Ronald Boumans Dear Laura, as a former senior inspector for medical technology at the Dutch Competent Authority I must advice against this. If an authority starts asking questions you should make sure you provide them with a full answer, never holding back anything. If they feel a company is not providing a complete answer they will come back with more questions and the longer this process takes, the deeper they will dig. And if they dig deep enough, they will always find something. Believe me, I have been there.

The interesting thing about your question is that I have the feeling that earlier in this process something may have gone wrong. Normally these authorizations are routine matters, handled by staff at the junior end of the organization. Requiring an audit report would typically be a question asked by a senior staff member. This would indicate your case has somehow raised extra attention. It could be worth the effort to figure out what could have triggered this and try to fix that.

Rob Packard If a regulatory authority is requesting an audit report, you will need to submit a full report. Sending less than the full report or redacting information will result in delays and more scrutiny as Ronald indicated.

Yes you have to no option left, just be ready with corrective action if any Non conformance identified in audit report

Daniel John Laura, sending a censored or full report depends on the Authority, that you are referring to. Usually no regulatory authority will ask for a "full audit report" unless an adverse event related to your company product has occurred. As Robert & Ronald said, if the request is from CABs or Regulatory Agency then there is no option but to send a complete report. Again you have not mentioned about the "initial certification audit" or "surveillance audit" or both reports have been requested. Usually the audit reports will only specify conformance & deficiencies along with the summary of validation reports or other supporting documentations, if any, which will not include any propriety information. So I don't understand what you meant by company specific information. And as Ronald said, your case has definitely raised attention and you have to work on identifying & fixing the same.

G M Butcher There is no use in trying to instill fear of further actions by the regulated authority by indicating this is anything more than normal. The few pages of the audit report were sent (without requesting it??) and now for completeness the regulatory authority is asking for the remainder of the report. Normal business as I see it. It may extend to requests for copies of the actions resulting from the audit, but this is a consequence of sending the first few pages. Just make sure the findings are properly executed and closed, and no worries. Your company may want to learn from this experience and establish a process for handling documents / records requests from external sources - many companies have this process established simply because of the sensitive nature of some information. It is easier to reply 'that is not our policy', than to send incomplete or sensitive information.

For what reason are they asking? if your company has retained it's certification, this should be enough. This is a business decision, however employees and company confidential information must be protected unless there are non-disclosure and confidentiality agreements in place for product and company info.

It is always better to provide the information required by a competent authority as it is showing you are willing to cooperate. In addition they can't make any decision just based on the first pages of the report.

Markus Angst Like Ronald, I feel that this kind of request is very unusual, and would also be curious to learn about its background.

Daniel John To ensure proper response to "Authority" that you are referring, there should be information on why confirmation by the Notified body along with the first few pages of the audit was sent in the first place.

I agree with one caveat--do not submit the report until any major nonconformities are addressed so the report will so reflect. The minor ones should reflect that they will be reviewed at the next audit.

Laura Irwin Rossing Thanks for the feedback Ronald and Robert. I appreciate your perspectives and experience - so now I can relay this on. Personally, I would just hand it over, but here I am functioning more as the coordinator as a part of a larger group and need to respect Company/group wishes. Therefore the audit will be redacted for names etc to start with and a letter will sent explaining what is redacted, why and that is doesn't change the content nor its understanding. If this doesn't work, then they can have the whole report unredacted.

To give a little more background, this Authority is relateively new to the Regulatory domain. There have been several episodes where it is quite clear that they are still learning the ropes in regards to their own system/criteria e.g. how the ISO certificates is understood/interpreted as is the case here. On the other hand, I need to respect that they have their own interpretation and methods.

Will let you know how we get on.

Have a good day!

Jonathan Wacks Not a terribly common request. Is the company or the industry under scrutiny?

Whenever a Competent Authority requests information, you must provide it. Remember, they have the authority to say yay or nay to the approval of your products in the country which they represent. The gentlemen above have advised you wisely.

Sonja Holten Carefull with what you send. However, if the CA have seen it exists it is fair game when asked for. Make sure CAPA (corrective and preventive measures) are in place and in good order. Btw you do not have to hand over company sensitive data, like financial or strategic information. They can ask but you may politely refuse.

ommon for registration in the Middle East and providing a redacted report will almost certainly result in the application being rejected.

Laura Irwin Rossing Thank you so much for your input. I can see that there are different definitions.

Luckily no company scrutiny or anything like that. The reports have nothing that attracts attention. I sent the Re-certification audit, but in essence it would have been smarter to take the follow-up to show closure as suggested above.

I think that it is as simple as that the country is new in implementing their regulatory systems. The legal representative in the country does also not know why they want it, but it is apparently not unusual. Requesting a full report and not accepting the certificate is, from what I have understood, also common practice in countries with new regulatory systems outside of the EU (among other countries). So this seems to be a beginner issue. I'm trying to take it up as a business decision as this would close it nicely next time.
The Authority inspected and passed the premises recently. In essence we should have let them see the Report here if we had predicted this.

ISO 13485 speaks to the Quality Systems audit so I am curious- agencies rarely want to see actual reports of your own internal systems audits, they mainly want to see that you actually perform them and track your findings/resolutions. So then, is this a report of an audit that your company performed on one of your suppliers? And is it the supplier's proprietary information that you are attempting to protect? I think if you specify if this is the case then you might get more specific responses.

Laura Irwin Rossing Thanks Carolyn and Marcy. I am aware that Agencies rarely ask for this, but my main point here is that when most people refer to agencies, they are well established, European/North American/Asian etc agencies, not newly started countries. Therefore it doesn't surprise us. Additionally, the ISO is not understood in the same way as in Europe, so it is just a question of perception and culture and that has to be worked with.

The Audit report is the Companies ISO 13485 Report in full. There seems to be no interest in other documents.

The question of proprietary is a Little harder as I am in the RA department and this is more a business question. The working Group's QA people made these decisions and will take it up further. True, I should have specified exactly what was being specified in that sense rather than just stating it out of context. Good point.

Thanks so very much and have a great day - I will let you all know how we get on!
Laura

Laura Irwin Rossing Hi Everyone! Just an update - the censored Audit report was accepted and the submission approved.

Thanks for all of your input!

Kind regards,
Laura