Ask an Expert: Regulatory Compliance Audits – An Overview

June 24, 2020

Audits. The word strikes fear into the hearts of most people working in any consumer related industry. At the very least, they can be inconvenient and tie up resources that could be used for more productive endeavors.

What is an audit and what is the best way to prepare for them?

Per ISO 19011:2011, Guidelines for Auditing Management Systems, an audit is defined as a “systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.”[1]

What are the types of audits?

The types of audits include Product, Process, and System.

Product Audit – Reviews a product to determine if it conforms to performance, specification and customer requirements.
Process Audit – Looks at an activity to verify all procedures, inputs and results correspond to predetermined instructions and requirements.
System Audit – A System Audit reviews everything within a system (processes, products, services and support functions (packaging, training, waste management, etc.)).

An audit may be internal or external.

Internal Audit (first party audit) – an audit performed by a company on itself, or on a company’s behalf.
External Audit (second party or third party audit) – an audit performed by an outside resource.

Continuous Manufacturing A second party audit may be conducted by outside resources, such as a supplier, customer or contracted organization on behalf of a customer.

A third party audit is an audit performed independent of the supplier/customer relationship.Government audits and certification audits are forms of third party audits.

Audits may not follow all of the procedures described below as they depend on the purpose of the audit or the focus and motivation of the auditor.

What are the usual steps in an audit process?

Pre-Audit – Typically, before an audit is conducted, the auditee will receive notice of the audit.After the initial contact, the audit scope, audit objectives and an anticipated schedule for the audit will be sent to the auditee.This will give the auditee time to arrange for the proper resources and documents to present during the audit.Note that this will not occur for a surprise FDA audit.

Audit – An audit will commence with an introductory meeting to introduce the audit team and the auditee support team. Data collection for the audit usually includes a facility tour, review of applicable documents and records, observation of the work process, examination of the product (including but not limited to: labels, packaging, housekeeping, equipment maintenance, etc.) and interviews to confirm adherence to procedures and employee understanding.

Data patterns and trends may also be reviewed. A wrap up meeting is typically held at the end of each day to summarize any observations. An exit meeting will conclude the audit where the audit team will share the audit results. The exit meeting should include a review of all significant findings from the audit.

Post-Audit – After the audit, the auditor will provide the auditee with a formal, written audit report to communicate the observations and results of the investigation.This report should include any findings, nonconformities or deficiencies encountered during the audit.If required, the report will ask the auditee to provide a corrective action plan for nonconformities and deficiencies. The auditee will then have defined period to respond to the audit findings.
Audit Follow Up – If corrective action for any findings is required from the audit; an audit follow up may be required to determine if the corrective actions are sufficient.The follow up may vary from review and approval of the corrective action plan to a re-audit for serious nonconformities.

What are the benefits to performing an audit?

Verification that the product, process and system operates as intended to meet all acceptance criteria.
Identification of any risks or deficiencies in the product, process or system that may impact quality or user satisfaction.
Identify possible improvement opportunities.

Design Group Regulatory Compliance professionals have experience acting as consultants on behalf of clients in Food & Beverage, Life Sciences, Consumer Goods, and other market sectors. Their experience includes quality system, MDSAP, ISO 9001, ISO 13485, GAMP 5, 21 CFR Part 11 and 820, cGMP and data integrity audits among others. Connect with our experts for more information.

[1] ISO 19011:2011, Guidelines for Auditing Management Systems (Milwaukee, WI: ASQ Quality Press, 2011), p. 16

Laura is a Project Manager in the Regulatory Compliance group at Design Group. She has a BSE and PE in Chemical Engineering. Laura is also a Certified Quality Auditor (CQA). She has been on both sides of the auditor’s table on separate occasions serving as a client representative and performing supplier audits.

In her 20 years in project management and regulatory compliance, she has been involved in all stages of project engineering. Responsibilities ranged from generating User Requirement Specifications, developing the supplier bid package, performing Change Control tasks, overseeing installation, generating and executing qualification documents for equipment, facility and utility systems, and reviewing the supplier turn over package for accuracy and completeness.