How to be audit-ready at all times

27 Jun 2024 - Frans Vanhaelewijck


Besides all the complexities of managing a software product company, there is another challenge many companies face: ensuring they can pass audits. Especially in regulated sectors like pharmaceuticals, this can literally be a show-stopper if you are not prepared. Our approach to this challenge is to be ‘always audit-ready,’ and that has proved to be a game-changer.

Identifying core processes

The transformation began with identifying our core processes. We pinpointed around 17 key processes that constitute the majority of our work. This step was crucial because it allowed us to focus on which processes are essential for our operations.

Creating checklists for each process

We then created a specific checklist for each process. Checklists are straightforward, prevent tasks from being overlooked, and bring a sense of clarity and direction. In our case, they were specifically designed to keep us audit-ready for our yearly ISO audits and other unplanned customer audits.

Integration with tools

We integrate these checklists into GitLab. This integration is vital as it enables us to track every action on the checklists, creating an automatic audit trail of who approved what, and at what date and time. It not only promotes accountability but also provides a clear record for audits, simplifying what was once a complex process.

Wiki for team knowledge

For knowledge sharing and management, we opted for a wiki structure. It’s particularly helpful that you can step in and out of the process documentation during an audit, showing the auditor the process steps we have set up.

Real-life application

Implementing this system has had a profound impact. For instance, our software release process, which was sometimes a bottleneck, became more streamlined. The checklists integrated into our version control system reduced errors and made auditing processes more straightforward. It seems almost magical to auditors when they realize they are looking at actual system logs of what happened, timestamped at the exact moment it happened. It alleviates their suspicion that perhaps all these logs were filled in during the last month in preparation for the audit.

Balancing Flexibility and Structure

It’s important to balance the rigidity of checklists with the need for flexibility. We made sure our checklists were guides rather than constraints, and we continuously adapt them based on team feedback and improved or changed processes.

Benefits

The formal benefits are

But the real benefit is that the easiest way to get things done is the compliant way: every team member has a clear inventory of what needs to be done, and completing the checklist also creates the necessary logs for the audit trail.

Conclusion

Once the 17 processes above were defined, there was much less discussion on how things should get done or get approved. During retrospectives, risk analyses, or bug post-mortem reviews, we go through our processes to see what we have missed or what can be improved. This results in a process update and a parallel checklist update.



frans@vanhaelewijck.com