<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=489233&amp;fmt=gif">

7 Steps of the Internal Compliance Audit

Published
Updated

Internal audits can strengthen the quality management system (QMS) of your organization by improving sub-processes by identifying open issues and opportunities. In addition, internal audits can be more informal than external audits so that your organization can simulate an external audit in a less stressful setting. Although various regulations mandate the internal audit, it also has many benefits for your organization and employees, especially for the company’s quality culture.

A well-implemented internal audit management system can help foster an organization-wide quality culture. A well-implemented internal audit means you can adapt internal audit processes to your paper-based QMS or have a separate module in your eQMS to link and track internal audits easily.

 

Why Perform Internal Audits?

Internal audits are also called first-party audits and performed by or on behalf of the organization for management purposes. This can provide the basis for the organization’s self-declaration of conformity.

ISO 9001 and ISO 13485 require organizations to have a QMS that reflects their processes. Specifically, clause 9.2 in ISO 9001:2015 and clause 6 in ISO 13485:2016 demand that we ‘shall’ conduct audits; it is not an option if we wish to comply with the standard. Therefore, internal audits are a vital management tool for evaluating the conformance of the management system to the related standard(s).

 

Basics of the Internal Audit

Internal audits are for evaluating a company’s internal processes. We take advantage of internal audits by identifying and correcting problems before an external auditor observes them. Furthermore, the problem can be challenging, requires further investigation, and is much more expensive if an external auditor finds it.

 

Infographic that shows the main stakeholders involved in an internal audit | Scilife

Pitt, S.-A. (2014). Internal Audit Quality (1st edition). Wiley.
 
 

By maintaining a disciplined, integrated approach to regulations, policies, risks, controls, and issues, the organization can demonstrate that it has an understanding of regulatory compliance obligations and can provide transparency into overall business risks. The seven key steps of conducting an internal audit are as follows:


1. Schedule the Audit

A. Identify the Processes for Auditing

The audit team should identify the areas, departments, and/or processes that operate using policies and procedures that need auditing. Once you have the list of all the areas, start listing each subprocess or activity. The auditor can conduct an audit in two ways: department-/function-based or product-based. If the auditors conduct a product-based audit, they select a product or product group and review its entire process.

 

B. Determine the Frequency of Internal Audits

Depending on the department, some areas may only require annual audits, while others may require more frequent audits. For example, production processes need to be audited monthly, weekly, or daily, while non-operational departments only need audits annually.


C. Audit Calendar

Once you determine and define processes and the frequency to be audited, you should define them within your QMS or, more precisely, the internal audit management system. Now you can start creating an audit calendar for the year. Distribute the audit calendar to top management, department managers, and the audit team itself in this way:


      • The entire organization will be informed.
      • Departments and audit teams can plan their activities and work accordingly.
      • The audit team can ensure that they are done consistently on time.
      • Ensure that no single process or area is left unaudited. 

To maximize the potential of the auditing function, follow a structured and systematic approach.

If you have (or plan to have) an eQMS, consider its features for internal audit management. This can help you conduct the entire audit process, including setting up an audit calendar, notifying stakeholders automatically, assigning auditor(s) and auditee(s), executing on time, following up after audit actions, and closing such actions effectively. Furthermore, you can easily integrate different QMS features into the internal audit process, such as CAPA management, events and change control.

 

D. Unscheduled or Ad Hoc Audits

Unscheduled audits are permissible as requested by management and may include:

      • Mock pre-approval inspections
      • Addition of a new product or service
      • FDA (or other MOH) readiness determination
      • Significant changes to external regulatory requirements
      • Issues identified in a previous regulatory inspection
      • Verification assessment
      • Due diligence
      • Product-focused audits

 

2. Prepare the Audit

A. Audit Notification

Notify the auditee department in advance so they can prepare all necessary documents for the audit. Notification should be given to the most senior manager of the audited department, and the notice should include the following:

      • Proposed date of the audit
      • Members of the audit team
      • Content and areas to be audited (the scope of the audit should be known in advance)
      • Proposed duration of the audit
      • A general audit plan
      • Request for documents/personnel that must be available for the audit

B. Audit Arrangements

The lead auditor may request the auditee to provide data for review before the audit. This data can include:

      • Previous audit findings/observations, including status reports
      • FDA’s MAUDE queries for Medical Devices
      • Management Review Minutes
      • Product Surveillance queries
      • Drug Master File(s) or Device Master Records
      • Batch Records or Device History Records (DHRs)
      • Validation reports or Design History Files (DHFs)
      • Policies, procedures, protocols, specifications
      • NCMR reports, exception reports, yield reports, or scrap reports

 

C. Audit Team

Some organizations have auditors who work together as a team. Typically, the most experienced auditor should be the lead auditor. Or you can team up with your employees to audit your internal processes, and the team members may be interdisciplinary. The critical point is having them be trained sufficiently internally or externally or both. ISO 19011:2018 is a general standard for implementing auditing management systems within your organization. Furthermore, you should also align this standard with the related ISO QMS standard, such as ISO 9001 for general purposes or ISO 13485 for medical device manufacturers. The lead auditor decides between the auditors to agree on a division of the work and which departments will be audited by whom when they plan the audit calendar.

 

3. Audit Execution

A. Opening Meeting

Auditor(s) conduct an opening meeting. The lead auditor shares the strategy and scope of audit at the opening meeting with the auditee(s).

 

B. Audit

After the opening meeting, auditor(s) may request to walk through the operation area, such as production processes, warehouse, etc. These walks might be at the beginning of the audit to get a clear idea of how the process works. Or auditor(s) may demand to visit afterwards when they specifically review that process. Auditors start reviewing the selected process by sampling and recording the contextual objective evidence. This may include:

      • Documentation

Reviewed documents during the internal audit.

Document name and code, revision, issue and effective date, reference(s).

      • Personnel

Interviewed employees during the internal audit,

The person’s name, title, and department.

      • Physical Processes

Reviewed processes during the internal audit,

Process name, product/material name, code, and batch number.

 

C. Daily Wrap-Up

The lead auditor conducts a daily wrap-up with the most senior Quality Managers each day of the audit. This wrap-up should ideally be an open and frank discussion of all potential observations discovered during the audit along with any questions or concerns up to that point.

 

D. Draft of Observations

The auditors confirm the internal audit standard(s) and /or requirement(s) and decide whether their observations meet those requirements. Each observation needs to be categorized as:

      • Critical observations
      • Major observations
      • Minor observations
      • Opportunity for improvements

 

E. Closing Meeting

The lead auditor schedules and conducts a closing meeting with all involved quality and operations personnel. The closing meeting is an excellent opportunity to provide feedback to the auditee on the areas where the system works well or needs improvement. This helps reduce the belief that auditing is a negative activity. All observations intended to be included in the audit report are discussed, in addition to the probable classification of each observation. Preparation for audit closing meetings should include the observations with references to applicable regulatory requirements or corporate policies for each observation. We suggest you use the following during the closing meeting as talking points:

      • Thank the auditee(s) for their cooperation.
      • Explain that the internal audit is sample-based.
      • State the general outcome of the internal audit.
      • Advise the auditee(s) of any observations, including the category of each observation.
      • Inform the auditee(s) when the audit report will be produced.
      • Explain and agree with the auditee(s) on a timeline to complete the correction and corrective action(s) for observation(s).
      • Answer any questions.

 

4. Audit Report

The lead auditor will issue a written report with results for each element identified in the audit plan to detail all critical, major, and minor observations, plus any comments that might include opportunities for improvements, and a final compliance classification of the site or function of “Satisfactory” or “Unsatisfactory.”

Audit reports may include recommendations for corrective actions of all major and critical observations.

The report shall be addressed to the most senior Quality Manager, and the most senior manager for the operations or functions audited. The report may include the following, as applicable:

    • Location and name of organization being audited.
    • Dates of last FDA or Ministry of Health (MOH) and corporate audits, with the classification of the previous audits.
    • Lead Auditor and team members.
    • Type of audit being conducted (e.g., pre-approval inspection, scheduled, unscheduled).
    • Regulatory standards applied during the audit.
    • Scope and areas covered in the audit.
    • Areas exempted or not covered during the audit.
    • General statements of positive findings and improvements.
    • Summary of critical and major observations found during the audit.
    • Whether a response is due or not, and the date by which the audited organizations’ response is expected.

A. Categorization of Observations and Compliance Classification

Categorization of Observations

All observations made during the inspection shall be categorized and listed in order of priority as critical, major, or minor and documented in the final report. In addition, observations corrected during the audit should be included in the final report, with a note that the observation was corrected during the audit and whether the Auditor had an opportunity to review and verify the corrections. All observations rated as critical and major shall have a recommendation for corrective action documented in the final report. Comments are optional, which includes the opportunity for improvements.

 

Compliance Classification

The site, function, or quality system audited shall be given a compliance classification based on the number and significance of observations made during the audit. Here is an example of a compliance classification:

 

Compliance Classification

Number of Critical Observations

Number of Major Observations

Satisfactory

No Critical Observation

<7 Major Observations

Unsatisfactory

≥1 Critical Observation

7≥ Major Observations

 

Sites, functions, or quality systems that are found to be in compliance with regulations shall be given the status of “Satisfactory.” Audits resulting in an “Unsatisfactory” classification shall result in a follow-up audit being scheduled to occur within a predefined time of the issuance of the audit completion notice.

Minor observations shall be grouped by quality system, and if there are more than three minor observations for any system, the combination of minor observations shall be re-classified as a major observation.



B. Review and Distribution of the Audit Report

The Audit will be reviewed and approved by the lead auditor and/or quality associate and the report shall be distributed to personnel in the following positions:

      • Chief Executive Officer
      • Most senior Quality Managers and all Quality Management in the chain of command
      • Most senior Operations Managers and all Operations Management in the chain of command
      • VP of Business Excellence
      • VP of Service of the Division (if applicable)
      • VP of Research and Development of the Division (if applicable)
      • Division/Region President (if applicable)
      • Chief Scientific Officer
      • Others specified by the lead auditor in the distribution list
      • All Auditors involved in the audit
  •  

 

5. Audit Report

A. Written Response

The auditee shall provide the auditor(s) with a written response. All responses need to be submitted within a predefined timeline following the audit report’s receipt. Audit responses should contain the following information:

      • The complete observation, with categorization.
      • Impact of the observation on the product in distribution, if any.
      • Impact of the observation on, e.g., other products or product lines, equipment, systems, utilities, qualifications, or records.
      • Correction (if applicable) 
        taken to correct the immediate nonconformity.
      • Root Cause
        How and why the observation occurred.
      • Corrective Actions
        Taken to eliminate nonconformity and prevent a recurrence, including:

-   Responsible person for the action(s),
-   Specific milestones and deliverables,
-   Expected completion date of deliverables and/or corrective action, and
-   Measurable acceptance criteria and effectiveness checks for the corrective action.

 

B. Acceptance of Action Plan

The auditor will review the response for completeness, adequacy, and timeliness of each observation’s target completion date. If the response is adequate, the auditor signs the response, indicating approval of the action plan(s). The lead auditor should review and approve the response(s) within the predefined timeline.

 

C. Audit Completion Notice

When the response has been accepted, the lead auditor will issue an audit completion notice to the auditee, which will be signed by the auditor and auditee(s).


D. Commitment Tracking

The auditee shall submit periodic updates to the response/action plan to the lead auditor and/or a quality associate responsible for tracking the progress of all corrective actions for their audits.

 

E. Review, Analysis, and Trending

Internal audit performance, issues associated with audit planning, execution, reports and responses, and trends in audit observations will be reviewed periodically. Internal audit observations are trended and discussed during Management Review.

 

6. Follow-Up

A. Execution of Action Plan

Do not underestimate follow-up! When inspecting taken actions, you should be acting like auditing the same function again. Review each piece of evidence by correlating it with the pertaining observation(s). Ideally, actions taken should be deemed effective so that the nonconformity report can be closed. But if an action is not effective, the auditee needs to issue a new nonconformity report and take other action(s) to resolve the problem. The following questions are a good guideline when reviewing the response to the audit report:

      • Was any immediate corrective action taken?
      • Was this action completed within the agreed timeframe?
      • Can the corrective action be deemed effective?
      • If not, what are the follow-up requirements?
      • Do the risk and opportunities register need to be reviewed and updated?

 

B. Periodic Status Reporting

Status reporting is very vital especially if the agreed-upon timeframe is longer than usual. That internal audit is not the only task that employees have, so tracking and reporting activities periodically give an advantage to both parties.

 

C. Extension Requests as Necessary

If any action requires different sources or more time than initially planned for, the auditee can ask the auditor what they need (and why) to resolve the observation.

 

D. Actions Verified at Subsequent Audit

All actions taken – unless they are pertaining to a critical observation – will be reviewed and verified at the subsequent internal audit. Critical observations should be handled immediately and all related actions should be reviewed at the earliest date possible.



7. Closure

A. Certificate of Completion

Once all necessary actions have been taken by the auditee and are deemed effective by the auditor, a certificate of completion will be issued to the auditee.

 

B. Records Maintenance

Audit plan, audit report and responses to the audit report, including any extension requests, audit completion notice, and certificate of completion, must be retained indefinitely until a subsequent audit has verified all corrective actions have been implemented.

 

Improving Your Compliance

Once you complete the internal audit, you should try to remediate any identified gaps as soon as possible. Conducting a follow-up audit after the initial audit will further increase the likelihood that an external audit goes well. You may identify several of the following risks during your internal audit:

  • Reputation risk
  • Operational risk
  • Transactional risk
  • Credit risk
  • Compliance risk
  • Strategic risk
  • Geographic risk
  • Legal risk
  • Vendor concentration risk
  • Cybersecurity risk

Identifying these high risks during an internal audit is the first step. Creating a plan to remediate any risks will ensure that your organization is ready for an external audit.

So if your organization still uses spreadsheets to conduct internal audits, you may be in for a time-consuming, frustrating ride. Fortunately, there is a solution for that.

 

mockup-audit

 

 

If you want to get a complete overview of how to easily conduct an internal audit, download our best practices guide here!

Download Now


How Scilife can help

Any software that can help you perform all seven steps above with ease and convenience is a worthy investment! You don’t need to waste time, effort, and resources on traditional audit practices.

But a robust audit management software will help you achieve success only when your business maintains consistency in product quality, process quality, and continuous improvements. A streamlined and standardized audit process ensures compliance standards and industry best practices are followed, while also avoiding multiple deployments – and, therefore, multiple versions of the truth – or tedious and time-consuming manual processes.

Pre-loaded with compliance framework content supporting standards and regulations, Scilife saves you time and helps identify gaps or overlaps of running multiple programs side-by-side.

Continuous compliance monitoring can create positive audit outcomes by automating the compilation of internal and external auditors’ evidence and quickly assessing the acceptability of risk controls.

Pre-built compliance dashboards provide visibility into completed tasks, open items, and more to reveal the health of your company’s compliance and IT security, along with a simple way to manage your compliance program.

 

Learn how Scilife can fit into your business to simplify all your internal audits processes, turning them into a continuous improvement tool!

Book your Demo

The requirements of Life Sciences companies (including in the pharma and medical device space) inevitably change over time. Sometimes, a change is due to regulatory requirements; sometimes, customer needs change. Keep reading if you want to...