Audit explained in detail

Last updated: 04. March 2026

An audit describes the systematic review and evaluation of processes, systems, or specifications within a company. This involves checking whether the requirements for these are met and whether they are effective. The aim is to improve the corporate organization based on observations, reviews, interviews, and inspections of associated documents. Central to an audit is that this review is carried out objectively by an independent industry expert.

Internationally, a distinction is made between three levels. This allows the various forms of audits to be systematically organized:

  • 1st Party Audit (Internal Audit): The company audits itself to optimize its own processes.
  • 2nd Party Audit (Supplier Audit): A customer audits its supplier or service provider (external).
  • 3rd Party Audit (Certification Audit): An independent organization (e.g., TÜV, DEKRA) checks compliance with standards such as ISO 9001.

In general, these types of site inspections exist in a wide variety of areas. In the pharmaceutical industry, audits are a central component of GMP-compliant quality assurance (e.g., as required in the EU GMP Guidelines, Part I, Chapter 9 "Self-Inspection"). This is a good thing, because these systematic examinations check whether statutory requirements and GMP (Good Manufacturing Practice) guidelines are being observed. These quality standards exist for a reason; they ultimately serve to protect the patient.

What forms of audits are there?

Internal

  • Quality audit
  • Safety audit

External

  • Authority audit
  • Customer audit

Internal quality audits serve to regularly check compliance with all applicable standards and processes and to identify deviations at an early stage. Such internal reviews, for example by Quality Assurance, highlight any weak points that can thus be rectified early on.

Another type is the safety audit. Depending on the risk assessment and the size of the company, a safety officer must be appointed in operations that regularly have more than 20 employees (§ 20 DGUV Regulation 1). Safety officers support entrepreneurs and managers in the implementation of occupational health and safety and can accompany inspections or safety audits as part of their duties; however, legal responsibility for compliance with occupational health and safety regulations remains with the employer.


What is the purpose of external audits?

In contrast, there are external tax or operational audits, which include authority audits. In the USA, for example, the FDA conducts GMP inspections; in the EU, they are carried out by national medicines agencies and coordinated by the EMA. The WHO also inspects production sites as part of its prequalification programs to ensure compliance with WHO-GMP.

The inspections often last several days and large parts of the company are inspected (production facilities, laboratories, etc.). If the auditors notice quality defects, these must be rectified by the company promptly. If these are serious, the authorities can even block the company from distributing its products until the processes have been improved.


Why does the PIC/S model scheme exist?

The PIC/S (Pharmaceutical Inspection Co-operation Scheme) is an international cooperation for the harmonization of GMP inspections and the training of inspectors. This is used in some of these authority audits. Here, the medicines authorities of various countries, including many European states and the USA, have joined forces to create uniform standards and procedures for pharma audits. They establish these together and also train the inspectors together.


How do customer audits differ?

Customer audits also count as external audits. They typically take place at contract manufacturers, suppliers, or service providers. In this process, the auditors usually inspect all areas commissioned with the processing of their product. The customer generally has contractually regulated rights to inspect relevant documents created in connection with their products. If quality defects are found, they must be eliminated.


Who carries out an audit?

An audit is always carried out by an examiner, the so-called auditor. The unit examined by them is referred to as the auditee. For an audit to be meaningful, important principles apply worldwide:

  • Independence: The auditor must not check the area for which they themselves are responsible.
  • Objectivity: Evaluations are based exclusively on evidence, not on assumptions.
  • Confidentiality: Sensitive company data is treated protectively.

In addition to technical expertise, auditors also require social competence, especially a skillful questioning technique, to create a cooperative auditing climate.

Other forms of operational inspections

In addition, there is, for example, the data protection audit, which checks whether the GDPR, among other things, is being complied with. Likewise, the trade supervisory office or the employers' liability insurance association can announce their visit.

If a company wants to be certified according to an ISO standard, a site inspection (audit) is carried out by a certification body accredited according to ISO/IEC 17021-1 (e.g., TÜV, DEKRA). These independent bodies also carry out inspections in which specific processes or facilities are examined for their conformity.

Furthermore, there are inspections in which a checklist is usually worked through to check whether certain safety devices in the company are functioning properly.


The audit process in detail

As a rule, external audits are announced; however, authority inspections can also take place unannounced. As soon as the date is fixed, it is determined which products and departments are affected. If the exact batches of a product are also known, the complete documentation is prepared and checked in advance. In addition, there are SOPs (Standard Operating Procedures) as well as process descriptions and testing instructions, all of which are brought up to date.

Before particularly important authority audits, internal site inspections by Quality Assurance take place to point out and eliminate any defects.

The actual audit itself starts with an introductory meeting in which the auditors discuss what the objective of their visit is. This is followed by an inspection of the production and packaging facilities, the storage rooms, and the laboratories.

Afterwards, the auditors review documents. This includes SOPs, as well as product documentation, training records, and maintenance reports for the facilities. In this context, it is checked, for example, whether the production facilities are regularly maintained and cleaned and whether the analytical instruments were in a calibrated state.

During this process, the company's audit team is available to answer questions. This often consists of the heads of Quality Assurance, Quality Control, and Production. At the end, an initial result is announced in a closing meeting.

Afterwards, the auditors write their audit report, which also contains recommendations for improvement measures. This is forwarded to those responsible, who eliminate defects to be prepared for a subsequent inspection.

These systematic and regular reviews contribute to ensuring a high level of quality that customers and patients can ultimately rely on.