Vendor Audits in Pharmacovigilance

Introduction

Outsourcing pharmacovigilance activities creates dependency.

When critical activities are performed by third parties, organisations must demonstrate that those activities remain under effective control.

Governance meetings, KPIs and contractual agreements contribute to oversight.

However, these mechanisms often rely heavily upon information provided by the vendor.

Audits provide something different.

They provide independent verification.

For this reason, vendor audits remain one of the most important tools within a mature pharmacovigilance oversight framework.

Why Vendor Audits Matter

Vendor oversight requires evidence.

An organisation may believe:

• Processes are functioning
• Reporting timelines are being met
• Quality systems are effective

An audit helps determine whether those assumptions are correct.

Vendor audits help answer questions such as:

• Are procedures being followed?
• Are controls operating effectively?
• Are responsibilities understood?
• Are compliance risks managed appropriately?

The objective is not simply to identify deficiencies.

The objective is to understand whether outsourced activities remain under control.

The Regulatory Perspective

Regulators generally expect organisations to maintain oversight of outsourced activities.

Inspectors frequently review:

• Audit programmes
• Audit schedules
• Audit reports
• CAPAs
• Follow-up activities

The absence of audits does not automatically indicate non-compliance.

However, organisations should be able to explain how oversight effectiveness is verified.

Audits are often one of the strongest forms of evidence.

Audits Within the Vendor Oversight Lifecycle

Vendor audits should not be viewed as isolated events.

They form part of a broader oversight lifecycle.

Vendor Qualification
        ↓
Risk Assessment
        ↓
Contracting
        ↓
Onboarding
        ↓
Oversight
        ↓
Audit
        ↓
CAPA
        ↓
Continuous Improvement

An audit provides an opportunity to test whether governance assumptions remain valid.

Audit Objectives

Audit objectives vary depending on the vendor relationship.

Common objectives include:

• Assessing compliance
• Evaluating controls
• Verifying contractual obligations
• Reviewing quality systems
• Assessing risk management
• Identifying improvement opportunities

A clear objective improves audit effectiveness.

Risk-Based Audit Planning

Not all vendors require the same audit frequency.

Audit planning should generally be driven by risk.

Examples include:

Low-Risk Vendors

May require:

• Limited audits
• Remote reviews
• Periodic assessments

Medium-Risk Vendors

May require:

• Scheduled audits
• Focused reviews

High-Risk Vendors

May require:

• More frequent audits
• Broader audit scope

Critical Vendors

May require:

• Enhanced audit programmes
• Senior management visibility
• Follow-up reviews

Risk-based planning improves resource allocation.

For additional information see:

[[vendor-risk-assessment]]

Audit Types

Several audit approaches may be used.

On-Site Audits

Auditors visit the vendor's facilities.

Advantages:

• Direct observation
• Staff interviews
• Process verification

Challenges:

• Cost
• Travel requirements
• Resource intensity

Remote Audits

Conducted virtually.

Advantages:

• Efficiency
• Lower cost
• Faster scheduling

Challenges:

• Reduced visibility
• Limited observation opportunities

Hybrid Audits

Combine remote and on-site elements.

Increasingly common within modern audit programmes.

Audit Scope

Audit scope should reflect vendor risk and activity type.

Examples include:

Case Processing Vendors

Potential scope:

• Case intake
• Data entry
• Quality review
• Reporting compliance

Literature Monitoring Vendors

Potential scope:

• Search strategies
• Screening processes
• Documentation

Safety Database Vendors

Potential scope:

• Data integrity
• Validation
• Security
• Change management

The scope should focus on areas creating the greatest risk.

Audit Preparation

Effective audits begin long before the audit date.

Preparation commonly includes:

• Reviewing agreements
• Reviewing previous audits
• Reviewing KPIs
• Reviewing deviations
• Reviewing CAPAs

Preparation helps focus attention on higher-risk areas.

Conducting the Audit

Typical activities include:

Opening Meeting

Defines:

• Objectives
• Scope
• Expectations

Document Review

Examines:

• Procedures
• Training records
• Quality records
• Governance records

Interviews

Assesses:

• Understanding
• Roles
• Responsibilities

Process Verification

Confirms whether activities operate as described.

Closing Meeting

Summarises observations and findings.

Audit Findings

Findings vary considerably.

Examples include:

Documentation Issues

• Missing records
• Incomplete procedures

Compliance Issues

• Reporting delays
• Process deviations

Governance Issues

• Weak oversight
• Unclear responsibilities

Quality Issues

• Training gaps
• CAPA weaknesses

The significance of a finding depends on both severity and risk.

Finding Classification

Many organisations classify findings.

Example:

Consistent classification supports risk-based follow-up.

CAPA Management

An audit is valuable only if findings lead to improvement.

Corrective and Preventive Actions should:

• Address root causes
• Prevent recurrence
• Be tracked to completion

Weak CAPAs often focus on symptoms.

Strong CAPAs improve systems.

For additional information see:

[[vendor-capas]]

Follow-Up Activities

Audit closure should not mark the end of oversight.

Follow-up activities may include:

• CAPA review
• Effectiveness checks
• Targeted reassessments
• Additional monitoring

The objective is sustained improvement.

Common Audit Mistakes

Several weaknesses occur repeatedly.

Checklist Auditing

Audits become procedural rather than risk-focused.

Excessive Scope

Too many areas are reviewed superficially.

Weak Root Cause Analysis

Findings are identified but not understood.

Poor Follow-Up

CAPAs remain open or ineffective.

Lack of Risk Prioritisation

Resources are allocated inefficiently.

These weaknesses reduce audit value.

The QPPV Perspective

The QPPV may not personally perform vendor audits.

However, visibility remains important.

Examples include:

• Critical findings
• Significant compliance risks
• High-risk vendors
• Escalated CAPAs

Audit outcomes often provide valuable insight into oversight effectiveness.

Inspection Perspective

Inspectors frequently review:

• Audit schedules
• Audit reports
• CAPA records
• Follow-up activities

A common question is:

How does the organisation know the vendor is operating effectively?

Audit evidence often forms a significant part of the answer.

Characteristics of Mature Audit Programmes

High-performing organisations generally demonstrate:

Risk-Based Planning

Audit frequency reflects risk.

Clear Objectives

Audits focus on meaningful risks.

Competent Auditors

Auditors understand pharmacovigilance requirements.

Effective CAPAs

Findings drive improvement.

Continuous Improvement

Audit results influence governance activities.

These characteristics improve both compliance and oversight.

Key Takeaways

• Vendor audits provide independent verification of outsourced activities.
• Audit planning should be risk-based.
• Audit scope should reflect vendor activities and risk profile.
• Findings should lead to meaningful CAPAs and improvement.
• Follow-up activities are essential.
• Audit programmes support vendor oversight, inspection readiness and QPPV governance.
• Mature organisations use audits to strengthen systems rather than merely identify deficiencies.

References

1. EMA Good Pharmacovigilance Practices (GVP) Module I – Pharmacovigilance Systems and Their Quality Systems.
2. EMA Good Pharmacovigilance Practices (GVP) Module III – Pharmacovigilance Inspections.
3. EMA Good Pharmacovigilance Practices (GVP) Module II – Pharmacovigilance System Master File.
4. Regulation (EC) No 726/2004.
5. Directive 2001/83/EC.
6. Commission Implementing Regulation (EU) No 520/2012.
7. ICH Q9 Quality Risk Management.
8. PIC/S Guidance on Pharmacovigilance Inspections.