In today’s rapidly evolving regulatory environment, mastering the nuances of remote Good Pharmacovigilance Practice (GVP) audits is essential, especially when dealing with Chinese partners from the Marketing Authorization Holder (MAH) perspective. Whether you’re navigating online (remote) or offline (onsite) audits, ensuring compliance and mitigating risks are crucial for maintaining the integrity of your pharmacovigilance (PV) operations in China.

The Value of Remote GVP Auditing in China

Conducting remote GVP audits on your Chinese partners offers unparalleled flexibility, enabling organizations to achieve their pharmacovigilance (PV) audit objectives efficiently, regardless of location or external challenges. This approach ensures continuous audit activities, even in the face of travel restrictions, budget constraints, or safety concerns. To fully harness the benefits of remote auditing, it is crucial for all stakeholders to clearly understand their roles, the necessary inputs, and the associated risks and opportunities.

Navigating the Challenges of Remote GVP Audits with Chinese Partners

Advances in information and communication technologies have made remote GVP audits in China more accessible and feasible, particularly in the post-COVID era. These technologies enable auditors to communicate globally and access a wide range of data, ensuring that pharmacovigilance compliance is maintained, even when dealing with Chinese partners. However, it’s important to address the limitations and risks associated with remote auditing, such as information security, data protection, and the accuracy of evidence collected.

Key Considerations for Remote Audits in China:

Many of these concerns can only be fully addressed during an onsite visit to China. Therefore, audit project managers and teams must carefully evaluate the risks and opportunities to determine when and where remote auditing is appropriate, especially when dealing with Chinese partners.

Best Practices for Remote GVP Audits in China

This article delves into the critical aspects of remote auditing, from establishing the audit program to planning and execution, with a specific focus on audits involving Chinese partners. We share best practices, common pitfalls, and examples to help guide your decision-making process. Additionally, we provide a general risk and opportunity analysis for using ICT in remote audits in China, offering a solid foundation for informed decisions.

General Recommendations for Remote GVP Audits in China

1. AUDIT PROGRAMME

When considering remote auditing in China, it’s important to reference IAF documents, accreditation bodies, and certification bodies’ requirements. These frameworks help determine the eligibility of remote auditing for your specific audit objectives, particularly when auditing Chinese partners.

2. FEASIBILITY ASSESSMENT

The success of remote GVP audits, particularly those utilizing information and communication technology (ICT), relies on several critical factors, including technology readiness, auditor competency, and secure data handling. It is essential to conduct this assessment before deciding to implement remote auditing techniques, as proper preparation can optimize the audit process.

There are two primary scenarios for remote auditing:

The first step in ensuring feasibility is to determine the technology to be used, verify whether auditors and auditees possess the necessary competencies, and ensure that the required resources are available. Feasibility also depends on the quality of the online connection; weak bandwidth or limited hardware capabilities can significantly slow the process, reducing efficiency. The speed at which the auditee can access and present evidence via video or through a tablet or computer can also impact the audit process.

3. CONFIDENTIALITY, SECURITY AND DATA PROTECTION (CSDP)

In remote GVP audits, ensuring robust confidentiality, security, and data protection (CSDP) is paramount. Both the certification body (CB) and the organization must comply with relevant legislation and regulations, which may necessitate additional agreements from both sides (e.g., no recording of sound and images, or authorizations for using people’s images) and potentially from the auditee as well. Where required by national law, the Data Protection Officer (DPO) of both organizations should be involved in assessing these issues. In some cases, security requirements may prevent the use of ICT.

Preparation for using ICT should include identifying all certification, legal, and customer requirements related to confidentiality, security, and data protection, and taking the necessary actions to ensure these requirements are effectively implemented. Both the auditor and auditee must agree on the use of ICT and the measures taken to meet these requirements, with documented evidence of agreements on CSDP (e.g., records, agreed procedures, or emails). It is crucial that all participants acknowledge these CSDP criteria.

During the opening meeting, measures to ensure confidentiality and security should be confirmed. The audit team should avoid accessing or retaining more documented information than would be typical in a face-to-face audit. While auditors may seek access to additional information to prepare for the audit or to analyze documented information asynchronously, it is crucial to maintain trust in the audit process.

As a best practice, when documented information is analyzed asynchronously, it should be shared through secure and agreed systems, such as cloud-based platforms, Virtual Private Networks (VPNs), or other file-sharing systems that comply with CSDP guidelines. Once the audit is complete, the auditor should delete or remove access to any documented information and records not required as objective evidence. Auditors should not take screenshots of auditees as audit evidence. Any screenshots of documents, records, or other evidence should be pre-authorized by the audited organization.

4. RISK ASSESSMENT

A thorough risk assessment is essential for any remote GVP audit. Identifying, assessing, and managing potential risks ensures that your audit objectives are met while safeguarding your organization’s compliance and reputation. It is also important to determine which processes, activities, or sites within the organization can be audited remotely using the available ICT tools. IAF MD 4 clearly states that this decision should be based on a documented identification of the risks and opportunities that may impact the audit or assessment for each ICT tool considered.

The table below lists the main issues to assess feasibility and conduct a risk analysis for a remote audit. The assessment should be performed and documented for each audit, involving all members of the audit team and the representative of the audited organization. Any specific arrangements should be documented and communicated between the relevant interested parties.

| No. | Issue | Assessment |
|---|---|---|
| 1 | Confidentiality, Security, and Data Protection (CSDP) | Ensure agreement between auditor and auditee about CSDP. |
| 2 | Use of Information and Communication Technologies (ICT) | There must be a stable connection with good online quality. The ICT should allow access to relevant documented information, including software, databases, records, etc. It should also enable the authentication or identification of interviewed individuals, preferably with image. If observing facilities, processes, or activities is relevant to achieving audit objectives, it must be possible to access them via video. |
| 3 | People in the Organization | It must be possible to access and interview people relevant to the Quality Management System (QMS). |
| 4 | Operations | If the organization is not operating regularly due to contingency situations, the processes or activities being performed should be representative and allow for the fulfillment of the audit objectives. |
| 5 | Complexity of the Organization and Audit Type | In the case of complex organizations, processes, or products and services, where the audit type’s objectives require a full assessment of the standard and wider sampling (e.g., initial assessment or reassessment), a careful analysis of the feasibility of remote audits to fully evaluate the organization’s conformity to all requirements should be performed. |
| 6 | Conclusions | The audit objectives can be attained with the remote audit – proceed to remote audit. The audit objectives can be achieved partially – a remote audit may be done partially and later complemented with an on-site audit. The audit objectives cannot be attained via remote audit. |
