Configuring Audit Room

Vault QMS provides an Audit Room management solution to facilitate the time-sensitive activity of conducting third-party audits. Team members participating in an audit can create requests from the front room, associate them with documents or attachments, and manage them in the back room. Vault allows them to communicate the priority, status, and fulfillment of each request, publishing them to inspectors when ready. The functionality is facilitated by the Audit Room application page, a collaborative drag-and-drop interface that assists organizations with responding to requests and efficiently presenting information to auditors.

Admins can only configure the Audit Room feature suite in systems with Vault QMS enabled. This article outlines how to configure and integrate the feature with existing Audit lifecycles. The Audit Room does not rely on workflows to process Inspection Requests and instead utilizes a drag-and-drop interface to advance a request through its lifecycle.

Configuration Overview

To allow users to utilize the Audit Room feature suite, we recommend completing the following configuration steps in your Vault:

  • Ensure the Inspection (inspection__v) object type on the Audit (audit__qdm) object is active.
  • Optional: To configure the Inspection Request object, create the Inspector Status picklist field (with values: New, In Review, and Closed), add more values to the Category picklist field, and enable attachments.
  • Create a custom sharing rule on the Inspection Request object to assign All QMS Users to the Viewer role.
  • Add the Scribe Notes document reference field to the Audit object. Ensure the field is enabled for the Inspection object type.
  • Ensure the Inspector object type on the Person object is active.
  • Configure the Audit and Inspection Request page layouts according to your business needs. Ensure that a related object section for Inspection Requests exists on the Audit object page layout.
  • Create a custom tab for Inspection and Inspection Requests.
  • Add the Inspector, Fulfiller, and Front Office application roles to the Audit Lifecycle and Inspection Request Lifecycle.
  • Edit the permissions for each of the above application roles for the Audit Lifecycle and Inspection Request Lifecycle.
  • Configure security for Inspectors to access certain fields, documents, or attachments when they access records in Vault.
  • Set up VeevaID or External User licenses to accommodate Inspectors accessing Vault. We recommend that you implement only one (1) of these approaches for all inspections within the same Vault.
  • Add the Enter Audit Room user action to the In Audit state of the Audit Lifecycle.
  • Optional: Add entry criteria to the desired states on the Inspection Request Lifecycle to check for field values before a record progresses. Vault still applies these criteria when users initiate state changes from within the Audit Room.
  • Configure a Quality Team for the Inspection object type on the Audit object.

Permissions for the Audit Lifecycle

Admins must edit the role permissions on the Audit Lifecycle for each applicable application role. The Front Office and Fullfiller roles require Edit permissions in the lifecycle states in which they can edit an Inspection record. The Inspector role only requires View access to the Audit object when it’s in the In Audit state.

Permissions for the Inspection Request Lifecycle

Admins must edit the role permissions on the Inspection Request Lifecycle for each applicable application role. Vault displays an error message if the minimum permissions are not assigned at the object or field level to a user who attempts to access the Audit Room page.

The Front Office and Fullfiller roles require Edit permissions in the lifecycle states in which they can edit an Inspection Request record. We recommend granting View permissions to these roles when requests are in the Published, closed, or canceled states. The Inspector role only requires View access to the Inspection Request object when it’s in the Published state.

Configuring Audit Room for Inspectors

Inspectors require the Inspector User security profile to be able to view Inspections and their associated requests. Vault automatically assigns this security profile to new users assigned as Inspectors on an Inspection record. The following sections outline how to configure your Vault to ensure that Inspectors have appropriate access to view an inspection, its requests, and associated materials.

Configuring Security for Inspectors

You can control Inspectors’ access to certain fields or actions when they view Inspection and Inspection Request records within Vault. To control their access to certain object record fields, documents, and attachments, perform the following configuration steps:

  1. Optional: Configure field-level atomic security on the In Audit state of the Audit Lifecycle to grant Inspectors View permission to specific fields, such as the Scope, Date, or Purpose.
  2. Configure field-level atomic security on the desired states of the Inspection Request Lifecycle to Hide specific fields from users in the Inspector role, such as Response Comments or Request Comments. Optionally, you can grant the Inspector role Edit permission to the Inspector Status field when the request is in the Published state.
  3. Configure atomic security on the Published state of the Inspection Request Lifecycle to grant Execute permissions for the Attachments: Upload and Attachments: View and Download actions.
  4. Create a custom role for the Inspector application role on the desired document lifecycle. This allows Inspectors to view Vault documents related to Inspection Request records.

Setting Up VeevaID for Inspectors

We recommend configuring the Audit Room feature with VeevaID to invite Inspectors to a limited version of Vault. Complete the following configuration steps to ensure that Inspectors receive automated invites to register for VeevaID and can view the appropriate pages:

  1. Ensure the standard QMS (qms__v) tab is active.
  2. Add the Persons related object section to the Inspection object type page layout.
  3. Add the Invite Inspectors to VeevaID user action to the In Audit state of the Audit Lifecycle. You can also configure this as an entry action.

Setting Up External Users for Inspectors

As an alternative to setting up VeevaID, you can configure External Users to give Inspectors access to Vault. For organizations who prefer to directly create, manage, and maintain External User accounts and licenses for their Inspectors, complete the following steps in your Vault:

  1. Ensure the standard QMS (qms__v) tab is active.
  2. Create a permission set, such as External User - Audit Room, with Read permission for the following objects, object types, and tabs: Objects: Audits: Inspection, Objects: Inspection Request, Objects: Inspection Request - Document, Objects: Organization: Health Authority, External Organization, Tabs: Tab Collections: QMS, Tabs: Home, Inspections.
  3. Create a security profile, such as External User: Audit Room, and add the permission set created above to this security profile.
  4. Create a Vault user, such as External License, and assign the Inspector application role to the new user.
  5. Create a Person record and link it to the User record created above.
  6. Add the Persons related object section to the Inspection object type page layout.

Repeat steps 4 and 5 for each Inspector you’d like to add.

Configuring a Quality Team for Inspections

You can create a Quality Team for the Inspection object type on the Audit object to facilitate the assignment of team members to specific sharing settings on an Inspection object record. Create at least two (2) team roles to link to the Front Office and Fulfiller application roles. You can define role membership restrictions if suitable for your organization’s needs. We also recommend securing the Inspection Request related object for each team role created in the Quality Team definition.

To view the team members section on a record, a user requires Read permission on the relevant team-enabled object. To add, remove, or otherwise manage Quality Team members, a user requires Edit permission on the relevant team-enabled object. The ability to edit Quality Teams on team-enabled objects in a given lifecycle state also depends on the lifecycle’s Atomic Security on Relationships or locked state configuration.