Compliance Audit Best Practices
If you’re working in a regulated industry, compliance audits are a part of your day-to-day. Without the right processes in place to follow applicable standards, compliance can be tricky, and audits can be daunting.
In order to successfully comply with regulatory standards applicable in your industry, you will be required to adopt a set of tools and practices as part of your product lifecycle itself. These will help everyone adhere to a defined workflow, avoid process gaps, and keep track of all work completed. As not all regulations are the same, and you don’t have to necessarily adhere to industry standards to benefit from a compliance audit, let’s first review some ins and outs of these audits.
What Is a Compliance Audit?
A compliance audit is a formal review of an organization’s operations and procedures to determine whether that company and its products meet regulatory demands/standards.
These regulations are specific to the type of product being developed and affiliated safety risks. Obviously as some of these risks can be catastrophic, some regulations can impact the product lifecycle at a granular level.
Passing a compliance audit, then, requires proof that these regulations were not only built into the workflow, but followed appropriately. Proof comes by way of an audit trail — one that shows enough detail, for example, to verify that user A logged in at [specific] time; tester Y ran [specific] tests and clearly documented which tests passed, which failed, and what action was consequently taken.
Audit trails may also show what kind of security groups are in place to prevent unauthorized users from editing data or viewing confidential information. Depending on the standard or regulation, the entire workflow can be audited for compliance.
As a measure of strict safety and quality assurance, audit trail would also provide a proof to any changes (and by who) made to the requirements, configuration, conditions and any other parameter that may impact the workflow and thus the behavior or functionality of the product.
Consequently, a large amount of data may need to be presented in a given audit. This is why some companies struggle. It may take a lot of time to go back through development to collect necessary data. And without certain safeguards in your process, errors are inevitable.
Failing a compliance audit could result in fines or discontinuation of a product pending corrective action. So it is important to get everything right the first time.Back to top
How Is Compliance Auditing Used?
There are a number of regulatory bodies that have established standards across many industries. What’s audited depends on the applicable standard for the product, for example those under ISO, IEC, 21 CFR, GDPR, and many more.
Regardless of the standard, it exists to protect the end users’ safety, whether that is physical (automotive, medical device), informational (financial or personal data), or otherwise. Compliance audits are used to hold companies to these standards and ensure the quality and safety of their products.
While audit trails are reviewed by the regulatory body that holds the standard — like the FDA — the evidence of compliance is the responsibility of the company being audited. Being in charge of the audit legwork puts you in a good position. You can hold routine internal audits in the same way (whether you’re regulated or not) to hold yourself accountable and be more confident about compliance.
Take note: because software is used in so many products and services, and software is prone to a number of security risks, internal software compliance audits are recommended regardless of any regulatory adherence. The following best practices apply to all product and software compliance audit standards.Back to top
Compliance Audit Best Practices
Because there are so many different standards across numerous industries, it’s impossible to give specific guidelines that apply to all regulations. However, these three general best practices can help you effectively create and maintain a compliant operation, and make audit trails a breeze.
1. Automate the Process
Compliance audits are stringent. Proving compliance is more than just documenting the process — you need evidence that security restrictions were enforced. You need to prove that no person was able to make independent changes or push the product to the next step without completing all required conditions. And you’re probably showing you did this throughout the entire product lifecycle.
If you do this manually (without traceability), or if you try to piece together workflows from separate tools, a couple things are bound to happen. First, mistakes will be made. We are human. And the more complicated a document or process, the more likely it is something will get overlooked. What’s to keep a person from skipping a step so that production stays on schedule?
Second, creating a manual audit trail takes a massive amount of time. A compliance manager may spend weeks tracking everything down for an audit, whereas an automated tool with built-in traceability will deliver an audit report in minutes.
You can best ensure that you stay compliant using an automated tool (like Helix ALM) and also cut unneeded steps. Just remember that the tool you use is also part of the compliance process. Make sure your vendor can provide validation documentation for the software you choose.
2. Establish and Enforce a Defined, Repeatable Process
Any regulation you’re meeting will have its own set of boundaries and requirements. You need to define these boundaries and establish them within the workflow so that requirements must be met before a step is completed. You also need to set up security groups and permissions to ensure that no unauthorized user can make edits, and that the appropriate manager is approving work.
An approval process has to be defined on top off that: who can approve a requirement or approve changes to a requirement? Who can promote a requirement to the next phase in the workflow?
Does your workflow require electronic signatures for compliance purposes when you add, edit, or delete items, enter workflow events, or perform other actions? For an efficient compliance process, electronic signatures should be saved in the project’s audit trail, which tracks when and how data was modified.
Remember: documenting everything, starting from requirements, comments and edits, approvals, tests cases and results, and any other action taken, should be embedded in the workflow so that you can prove what happened and when. Again, this is simplest when using an automated lifecycle management solution.
As you set up the workflows, bear in mind they must be repeatable. It’s inefficient to have to create a new workflow for every version. And of course, make the workflows enforceable. By using restrictions and mandatory fields/steps, you ensure that that the boundaries you defined are followed, and the information you need for an audit is present and stored for the required period of time by the regulator.
3. Implement Baselines
A baseline is a preserved collection of data at a point in time. This data set is compared to its future version, when those are available, in order to calculate the difference between the two.
The information in a baseline cannot be modified. You can go back and view data at the point it was captured, making it a very reliable way to compare versions and easily identify changes between them. If any settings, requirements, approvals, or other change occurred, it must be shown in an audit trail.
Another benefit of baselines is they can be duplicated. This makes it easy to replicate your process for the next release — supporting your efforts to create a repeatable process. And from a compliance standpoint, they make audits much easier.Back to top
Compliance audits don’t have to be a nightmare. It can be simple to create proof you followed every step that your regulatory body requires. And while this may mean investing in a new tool, consider any costs that could be eliminated with the right solution. Whether that’s time spent by a Compliance Manager, product rework, multiple process reworks, or the cost of failing the audit.
See How Helix ALM Can Help You Set Baselines and Ensure Traceability
The end-to-end traceability of Helix ALM and its baseline functionality are just the beginning. Watch an on-demand demo of Helix ALM to see it in action.
- Learn about using tools to find code vulnerabilities, ensure standards compliance, and reduce time-to-market early in the development process with Perforce's Shift Left 101
- How to Pass a Compliance Audit with Real-Time Traceability
- 5 Keys to Faster Development and Compliance
- Compliance Management: How 4 Companies Simplified the Complex