Guest Column | March 16, 2020

Are You Ready For A DSCSA Audit? 5 Steps To Ensure The Answer Is "Yes"

By Mike Karhoff and Mark Karhoff, Ten Count Consulting, LLC

Imagine the FDA showing up at your headquarters or distribution center for an audit. Your team is ready for the gauntlet of questions and is prepared to show proof through procedures, data, and action. The team just needs to stay focused and finish the audit and the officials will be on their way. Then, the auditor starts to ask questions about the U.S. DSCSA (Drug Supply Chain Security Act): “Show us how you offer and share your T3 data with downstream trading partners.”1 You hold your breath and gulp as your mind tries to recall who the company expert on this is. Is this question owned by supply chain, quality, or commercial operations?

Pharma Manufacturer Readiness

T3 data sharing is only one aspect of DSCSA. We have assessed company readiness for DSCSA questions in audits and have found that often companies are not as prepared as they should be, especially on clear ownership and documentation requirements. According to our count, there are 75 considerations that need to be covered by manufacturers to meet the full requirements of the DSCSA.

The prep work and assessments we have completed to date reveal that many organizations are missing overarching playbooks and often need to involve new internal groups in FDA audit preparedness. The quality and manufacturing teams that typically handle the auditors are often not subject matter experts on DSCSA and may not yet have the knowledge to satisfy auditors’ questions around the DSCSA. In fact, the DSCSA gives the FDA more reasons to show up at your company headquarters to find the right people to answer their questions on company-wide aspects of the law. Do the associates handling their visit know which groups to involve? Do all of the team members know the role they serve in DSCSA? Do your business leaders understand these needs? 

DSCSA is meant to cover all sectors of the U.S. pharmaceutical supply chain, not just manufacturers. We count 65 requirements that are related to distributors and over 60 requirements for dispensers.

Many of your requirements can be met by reviewing and updating your processes and training your personnel to be ready in case a federal or state official shows up with questions on DSCSA. Much of the law can be met with existing systems, but don’t be surprised if you start getting calls from vendors wanting to sell you new solutions. Ask that they identify specific requirements of the law and associated guidance their product covers so you can look at your existing systems and procedures first. While a new system may be the best course for the long term, it is best to focus on basic compliance first, with a constant eye on where the industry is going on future requirements, such as 2023 interoperability systems. Although you may not have had the FDA or other state or federal officials show up for this type of inspection to date, the time to prepare is before the official is at your site to avoid giving the impression of non-compliance.

Our intent is not to induce panic but rather to highlight where sound planning and preparation are required and to emphasize there is more to the law than simply a 2D matrix barcode and some data scanning. DSCSA requirements cover everything from annual reporting to verification requests, from T3 sharing to trading partner authorization, from serialization to data retention, and much more. Remember, the heart of the law is to protect the patient and facilitate quicker investigations in the event of a suspicious product. 

What Steps Should You Be Considering?

Here are five things to consider in preparing for these requirements in a federal or state audit:

  1. Determine Specific Requirements. Build a list of the requirements of the DSCSA that affect your business by reviewing the law and related guidance documents. Be sure to keep an eye out for requirements where you need to support your partners, such as sharing data or documents.
  2. Establish Ownership and Coverage. Match an owner to each of the requirements on the list and work through any areas where ownership is not clear. This may require working with industry peers or external resources that are familiar with best practices on ownership. You will likely have some owners that are not as familiar with state or federal audit processes, so cross training may be required from those who handle such audits.
  3. Document Coverage. Make note of systems, procedures, or documents that will help show how you are covering each item. Where possible, we recommend using existing procedure management systems where you can establish links that are automatically updated if documents are revised.
  4. Pressure Test. Perform mock audits to test your readiness and the completeness of your documentation. This may be done initially in an informal conference room pilot but should conclude with something more formal that captures areas for improvement and follow up. Using an external resource or someone who understands the law but has not been part of building the coverage document should ensure the highest level of readiness.
  5. Set Up Regular Reviews. Once you have completed the list and it is ready for audit use, it is important to plan regular checkups on the document to ensure it stays up to date. We recommend considering a quarterly or twice-annual review, as well as a review whenever DSCSA guidance documents are updated or the company makes significant changes in related areas.


Good preparation will yield good results when an audit happens. Matching the proper owner to each requirement will also help build the confidence of your team because they will feel more prepared when an auditor shows up. We have also found that a significant benefit is that it allows your company to move project-related activities into fully operational mode for the long haul.

The old saying “an ounce of prevention is worth a pound of cure” really does apply. Audit preparedness is a wise investment to avoid the bad press, legal fees, and fines that follow a bad audit. 


  1. U.S. FDA, Drug Supply Chain Security Act (DSCSA)

About The Authors:

Mark Karhoff is a supply chain consultant and founder of Ten Count Consulting, LLC. He has 25 years of experience in program management, process improvement, supply chain solutions, and blockchain, as well as DSCSA (Drug Supply Chain Security Act) compliance. Mark has served as a contracted pharmaceutical client representative with industry groups such as PDG (Partnership for DSCSA Governance), HDA, GS1, and PDSA to establish standards and build alignment on solutions to meet the unfolding U.S. law. He lives with his family in Chicago and believes in advancing corporate social responsibility through his volunteer work with a job skills program for 18 to 24 year-old urban youth called Year Up-Chicago. You can reach him at or connect with him on LinkedIn.

Mike Karhoff is a supply chain and project management consultant at Ten Count Consulting, LLC. He serves as the DSCSA assessment lead and coordinates a pharma manufacturer best practices forum. Mike has over 25 years of experience in project management, manufacturing quality, and engineering roles. He has a diverse background of project management in the pharma, foundry, and automotive industries. He lives with his family in Northwest Ohio and travels to clients throughout the U.S. You can reach him at or connect with him on LinkedIn.