FAQs Regarding the Audit Process

1) What is an audit?

An audit is a systematic independent examination of trial-related activities and documents. It is limited in scope, as it is a snapshot in time and examines a subset of subjects. Audits are used to determine whether data were recorded accurately, and whether study activities were conducted according to the protocol, regulatory requirements and existing SOPs.

2) What is the difference between auditing and monitoring?

An audit takes a one-time snapshot look at a trial; whereas monitoring oversees the progress of a clinical trial from start to finish.

3) Why was my study selected for an audit?

This depends on the type of audit:
Routine Audits: selected by RCQA using a risk-based approach based on criteria such as the following:

Level of risk to subjects

Investigators holding an IND or IDE (sponsor-investigators)

First-time investigators

Investigator-initiated studies

Investigators overseeing a high number of studies, etc.

*Directed Audits:* “for cause” audits, based on identified concerns about human subject safety and/or regulatory compliance.

These may be directed by individuals such as the Institutional Official (IO)/Vice Provost for Research (VPR), the Associate Vice Provost for Human Subject Research, the IRB, etc. They may also result from complaints reported in person or via “CaneWatch.”

There can also be (routine or directed) Focused Audits which examine a particular aspect of a clinical trial, such as the informed consent process.

4) I have heard that audits take a lot of time. Does the PI need to be present during the whole audit?

No, the PI does not need to be present for the duration of the audit; however, the auditors would like to meet with the PI at least twice—first, prior to the start of the audit to review the scope and the study protocol, and second, at an exit meeting to review the outcome of the audit. If the PI is unavailable, the auditors may begin the audit if a study team member can provide the study records for review; a meeting with the PI is then scheduled as soon as is feasible.

5) I am really busy, and my coordinator is on vacation—can we do this audit another time?

RCQA is always willing to work with the PI on timing. The goal is to get the audit done as soon as possible while causing the least amount of disruption to the site’s operations.

6) Does the PI need to cancel patient appointments?

No, we will not ask you to cancel any clinical activities. We want to conduct our audits with as little disruption as possible.

7) OK, but how long will this audit take?

The duration of an audit may be affected by several variables such as the type of audit, complexity of the study, number of subjects enrolled, number of protocol procedures, etc. On average, full audits typically take 3-5 days at a study site. Focused audits are usually completed in less than a day.

8) Why do you copy all those people when you send out the audit notifications and the audit reports?What should I do with the audit report?

Senior University leadership requested these notifications so that the leaders responsible (Dean, Chairs, etc) are able to keep abreast of research compliance in their respective areas. This communication promotes accountability and awareness, and allows leaders to be proactive.

9) I conduct social/behavioral research. Will I be audited for compliance with FDA regulations?

No. We audit studies only against the standards and regulations that apply. All Human Subjects Research at UM must comply with the policies outlined in the UM Investigator Manual. All Human Subjects Research except Social/Behavioral Research is also subject to International Conference on Harmonization (ICH) Guidelines for Good Clinical Practice (GCP). Additionally, FDA and OHRP (Office of Human Research Protection) regulations may apply depending on the type of study you are conducting and whether it is supported by the PHS (Public Health Service). Please call RCQA for any questions you may have.

10) How do you decide what findings are high, medium, or low significance? Do these categories relate to “serious” noncompliance?

These categories are defined succinctly by a Table on the first page of every audit report. In general, a finding is considered of “high” significance if it appears to pose a significant risk to subject rights and/or safety, or to data integrity, or to represent a major deviation from applicable regulations, policies and/or procedures. These are findings that need to be corrected as soon as possible. “Medium” findings are deviations or deficiencies in compliance with regulations, policies, procedures, or data standards, which if not corrected may lead to serious issues. “Low” findings are generally those that should be corrected (but are not urgent) and that should be taken into account for quality improvement purposes. There is no algorithm linking the number and/or category of findings with a determination of “serious noncompliance” by the Serious and Continuing Noncompliance Committee (SNCC). Rather, the SNCC takes into account the totality of the findings and their potential impact.

11) Who is responsible for writing the audit response?

The audit report is issued to the PI and it is the PI’s responsibility to write the response. It is very important that the PI responds to his/her own audit report so that he/she is fully aware of all proposed corrective and preventive actions and is able to carry them out. RCQA will work with the PI and study team by providing feedback and recommendations on how to write a good response.

12) Some of the findings in my audit report are also findings for the IRB. Does the IRB have to provide responses to these findings?

A section of our audit report (Section 12) is dedicated to IRB findings (Review and Approval of Research); the PI does not need to respond to these findings. Instead, the IRB has to provide RCQA and the Institutional Official with a written response to their findings. These IRB responses are evaluated using the same criteria as for the PI responses, which means that they must specify both corrective actions and preventive actions.

13) What happens after the audit takes place?

An audit report is issued to the PI, copying cognizant UM officials (Chair, Dean, IO, etc).

The PI’s written response is expected within 10 days of the issued audit report. 

The audit report and the PI’s response are provided to the IRB/HSRO, with copies to cognizant UM officials. 

Audit reports and PI responses are forwarded to: 

The Serious and Continuing Non-Compliance Committee (SNCC) which determines if audit findings constitute serious non-compliance and/or continuing non-compliance. 

The relevant IRB Board, which determines if the PI response to the audit is appropriate and sufficient or whether additional actions are needed. The IRB may also ask for a follow-up audit. The IRB’s determination and/or further actions will be described in an IRB determination letter.

14) My study Sponsor has requested a copy of the audit report. Am I allowed to provide this?

Internal audit reports, Federal inspection notices/correspondence (e.g. Forms FDA 483, Untitled Letters, Warning Letters, etc.) and other such documents are confidential and must not be shared with any 3rd parties, including, but not limited to, study Sponsors. However, a specific Sponsor-related finding can be shared with your study Sponsor. Please check with RCQA if you are unsure what can be shared.

15) Do you provide FDA with a copy of my audit report?

Internal audits are part of a rigorous quality assurance program that is designed to encourage candor and collaboration between Investigators and the various components of UM’s Human Subject Research Protection Program (RCQA, IRB, etc.). For this reason, it is RCQA’s practice not to provide internal audit reports to the FDA (or other regulatory bodies). While the University wants to demonstrate full cooperation with Federal agencies, the risks and benefits of full disclosure are considered on a case by case basis, and in rare instances UM has had to cooperate with federal agency requests for internal audit reports in order to avoid an escalation in regulatory action or the prolongation of a federal audit.