Gearing up for a Pharmacovigilance Audit Using a Risk Based Approach
Dr J Vijay Venkatraman, Managing Director & CEO Oviya MedSafe Pvt Ltd

This article details the needs, significance and advantages of adopting a risk based approach for conducting Pharmacovigilance audits.

In recent years, Pharmacovigilance regulations across the globe are becoming more stringent, placing various regulatory obligations on the Marketing Authorisation Holders (MAH) – a term that includes pharmaceutical companies as well as external agencies that hold the right of marketing any given medicinal product in a specified market. One of such stern obligations warrants the MAH to conduct a regular audit of its Pharmacovigilance system. As a result, the MAH is expected to assess their own Pharmacovigilance system using periodic risk-based and independent audits, and communicate any safety risks to the regulators and healthcare professionals.

Every MAH must establish and maintain a system for performing their Pharmacovigilance activities, monitoring the safety of authorised medicinal products and detecting any change in their riskbenefit balance. Likewise, the MAH must establish and use the quality systems that are adequate and effective to measure the outcomes relevant to Pharmacovigilance.

Being a component of the Pharmacovigilance system, a quality system has its own structures and processes which must envelop organisational structure, responsibilities, procedures, processes and resources of the Pharmacovigilance system. It should help in ensuring adequate compliance and record management. Regulatory authorities emphasize a process or measure to investigate or evaluate the performance and effectiveness of a Pharmacovigilance system and the quality system by the MAH themselves which is commonly referred to as audit.

In general, an audit is defined as an organised and unbiased assessment of activities to determine whether the evaluated activities were performed according to the defined requirements (audit criteria, regulations, procedures). From the pharmacovigilance perspective, an audit is defined as a “systematic, disciplined, independent and documented process for obtaining evidence and evaluating the evidence objectively to determine the extent to which the audit criteria are fulfilled, contributing to the improvement of risk management, control and governance processes” (European Medicines Agency). In other words, an audit can simply be defined as the process of assessing the appropriateness and effectiveness of the implementation and operation of the pharmacovigilance system through the evaluation and examination of objective evidence.

Risk based auditing is defined as an audit process that explains how the concept of risk are integrated into the strategies and approaches used for management. It emerged as a methodology that links internal auditing to an organisation's overall risk management framework (Institute of Internal Auditors, IIA). The risk based audit uses certain techniques to determine the areas of risk, where risk is defined as the probability of an event occurring that will have an impact on the achievement of objectives, taking in to account, the severity of its outcome and/or likelihood of its nondetection by other methods.

So, why is there a regulatory requirement to adopt the risk based approach to conduct PV audits? The recent switch to the risk based approach is because it helps to identify the areas of highest risk to the organisation’s Pharmacovigilance system, including its quality system for Pharmacovigilance activities. Moreover, it acknowledges the internal audit to provide assurance to the authorities that the risk management processes are managing risks effectively, in relation to the risk appetite (the amount of risk organisations are prepared to accept in order to pursue their objectives). In other words, the risk based approach helps to authenticate the effective operation and implementation of Pharmacovigilance system and to ensure that the company is operating in congruence with the established policies and that it complies with the regulatory requirements for the Pharmacovigilance/quality system.

Furthermore, a risk based audit empowers a MAH to evaluate the operations of the Pharmacovigilance system and provides numerous benefits to it such as:
  • It helps to prevent under or over auditing;
  • It provides results that are rational, unbiased, valid and reliable;
  • It reduces the investigator bias;
  • It helps to strengthen accountability for achieving objectives;
  • It improves understanding and communication of risk and mitigation options;
  • It details the complete risk management processes including their design and effectiveness;
  • It enables complete, accurate and appropriate reporting and classification of risks.
While trying to explore the basic differences between the traditional audit and the risk based audit, it is identified that the previous auditing standards just focused on the deficiencies in internal controls, and cases of non-compliance with policies, procedures and the country’s regulatory requirements which might not be present over time. In contrast, the modern risk based auditing spotlights the present and the organisation's level of preparedness to deal with the future. As a matter of fact, the concept of risk based auditing is not limited to identifying the risks that have a significant impact on the organisation’s Pharmacovigilance system but also to ensure whether the organisation has the ability to achieve or surpass its objectives.

Using this approach, the risk is assessed at the three different stages. The first stage includes the strategic level audit planning that gives rise to a long term audit strategy that usually lasts for a period of 2-5 years. The goal at this stage is to portray the areas highlighted for audit and must include the governance, risk management and internal controls of all parts of the Pharmacovigilance system.

Meanwhile, the risk can be assessed using the second stage, the tactical level audit planning. This strategy results in an audit programme planned for a specific timeframe, normally for a year. The main focus at this stage is on the critical Pharmacovigilance processes and the key control systems relied upon for Pharmacovigilance activities. The final stage of risk assessment is done via operational level audit planning resulting in an actual audit plan which comprises of risk prioritisation, sampling and design, grading, and results and reporting of audit findings.

The audit findings should be in line with their relative risk level and the grading should be documented in an audit report and then communicated to the management in a timely manner. Communications that involve critical findings requiring immediate action must be expedited to the superior management. The organisation must ensure that necessary action such as CAPA (Corrective Action, Preventive Action) is taken to address the audit findings.

To conclude, we are aware that every organisation is different, with a different attitude to risk, different structure, different processes and different quality systems. The European Medicines Agency (EMA) as well as the United Stated Food & Drug Administration (US FDA) and other regulatory agencies are now robustly conducting regulatory inspections based on the risk based approach. Considering the benefits of modern risk based audits and to comply with the global regulatory obligations, it is time for the pharmaceutical companies in all parts of the world to gear up for a Pharmacovigilance audit using a risk based approach.

(The author would like to thank Gayathri Subramani, Pharmacovigilance Associate and Ganesan Ramakrishnan, Drug Safety Manager from Oviya MedSafe for their valuable contribution in preparing this article.)

  1. Guideline on good Pharmacovigilance practices (GVP), module I Pharmacovigilance systems and their quality systems library/Scientific_guideline/2012/06/WC500129132. pdf
  2. Guideline on good Pharmacovigilance practices (GVP), module IV – Pharmacovigilance Audits library/Scientific_guideline/2012/12/WC500136233. pdf
  3. Chartered Institute of Internal auditors, UK risk-based-internal-auditing/
  4. Information Systems Audit and Control Association (ISACA),
  5. Institute of chartered accountants Australia (ICCA),
  6. Thomas M, The seven step process to risk based auditing, Institute of Internal Auditors, 2003, 3 (4).
  7. Spadaccini D, Difference between Traditional and Risk Based Auditing, 2010, documents/spe1357341.pdf