CRO Audits: What to Look at and How to Do It

Auditing is about a set of activities sponsors should perform in their CROs in order to ensure that regulatory requirements are met and risks can be efficiently addressed. Before engaging with any contract research organization, sponsors have to evaluate their capabilities and qualifications, as well as the pertinence of regulations applicable to the task these CROs are hired to perform. Further evaluations (or auditing) should be performed to ensure that the initially set standards regarding the concrete project’s services and data are maintained in a due manner.


Audit Objectives

How can a sponsor ensure their CROs are meeting their regulatory requirements if not but conducting audits? Considering that the process of auditing consumes so much time and resources, it is highly desirable to organize it effectively.  These insights will help streamline the processes and deal with possible risks.

Here are some top objectives your CRO audit plan should be built around.


The three criteria to look at here are the expertise and experience they hold for your specific areas of interest, as well as the cultural fit: a CRO team of 20 to 30 individuals should be able to work together and also communicate efficiently with their sponsor. These aspects can be evaluated by meeting and interviewing personally the people involved. And this is when audit can prove to be a very efficient and crucial instrument to employ.

Workforce turnover

If the personnel feel unhappy with their work (for whatever reason) they are likely to leave the company. An indicator of high turnover in a company may be the huge efforts put into the recruitment of new employees. Major turnovers at CROs may result in the decrease in employees’ understanding of the company’s SOPs and culture. And in a case of CRO mergers, the companies should have a plan of their transition process implementation with regard to the mentioned aspects too.


With no companies conducting extensive personnel trainings, the risk of staff growing underqualified increases. The web-based training most CROs practice today, as a rule, cannot provide the required depth of knowledge and does not always meet the requirements of project training. This is how to evaluate this issue: if a CRO is practicing online basic GCP training, chances are that it is not teaching the skill as such, but rather do it for checking a box.


Who Should Perform Audits?

Who, indeed? Should the audit be performed by an outside company or by someone in the clinical operations team? This is a question with no one correct answer. Whether you opt for an outside contractor or by someone within your organization, you should make sure that the person (or group of persons) is in the best position to perform it and knows well how to evaluate such criteria as:

  • whether the CRO maintains your documentation properly
  • whether SOPs and any other regulatory requirements addressed correctly and whether problems are detected on early stages
  • whether Corrective and Preventive Actions (CAPA) can be managed to completion.


When to Perform Audits

Some sponsors suggest that it is best to perform the audit after the sites (at least 90 % of them) have been initiated and have enrolled some patients. That would be a good time for checking the documentation to make sure patient data is being collected and registered correctly. In the case of any issues, you have enough time to fix them even if doing so requires amending procedures.

Performing audits when the trials are closely prior to submission leave no time for fixing critical errors in the way of data collection. As a result, the trial will have little if any value and may have to get trashed incurring additional expenses for the companies involved.

One of the best ways of performing audits at an early stage is mock initiation visits, with getting the staff in a room and asking them to perform a walk-through. This method allows to gain insight into how CRAs are interacting with their sites, how flexible their processes are, and how experienced the site staff is.


Identification of Risks

Unfortunately, there is no standardized, one-fits-all list of possible risks. Depending on CRO geographical location and specifics of the clinical research, risks can range from a (so common) shortfall in patient enrollment and a (quite common) transition on the study team, to travel bans with supplies not arriving in time and a government shutdown.

However, some CROs can present a list of identified risks along with possible solutions for them as part of their RFP (request for proposal). That is a sure sign that the CRO has an understanding of the trial as well as of general risk management. Nevertheless, when working for a certain therapeutic area, CROs may demonstrate a lack of knowledge of risks likely to occur in other areas. For instance, CROs conducting trials for dementia treatment products may be less informed about Alzheimer’s and other diseases.

Anyhow, risk should be identified upfront and followed by producing a plan of tracking and reducing it. Risk assessment methods should be developed basing on the protocol of the given research.

Workshops can be one of such methods. This format implies discussion of particular situations, making your contractors think about the ways they would react and apply their experience, thus getting prepared for them.

Overall, auditing should be performed at the initial stage of the partnership as well as on the succeeding ones, on regular basis, rather than just at the end of the study if you want to detect and solve problems early, thus saving time and budget.

Another approach to the time-and-money-consuming process of CRO audit suggests the introduction of a CRO certification program, with audit findings being accessible to any sponsor. The companies and the industry as a whole could benefit a lot by not having to perform independent audits doomed to produce the same findings.