Remote Audit Resilience
Full transcript below:
Heatherly Bucher:
On behalf of Arena, I’d like to welcome all of our customers to this fourth event in our series on Get More Done. “Audits: Ready, Set, Go.” We hope you and your families are healthy and safe. We know these are challenging times, as many of us are facing new changes with the pandemic, new workplace regulations, and virtual audits. During the next hour, you’ll hear our panel of customers and one of our own Arena experts in this area share their experiences in compliant processes, responding to new regulations, and hosting virtual audits regardless of the regulations you must follow.
I’m now going to hand over to Ann McGuire, our Product Marketing Manager, who will be moderating the panel discussion today.
Ann has over 20 years of experience in product and quality management processes, particularly within the life sciences industry. I’m going to hand it over to you, Ann.
Ann McGuire:
All right, thank you. Now I would like to introduce our great panel lineup for today. Ginger has been in U.S.-based manufacturing and design for over 25 years. She has been directly involved in audits for over 15 years, and she led the Arena implementation team at Morey four years ago. Richard is a medical device professional with over 30 years’ experience with medium and small companies across medical therapeutic areas and device types. He successfully hosted QMS audits with foreign and U.S. regulators using Arena on-site and remotely. Jeff currently serves as Arena’s Information Security Officer. He has over 20 years’ experience in the areas of information security and audit and compliance.
Prior to joining Arena, Jeff spent seven years in financial services and over 10 years as a leader at Coalfire. There, he provided assessment and cybersecurity services to customers across various industries. We’d like to welcome, and we’d like to start with a quick poll. We were interested in where you were with your audit processes today. You can see from the poll icon that the question is: if your audit process is online as a process in Arena, if it refers to accommodations and tools for remote audits, and whether it’s documented in a binder. Please check all that apply, and then we will circle back in a little bit to see the results.
If you’ve joined us for past events, you’ve heard us talk about the changes we’ve all undergone in 2020. Well, we still have to follow regulations, even some new ones designed to keep us healthy. At the same time, agencies continue to audit companies to make sure they’re compliant. So, how can we best manage compliance today? Let’s hear from our panel starting with best practices. Ginger.
Ginger Butz:
We are ISO 9001 and IATF automotive compliant at the Morey Corporation. One of our largest customers is Caterpillar, and we also have medical customers, so we manage our entire business to the most stringent regulations. For following guidelines for Caterpillar, we make our work instructions, our operator instructions, rev control, all follow the highest level of regulation so that we’re not missing anything and there are no gaps for any of our customers.
Richard Balano:
Hey, Ginger. This is Rich. I was curious, do you guys have somebody on staff that looks at the regulations looking for the most stringent aspects?
Ginger Butz:
Yeah, absolutely. We have both account managers and document control team members that do that. Our audit guidelines address special characteristics. We go through our customers’ supplier quality manuals. We document anything that might be above an ISO standard or an ISO requirement. Then we document those in Arena. Then each quarter we review to see if any of our customers have released any new supplier quality documents to make sure that the requirements haven’t changed, because from quarter to quarter or year to year, they could possibly change. We want to make sure that we address those.
We manage that process in Arena Projects. If they haven’t changed, we sign off on the project in Arena and record that no new requirements are in the supplier manual and close that task. Then we have the next task to do with the next quarter. If things have changed, then we document those and we rewrite the instructions for the customer.
Richard Balano:
Yeah. In the pure medical device world, there’s a number of quality system standards that apply, ISO 1345 as the primary one internationally, but that gets interpreted in a number of different ways depending on the jurisdiction. Then, of course, there’s the U.S. FDA QSR or 21 Part 11, Part 820 quality system regulations. They’re fairly similar, and FDA has actually been trying to go towards the ISO standard a little bit more, but then on top of that, you’ve got all the national requirements for medical device approvals and you can get quite a bit of competition between what, say, Japan versus China versus South Korea versus Europe versus Australia, all the different jurisdictions, will require.
In one example, a really stringent requirement for product changes actually comes from Japan, where they generally want to see virtually every single change that you make. As minute as you might think changing a thread size on a bolt or a nut might be, they want to know about it generally, and it can be very difficult sometimes, but you can manage that pretty successfully with setting up your system appropriately.
Ginger Butz:
Yeah, we experience that as well. The nice thing about that is that the outcome by managing to that higher regulation or higher requirement or standard is that it’s better quality for all customers across the board. That’s what we found. That’s why we managed to that highest level of regulation and it really does improve the entire quality for all of our customers.
Ann McGuire:
Well, I bet the customers appreciate that. Richard, you mentioned the over-the-top stringent requirements. I’m hearing that you don’t want to apply those across the board. So, how do you manage those?
Richard Balano:
It’s a great question. Generally speaking, if you have the need to spin off a particular SKU that lives a different regulatory life, you can do that. A tool like Arena makes it very easy to duplicate BOMs and structures. You can split out and make, say, a Japanese SKU or a Chinese SKU that might, again, live a different regulatory timeline and be managed differently because of the notification requirements associated with that.
Ginger Butz:
Yeah, we have the same thing at Morey. We have a part number. For example, we have two products, one that we sell into China and one that we sell the rest of the world. There are some slight changes in the requirements and testing. So, we have two top-level part numbers that we manage in Arena with two different bills of materials so we can call out those different requirements. It works out very well for us.
Ann McGuire:
For our customers who are looking to scale by entering different markets, Ginger, what else would you recommend they do to be audit ready?
Ginger Butz:
One thing that we did at the Morey Corporation is we certainly involved our document control team in the implementation. They were part of the implementation team right from the beginning, and it’s not a huge team. We only have two people in our doc control and there’s about roughly 80 people in our office staff, and two of them are focused on document controls. They do all the uploads for bills of materials, and they also support all of our audits. They do all of our files to make sure that they’re rev control and align with our customers. So, if you have a team that’s implementing Arena, it’s important that the doc control team is part of that because they understand Arena inside and out.
But also, if they’re doing the audits, it’s helpful because they know exactly where to find all of the information, they understand rev controls and files, how we write our engineering change orders [ECOs], what drives revision change versus a part number change. So, our small staff maintains very tight controls and auditors absolutely like to see that. Only our doc control creates part numbers and certain users can push ECOs, so that’s why we’ve been successful because it’s consistent and it’s very controlled.
Richard Balano:
Yeah. I would echo the sentiment of having a documented control or a configuration assurance department that is involved in audits, having the right people, that supporting the audit is key in dealing with some regulators, sometimes you set up a front room and a back room depending on how the flow of the audit occurs, as far as on-site audits, but as far as dealing with the resources, it comes down to making sure that you have the right people in the room with the auditors, making sure that they’re experienced with finding documents, that they know the structure, they know, for example, where all the elements of a design history file are, which can be structured in Arena and created with a bill of documents, for example.
There’s a need to make sure that your approval matrix is appropriate, and you have value-added reviews and approvals for all the documents that are potentially presented to an auditor. If that’s done well, then there shouldn’t be much concern about what pops up real time.
Ann McGuire:
Great. We are ready for our poll results from that first poll. Let me switch over and share that. Let’s see, we have about, almost, half the people do have their process online with Arena and only 14% have it also in a binder or only in a binder, and only half are referring to accommodations and tools for remote audits. I hope from this discussion, you get some ideas about what you can do, if needed, to accommodate those virtual audits. Okay, let’s go back to our panel. The next question I have for you is, how do you develop processes that are compliant, so you’re prepared for an audit at any time? What tactics or tools help you make sure all your bases are covered? Jeff, I’d like to bring you into this conversation.
Jeff Baer:
Sure. Well, when I was at Coalfire, one of the things that we did was to help companies be compliant with industry requirements. One of the first things that we would do with our clients is to create a controls matrix. We’d map out any regulations, industry requirements, audit controls, or others in one location. When you map them all together, you see where they overlap and what controls are meeting what requirements. If you have multiple sets of regulations or requirements you’re facing, it’s important to pull them in a single location where your teams have complete visibility into what you’re supposed to be doing and what controls you have in place to ensure that you’re meeting the various industry requirements.
In general, if you have various types of regulations or industry requirements, it’s really important to map them out so that you really have a good visibility into what you’re supposed to be doing and how you’re actually executing against that. As it relates to the ITAR environment that we implemented in GovCloud last year, that’s one of the first things I did at Arena. What requirements controls we already had in place. We were SOC 1, we since pivoted to SOC 2, FDA. We have all these different things that we’re doing to enable our customers’ compliance. We also have our own series of things that we’re doing to be compliant with our own audits and also to meet customer needs. Understanding those requirements, what they are, the overlaps, what controls are tied to which requirements, do we know why it is that we have certain controls in place, which is really important.
At Arena, we’re actually leveraging a couple of different things. We’re using Arena’s Projects module. We’ve got our SOC 2 controls within the Projects module with stakeholders or owners assigned. When we have an audit, we can see the progress in each and every control. We know how we’re doing at any given time throughout the audit process. The Projects module in Arena, it does take a lot of time and effort to get it customized and established to your own needs. But once that’s done, there’s no question that they help not only facilitate the audits, but also give you good visibility into your overall compliance.
We also use the quality processes for all the security questionnaires that we get from our customers. We implemented that recently, and it’s working very well for us. We’re able to manage what can be a significant influx of questionnaires in an orderly fashion, so that each one is addressed within a reasonable amount of time.
Ginger Butz:
Now, Jeff had mentioned the Projects module in Arena. We use that at Morey as well. We use it to implement all of our ECOs. So each ECO has a series of tasks in different functional areas that have to be completed before we actually implement the ECO. We make sure that the files and prints are updated and that the customer approves it, make sure that purchasing has enough inventory on hand. So, each item has a project task, and then the ECO is completed when all project tasks have been completed. As a result, every ECO has a matching project as well, which is great for the auditors to have visibility to that. Then they’ve seen everyone has looked at the ECO and finished their tasks associated with it.
Ann McGuire:
Well, it sounds like you have a high level of process control at Morey because you do have so many customers, and each of them have their own needs. What other factors play into the level of control needed for your organization? Let’s start with Rich on this one.
Richard Balano:
Yeah. FDA and medical device regulators generally, internationally, are digging deeper and deeper into supplier assurance, and they recognize that a lot of the problems come from components or raw materials in many cases, or traceable to that. We found that instituting better communication with suppliers is a key level of control, sharing a seat, for example, on Arena, in prior companies has been very successful. Allows the supplier to reach in, see what is coming for changes, and provide a handshake between OEM and component manufacturer or contract manufacturer, and ensure that there is a nice level of control between the two. I would say, from what Ginger described, I would say our level of control is not exactly the same as Morey.
We generally empower the engineers to initiate, create items in their own ECOs, or DCOs in our case, but it’s overseen by a document control administrator who can cross Ts and dot Is, or reject and send things back for revision. In that way, we make sure that things are ready at any given time for an auditor to walk in the building. All the engineers should know the steps, but it doesn’t prevent obvious minor mistakes in the future. One other aspect of control is having an effective training system. The system actually has been very nice, has a nice ability to apply quizzes for any items that we have, and you can define items in a training plan and then associate training plans with employees, groups of employees. It’s no longer just this “read and acknowledge,” but you have actual quizzes associated with that content and can show training effectiveness, so it’s pretty slick.
Jeff Baer:
We’re training internally as well. We have about 60 different items within the training module. It’s a core part of what we do as it relates to, not only our requirements for our SOC audits and other industry requirements, but for our customers. We have a number of customers that require that we do certain types of training, like privacy or security awareness training. We use the Arena training module to keep track of all the different items, who’s trained on them, when they were trained, was it done within the required timeframe, etc. It’s really a great tool and we’re continuing to make it better.
Richard Balano:
Just one more thing to throw in. I mentioned ISO 1345 being the international medical device manufacturing standard for the quality systems. It went through a transition fairly recently, 2016, and one of the hot buttons that all the notified bodies or all the registrars were focusing on was training effectiveness. The aspect of being able to tie procedures or work instructions, or actual items, to a risk-based assessment and having an integrated risk-based system that would allow you to make quizzes, commensurate, the difficulty of passing a quiz commensurate with the risk associated with that procedure or the item, or again, whatever you want to associate the training plan with.
You could very strictly control who was competent or who passed their competencies, or who might need additional review and help in getting through a quiz and understand the material that is in the training plan. It provides a very visible system for assessing the training material and visibility on training effectiveness.
Jeff Baer:
One of the things I’d like to add about that training module is that it’s very customizable. We have some training plans that are for all employees, like, again, security awareness. Then we have very targeted training, too, for different departments or for different areas of expertise. We really use that flexibility by defining dozens of different groups. They get their own targeted training program. So, the customization is actually very valuable.
Ann McGuire:
Yeah. Well, thank you. This is all interesting. Continuing with training, does anyone have stories about how you’ve used training lately to respond to quickly changing regulations?
Richard Balano:
Actually, we had a very poignant example in these last few months with the COVID-19 situation. We had to respond very, very quickly to be able to allow folks to work in our lab and demonstrate to the regulations or the requirements that were passed very quickly in Massachusetts requiring training, PPE training, awareness of the general requirements to wash hands, to don PPE equipment and do daily cleaning and things like that. We were able to put a system into place very quickly and allow that to facilitate us going back to work and doing it effectively.
Ann McGuire:
Good. Well, I hope those regulations keep your employees safe as they return to their work. We’re going to do the next poll results, or the next poll, but first I wanted to remind people to put your questions using that question feature in the events program. It is time for our second poll, which is about your experience with remote audits. You can see, we have three answers. You’ve had at least one internal or external audit. You have an external remote audit … internal or external remote audit, I should say, or you’ve had a remote audit planned, or you don’t have any experience with remote audits yet. Go ahead and answer that if you haven’t already, and then we will, again, circle back to get the results.
Speaking of audits, let’s continue with audits. What are your best practices with conducting audits with Arena? Let’s start with Ginger on this one.
Ginger Butz:
I would say during a virtual audit, because a lot of … right now we’re moving in that direction, so during a virtual audit, an auditor can see an audit trail very easily using Arena. For example, Morey is a contract manufacturer. A part may go to a long lead time, or it might get obsolete, and we use SiliconExpert, and they trigger us to tell us that that part is end of life and so we need to notify our customers. Now, I own some of our designs, but I don’t own all of our designs. What most of our work is, what would be called “build to print,” meaning the customer owns the design. I can’t make any changes on my own to the process or any part number on the bill of materials.
If I get that kind of a notification from SiliconExpert, I need to reach out to my customer because I need to make sure that they approve any additions or subtractions to their bill of materials. I get the notification that I’m no longer to purchase the part, I need to reach out to the customer, get approval, change their prints, they send us a new print, and then I add that to the file with the new revision. Next, I would write an ECO to make that change to the bill of materials. The nice thing about using Arena for all of those activities is that, whether an auditor is virtual or they’re right on-site with us, we can share our screen and Arena, and they can see that entire trail of how all of those activities happened. There’s a timestamp with those, there’s evidence with that, and so it’s very easy for an auditor to follow along.
Richard Balano:
Yeah. Throwing just some experience that I’ve had with some international audits in terms of some best practices, and being able to contrast, compare and contrast doing audits manually. We have a paper-based system versus online. We had, as an example, just South Korean authorities that wanted to visit one of our contract manufacturers. They actually did this a couple of times over a couple of years, and they chose different contract manufacturers at the time. This is at a previous company. We had the same situation, where the on-site audit was at the contract manufacturer, and it was all manual. It was frankly very slow because you had to go find a document, you had to either make copies for the additional auditors, or whatnot.
Whereas, the virtual part of it, or the onscreen part of it for design controls, which is what the OEM was on the hooks for, the contract manufacturer obviously, who’s doing all the criminal control, the production control, calibration, things like that. The OEM, we were in charge of the design history file and whatnot. Inevitably, the electronic part would always go so fast to the point where you could look at 80-20, 80% of the audit was focused on the paper part of it. Whereas, 20% of the audit was very quickly done through the specification, the design specification trace back to risk management documents and design inputs. You had all that right on the screen.
It was a huge contrast between manual systems and electronic systems in terms of like a best practice. Going electronic is really the only way that I could see having a successful audit.
Ann McGuire:
Great. Thank you. We are ready for the poll results, and I’ll share that. Let’s see. Okay. Oh, wow. Over half of you have already had at least one remote internal or external audit, and then another big number, 40%, don’t have any plans for a remote audit yet. Well, I hope this is just another reminder for your questions, whether you’ve had some experiences that lead to questions, or if you want to be ready for that first one, please put that in the questions. Now we have one more … All right. Looking ahead beyond 2020, what do you see as the future of remote audits?
Richard Balano:
Yeah. I’m seeing a lot of change. If you visit the notified body websites, if you look at DEKRA, TUV, BSI, they all have some reference on their websites about doing remote or virtual audits. Based on what has happened over the last three, four months, I would say, this is really how things are going to go in the future. It seems like it’s being validated as an effective way of doing an audit, especially if the company is able to project things remotely with the system, like Arena. My guess is FDA is probably going to follow. It’s hard to imagine them not doing so. The technology’s there. I think you can easily see how … When you’re projecting on a big screen for an auditor who is on-site, there’s virtually no difference.
Ginger mentioned this before, there’s almost no difference between having them on-site versus projecting it remotely. I think people are starting to realize that, and they’re starting to see that everything that you produce under normal circumstances, whether it’s documents, records, procedures or complaint logs, or lists, those are all things that make up what you project. As long as there’s no problem there, that’s probably what’s going to be happening in the future.
Ann McGuire:
Great. Well, Jeff, you’ve been with Arena for about two years, and you’ve done a lot since you’ve been here, not the least of which is getting Arena onto the AWS GovCloud for ITAR companies. What could you share with our customers about that process of getting us onto ITAR?
Jeff Baer:
Well, for those of you that work either with or in a supply chain supporting the DOD, you’re likely aware of controlled unclassified information, and also known as CUI. We decided to build an environment within the AWS GovCloud that would be capable of protecting CUI and meeting the requirements. We felt it was very important to bring in a 3PO or a third-party expert to advise us on that journey. They performed a gap analysis against the various frameworks required to be in place, helped some facilitated sessions for us to really understand the requirements and how they apply to our environment, and let us know what things we needed to do to move forward.
Once they delivered their reports, we were off to the races, implementing and enhancing controls to meet the requirements. Since that time, the requirements for [inaudible] CUI have actually changed. We are now focused on what is known as CMMC compliance, which is a framework that was published at the end of January. Again, we’ve brought in a third-party expert to advise us through that process, and we’re currently working diligently to meet that new standard.
Ann McGuire:
Great. Well, thank you so much. It’s time for … we’ve had a great time sharing with you today, and we encourage you to stay for a few minutes for Q&A, because we also have some truly fantastic swag to give you after this question session. With that, let’s move to the Q&A portion of today’s event. Let’s see. We have some questions have come in, and you can continue to ask questions, you continue to upload questions if you want as well. This one I’m going to start with, I’m going to guess Ginger for this first one, which is, what Arena world do you find most useful for managing and mapping compliance requirements? I can think of many different ways to approach it.
Ginger Butz:
We have been using Projects as I talked about, because we can create a project for a specific part number. Then under that part number, where it’s associated, we can then go in and create tasks that are associated to each quarter, and then on a quarterly basis, we go in, we make sure that we’re still compliant, and then we have the appropriate people tagged to those tasks, and then they can put notes into it. They can attach files. For example, we have some compliance testing that we have to have for a China audit for one of our products. So, we can attach the test results then to that task and project, and then we close it out.
Then when we get audited every year by China, they can come in and see exactly what we’ve accomplished, and the test results are right there attached in the project task.
Ann McGuire:
Wow. Yeah, that is powerful. Jeff, did you want to add to that?
Jeff Baer:
I would agree with what she said. We use the same project module internally, and I think Ginger answered it well.
Richard Balano:
I’m sorry. I just wanted to chime in about the quality world. In the medical device world where processes are repeated often, like you have a complaint process, you have an NCMR process, you have, say, a recall process, you have a management review process, you have all these things that get repeated, and you can set those up in the quality world as processes, as workflows. To me, that, it’s very similar to the projects. Whereas projects were probably, as Ginger was pointing out, is like, well, for a particular client, you’re going to customize that project in a particular way; in my world, it’s a little more needing of consistency. Just, you repeat the same thing over and over again and treat it the same way. From a compliance perspective, the quality world is kind of key for me. Just adding a little color there.
Ann McGuire:
Yeah. I can imagine that, and I can imagine for any OEM that needs to adhere to the same regulations. Yeah, maybe that quality, more of a fix would be the way to go. Yeah, that’s interesting. Okay. The next question is actually for you, Richard. It’s about medical devices. How do you address, you mentioned risk a little bit, but how do you address risk management? Do you use Arena or do you use something else along with it?
Richard Balano:
Yeah, so when we’ve had the opportunity to implement Arena across all our functions, it’s absolutely key. I mentioned the workflows that have the ability to carve out custom attributes, and those custom attributes can be populated with the FMEA indexes or indices, that you create during your risk management. Creating say, for example, FMEA, and you’ve got all these potential hazards and harms and what your mitigations are. Each of those is associated with an index that you have applied.
Those indices can be populated in whatever untoward event occurs, and you can think of, well, NCMR, nonconforming material report, or you can think of a customer complaint. You can think of a recall. You can think of, also, any kind of CAPA activity, or even preventive actions. All these things can be given a custom attribute that allows you to cross tabulate these risk indices. So, as long as you’ve got an integrated system, your risk management system is integrated across your entire quality management system. That’s a really cool thing about being able to implement Arena from the ground up, is you can design it so that everything, all these workflows are talking to each other, and at the end of the day, you can produce a report that says, well, show me the top five risk-related indices from my complaint system or from my NCMR system or from … and you can just do simple queries and be able to run reports and produce all the documentation that you need to ensure that your quality system is effective and that you are in a continuous improvement way of behaving.
Ann McGuire:
Yeah. Yeah, that’s good. Let’s see. I would like to ask, the next one is for Jeff, what is your change control process for the customer security questionnaire?
Jeff Baer:
Sure. When we receive those questionnaires, the Arena person who receives it, they put it into our quality process. That quality process has a number of different phases. Each phase relates to a different team—as those teams are going through and doing their part of the questionnaire, there’s actually a sign-off that occurs. So, it goes through all the different phases, different sign-offs. Then in the end, there’s kind of a QA process that we do as a final sign-off before those questionnaires get redistributed back to the customer that submitted it. So, a series of reviews of various teams that are involved, and also sign-offs within the application to ensure that we’re delivering consistent and accurate information back to our customers.
Ann McGuire:
Yeah. Wow. Yeah, that’s great. I know you get a lot of those, so it’s good to have a good process. The last question we have, and remember, it’s not too late to add one is, well, I guess we’re getting close on time, is have any of you, so I’ll throw this out to all three of you, have any of you had a bad experience with a virtual audit? Has it backfired because, for instance, they had too much information at their access? Who would like to start with that one?
Ginger Butz:
I can start, if you’d like me to. So, we have not had a bad experience with a virtual audit, quite the opposite. If I am going through a process with an auditor, it’s very easy for me to show them I can go into the part number and I can do revision history, and then what comes up are all the ECOs, and then if I click on the ECO, it says, what exactly changed on that ECO, and if it went from rev A to rev B, and they can easily follow through all of the revision changes associated with an ECO. So, it’s been easy to show confidence in our process because everything is documented right there in the tool.
Jeff Baer:
Yeah. I would agree with that as well. We have not had a negative experience so far. As a matter of fact, I would say it’s actually gone more smoothly now [inaudible 00:45:01], because with the virtual audit, you’re more reliant on technology. The Arena platform for us has really enabled us to share documents and evidence with our auditors in a controlled fashion. It’s really actually been a great experience. I was honestly nervous about that first one. But since then, it’s gone very well.
Richard Balano:
I would echo Jeff and Ginger’s comments 100%. Inevitably, having been part of a larger organization and being like one division that was doing a virtual audit, or projecting information from an EQMS system or Arena to an auditor, always, the first time it happens is a very nervous thing. But once you get into it, you project, just as Ginger explained, a level of confidence, a level of just knowledge of your system that I think hits, or makes an impression upon the auditor and gives them a very good feeling that you are in control of your quality system, and you’ve got your fingers on the pulse of everything going on in the company, which is really what they want to see. That tends to make audits shorter. It gives a lot more room for a little bit more chit chat and less digging.
Ann McGuire:
Thank you.