Considerations for a value-added internal audit program

Patient safety relies on a robust, effective, and consistent quality management system (QMS) established for the specific facility, operations, and product challenges encountered by the organization. Once the appropriate processes for risk control are in place to minimize patient safety risk, a robust QMS should ensure that the controls are properly maintained and appropriate for the site operations, and they should signal when adjustments are needed due to challenges. The formal expectations for monitoring and maintaining the effectiveness of a QMS for pharmaceutical products and drug substances are outlined in ICH Q10, and ICH Q7, respectively.

Internal audits are a key component for monitoring and assuring the continued effectiveness of a QMS. The value provided by a strong internal audit program is in the early detection and correction of quality concerns, reducing the likelihood of patient safety issues and decreasing the waste of resources. An effective internal audit program should also result in increased customer satisfaction, reduced likelihood of recall, and successful agency inspections.

Given the critical connection between protecting patient safety and internal audits, the program should be prioritized and executed in the same way as a formal agency inspection. Of course, most companies are not conducting a simultaneous audit of all their systems, as is done in an agency inspection. However, the priority and diligence assigned to internal audits must elevate to an agency-inspection level to attain the intended risk management and efficiency benefits.[vc_column_text css=”.vc_custom_1659011065574{margin-top: 40px !important;margin-bottom: 20px !important;}”]

Here are 10 KEY CONSIDERATIONS to ensure your internal audit program delivers efficiency, effectiveness, and patient safety targets.

[vc_row margin_top=”20″][vc_column width=”1/2″][vc_column_text]



The ultimate goal of timely internal audits is patient safety.

[vc_zigzag][vc_column_text]These audits ensure that the site is executing the expected risk management controls to reduce the likelihood of patient risk associated with the production of medicines. Keeping this purpose in mind may help to focus the program.[/vc_column][vc_column width=”1/2″][vc_column_text]



Every audit should compare how things are executed in practice versus the expectations in specific laws and regulatory guidance.

[vc_zigzag][vc_column_text]Evaluating internal activities against current Standard Operating Procedures (SOPs) assumes that these fully address the risk associated with the regulatory requirements. If this assumption is incorrect, the patient will continue to be exposed to the specific risk element. Keep in mind, complying with your internal SOPs is not the same as complying with the regulations. This is often evidenced by unexpected receipt of regulatory inspection observations in areas covered by the internal audit program.[vc_row margin_top=”40″][vc_column width=”1/2″][vc_column_text]



The checklist is a convenient time-management tool, and can act as a reminder to perform repetitive, time-sensitive tasks.

[vc_zigzag][vc_column_text]However, unless non-compliance is a standardized practice at your facility, you are unlikely to identify such issues using a checklist. Audits should identify activities that result from inefficient or ineffective controls. Checklists can record standardized and repetitive tasks but are less effective at revealing infrequent or unexpected non-compliance concerns within a system.[/vc_column][vc_column width=”1/2″][vc_column_text]



One of the biggest constraints for internal audits is time. It is rare that an organization has Quality Unit personnel solely dedicated to internal audits with no other responsibilities

[vc_zigzag][vc_column_text]These audits ensure that the site is executing the expected risk management controls to reduce the likelihood of patient risk associated with the production of medicines. Keeping this purpose in mind may help to focus the program.[vc_row margin_top=”40″][vc_column width=”1/2″][vc_column_text]



Regulatory inspectors are responsible for seeking evidence that proves an organization is operating in compliance, which is essential for patient safety.

[vc_zigzag][vc_column_text]An inspector prepares for the site inspection by refreshing their knowledge of the regulations governing the facility type, studying any historical data related to the specific site, and reviewing any non-conformance trends among companies with similar operations. Although inspectors always review SOPs to understand the organization’s intentions, completed records will always be reviewed to confirm compliance. Similarly, an internal auditor should refresh their knowledge on the requirements of the specific system and any performance data available prior to the audit. Industry non-conformance trends could help identify the vulnerabilities unique to each system. During the internal audit, perform in-depth reviews of the records for compliance, consistency, and data integrity. Always consider whether the records provide an acceptable level of proof that the system is operating within compliance and an acceptable level of control to minimize patient safety risk.[/vc_column][vc_column width=”1/2″][vc_column_text]



Companies often start the year with a comprehensive internal audit plan, scheduling each system to be audited at appropriate intervals throughout the year and perhaps even assigning auditors.

[vc_zigzag][vc_column_text]Despite even the best preparations and intentions, including approval by the Quality department, when challenges arise, internal audits are often de-prioritized in exchange for other operational needs. Considering the purpose of the internal audits is to minimize risk to patient safety, any program delays could elevate that risk. You would never consider de-prioritizing participation in an agency inspection; internal audits should be prioritized with the same level of importance.[vc_row margin_top=”40″][vc_column width=”1/2″][vc_column_text]



Identifying areas for improvement and assigning CAPAs is essential to ensure patient safety.

[vc_zigzag][vc_column_text]Implementing preventative actions should eliminate recurrence of non-compliance or risk concerns. When implementing corrections, there may be a need to assess products or materials processed using the system under audit. This evaluation should be recorded as part of the audit corrections. The total number of CAPAs created by the internal audit should not be the measure of success or failure. Rather, the focus should be assigning the appropriate CAPAs to eliminate causes and contributing factors. Consider combining several related CAPAs to ensure that a robust effectiveness check can be designed and the overall system improved.[/vc_column][vc_column width=”1/2″][vc_column_text]



Performance metrics drive internal behaviours. It is critical to ensure metrics do not drive behaviour that inadvertently increases patient safety risk.

[vc_zigzag][vc_column_text]For example, placing a limit on the total number of internal audit observations as a performance metric may ensure the site does not exceed a specific number of observations, but it also diminishes the value of the internal audit by limiting the identification of risk and non-compliance issues. Metrics related to internal audit performance should emphasize adherence to schedule, time to CAPA assignment, on-time CAPA completion, positive effectiveness checks, and recurring events.[vc_row margin_top=”40″][vc_column width=”1/2″][vc_column_text]



Internal audits generate information and data that is useful for continuous improvement. In addition, CAPA and effectiveness checks are essential to ensure the overall internal audit program is suitable.

[vc_zigzag][vc_column_text]It is helpful to manage this data through an electronic system for the purposes of tracking, identifying trends, and scheduling internal audit frequency based on risk. The electronic capture of audit data allows for trending across systems to identify broader issues, such as personnel qualification. This is why it is important to implement the practice of looking across the audited systems as a part of the program.[/vc_column][vc_column width=”1/2″][vc_column_text]



An essential element of the internal audit program is a qualified, objective auditor. The auditor must be familiar with the regulatory expectations of the system while also being independent of the system under review.

[vc_zigzag][vc_column_text]Often, firms will use personnel at the site to perform local audits. These auditors may not be objective, though, and their bias due to their experience in everyday operations may interfere with their ability to recognize non-compliance issues. Furthermore, if an auditor participated in design of the system under review, it may be difficult for them to be impartial during an audit of the system. Typically, firms assign staff who do not work on the specific system to conduct the audit often someone who works in the Quality unit. This can present other challenges. Who then will perform the audit of the Quality System? Since staff from other departments may not be qualified in the regulatory expectations for the quality system, it is strongly recommended that a third-party service provider assist with internal audits of the Quality System.[vc_row margin_top=”40″][vc_column][vc_column_text css=”.vc_custom_1659012635035{margin-top: 40px !important;}”]PharmaLex has a team of experienced GxP auditors knowledgeable in global regulatory requirements and ready to assist you in any capacity for your internal audit program, including but not limited to: designing an internal audit program, conducting audits, identifying trends, and monitoring and assisting with CAPA follow-up.View Services


This blog is intended to communicate PharmaLex’s capabilities which are backed by the author’s expertise. However, PharmaLex US Corporation and its parent, Cencora, Inc., strongly encourage readers to review the references provided with this article and all available information related to the topics mentioned herein and to rely on their own experience and expertise in making decisions related thereto as the article may contain certain marketing statements and does not constitute legal advice. 

Contact us for more information

Scroll to Top