Data Integrity: The New World of Virtual Audits and Investigations
The Covid-19 pandemic has disrupted our world, our work, and our work habits. Despite our growing use of technology and ability to navigate the world from a cell phone, the abruptness and forced global migration to the virtual workplace has robbed us of personal interaction. The virtual interconnectivity that was once a convenience is now a critical modus operandi, sparing no time to compensate for the loss of face-to-face communications and direct connections.
This change of venue and routine presents a challenge particularly for those of us responsible for the integrity of GxP data. The essential data generated in support of life science innovations, advances that enhance the well-being of patients, must still be audited to ensure integrity, regardless of the difficulties in conducting effective investigations in the virtual environment.
Data integrity audits depend heavily on direct observation, verification of raw data, and the soft skills and acumen to finesse the root cause of critical data integrity lapses, particularly when that cause may involve the human element. Consequently, conducting data integrity audits and investigations remotely requires a new strategy, one that can adapt vital in-person techniques to virtual constraints.
Face-to-Face
In the realm of videoconferencing, the employment of soft skills is vital. Expressions of attentiveness, neutrality and empathy, components essential for successful communication, rarely translate on a blank screen or in the intermittent silence and lag of a teleconference. Where auditors and investigators are not acquainted with their hosts, the impact of a visual interpersonal exchange should not be underestimated. For planned data integrity audits and investigations, a virtual meet-and-greet can set a collaborative tone and encourage transparency. Where activities are unannounced, relying on elements of unexpectedness, a visual interface may aid in managing the normal apprehension of individuals who suddenly find themselves the focus of data integrity inquiries. In the event of sensitive interviews or – worst case – suspicion of intent or fraud, being able to observe emotion and read body language is critical.
Pre-Audit Preparation
Preparation lays the groundwork for a successful remote strategy. In advance of conducting data integrity site audits, the topics of virtual platforms, technology, record management plans, pre-audit documentation requests, audit plans and investigation protocols can be researched, and decisions can be made. Platforms such as Microsoft Teams, GoToMeeting™ and Cisco Webex are reliable and secure. These or any virtual technology that leverages cell phones, cameras, selfie-sticks, tripods, headsets or bodycams should be tested in advance to ensure both the host and auditors have the technical capability to support the chosen applications and have the time to become familiar with their use.
Many organizations have strict policies governing the exchange of confidential information that may cause significant delays and raise barriers if not identified and resolved prior to an audit or data integrity investigation. A records management plan should be developed mutually to include selection and design of a secure shared-document repository, encrypted delivery of sensitive documents, management and organization of pre-documentation requests and data exports, tracking of reviews and feedback, and storage of evidence.
Well-planned audit agendas and investigation protocols are critical enablers for remote data integrity activities. Standard document requests include governing policies and SOPs, deviations, investigations and resulting CAPAs and OOSs, lists of key organizational personnel and their roles, and recent inspection histories. These should be enhanced to request data governance plans, data integrity program documents, data integrity metrics, quality review outputs, data process maps and data flow diagrams. All these documents should be reviewed with an eye to the audit agenda and/or data integrity protocol design. Auditors and investigators who have become familiar with the way an organization manages, generates, stores and archives data across GxP processes can then design agendas and protocols that facilitate the right subject matter experts at the right time to assure a targeted assessment.
Audits, Investigations and Forensics
Robust data integrity audits and investigations are historically contingent upon onsite “sweeps” and “walk-throughs.” Typically unannounced (or at least somewhat unpredictable), these activities are highly effective in uncovering data integrity risks and lapses that would otherwise go undetected. Manual uncontrolled documentation, scrap paper, post-it notes, discarded electronic data, and GMP processes and data managed outside the official quality management system can be more difficult to identify without benefit of direct observation or a sweep through workspaces and trash bins. And the benefit of spontaneous inquiries with personnel observed during a walk-through can go unrealized in a remote audit or an investigation limited to specific invitees.
Then again, using virtual technologies offers exciting new possibilities to achieve meaningful oversight. Walk-throughs and sweeps, facilitated by an onsite colleague, can be enabled through camera devices and software, some of which offer panoramic views that can feed to multiple participants. Through such devices, audit teams and investigators can survey a facility and communicate in real-time with their hosts, direct spot-checks of documentation, look at data in locally stored environments and get visuals of trash bins and shredders. This approach also allows the onsite auditor to stop for conversations with GMP employees observed along the virtual tour. Articles or sights of interest can be photographed immediately, records can be retained, and interviews can be documented.
Electronic data sweeps can be managed through screen-sharing, data exports and tools designed to query data files. For more routine data integrity audits or investigations, those that do not carry a component of intent or fraud, general queries and review and analysis of exported data may suffice to reveal patterns of interest. Use of basic tools, such as pivot tables in Excel, or data visualization tools, such as Tableau, may also prove helpful. If critical breaches or regulatory deviations are observed, forensic strategies and other tools may be required. Programs that extract data, including full text and metadata, offer key-word search capabilities to aid analysis. Databases, emails, desktops, shared drives and audit trails can all be exported and analyzed remotely. Other applications may be used to scan system files and folders to identify deletions, otherwise undetectable during a system review, and restore such data.
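As an added illustration of the pivot-style review of an exported audit trail described above (not part of the original article), the following Python sketch tallies actions per user and lists records that were deleted and later re-created. The export layout, column names and the delete-then-re-create pattern are assumptions chosen for the example, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export; column names and values are assumptions,
# not the format of any particular GxP system.
SAMPLE_EXPORT = """timestamp,user,record_id,action
2020-06-01T09:02:11,analyst_a,R-100,create
2020-06-01T09:15:40,analyst_a,R-100,modify
2020-06-01T10:01:03,analyst_b,R-101,create
2020-06-01T10:07:55,analyst_b,R-101,delete
2020-06-01T10:09:12,analyst_b,R-101,create
2020-06-02T14:30:00,analyst_c,R-102,create
2020-06-02T16:45:21,analyst_c,R-103,create
2020-06-02T16:50:02,analyst_c,R-103,delete
"""

def load_events(text):
    """Parse the CSV export and return rows sorted by ISO timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    return sorted(rows, key=lambda r: r["timestamp"])

def pivot_by_user(events):
    """Pivot-table view of the export: user -> count of each action."""
    table = defaultdict(Counter)
    for e in events:
        table[e["user"]][e["action"]] += 1
    return {user: dict(counts) for user, counts in table.items()}

def deleted_then_recreated(events):
    """Record ids that were deleted and later created again (for follow-up)."""
    deleted, flagged = set(), []
    for e in events:
        rid = e["record_id"]
        if e["action"] == "delete":
            deleted.add(rid)
        elif e["action"] == "create" and rid in deleted and rid not in flagged:
            flagged.append(rid)
    return flagged

if __name__ == "__main__":
    events = load_events(SAMPLE_EXPORT)
    for user, counts in sorted(pivot_by_user(events).items()):
        print(user, counts)
    print("deleted then re-created:", deleted_then_recreated(events))
```

A flagged record is a prompt for an interview or a raw-data check, not a finding in itself.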
Health authorities and industry alike continue to experiment with various approaches to remote audits and inspections for data integrity. Some preliminary experience suggests that, with the right tools and a thoughtful approach to designing audit agendas and investigation plans, the outcome may be even more efficient, effective and cost-friendly than an in-person operation, especially when data analytics and virtual technologies are employed. The remote process will likely become more refined over time as legal, data privacy and security controls are enhanced. The challenge of the global pandemic has introduced new opportunities and ways of working to conduct data integrity investigations and audits, many of which may be here to stay.