An audit by the Food and Drug Administration (FDA) can uncover violations of federal food and drug regulations, as well as the Food, Drug, and Cosmetic Act (FD&C Act). Those violations can lead to administrative, civil, or potentially even criminal penalties. Having an appropriate defensive strategy for an FDA audit is essential. However, the best strategy to adopt will generally depend on the type of audit that is being performed.

Different Types of FDA Audits

The Food and Drug Administration (FDA) conducts three ways or types of audits and inspections:

1. Routine inspections
2. Pre-approval inspections
3. “For cause” inspections

Depending on the nature of the inspection, the target may or may not have advance notice to prepare. For example, most routine FDA audits are unannounced, while pre-approval inspections generally only happen if the company is developing a new product that needs FDA approval.

The amount of notice your company has can drastically alter which defense strategy is the best for your circumstances. However, companies that are regulated by the FDA should always be thinking about audit defense, not just when an FDA agent knocks on the door with a Notice of Inspection on FDA Form 482.

1. Develop and Follow a Strong Compliance System

The best defense for an FDA audit is to have a strong compliance system already in place. If the compliance plan is all-encompassing, effectively created, and followed closely, it can drastically reduce the chances that an FDA inspection or audit – whether it is unannounced or not – uncovers a violation.

However, no compliance system is worth anything if it is not followed to the letter. Employees need to be made aware of their responsibilities under the system and reminded of their compliance duties regularly. Training and re-training are essential. Variations from the compliance system should be disciplined, and employees should be conscious of the penalties that come with a mistake as this will make them more likely to take their responsibilities seriously.

As Dr. Nick Oberheiden, founding partner of the FDA audit defense firm Oberheiden P.C., says, “Companies that take the time and the energy to craft a good compliance strategy, now, can effectively insulate themselves from liability of a failed FDA audit, later. Many companies find that stringent and vigilant compliance measures are extremely cost-effective.”

2. Know What to Expect During the Audit

Many FDA-regulated companies only have a vague idea of what the audit process will look like. That lack of awareness often means that their preparation will be haphazard, at best.

The FDA’s audit process is complicated, nuanced, and extensive. However, the agency is very transparent about it, going so far as to publish its Investigations Operations Manual online. It even provides Inspection Guides for a variety of different types of businesses that might undergo an FDA audit.

Of course, the easy accessibility of this information is a double-edged sword: It gives companies the guidance they need to pass an audit, while also making it very clear that the FDA expects all companies to be aware of their compliance obligations.

In many cases, FDA-regulated businesses end up deciding to hire outside counsel to guide them through the complicated audit process.

3. Monitor the Audit to Ensure It Stays Within the Boundaries Set By Form 482

When the FDA inspector shows up to conduct an audit, he or she will have an FDA Form 482 – Notice of Inspection. This Form states the statutory authority of the FDA to conduct the audit but also includes a description of the scope of the inspection.

A crucial defense strategy is to make sure that the FDA agent stays within the stated scope of the inspection.

Not closely monitoring the audit can let the FDA agent collect data and make observations that he or she had no right to, under the scope of the audit. If those observations become the grounds for a finding of an FDA violation, it can put the company into legal trouble that it could have easily avoided.

4. Research the Auditor’s Background

Not all FDA auditors are the same. Some have particular areas of expertise.

For unannounced FDA audits or “for cause” inspections, any information that you can find about your FDA auditor can help you understand what the audit is really about. For example, if the auditor has extensive experience in cybersecurity, the audit is almost guaranteed to focus on data integrity and the company’s computer system. This insight can give you a small, but very important, advantage during the audit.

5. Have a Response Protocol in Place

In addition to a strict compliance system, FDA-regulated companies should also have an established protocol for responding to an FDA audit. This protocol should always be ready to go at a moment’s notice, so when the FDA auditor knocks on the door the reaction is coherent and systematic.

This protocol should ensure that only a small team of individuals will respond to the audit, allowing the rest of the business to move smoothly and with a little interruption during the inspection. Keeping the response team small can also make it easier to manage, though it should generally include the following personnel:

• Executives
• In-house attorneys
• Outside FDA audit defense counsel
• Company experts in the subject matter being targeted by the audit

Each of these team members should have well-defined roles to follow during the audit procedure. An established chain of command is essential.

6. Make Reasonable Responses to Alleged Violations

Even well-prepared companies can find themselves in violation of FDA regulations. These regulations are extensive, wide-reaching, and extremely nuanced.

If the FDA auditor returns an FDA Form 483 for Inspectional Observations that lists one or more violations of FDA law, it is not always the best defense strategy to respond aggressively and challenge the findings. When the alleged noncompliance is based on faulty observations or lacks exculpatory context, taking a hard stance and challenging the findings is generally in the company’s best interests. However, businesses should reflect on the costs and the difficulties of fixing alleged violations and keep an open mind to remedying them, even if they are skeptical of the validity of the violation. Promptly rectifying the alleged violation can make more business sense than challenging the violation, and then potentially having to fix it, anyway, if the challenge fails.