As companies implement enterprise-wide compliance and quality systems to support their 21 CFR Part 11, Sarbanes-Oxley, or ISO 9000 initiatives, they are forced to address the following critical issues:

  • How do you ensure that every person who interacts with a regulatory process, including the most casual user, always uses the software that automates the regulatory process, instead of informal mechanisms, to get the job done?
  • How do you make the compliance software easily accessible to road warriors such as auditors and inspectors even when they are offline, so they don’t have to record the compliance and quality information manually and later transfer it into the compliance software - a key source of user errors leading to failure to comply with the regulation or mandate?

The solution to these issues lies in leveraging the latest but proven technologies to provide new ways for the user to access the application. By removing any barriers to easy access and use, companies can ensure 100% adoption of the application. This paper describes how the next generation of compliance systems addresses these key issues.

Engaging casual users 
One of the key requirements for successful compliance with regulations is that everyone who interacts with the relevant processes should follow the defined policies and procedures. Typically, these procedures and policies are encapsulated in applications that automate the process. Hence, successful compliance requires 100% adoption of these applications by everyone who interacts with the process. However, this requirement also implies that even the most casual users within the enterprise and at suppliers should know how to navigate through the application and be familiar with its functionality in order to use it as they interact with the process. As a result, such casual users become the weakest link in the compliance process.

Let us take the example of an environment where the process engineer approves any change to the operating instruction of complex manufacturing equipment before it is put into production. The process engineer uses the quality management system to approve such a change. He is trained on using the system and always needs to use the system to approve the change, so there is an audit trail of his approval (under the 21 CFR Part 11 requirements). However, in this scenario he wants to ask his senior product manager to review a specific change before it is approved to go into production, since the change may affect the surface tension of the product. Even though the product manager is asked to review such documents for approval very infrequently, she should use the quality management system to approve the change, rather than sending the approval via email, since her approval needs to be recorded in the system from a regulatory compliance perspective. As a result of this requirement, she is expected to know how to navigate a quality management system that she uses very infrequently. Such a requirement is challenging to impose on a casual user. What if the product engineer from the equipment vendor also needed to approve the instruction, since it related to a new feature recently introduced in the product? It would be extremely difficult to expect a product engineer from a vendor to know how to navigate a customer’s quality management system. These examples indicate that enterprise-wide compliance software must enable a casual user to easily transact on the system without any knowledge of its navigation or functionality.

The ability to capture approvals and explanations from even the most casual users is also critical in key financial processes within a company. An example scenario may require a confirmation and explanation to be obtained from a controller in a foreign subsidiary for reporting a certain set of numbers in a revenue recognition account. In addition, this information needs to be recorded in a system to ensure compliance with the Sarbanes-Oxley regulations. As is the case at many Fortune 500 companies, the subsidiary is using a packaged financial system that is different from the corporate financials system. Hence the controller of the foreign subsidiary is not at all familiar with the corporate financials system and chooses to send confirmations and explanations via company email or fax. Such key approval documents get buried under an avalanche of emails and paperwork and cannot be easily discovered later by auditors or regulators.

A best-in-class compliance and quality management system addresses this issue by delivering relevant application forms through email to the casual users. The email is sent by the quality management application to these casual users with forms embedded inside the email to collect the required data. When the user receives the email from the application, (s)he opens the email, enters the relevant information in the form, and hits send. The application processes the email as if the information inside the email form had been entered on an online form by the user. Hence the casual user can work within the familiar email system without needing to learn to navigate and use the application. Such an application capability allows companies to ensure adoption of their compliance and quality application by all relevant users.
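The email-form round trip described above, sketched as an added example (not code from the paper or from any product it describes). The field names, the HMAC request token and the audit-entry layout are assumptions chosen for illustration; the token ties a returned form to the request that was issued to that mailbox so a reply can be recorded as if it had been entered online.

```python
import hashlib
import hmac
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

SERVER_KEY = b"constructed-demo-key"  # assumption: secret held only by the application

def form_token(request_id, approver):
    """Bind one approval request to one mailbox (hypothetical scheme)."""
    data = f"{request_id}|{approver.lower()}".encode()
    return hmac.new(SERVER_KEY, data, hashlib.sha256).hexdigest()

def build_form_email(request_id, approver):
    """Outgoing email whose body is the form the casual user fills in."""
    msg = EmailMessage()
    msg["To"] = approver
    msg["Subject"] = f"Approval requested: {request_id}"
    msg.set_content(
        f"Request-Id: {request_id}\nToken: {form_token(request_id, approver)}\n"
        "Decision: \nComment: \n")
    return msg

def process_reply(raw_message, audit_trail):
    """Turn a returned form into an audit-trail entry, or None if rejected."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    part = msg.get_body(preferencelist=("plain",))
    if part is None:
        return None
    fields = {}
    for line in part.get_content().splitlines():
        # Tolerate "> " quoting added by mail clients on reply.
        key, sep, value = line.lstrip("> ").partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    request_id = fields.get("request-id", "")
    decision = fields.get("decision", "").lower()
    # The token must match this request AND the mailbox it was issued to.
    expected = form_token(request_id, sender).encode()
    if not hmac.compare_digest(fields.get("token", "").encode(), expected):
        return None
    if decision not in ("approve", "reject"):
        return None
    # One recorded decision per request and approver: a resent reply is ignored.
    if any(e["request_id"] == request_id and e["approver"] == sender
           for e in audit_trail):
        return None
    entry = {"request_id": request_id, "approver": sender, "decision": decision,
             "comment": fields.get("comment", ""), "received": str(msg.get("Date", ""))}
    audit_trail.append(entry)
    return entry
```

Rejected replies return `None` and leave the audit trail unchanged, so a form that is incomplete, resent, or returned from a different mailbox never becomes a recorded approval.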

User Access Requirement

Providing offline access 
Internal auditors, who are very mobile and typically work offsite, today use spreadsheets and printed reports to collect audit data at the site and then manually enter that data into their auditing application when they are back at their office. Since auditors typically work in teams and the audit team leader needs to review all the data collected by team members, paper-based (or spreadsheet-based) data collection techniques become very cumbersome in environments where checklists are large and timelines are tight. In addition, such a process leaves a lot of room for errors, and a system responsible for managing a regulatory environment cannot afford to have errors introduced into it.

For example, when a team of internal auditors visits a key supplier, they may spend 2-5 days auditing the various design, engineering, manufacturing, shipping, quality and accounts payable processes of their suppliers. Most of the time during the day is spent collecting data from interviews and observations, analyzing the data against the expected process flow to identify gaps, and recording those issues. Asking the auditors to record the results on paper or on a spreadsheet and then manually type them into the system when they are back at their home office creates an opportunity to introduce errors into the system. In addition, when the team leader wants to review the analysis and findings of the team members, he/she would have to manually review their notes.

The offline capability within the application enables audit teams to take their audit checklists offline on their laptops, easily share collected data among team members, and then synchronize the checklists with collected data back into the online compliance and quality system when they are back in the office. The synchronization happens automatically in the background and should ensure that the data recorded during offline access is safely updated into the system. All the forms in the offline system should look exactly like the online web screens, so no additional training is needed. In addition, by keeping the user interaction with the software the same for offline and online environments, system usage and adoption are ensured, which is a key requirement for compliance.

The next generation of enterprise-wide compliance and quality applications leverages the latest technology to provide offline access and email-based application access capabilities. As a result of these two new access capabilities, organizations can ensure across-the-board use of the compliance and quality applications, rather than use of informal mechanisms to interact with the business processes that are regulated.