Internal audit of research projects is an important means by which Melbourne Health  ensures research conducted under its auspices is conducted in accordance with good clinical practice (GCP) and approved ethical guidelines.

Internal Audit of research ensures the reliability and integrity of information; compliance with requirements such as ethical guidelines, ICH GCP, adherence to the study protocol, and applicable institutional policies, state and federal legislation, regulations and guidelines, for research conducted under its auspices. Auditing is also an educational activity aimed at improving and streamlining procedures.

Categories of audit

There are two categories of audit for research conducted at Melbourne Health;

  • Human Research Ethics Committee (HREC) audits; and
  • Office for Research instigated audits (includes onsite audits conducted by the Office for Research, self-audits requested by the Office for Research and annual self-audits submitted with the annual report).

Further details are provided in the drop downs below.

Audit informing education

Internal Audit of research is also an educational activity aimed at improving the quality and maintaining compliance of research at MH. Through these reviews, additional training and education is provided to the support the research team if required.

We request that you forward any audit reports and details of corrective and preventive actions arising from external audits (sponsor audits or regulatory inspections etc.) to the Office for Research to support training and education activities. Forward the report to research@mh.org.au and include the subject line “Audit report for Manager Research Governance and Audit”.

The findings of audits are also aggregated and used to inform the training and education program and materials provided by the Office for Research to its research staff. In simpler words, we're here to help.

Frequently asked questions

What are HREC audits?

All HREC approved projects are eligible for audit. Projects may be selected by the HREC for audit for a variety of reasons:

  • It is part of the conditions of approval or due to the classification of risk.
  • A complaint has been received.
  • Discrepancies in Annual Progress Report compared with the approved project protocol.
What are Office for Research audits

All ethically approved projects conducted at MH sites are eligible for audit. Three types of audits are conducted by the Office for Research:

  • On-site audits – are conducted by Office for Research personnel. Study documents are reviewed in the researcher’s department. It is expected that Principal Investigator attend the audit opening and closing meetings. The Principal Investigator will be notified prior to the audit to identify a mutually convenient time for the audit and forwarded the Audit Form to assist in preparation for the audit.
  • Self (Desktop) audits - are conducted by researchers on request from the Office for Research. The Principal Investigator will be notified when a self-audit is required to be completed and submitted to the Office for Research.
  • Themed audits (i.e. consent audits) – are audits in which the Office for Research reviews one aspect across several studies. Principal Investigators will be notified if they are required to provide information for this type of audit.
What are annual self-audits

A self-audit using the Department of Health (VIC) Self Audit Report for Research form is to be completed annually for each research project and submitted it with the project annual progress report.

Researchers are also encouraged to audit their own research teams and projects. The forms listed at the bottom of the page may be of use for this.

What are the different types of audit – internal, external, self, routine and for cause audits?

Depending on who conducts an audit it may be an internal audit, self-audit or external audit.

Internal Audits are undertaken by groups within the organisation that are independent of the activity being audited. Internal audits are an objective assurance and consulting activity designed to add value and improve an organization's operations by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Self-audits are a type of internal audit conducted by researchers, either at the request of the Office for Research or as a team quality improvement activity. The Principal Investigator will be emailed the audit request and Audit Form for completion and return by a set date.

External audits may be conducted by the Sponsor or regulatory bodies [FDA (US), MHRA (UK) etc.] (to support regulatory applications). Sponsor audits are different to monitoring visits.

Routine audits are planned or scheduled according to the project monitoring plan or auditing body (institution, regulator etc.) schedule.

For cause audits are triggered by an event such as a complaint, non-conformances identified from other activities (i.e. routine monitoring or reporting), high numbers of amendments or protocol deviations, safety reporting, data discrepancies or concerns over the ethical conduct of the study. For cause audits may be conducted by the Office for Research, HREC, the sponsor or a regulator. Note: the Australian regulator, the Therapeutic Goods Administration (TGA), does not currently conduct audits. The items reviewed in a for-cause audit are similar to those reviewed in a routine audit.]

Who conducts internal audits of research projects at MH?

The Office for Research manages internal audit of research projects undertaken at MH. Internal audit are usually conducted by the Office for Research audit staff. However, on occasion the Office for Research may engage external auditor to conduct an internal audit.

The HREC may request that the Office for Research conduct a for cause audit of a research project. Depending on resources, the audit may be conducted as an internal audit or external auditor may be contracted to conduct an internal audit.

Researchers also complete a self-audit using the Department of Health (VIC) Self Audit Report for Research form annually for each research project and submit it with the annual progress report for the project.

What if an external auditor contacts you?

Tell us about it, we may be able to help you track down documentation required for the audit.

Send us a copy of the audit report and associated corrective and preventive actions so that learnings can be disseminated (de-identified) throughout the organisation. Forward the report by email to the Manager Research Governance and Audit at: research@mh.org.au.

How are research projects selected for audit?

HREC audits

All HREC approved projects are eligible for audit. Projects may be selected by the HREC for audit for a variety of reasons:

  • It is part of the conditions of approval or due to the classification of risk.
  • A complaint has been received.
  • Discrepancies in Annual Progress Report compared with the approved project protocol.

Office for Research audits

All research projects conducted at MH are eligible for audit.

Research projects are randomly selected based on a basic risk assessment. First, the research activities are broken down into audit risk areas, such as commercial or MH sponsored or investigator initiated, interventional clinical trial or clinical research, unfunded or collaborative research. The Office for Research may also decide to audit certain types of project based on audit findings from other similar projects. On-site audits are weighted to higher risk projects. Self-audits are weighted to lower risk projects.

Notification process for internal audits

The Office for research will contact the PI by email to notify them that the project has been selected for either on-site or self-audit.

For self-audits: The PI or delegate completes the audit tool and returns it to the Office for Research. The notification will identify the project number and title and return date or the completed audit.

For on-site audits: Auditor/s from the Office for Research visit the department and conduct meetings and a review of project documents.

The notification will identify the project number and title, personnel required to be present at audit meetings, documentation required for audit and a selection of potential audit dates. The final date will be negotiated with the PI.

Internal Audit Scope

The scope of audit includes all project documentation for compliance with applicable MH policies, guidelines and SOPs, regulations, legislation and guidelines including:

  • ICH GCP E6 R2
  • NHMRC Australian Code for the Responsible Conduct of research (2007).
  • NHMRC National Statement on Ethical Conduct in Human Research (2007).
  • Research Policy (MH 18) (access via ipolicy - internal staff access only)
  • MH Office for Research SOP 001
  • MH Policy 05 Documentation and Records Management (access via ipolicy - internal staff access only)
How long will an onsite audit take?

We budget between 12 and 15 hours for a typical audit, depending on the size and complexity of the project. However we try to minimise the time researchers are required to be present for audits. Much of the time spent conducting an audit occurs behind the scenes preparing for the audit, conducting preliminary reviews, following up information and report writing.

On the day of the audit - the auditors will be onsite in your department for one day. The audit will include an opening meeting, review of documentation and a closing meeting.

The Principal Investigator and coordinator, and any other key personnel identified as required during the audit are required to attend the opening and closing meetings. It is often helpful to identify a contact person who can locate required documents and answer questions that may arise during the documentation review process. The contact person, timing and method of contact will be identified at the opening meeting.

Opening meeting – The PI and key staff (AIs, coordinator, research nurse as appropriate) must be available during this meeting. The auditor will provide you with a summary of the audit process and may ask questions on about the key aspects of the project such as progress of the project, consent process, handling of; adverse events, investigational products and data.

Closing meeting - The PI and key study staff should be available at the final meeting to answer question or address any concerns at the time of the visit and be available for the close out meeting at the conclusion of the audit. During this meeting, the auditor will typically review all major audit findings.

What is audited?

Researchers are required to maintain documentation that creates an audit trail. An audit trail is a transparent description of the research steps taken from the start of a research project to the development and reporting of findings. These are records that are kept regarding what was done in an investigation.

Most audits involve the review and inspection of informed consent forms, documentation of the consent process, reported data, regulatory records, source documents to ensure protocol compliance and drug accountability records. The auditors may also request to review the site’s internal standard operating procedures (SOPs) for conducting research and copies of the research team’s credentials and documentation of training to ensure appropriate delegation of specific research tasks.

How to prepare for an onsite audit

Ideally your research team should always be prepared for a potential audit.

It is essential that there are written SOPs (project specific and/or departmental) for how the study team should conduct research. All staff should have adequate and documented training on the protocol, key policies and processes. The research team should also be aware of proper audit etiquette and present themselves in a calm and professional manner at all times.

To prepare for an upcoming audit, it is helpful to review all research charts, consents, regulatory documents and source documents for accuracy and completeness. This will allow the team to be prepared for any deviations that the auditors may note during their review. A room should be reserved in advance for the auditors.

All necessary documentation, including research charts, medical records, access to electronic medical records and regulatory documents, should be requested and available upon the day of the audit for inspection. All records and charts should be organized in a similar manner to allow for easy review. It is helpful to develop a flagging mechanism so that all pertinent documents are identified and easy for the auditors to find. It is in the research team’s best interest to have everything as organized as possible.

For external audit

The date of the audit, location, required personnel and tentative schedule for the day should be communicated in writing to all key members of the research team and office for Research. When the auditors arrive, they should be escorted to the audit area and oriented to the location and organization of all pertinent documents and files. If it is an FDA audit, the research team should request the “Notice of Inspection” (FDA form 482) and sight identification of the inspectors. Key study staff should be available to answer question or address any concerns at the time of the visit and be available for the close out meeting at the conclusion of the audit. During this meeting, the auditor will typically review all major audit findings.

Please note that many auditors are not permitted to accept meals, so you must know in advance whether policies will allow you to provide the auditors with food. Identify to the auditors the location of food and bathroom facilities.

What are internal auditors looking for?

Primarily compliance with applicable organisational policies, Good Clinical Practice (ICH-GCP E6 R2), guidelines, legislation and sound internal controls. MH's policies are designed to help ensure we all comply with applicable laws and regulations and operate efficiently. By following these policies we help protect MH and research participants from unnecessary risks. However, not all internal controls can be codified in policy. Researchers should prepare SOPs as required to ensure that their studies comply with applicable requirements.

How are audit outcomes reported?

Written report to Principal Investigator: The PI receives the written audit report (generally 4-6 weeks after the audit). The report contains audit outcomes including a summary of the audit process, audit observations, audit rating and follow-up actions.

Generally the audit report does progress any further and the Office for Research work with you to undertake any corrective and preventive actions (CAPAs) identified from the audit.

However, if the observation of the audit are serious in nature then the report may be referred on to the Executive Director of Research (EDR).

If the audit outcomes are reported to the EDR, the EDR may escalate the audit report to the Director of Research Governance and Ethics for review of the impact on the research governance approval, or to the HREC for consideration of the impact on the ethical acceptability of the project.

Reporting to the MH HREC: Audit outcomes are reported to the HREC as monthly line listings. The findings of individual audits that have identified serious issues may be referred to the MH HREC. The HREC may request further information and conduct a review of the ongoing ethical acceptability of the project.

Reporting KPIs: Audit is an Office for Research KPI and as such the number of audits completed is reported monthly in the Chief Executive report.

Learning activities: The findings of audits are also aggregated and used to inform the training and education program and materials provided by the Office for Research to its research staff.

What are audit ratings?

There are three ratings an audit may obtain depending on the audit observations.

Satisfactory: The audit observations support continuing conduct of the project +/- corrective/preventive actions (within allocated timeframes)

Needs improvement: The audit observations identify significant issues that must be addressed to support continuing conduct of the project

Does not meet requirements: The audit observations identify serious issues that affect the conduct of the project

What if something isn't handled correctly?

We will discuss recommendations for improvements with you. The recommendations need to realistic because we want you to be able to incorporate them into you systems and procedures so that you implement them.

What is CAPA?

CAPA is short for Corrective and Preventive Action.

You will be asked to respond to the audit observations outlined in the report with an outline of the CAPAs to that have or will be completed.

Remember – CAPAs should improve your systems. Only implement CAPAs that are realistic, achievable and have a measurable outcome (i.e. fix the problem). If the desired outcome is not achieved, review the CAPA and adjust to ensure the desired outcome is achieved.

Example: An audit identified that the Signature and Delegation log was not kept up to date. The CAPA could be that the log was reviewed and updated AND an agenda item “review of status of the Signature and Delegation log” was added to the monthly research project meeting agenda to ensure that the document was reviewed and maintained as current.