Tag Archives: manage

Supplier Quality Audits: A Critical Factor in Ensuring GMP Compliance

By Amy Scanlin
No Comments

Editor’s Note: This is an article submission from the EAS Consulting Group, LLC team.


To Audit, or not to audit? Not even a question! Audits play a crucial role in verifying and validating business practices, ensuring suppliers are meeting their requirements for Good Manufacturing Practices (GMPs), and most importantly, protecting your interests by ensuring that you consistently receive a compliant and quality product. Audits can help ensure sound business procedures and quality systems, including well-established SOPs, verification and documentation of batch records, appropriate sanitation practices and safe storage and use of ingredients. Audits can also identify deficiencies, putting into motion a corrective action plan to mitigate any further challenges. While a detailed audit scheme is commonplace for established industries such as food, pharmaceuticals and dietary supplements, it is equally important for the cannabis industry to ensure the same quality and safety measures are applied to this budding industry.

If the question then is not whether to audit, perhaps the question is how and when to audit, particularly in the case of a company’s suppliers.This is an opportunity to strengthen the working relationship with each side demonstrating a commitment to the end product.

Supplier audits ensure first and foremost that the company with which you have chosen to work is operating in a manner that meets or exceeds your quality expectations – and you should have expectations because ultimately your product is your responsibility. Any issues that arise, even if they are technically the fault of a supplier, become your issue, meaning any enforcement action taken by your state regulators will directly impact your business. Yes, your supplier may provide you with a batch Certificate of Analysis but you should certify their results as well.

Audits are a snapshot of a moment in time and therefore should be conducted on a regular basis, perhaps biennially or even annually, if they are a critical supplier. In some cases, companies choose to bring in third-party auditors to provide an objective assessment of suppliers. This is especially helpful when the manufacturer or customer does not have the manufacturing, compliance and analytical background to accurately interpret data gathered as part of the audit. With the responsibility for ensuring ingredient identity and product integrity falling on the manufacturer, gaining an unbiased and accurate assessment is imperative to reducing the risk to your business.

Conducting a supplier audit should be well planned in advance to ensure both sides are ready. The audit team must be prepared and able to perform their duties via a combination of education, training and experience. A lead auditor will oversee the team and ultimately will also oversee the results, verifying all nonconformities have been properly identified. They will also work with the supplier to conduct a root cause analysis for those nonconformities and develop a corrective action plan to eliminate them from occurring in the future. The audit lead will also verify follow-up results.

Auditors should discuss with the supplier in advance what areas will be observed, what documentation will need to be ready for review and they should conduct their assessments with professionalism. After all, this is an opportunity to strengthen the working relationship with each side demonstrating a commitment to the end product.This is your chance to ensure your suppliers are performing and will meet your business, quality and product expectations.

Auditors must document that ingredient identity and finished product specifications are verified by test methods appropriate for the intended purpose (such as a whole compound versus a powder). State regulations vary so be certain to understand the number and types of required tests. Once the audit is complete and results are analyzed, you, the manufacturer, have an opportunity to determine if the results are acceptable. Remember, it is your product, so ultimately it is your responsibility to review the available data and release the product to market, you cannot put that responsibility on your supplier.

Quality Agreements as Part of a Business Agreement

There are opportunities to strengthen a partnership at every turn, and one way to set a relationship on the right path is to include a quality agreement as part of a business agreement. A quality agreement lays out your expectations for your suppliers, what you are responsible for and is a living document that, once signed, demonstrates their commitment to upholding the standards you expect. Just as with a business agreement, have any quality agreements reviewed by an outside expert to ensure the wording is sound and that your interests are protected. This is just another step in the development of a well-executed business plan and one that solidifies expectations and provides consequences when those expectations are not met.

Supplier audits must be taken seriously as they are opportunities to protect your brand, your business and your consumers. Enter into an audit as you would with any business endeavor – prepared. This is your chance to ensure your suppliers are performing and will meet your business, quality and product expectations.

OLCC-Logo

Audit Finds Oregon Lacking Regulatory Oversight and Proper Security

By Aaron G. Biros
No Comments
OLCC-Logo

Last week, Oregon Secretary of State Dennis Richardson published his office’s audit of The Oregon Liquor Control Commission (OLCC). The audit uncovered a number of inadequacies with the regulatory agency, most notably the problems with their tracking system, designed to prevent cannabis form being sold on the black market.

The report highlights the need for Oregon to implement a more robust tracking system, citing reliance on self-reporting, overall poor data quality and allowing untracked inventory for newly licensed businesses. The audit also found an insufficient number of inspectors and unresolved security issues. According to The Oregonian, the OLCC only has 18 inspectors, roughly one for every 83 licensed businesses.

Auditors also found inadequacies in the application system, saying the OLCC doesn’t monitor third-party service providers and doesn’t have a process in place for reconciling data between the licensing and tracking systems. The audit found there is a risk that decisions made for the program could be based on unreliable data. It also found a risk of unauthorized access to the systems, due to a lack of managing user accounts.

Oregon Secretary of State Dennis Richardson
Oregon Secretary of State Dennis Richardson

This audit’s publication is very timely. Most notably because U.S. Attorney Billy Williams, who called Oregon’s black market problem “formidable,” convened a summit this week to examine how Oregon can prevent cannabis being exported to other states. According to the Oregonian, Williams said Oregon has an “identifiable and formidable overproduction and diversion problem.” The audit’s findings highlighting security issues are also very timely, given that in the same week, Oregon’s neighbor to the North, Washington, experienced a security breach in its own tracking system.

The problems with the Oregon tracking system’s security features are numerous, the audit says. They found that the OLCC lacks a good security plan, IT assets aren’t tracked well, there are no processes to determine vulnerabilities, servers and workstations not using supported operating systems and a lack of appropriately managing antivirus solutions. “Long-standing information security issues remain unresolved, including insufficient and outdated policies and procedures necessary to safeguard information assets,” reads the report’s summary.

The audit proposes 17 recommendations for the state to bolster its regulatory oversight. Those recommendations intend to address undetected compliance violations, weaknesses in application management, IT security weaknesses and weaknesses in disaster recovery and media backup testing. You can read the full audit here.