Back to news

Risk Based Approach to Auditing in Pharmacovigilance

Companies that research, produce and/or sell pharmaceutical products are subject to the relevant GxP requirements (e.g. Good Pharmacovigilance Practices (GVP). Compliance to these regulations must be continuously monitored and evaluated.

To assure this, the legal framework outlines the requirement for each Marketing Authorisation Holder (MAH) to perform regular audits based on risk-assessments. Such risk-based audits should therefore be planned and conducted in light of relevant legislation and guidance ensuring that the company and its systems are operating in the right way and meet regulatory requirements.

Risk-based approach to audit planning

The risk-based approach to audits focuses on the areas of highest risk to the organisation’s systems, including its quality system. As per GVP Module IV, risks must be assessed at three different levels:

Strategic level audit planning

Pharmacovigilance Audit Strategy should consider future to be risk-assessed and describe the approach which will be taken for a period of 2-5 years. The audit strategy should cover all parts of existing systems including, but not limited to:

  • systems audits (e.g. risk management, literature screening, case processing);
  • subsidiary audit (affiliates);
  • business/license partner audit (e.g. marketing partner);
  • service provider audit (vendors with specific delegated pharmacovigilance responsibilities);
  • verification audit (re-visiting a previously conducted audit to verify completion of agreed corrective action plans).

The selection of areas/processes to be audited over a defined period should be performed by considering risk assessment calculations. These calculations should be performed within the developed risk assessment tool. The risk assessment tool should:

  • consider future to be risk-assessed (e.g. system, affiliate);
  • identify risk criteria (e.g. criticality of the processes being audited, number of deviations, the severity of audit findings/deviations, changes in legislation, employee turnover, etc.);
  • assign risk scores (identify high, medium and low-risk entities);
  • re-assess periodically.

Tactical-level audit planning

Once a long-term audit strategy is in place, a tactical audit schedule should be prepared in line with it. The tactical audit schedule is usually developed for one year. The audit schedule should include and outline the areas/process to be audited, the scope of the audit, objectives, regulations and timelines for audit completion. What is more, every company should have an ongoing due diligence approach to risk management, ensuring that when audits are performed, the outcome is reviewed and the audits are re-scheduled.

Operational-level audit planning

Operational-level audit planning helps to assess risk for a specific audit. Key preparation steps of operational planning are:

  • notification (communicate with key personnel within a defined timeframe, confirm audit dates, and logistics, ensure availability of personnel;
  • research (understand the process that you will be auditing, meet with the necessary personnel, review SOPs, legislation and other applicable documents, and identify records to be requested from auditees (before or during the audit));
  • preparation of audit plan and agenda (defining objectives and scope of an audit, identifying topics to be covered during an audit (all topics shall be arranged in a logical order));
  • reporting the findings and CAPA (finalising data collection and findings, grading the findings, issuing the report and completing the CAPA plan).


Pharmacovigilance risk-based audits are performed at regular intervals to ensure that the quality system complies with the quality system requirements and to determine its effectiveness. When performing risk assessments, it is compulsory to perform it at three different levels: strategic, tactical and operational. The strategic level shall reflect the whole audit universe, tactical – audit programee, operational – assess risks for a specific audit. The audit strategy will define an audit cycle that could reasonably be performed within a defined period. The tactical plan is usually developed for the year and will include audits required per the cyclical audit plan. Operational planning will include notification, research, preparation of an audit plan and reporting audit findings. The same principles can be used for all audit types, but it is important to emphasise that each audit is unique in its complexity.

At Insuvia we partner with pharmaceutical companies by ensuring compliance of their PV quality systems. For more information, please do not hesitate to contact us and our team of experts will provide comprehensive guidance.

Back to news