Re-establish Credibility following Unfavorable External Audit Observations

In the Quality Assurance (QA), Quality Improvement (QI), and Regulatory Compliance (RC) world, there is a mantra that serves as a reminder to be constantly prepared for an audit. In fact, most QA, QI, and RC departments have such preparation as the primary goal of their quality and compliance program implementation.

While the extent and degree of constant preparation for external audits lie with individual quality assurance and compliance departments, there is a "back end" (i.e., the audit response component) to external audits that lies not with the quality and compliance departments but with the requirements of external regulators. This "back end" goes beyond constant preparation to include a more systematic self-assessment and realignment. It occurs when an audit results in an unfavorable finding or observation by external regulators.

An external audit, whether it is a quality, regulatory, or systemic audit, is an examination and evaluation conducted by an outside reviewer such as a government agency or other independent auditors to determine whether quality and regulatory compliance activities and their results comply with established regulations or planned arrangements; and whether implementation is effective and suitable to achieve objectives.

The importance of knowing how to respond and provide systemic resolution to “issues” from an external audit cannot be overstated, regardless of whether the audit of your programs and services results in favorable or unfavorable audit findings.

In the organization's constant preparation for audit, the QA, QI, and RC department must always ensure that quality is built into their processes. Auditors are looking for current implementation of programs alongside how the organization develops and implements any corrective actions to audit observations. The organization's actions before, during, and after the audit can shed light on the organization's level of compliance.


Whatever you do, don't panic. Understand the Audit Findings and Citations.

  1. Take note of the auditor's feedback during and after the audit.

  2. Understand and evaluate the context of the audit findings.

  3. Solicit inputs from personnel involved with the audit.

  4. Solicit feedback from the auditors during the "exit conference."




The "Exit Conference" is the closing meeting at the end of an audit. The auditor meets with the organization's representatives to provide feedback on observations made during the course of the audit, as well as pertinent information, including the timeline for the final audit reports. The manner in which the organization approaches the exit meeting can have critical ramifications for the final results and the overall relationship with the auditing body.

Before attending the exit conference, consider the following:

  • Decide in advance how the organization is going to approach the meeting.

  • Have the appropriate personnel in attendance.

  • Will the organization's representatives be competitive, questioning every observation and attempting to get them removed?

  • Will the organization be all-welcoming, accepting every observation, even erroneous ones?

  • Who in the organization will comment on the observations?

  • Will the organization debate or disagree with valid observations?

A good approach is where the head of quality or regulatory compliance:

  • Hosts the audit and moderates the meeting.

  • Reviews each item with the auditor to effectively understand what they are citing. Guessing or speculating on the auditors' findings will affect the quality of response to the auditors' concerns.

  • Comments if errors are present. Asks for clarification, because like every human, auditors do make mistakes too.

  • If corrections have already been made – decides if he/she will indicate that fact here.

  • Discusses true points of contention, but doesn’t argue directly with the auditors. Note: (1) It is not best practice to argue every point or even a large percentage of them; (2) Be cautious in committing to anything during the exit meeting. The auditor is taking notes and will indicate that the firm “committed” to a particular action or time frame.


Things to keep in mind while the organization crafts its response to audit findings:

  • Don't give an auditor the "run around" for corrective actions or a cause to conduct extensive follow-up. To avoid this, make your response clear and detailed so that it does not create a cause for further information requests, a new review, and so on.

  • Adhere to a policy to immediately respond to critical deficiencies noted. Remember: This is the organization's chance to re-establish credibility with the auditor and those to whom the organization's reputation matters.




Your response to the audit findings is your opportunity to re-establish your credibility with auditors. Before you pen a response, get all the facts. Do the following:

  • Evaluate the current state of compliance relevant to the audit observation. Indicate what is compliant and what is not.

  • Identify the root cause of the issue. Understand how the organization will systematically resolve the issue identified.

  • Review prior commitments. Check for repeated deficiencies under the same types of system issues. Remember: Past commitments regarding deficiencies for which corrective actions were not implemented, or did not resolve the issue, may result in a more critical and robust audit evaluation, in addition to the likelihood of further regulatory actions.

  • Relate each observation to the appropriate compliance and/or quality system. Understand the area of impact of the issue in relation to the functions impacted by that issue.

  • Develop a corrective action plan around the entire scope of the issues noted.

  • Secure the required resources needed to complete the corrective actions in the time frame indicated.

  • Verify that responsibilities are assigned to key people and make them accountable.

      • NOTE: Assignments given to “departments” or groups of people are almost doomed to failure. Someone has to be in charge. Assign work, track, and modify the assignment as needed. Just as important, a single key individual, typically the head of quality, will need to be responsible for the overall work.




There are some basic rules regarding writing an audit response letter. Some or all of these rules may apply depending upon the particular situation of the organization:

  • Someone at a high level in the quality or compliance function should write the response.

  • Personnel copied on the response should include high-level management to indicate that management is aware of the issues and of the commitments being made.

  • Include a cover letter or opening statement. Thank the auditor(s) for being professional, providing insight, or other appropriate remarks as warranted. State the site address of the audit and the dates.

  • Always remember that you are writing the response to an auditing body, not to an individual auditor. Do not assume that the person reading the report understands the context of the observation or your reply.

  • Re-state the observation and reference number in the response. Typically, the observation goes directly above the response.

  • If possible, indicate the related compliant systems. This shows that you are in control and that some operations were functioning within acceptable oversight regulatory parameters.

  • If the action item is going to take some time to implement, state what will be done in the interim to be compliant with the oversight regulations.

  • Don’t simply indicate that actions will be taken in six months to correct an issue for which you are currently out of compliance without addressing what you will do to be compliant from the current date until the corrections are implemented.

If corrective actions have already taken place, indicate the following:

  1. Dates implemented

  2. Training performed (copies of training attendance sheets included)

  3. Copies of updated operating procedure – indicating what was changed.

  4. Copies of any other documentary evidence of the corrective actions



  • Define how enhancements will prevent recurrence of the issue observed. Don’t assume that the reader will understand this fact. Be clear, detailed, and concise.

  • Explain what will be done to expand, enhance, or streamline the compliance system.

  • Describe capacity-building measures, including training and education development. Allow sufficient time to implement changes to incorporate training that may include proficiency testing, where applicable.

  • Describe how the organization will monitor the progress and effectiveness of the corrective actions.

  • If possible, it may be helpful to explain that despite the observations noted, there has never been an issue with service quality, efficacy, safety, etc. It is not advisable to use this response tactic each time, but it can be advantageous for critical observations.

  • Revise, again and again. Allow other people not directly involved with the audit to review and comment on the response. They may have insight on response wording that would assist in clarifying or strengthening points.

  • When initially formulating a response: (1) restate the observation, (2) define the root cause, (3) indicate corrective actions, and (4) develop a due date.



The bottom line is to avoid responses that would otherwise imply to an auditor the organization's unwillingness to change or inability to make appropriate corrective actions.

Having said that, avoid the following:

  • During the exit meeting or in the response letter, arguing every point as “inappropriate” or saying things like “we have never had an issue with this point from other auditors.” Doing this would strengthen an auditor's message to the auditing body of the organization's non-compliance.

  • Stating that the corrective actions being requested will “put the organization out of business.”

  • Overpackaging: an overwhelming response that incorporates massive amounts of unwarranted data in the hope that the reviewer will be “impressed” with the work.

  • Implementing changes immediately. If the issue is simple, great – no problem, implement changes immediately. However, for complex observations, a rapid response indicates that the organization has reacted automatically and implemented corrective actions without thinking about the root cause of the deficiency identified.

  • Not responding to the audit. Actions may have been taken but no formal letter sent to indicate what was performed. This approach indicates that the organization does not take the audit seriously.

  • The enigmatic response. The organization indicates that actions are going to be taken but does not address what these actions include. Example: Actions Taken – Records were updated. When? How were they updated?

  • Promise without substance. Similar to the enigmatic response, this approach does not indicate any specifics. An example includes: Deficiency – Detailed investigation not performed in a timely manner. Response – Investigations will be carried out in a timely manner.



The role of management in a successful audit outcome cannot be overstated. The auditor must get the impression that the organization's leadership is informed of the issues and is vested in resolving them.

Some of the roles include:

  • Hosting the inspection. If no one from management is “available” or even attempts to participate in the audit, there is a lost opportunity to indicate that the organization is willing to listen and learn from the experience of the auditor.

  • Participating in the Exit Conference. This will indicate that management is accountable for decisions being made and actions taken.

  • Management should be aware of, or participate in, the response letter.

  • Management must commit resources to accomplish the corrective actions in the allotted time frame.

Beyond the Context of the Direct Observations

A systemic response to any audit observations must equate to a systemic resolution to any issues within the organization. Programs need to be established which require any observations and their corresponding responses to be circulated for evaluation within the organization to determine if other areas are non-compliant.

Prepare to be Re-audited

After the audit, there is a tendency to drift back into an operational mode. Along with other daily issues, some commitments can be dropped and forgotten. It is the role of compliance and quality assurance to ensure that the organization has met its commitments in anticipation of a re-audit.

Contact Amaka Consulting for details as well as for audit preparation, responding to auditors, and capacity development of agency personnel.
