The International Organization for Standardization (ISO), the world’s leading developer of international standards, is instrumental in boosting interest in quality audits among manufacturers and other types of businesses when it published the ISO 9000 standards in 1987. Today, popular standards such as ISO 9001: 2000, ISO 14001:2004, and ISO 13485 all require internal audits of the quality system (or the environmental management system in the case of ISO 14001: 2004). Under these standards, audit serves as a mechanism for evaluating and improving quality. The same principle is refected in a number of regulations enforced by the Food and Drug Administration. Under the Quality System Regulation (21 CFR Part 820), medical device manufacturers are required to conduct audits to ensure that the quality system is compliant (Sec. 820.22). The Current Good Manufacturing Practice (CGMP) regulations for pharmaceuticals (21 CFR Parts 210-211) and for blood and blood components (21 CFR Part 606) include general requirements for regular evaluation of quality standards. Guidances for the pharmaceutical industry and blood establishments also emphasize the importance of audits. For example, the “Guidance for Industry Quality Systems Approach to Pharmaceutical CGMP Regulations” recommends internal audits and supplier audits. The “Guidelines for Quality Assurance in Blood Establishments” call for comprehensive audit of the quality assurance program.
Nature of Audit
In general, there must be a basis (specifc requirements) for an audit and a systematic method for gathering facts or evidence. An auditor compares the evidence with the requirements and comes up with observations, which can be either positive or negative. Up to this point, the process is similar to inspection. But an audit entails much more. The auditor analyzes his or her observations for patterns also called fndings in order to draw conclusions. The auditor then presents the observations, fndings, and conclusions in a report to all parties involved. The focus of an audit can be a product/service, a process, or a system. Going back to the example of the mystery shopper, the focus was customer service in just one store. A product audit of a vacuum cleaner may entail randomly pulling out
a box from the assembly line and taking the vacuum cleaner apart to examine it from a consumer’s perspective. In both cases, the audit has a narrow focus.A process audit focuses on a single activity. For example, a process audit at an ISO-certifed car manufacturing plant might examine the process of welding body panels together, or of installing doors and windows. The audit is likely
to be short but intense. It must be conducted several times in order to analyze patterns. This kind of audit is useful in troubleshooting and in solving specifc issues.A system consists of related processes with a common goal. Using the example of the car manufacturer, an audit of the quality system will cover not just the process of welding body panels, but all other processes, from design to assembly to
safety tests, etc. This type of audit is longer and broader, covering not only different processes but also their controls.
Compliance & Performance Audits
Audits can be categorized by purpose. The following two categories are particularly relevant to FDA-regulated and ISO-certifed companies.
Compliance Audit: This type of audit is about conformance to rules and regulations. The goal is to see if activities, processes, and systems meet requirements. The result is usually black or white — a product or process or system being audited either passes or fails. When the FDA conducts a CGMP (post-approval) inspection at a pharmaceutical company, it is essentially conducting a compliance audit. A conformance assessment for the purpose of ISO certifcation is another example. In both cases, the outcome is directly tied to compliance or certifcation. The companies being audited are primarily concerned about passing the audit with fying colors.
Performance Audit: In the third edition of Quality Audits for Improved Performance, Dennis Arter writes that a performance audit looks at three things: compliance to the rules, effectiveness of those rules for use, and suitability of those rules for achieving an organization’s goals. Going back to the example of the car manufacturer, a performance audit may be conducted not only to make sure that the plant’s quality system will pass an ISO conformance assessment, but perhaps to see how the system’s effciency can be improved in order to boost production and proftability. A performance audit is usually conducted internally to look at a company’s business results, or it can be applied to a supplier to help a company decide whether to sign or renew a contract with the supplier.
Auditors & Auditees
Audits may be categorized according to the parties auditing and being audited, such as:
First-Party Audit: In this type of audit also known as internal audit or self-audit those auditing
and those being audited all belong to the same organization. Taking the case of the car manufacturer, the headquarters in Detroit may be concerned about productivity of a plant in Ohio and may send an internal audit team to help fnd ways for improvement. An ISO-certifed supplier may also conduct a frst-party assessment to make a self-declaration of its conformity with specifc ISO standards.
Second-Party Audit: A second-party audit refers to a customer conducting an audit on a supplier or contractor. For example, a medical device company that contracted a laboratory to do sterility testing may conduct a second-party audit to make sure that the lab meets QSR requirements and to be able to demonstrate to FDA investigators that the contractor is compliant. The same company may audit a parts supplier to make sure that it conforms to ISO 9001 or ISO 13485 standards. It may also evaluate a potential raw materials supplier through an audit, although some auditors might argue that such a process is more of a supplier survey than an audit.
Third-Party Audit: Neither customer nor supplier conducts this type of audit. A regulatory agency or an independent body performs a third-party audit for the purpose of compliance or certifcation or registration. An example would be an FDA investigator conducting a CGMP inspection at a pharmaceutical company. Another example is a College of American Pathologists (CAP) team inspecting a blood bank for the purpose of accreditation. ISO conformity assessments are not carried out by ISO itself, but by private-sector third parties or regulatory bodies in countries where ISO standards have been incorporated into law.
Challenges:For audit to be an effective improvement and compliance tool, it must be conducted on an on-going basis. And this can be daunting for companies that rely on a paper-based or a partially electronic system. The following are some of the biggest challenges faced by such companies.
Poor Communication and Scheduling: Starting with planning and scheduling, a paper-based or hybrid process would entail face-to-face meetings and conference calls to bring together the auditors, auditees, corporate management, and others involved. Follow-up work would entail uncoordinated phone calls, e-mail, and personal reminders. Scheduling of audit-related tasks would depend on someone remembering to send assignments at certain dates. The situation may be manageable if there’s only one audit being conducted at a time and if the parties involved are 100 percent attentive. It can be downright problematic if there are multiple customer audits happening at the same time that either an ISO audit or an FDA inspection is taking place, especially if the same teams are involved in all audits. And if the scenario happens several times a year, it is likely that tasks will fall through the cracks, and the company might fail some audits.
Ineffciency: Most internal auditors are out in the feld inspecting facilities. They might use paper forms and either paper or electronic spreadsheet to collect data. Then they enter all data in the computer as soon as they return to the offce. The process is pretty straightforward if there’s only one auditor conducting one audit once a year. However, if there are several auditors working as a team, using large checklists, generating voluminous paperwork, and conducting multiple audits under tight deadlines, then the ineffciency of the process becomes a serious problem.
Poor Tracking: Even when a company performs only a small number of audits annually, each audit typically results in numerous fndings and related corrective/preventive actions (CAPAs) that all need to be addressed and managed. Under a manual or hybrid system, tracking these fndings and related documents, evaluating risks, verifying fndings, and ensuring proper closure could mean combing through voluminous paperwork and a lot of legwork, both of which could result in delayed CAPA completion.
Lack of Oversight: It’s diffcult to generate accurate and timely reports and trends using disparate tools (electronic spreadsheets, fowcharting software, paper documents). Without an effective reporting tool, managers are unable to see the big picture that audit fndings may reveal. When audit is not connected to other quality processes (change control, CAPA, training control, etc.), such as in a paper-based system, it is almost impossible to monitor the entire quality system.
MasterControl Audit™ is a complete and robust solution designed to automate, streamline, and manage the audit process.
It integrates the different steps (preparation, scheduling, execution, fndings, verifcation, and completion) for a more
effcient and effective process. Here’s how MasterControl can address the challenges discussed earlier.
Improved Communication and Scheduling: MasterControl eliminates most of the legwork during the planning and scheduling stage by automating task assignment, follow-up, escalation, review, and approval. Audit-related activities — from creating agendas to preparing checklists — will not be overlooked because they can be planned and scheduled well in advance. MasterControl’s Audit Summary form tracks basic information critical during planning and scheduling, such as type of audit, date, description, objective, scope, audit area, and lead auditor. It is also an effective tool for gathering such information as standard or regulation
that serves as the basis for the audit, audit agenda, audit team members, and checklists.
Effcient Tracking and Overall Process: MasterControl provides a centralized Web-based repository for all audit documentation, making tracking, search, and retrieval easy. MasterControl’s best-practice forms help collect and track data throughout the audit process, as well as streamline the workfow to promote effciency. Auditors and process owners can add their input directly into the electronic forms. The Audit Finding form not only tracks all fndings, but integrates risk management by providing a section for evaluating risks and recommending CAPA when necessary. It also ensures proper closure by tracking verifcation of the process owner’s response to the fndings.
Provides Connectivity, Increased Oversight: MasterControl can connect the audit process to CAPA, change control, training, and other quality processes, giving managers the ability to monitor the entire quality system. It provides advanced analytics and reporting capability, including customizable reports and online charting. Through the reports, managers get a real-time view of the audit process and can be more proactive about improving their quality system.
Compliant Ready: As part of the MasterControl™ integrated quality suite, the Audit module inherits all of the compliant attributes of the overall system, which is designed to facilitate FDA and ISO compliance. MasterControl provides comprehensive validation services, including IQ, OQ, and PQ protocols, to help FDA-regulated companies meet 21 CFR Part 11’s validation requirements. It continuously develops new methods to cut the time involved in validating a system and to make it easier to validate software upgrades, both of which are essential in lowering overall validation cost.
Manufacturing and business operations grow and change. Old products and services are updated or discontinued. New technologies are constantly being developed. Through all of these changes, the audit process can serve as a primary mechanism for a self-correcting quality system. Compliance audits help ensure that changes to quality processes are correctly implemented and the quality system is in a state of control, both of which are prerequisites for manufacturing
safe, reliable, and high quality products. Performance audits demonstrate not only regulatory compliance and high quality standards, but also ways for improving business results and achieving business goals.Gone are the days when auditors and auditees treat each other like adversaries. More and more companies now see audit as an occasion for auditors and auditees to work together in achieving a common goal improved performance. Forward-looking organizations recognize that the audit process is one of the best tools for continuous improvement of the quality system and for making sure that the system is always compliant.