An Internal Audit System is a key building block to an effective Quality Management System. It is required as part of management responsibilities as indicated in the following regulations and guidelines.
- 21 CFR 820.20, Management Responsibility
- European Commission, EudraLex, Volume 4, Chapter 1, Pharmaceutical Quality System.
- ICH, Q10 Pharmaceutical Quality System (ICH, April 2009).
The information gathered through internal audits allows an organisation to continually improve their operations and maintain an audit ready status for external regulatory inspections. To reap the benefits of the internal audit system, it needs to be an effective and well run program. If the internal audit program is developed and rolled out appropriately, internal audits can provide key information to identify problem areas or prevent issues before they lead to compliance issues. Corrective and preventative actions can be put into place internally within the organisation before they arise. If the issues cannot be resolved immediately, a plan can be put in place. Internal awareness of weak or high risk areas gives you time as a company to decide how you will address this before it arises during a regulatory inspection. Having a plan of action in place will instil confidence in your regulatory inspector that you are in control and that you are continuously improving your operations. Internal audits also offer a great chance to communicate quality issues to all personnel across the company. Discussing issues from a quality perspective is valuable training for personnel and sets a tone for a good Quality Culture. So how can you roll out an effective Internal Auditor Program?
- Consider the structure of the audit program carefully. Take a risk based approach to the frequency of the audits. However, include a minimum frequency to ensure no area is overlooked. Consider if you wish to have audits system based or functional area based.
- Train your audit team. Have you an auditor certification program? What training or mentoring must they have completed to be an internal auditor? Have you lead auditors available to mentor newer auditors? Complete refresher training with internal auditors. Keep them up to date with regulatory changes, observation trends, and risk areas.
- Prepare an audit schedule periodically. The schedule should include who is the auditor and auditee area. Remember Auditors should be independent of the area they are auditing. Inform the auditors and auditees of the schedule as soon as it is issued.
- Auditors should plan the audit with the functional area well in advance. This gives the functional area time to prepare for the audit operationally and gives breathing space for scheduling changes. Prepare an agenda for the audit. Ahead of the audit identify any high risk or problem areas with the relevant personnel. Take a risk based approach and plan to apportion audit time to higher risk areas
- Have an opening meeting with all the functional areas, if possible, at the start of the audit. An internal audit should not take the same form as an audit by a regulatory authority. An internal audit should be a collaboration between the function being audited and auditor. It should be an open, honest, collaborative, educational forum where functional areas have the opportunity to discuss concerns and problem areas openly.
- During the audit, auditors should be direct and avoid asking questions designed to catch people out. The auditors should take this opportunity to educate personnel by explaining why they are asking particular questions and providing the regulatory citation for the inquiry. Another important behaviour is the ability to listen to the answers to the questions. The auditor needs to adopt a friendly, non-confrontational tone.
- Individuals who are responsible for performing the day-to-day activities often have the best insight as to what is working and what needs to be improved. Excluding them from participating in the audit process might result in overlooking a serious issue that could come up during a regulatory inspection.
- To enable the auditor get the most valuable information about the potential compliance issues facing the organisation, internal audits should not be judgmental or have a ‘tick the box’ mentality in execution. They should also avoid looking retrospectively in lieu of looking forward.
- Have a close out meeting. There should be no surprises here as the collaborative style of the audit means that issues have been discussed throughout the day.
- Prepare an audit report and capture the Corrective and Preventative Actions on a tracker with a due date and ensure closure of the actions. These, as with all CAPA actions, should have management oversight.