U.S. Food and Drug Administration (FDA) audits can uncover violations of the Food, Drug, and Cosmetic Act (FD&C Act) and other federal food and drug laws and regulations. Those violations can lead to administrative, civil, or potentially even criminal penalties, depending on the circumstances involved. As a result, implementing an effective defensive strategy for an FDA audit is essential.
But this is easier said than done.
Not only can FDA inspection target a wide range of data integrity and statutory and regulatory violations, but it can also take several forms. When facing an FDA regulations audit, understanding both the nature and the scope of the audit is essential for developing and executing a sound defense strategy. Once you know what issues the FDA is prioritizing, and how it is gathering the information it needs, you can plan accordingly. Of course, a thorough understanding of the pertinent statutory and regulatory provisions is also essential, and this is one of several reasons why it is important for entities facing FDA audits to engage experienced legal counsel promptly.
“FDA audits can present significant financial and business risks for all companies. If the FDA inspector uncovers evidence of noncompliance with FDA-regulated products, it can implement several means of enforcement, including denying approval and requesting (or requiring) market withdrawal. Facing allegations of noncompliance from the FDA can also present other risks, making it essential to execute a sound audit defense strategy.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.
Executing a sound audit defense strategy starts with planning ahead. With this in mind, here are seven keys to effective FDA audit defense:
1. Understanding the Different Types of FDA Audits
The Food and Drug Administration (FDA) conducts three primary types of audits (or “inspections” in FDA terminology). These are:
- Routine inspections
- Pre-approval inspections
- “For cause” inspections
These types of FDA audits differ in several important ways. For example, depending on the type of audit, the target entity may or may not receive advance notice. Most routine FDA inspections are unannounced to ensure data integrity, while pre-approval inspection and audit procedures are generally scheduled in advance during the FDA approval process.
The amount of notice a target receives can play a major role in developing and executing its defense strategy. Companies subject to the FDA’s oversight need to prioritize and maintain compliance on an ongoing basis—not just when an FDA agent knocks on the door with a Notice of Inspection (or FDA Form 482). Responding to an FDA audit inspection process takes time and requires a structured and proactive approach.
Generally, “for cause” audits present the greatest risks and are also frequently unannounced. These FDA audits arise out of specific concerns of noncompliance. As a result, for targets not prepared to respond effectively, presenting an effective defense can prove very challenging—but it can also be critical for avoiding unnecessary commercial and legal consequences.
2. Prioritizing FDA Compliance
Given what we’ve just discussed, the best defense strategy for all types of FDA audits is to ensure that the entity already has a strong compliance program. An effective and comprehensive approach to FDA compliance can mitigate the risk of facing a “for cause” audit and ensure that entities are prepared for all types of FDA audits when they arise.
With that said, simply having an FDA compliance program is not enough. Effective implementation is essential; employees must know their specific roles and responsibilities. Training and re-training are core components of an effective FDA compliance program, and employees who are responsible for compliance failures should be disciplined accordingly.
3. Knowing What to Expect During the FDA’s Audit
Knowing what to expect during the process is critical with all three types of FDA audits. Far too many FDA-regulated companies only have a vague idea (at best) of what to expect when they are being audited. This lack of understanding limits their ability to prepare, which in turn limits their ability to build and execute an effective audit defense strategy.
The FDA’s audit processes are complex and extensive. However, the Administration is also fairly transparent about its auditing procedures. It has published an Investigations Operations Manual that provides valuable insights for companies facing all types of audits and Inspection Guides for various types of businesses.
Crucially, the accessibility of this information is a double-edged sword: While it gives companies the guidance they need to prepare for FDA scrutiny, it also means that the FDA expects audit targets to be fully aware of their compliance obligations. Regarding FDA compliance (and demonstrating compliance during the audit process), ignorance is not an excuse for failure. If an audit target is not fully prepared to respond to inspectors’ inquiries in a way that demonstrates comprehensive compliance, this will lead to adverse outcomes in most cases.
4. Overseeing the Audit Process
When FDA inspectors show up to conduct on-site audits, they will have an FDA Form 482 (Notice of Inspection). This Form states the statutory authority of the FDA to conduct the audit and explains the scope of the inspection.
A crucial defense strategy is ensuring the FDA stays within the stated scope of the inspection.
Failing to oversee the audit process can allow the FDA to collect data and make observations outside its auditing authority. If these observations become the grounds for a finding of an FDA violation, this can lead to issues that the target could (and should) have avoided. In these situations, audit targets will generally be deemed to have consented to the FDA’s collection, meaning that they will have few grounds (if any) to challenge the FDA’s use of its findings against them.
As a result, overseeing the audit process is essential. This task should generally be left to the target’s outside counsel. A thorough understanding of the substantive issues involved and the FDA’s auditing procedures is essential, as is the ability to intervene effectively when necessary.
5. Having Response Protocols in Place
In addition to effective compliance policies and procedures, FDA-regulated companies should also have established protocols for responding to FDA audits. These protocols should facilitate a prompt, structured, and organized response and address the relevant substantive and procedural requirements for each type of FDA audit.
Companies’ FDA audit response protocols should also ensure that only a small team of individuals will be involved with the company’s audit response, allowing the rest of the business to continue running smoothly and with little interruption during the inspection. Keeping the response team small can also make managing internal and external communications easier. An FDA audit response team should generally include the following personnel:
- Company executives
- Company personnel who are experts in the subject matter of the audit and quality management system
- In-house attorneys
- Outside FDA audit defense counsel
All team members should have well-defined roles, and an established chain of command is essential. By having a playbook to implement in the event of an FDA audit, companies can significantly reduce the risk of the audit, leading to unnecessary adverse consequences.
6. Researching the Auditors’ Backgrounds
Many of the FDA’s auditors have particular areas of expertise. For unannounced FDA audits, including “for cause” inspections, any information that targets can learn about the auditors involved can help them understand the focus of the inquiry. For example, if an auditor has extensive experience in bacterial infections, the audit is almost guaranteed to focus on contamination-related concerns at the company’s manufacturing facilities. Knowing that this is the case can help facilitate a targeted and effective response—and, just as important, it can help audit targets avoid devoting resources to demonstrating compliance in areas that are not presently of concern.
7. Knowing How to Respond to Any Allegations of FDA Noncompliance
Of course, the reality is that even companies that prioritize FDA compliance can find themselves forced to deal with violations. When an FDA audit uncovers (or is likely to uncover) evidence of noncompliance, this requires a particular type of response.
Knowing how to respond to allegations of FDA noncompliance starts with understanding the specific compliance concerns. Are these concerns technical in nature, or do they present public health or safety risks? How widespread are the concerns? Are they indicative of systemic compliance failures or the result of an isolated incident already addressed? If the FDA decides to pursue enforcement action, what penalties will be on the table?
The answers to these questions—among many others—are critical for formulating an effective FDA audit defense strategy. For FDA-regulated entities that do not currently have effective audit response protocols in place, the time to take action is now. While a proactive approach can significantly mitigate the risks of facing FDA scrutiny, once the FDA launches an inspection, it will be too late to implement many types of essential precautionary measures.
