The purpose of an internal audit is to ensure the compliance of the process or processes being audited. That the documented procedure is followed, justified, validated. That the operators carrying out the process are trained and have a strong understanding of the process.
Why do we need to audit?
- The regulator requires in via The PIC/S guide to GMP for medicinal products. Section 9 & 10 of ISO 9001 (2015) – Quality management systems details the internal audit and process improvement with ISO 19011 (2011) – Guidelines for auditing management systems detailing specifics. Admittedly, I’ve not looked at that in a while and what follows is off the top of my head.
- To ensure your processes are compliant
- Where a process has been found to be non-compliant, a gap analysis or risk assessment needs to be performed to determine how big of an issue the non-compliant process is. That way a plan can be put in place a prioritised and if a regulator drops by to audit.
- To be confidant you pass a regulatory audit.
- Regular internal audits familiarise your staff with the audit process. NOTE! Internal audits can be conducted more “openly” than a regulator audit as the point is not to “hide” gap. Your internal audit needs to find any gaps so they can be addressed, thus reducing the chance of citations. If you were found to be hiding a gap, you may not pass an external audit. Here it might show a problem internally if large gaps were not identified until an internal audit. Are the operators not advising management? Is everyone trained? Are people paying lip service to the need to follow procedures etc?
What are the Regulatory Requirements?
- In Australia, the TGA requires healthcare products be manufactured according to the PIC/s Guide to GMP . Chapter 1 states that a Quality Assurance internal audit system needs to be in place.
Scheduling the Internal Audit
- At the top level, you should ensure your site has an internal audit schedule that examines processes across your site. Eg.
- Learning and Development
- Quality Assurance
- Quality Control
Stick to the schedule!
You could review every single process each year, though if you have a small team or auditors and a large facility, I’d recommend setting up a schedule to cover the documentation update cycle and when the overriding SOP is due to be updated, audit the process 6 months before so any deficiencies identified can be incorporated into the documentation update. The added bonus here is that you are not expending time updating a document that “was just updated”. Be sensible here as if every process was being updated in June, auditing everything in January would be ineffective. Aim for at least one process audit a month. Give consideration to areas identified as issues in regulator audits, or areas where there is high staff turnover.
Planning the Internal Audit?
Why plan? To ensure your audits are consistent and effective. In reality, you’ll be following documented internal procedures designed to ensure this.
Without planning, you are wasting your time. With your next audit identified…
- Examine the documentation: SOPs, OIs, training records, etc. This enables you to formulate questions and identify key steps in the process.
- Use an audit checklist. This might form part of your internal auditing SOP or OI. If you use your own, it forms part of the audit data.
- Review the previous audit report for the process to determine what was an issue then in order to see if improvements have actually been made.
- Schedule the audit with the relevant Area Manager to ensure resources are available. Each department should be issued the audit schedule when approved, so news of an impending audit is not a surprise.
- Confirm the audit time and date a week out and the day before.
- NOTE! If auditing an entire area, you’ll need opening and closing meetings etc. For a single process, things are much simpler.
Conducting the Internal Audit?
- Advise the attendees that this is a fact finding operation designed to improve the process and smooth things come external audit time. You want to find deviations and have known deviations communicated to you.
- Stick to the plan. That way you will be efficient. If a deviation is noticed, note it down.
- Ask questions like
- “Show me…”
- “How do you…”
- “Have you…”
- “What happens when/after/next…”
- You want to get a feel for how well the operators understand the task(s) at hand.
- You want to make sure the task is being done correctly. No additional or missing steps.
- If you record a deviation, advise the auditee of this. Tell them this will improve the process and it is not a negative reflection on them (as it will and it is not!)
- With reference to your notes, write the report. I favour bullet points.
- The report should include date(s), attendees, process audited, location, documentation reference (Policies, SOPs, OI’s, possibly standards).
- Good AND bad points
- What you have observed that might improve the process, along with logical justifications for such thought.
- Where deviations are found, Corrective and Preventative Action (CAPA) needs to be formulated, scheduled and assigned in order to improve the process.
- Sign off on the audit. Sign off on the CAPA. QMS manager (or equivalent) to sign off on the report.
Did you find this informative or useful? Please consider a small donation so I can expand and improve on what I deliver.