confirm investigators are actually who they say they are. The facility representative must ask the investigators to properly identify themselves, present their credentials and provide copies of legal service papers (a warrant), notices of inspection (FDA Form 482) or complaints. If there is any question about the investigator’s authenticity, call the investigator’s office or supervisor for confirmation.
As soon as the facility representative has determined the reason for the audit or inspection, he or she should notify the site manager and the responsible organizational contacts. If the investigator has served a warrant, or if there is some question as to the authenticity of the audit or inspection, the facility representative must immediately contact the functional head of quality assurance (QA) and regulatory affairs or a designated local counsel.
How do we get started? When appropriate, the facility representative should escort the regulatory investigator to a conference room or available office and assemble all personnel who may be involved in the inspection. Following introductions, the regulatory investigator should be questioned about the purpose and mechanics of the proposed audit or inspection.
During the opening meeting, the organization should attempt to obtain answers to the following questions:
- What is the reason for the audit or inspection?
- What is to be audited or inspected—area of facility, records or both?
- How long will the audit or inspection take?
- What are the normal work hours of the auditor or investigator?
- What sampling may be done?
- Who may be interviewed?
- Will the investigator need copies of records, licenses or certifications?
The investigator should be informed of:
- Location of restrooms, break areas, lunchrooms and exits.
- The site’s emergency response plan, including emergency alarms, and the response required.
- Restricted areas in the facility.
- Major hazards in the facility, including hazardous chemicals to which he or she may be exposed.
- Personal protective equipment requirements, such as safety glasses with side shields and hearing protection.
- Facility work hours.
- Smoking restrictions in the facility.
- Confidentiality of organization documents and photos that may be taken in the facility.
- Clear information in cases when photos and use of recording devices are not permitted per organization policy.
Be sure the auditor or investigator knows the name and title of the organization representative responsible for coordination of the audit or inspection and the roles of other organization personnel attending the opening conference. Make it clear that all questions and requests must be directed to the responsible organization representative.
The investigator also may provide required information regarding the audit or inspection and will be asking questions about the facility and the site’s compliance programs. Provide factual responses to all questions.
If you don’t know the answer, it is better to leave the question unanswered. You may respond that you are not sure and will provide an answer later. Most importantly, do not volunteer information, avoid detailed responses that may provide the inspector information that was not requested, and always tell the truth.
To expedite the audit or inspection, the facility representative should assign responsibility for preparing or copying organization records for the audit to other organization personnel and identify specific personnel to accompany the investigator during the site visit.
Arrangements also should be made for continued communication with assigned personnel during the inspection. Periodic debriefing sessions should be held in private with all organization participants to discuss events and to communicate directions for the continued inspection.
The audit or inspection
There are several types of audits and inspections conducted by various regulatory agencies. Questioning during the opening meeting should have revealed the exact purpose and type of audit or inspection involved.
The organization being audited or inspected should provide the required information and site access to facilitate the process as rapidly as possible. An organized effort is required to provide an auditor or investigator with required information and to allow observation of specified areas of a facility without expanding the scope of the audit or inspection.
If it is an audit of records, the auditor should be provided an isolated office or space to limit exposure to employees and production areas not directly involved. Affected employees should be advised of the auditor’s presence, but instructed to confine their contact with the auditor to the purpose of the audit. Employees not directly involved do not need to be advised.
If a limited inspection of specified equipment or process is involved, the investigator should be guided by the most direct route possible, avoiding work areas unrelated to the inspection.
The site representative must take extensive notes of an audit or inspection. Notes should be dated and identified as to the type of audit or inspection. They should include records reviewed, equipment and processes inspected, photos taken, names of individuals interviewed, and requests, recommendations and comments made by the organization, auditor or investigator. Notes should be retained until all actions and dispositions of the regulatory agency have been completed.
Regulations specify the permits, licenses, records, reports and documentation that must be maintained by manufacturers and employers. FDA investigators, for example, have a right to examine and, in certain instances, copy documents specified by regulation, but this does not give them unlimited access.
The site representative must be familiar with the regulatory requirements relating to required records, and provide only those records required. When in doubt, call the functional head of QA and regulatory affairs for clarification of record-keeping requirements and accessibility limitations.
The auditor or investigator should not be informed of additional records (those not required by regulation) maintained by the facility. Exposure to such unrelated records may unnecessarily expand the inspection’s scope.
All requests for copies of facility records should be directed to the responsible organization contact. An appropriate response to such a request for copies is:
"Our corporate policy requires that requests for copies of organization records be submitted to the functional head of quality assurance and regulatory affairs. Requests for copies must include the records requested by name and identifying codes or numbers, the number of copies requested, and the code or regulation specifying requirements to maintain the records requested."
All copies of organization records supplied should be marked, "[COMPANY NAME] CONFIDENTIAL RECORD." Do not leave an auditor or investigator alone with organization records or leave records open and accessible to a casual reader.
Pictures and videos
Regulatory investigators prefer to use photos and videos to document conditions found during their inspections. Recorders also may be used during interviews. All requests for photos, videos or recordings must have written approval from the functional head of QA and regulatory affairs. Ideally, organization policy is that no photos or recording is permitted without this approval—if at all.
Environmental sampling is often required to determine compliance. If samples are to be collected, you should contact the local environmental, health and safety representative. Specifically, ask the investigator what is to be sampled, the type of sampling equipment to be used, the method of sampling, who will provide analysis and when you may obtain results.
If sampling raw materials or waste, request a split sample and have half of the sample analyzed by a laboratory selected by your organization.
If employee exposures to dust, fumes, vapors, noise or other work stress are sampled, side-by-side sampling is recommended. Samples should be collected and preserved in accord with good industrial hygiene practices.
Avoid demonstrations of equipment, processes and methods. If a machine or area is inactive, do not activate it unless demonstration is required by permit. Should an investigator ask about work performed at an inactive machine or work area, tell the investigator the process is not scheduled for this work period and operators are unavailable.
Never attempt to take the place of an operator. If a demonstration must be given, provide a qualified, experienced operator. Do not allow the investigator to rush the process or distract the operator.
Auditors and investigators may request an interview with a representative number of employees at the site to ascertain the employees’ knowledge of regulatory requirements and compliance with such requirements. The auditor (investigator), however, does not have the right to speak with all personnel or to unduly interrupt or delay the production effort of the facility.
The auditor (investigator) may restrict the interview to prevent an employer representative from being present. However, assume a presence at the interview unless privacy is requested.
When a request is made to interview an employee, the site representative should:
- Contact the key personnel to determine whether that individual can be interviewed (and whether the regulation or law allows for it).
- Contact the employee’s immediate supervisor or manager and ask that arrangements be made to temporarily release the employee for the interview.
- Guide all participating individuals to a safe, out-of-the-way area. If an office is to be used, remove visible documents and records.
If an interview is requested with an employee involved in essential tasks and interruption would cause a hardship, explain the situation to the auditor (investigator) and offer to schedule the interview during a convenient break in the work process. Alternate employees also may be suggested for interview.
If the employee to be interviewed is represented by a union, the employee is entitled—upon request—to have a union representative present during the interview. The auditor (investigator) may restrict the interview to prevent a union representative from being present, but assume a presence at the interview unless privacy is requested.
At the end of a compliance audit or inspection, the organization should ask the regulatory official to attend a closing conference or debriefing session. The purpose of this session is to gain as much information as possible about the investigator’s findings and future actions that may result. It is generally recommended that people attending the opening conference be invited to attend the closing conference.
During the closing conference, the site representative should:
- Determine what (if any) functions or portions of the audit or inspection remain incomplete and when such functions will be completed.
- Find out whether the organization will receive a report, notice of violation, citation or other acknowledgment of audit finding, and when.
- Learn the auditor’s (investigator’s) general impression of the organization’s compliance programs and implementation efforts.
- Request specific items found in noncompliance.
- Obtain recommendations for improvements in organization compliance programs and implementation efforts.
- Request any expected actions that may be taken by the regulatory agency.
- Learn the required organization response to the audit or inspection, and the person, address and phone number to which the organization response must be made.
- Determine any time limitations for abatement of noncompliance or required responses.
- Determine appeal procedures.
The site representative may use this opportunity to clear up any misunderstandings about facts gathered during the audit (inspection), but arguments must be avoided. This is not the time or place to present a defense. Do not make commitments or promises other than to say the organization will consider findings and recommendations, and comply as required.
At the end of the closing conference, thank the government representative for his or her help and recommendations, and accompany him or her off the premises.
After the inspector leaves
The facility representative should immediately notify executive management that the audit or inspection has been completed and provide a briefing on the results. A similar notice should be made as soon as possible to the individuals identified on the call list.
A brief report of the audit (inspection) should be prepared and assembled with all supporting notes and documentation. A copy of all notice of violations, citations, summons, warrants or notice of pending legal action must be forwarded to the functional head of QA and regulatory affairs.
Generally, regulatory audits and inspections result in an official report listing citations of violations—with or without proposed penalties—recommendations, required organization response, and required timing for correction of violations and response to the government agency. Instructions for appeal and listings of the employer’s rights may accompany the report.
It is important that all instructions be understood and followed in a timely manner. A written response to the report always should be prepared and, if approved, submitted in reply to the agency. If a written response is not required, the response should be filed as records.
Certain regulatory response action may require employers to advise their employees or to post copies of citations or notices of violation in their place of business. Employee notice of challenge, hearings and reviews also may be required.
All required postings should include the date of posting and date removed. Required postings must be retained with the audit (inspection) file.
As a manufacturer or distributor of regulated products, you can expect to have your friendly regulatory inspector or investigator knock at your door periodically. Depending on your industry, the investigators can be representatives from the FDA, OSHA, USDA, your state’s department of health or others.
Knowing your rights, as well as the rights of the investigator, will allow you to effectively manage those visits and ensure that you retain control of the inspection.
This new addition to Standards Outlook will provide you with monthly nuggets of information related to the ISO 9001 and ISO 14001 revisions planned for 2015. This month, heed this advice from author Paul Palmes as you plan your organization’s transition to ISO 9001:2015:
"Don’t do anything right away because we’re still in what we call the draft international standard phase," said Palmes in the video, "ISO 9001:2015—What You Must Know Now." "There are still considerable changes that could come into effect."
After the final standard is released later next year, you will have three years to transition. Then, Palmes said, "Take your time, do it right, but don’t lollygag."
For more tips and advice, watch Palmes’ full video interview at bit.ly/palmesvideo, and visit ASQ’s ISO 9001:2015 page often at http://asq.org/knowledge-center/standards-iso-9001-2015.html for more updates and resources.
Les Schnoll has more than 35 years of experience in industries regulated by the U.S. Food and Drug Administration (FDA). He is a senior member of ASQ and an ASQ-certified quality engineer, auditor and manager. A former member of the U.S. technical advisory group to ISO technical committee 176, Schnoll wrote The Regulatory Compliance Almanac (Paton Press, 2001, 2008). He is the principal of Quality Docs LLC, providing quality and regulatory consulting services to FDA-regulated industries. He also teaches several courses in master’s degree programs in regulatory affairs at Arizona State University in Phoenix and Northeastern University in Boston.