How to be audit-ready at all times
27 Jun 2024 - Frans Vanhaelewijck
Besides all the complexities of managing a software product company, there is another challenge many companies face: ensuring they can pass audits. Especially in regulated sectors like pharmaceuticals, this can literally be a show-stopper if you are not prepared. Our approach to this challenge is to be ‘always audit-ready,’ and that has proved to be a game-changer.
Identifying core processes
The transformation began with identifying our core processes. We pinpointed around 17 key processes that constitute the majority of our work. This step was crucial because it allowed us to focus on which processes are essential for our operations.
Creating checklists for each process
We then created specific checklists for each one. Checklists are straightforward, prevent tasks from being overlooked, and bring a sense of clarity and direction. In our case, these were specifically designed to keep us audit-ready for our yearly ISO audits and other unplanned customer audits.
Integration with tools
We integrate these checklists into GitLab. This integration is vital as it enables us to track every action on the checklists, creating an automatic audit trail of who approved what, and at what date and time. It not only promotes accountability but also provides a clear record for audits, simplifying what was once a complex process.
Wiki for team knowledge
For knowledge sharing and management, we opted for a wiki structure. It’s particularly helpful that you can step in and out of the process documentation during an audit, showing the auditor the process steps we have set up.
Real-life application
Implementing this system has had a profound impact. For instance, our software release process, which was sometimes a bottleneck, became more streamlined. The checklists integrated into our version control system reduced errors and made auditing processes more straightforward. It seems almost magical to auditors when they realize they are looking at actual system logs of what happened, timestamped at the exact moment it happened. It alleviates their suspicion that perhaps all these logs were filled in during the last month in preparation for the audit.
Balancing Flexibility and Structure
It’s important to balance the rigidity of checklists with the need for flexibility. We made sure our checklists were guides rather than constraints, and we continuously adapt them based on team feedback and improved or changed processes.
Benefits
The formal benefits are:
- Efficiency in Operations
- Ease in Audit Preparation
- Improved Knowledge Management
But the real benefit is that the easiest way to get things done is the compliant way: every team member has a clear inventory of what needs to be done, and completing the checklist also creates the necessary logs for the audit trail.
Conclusion
Once the 17 processes above were defined, there was much less discussion on how things should get done or get approved. During retrospectives, risk analyses, or bug post-mortem reviews, we go through our processes to see what we have missed or what can be improved. This results in a process update and a parallel checklist update.