An internal audit or also known as a quality audit says in 21 CFR 820: “Each manufacturer shall establish procedures for quality audits and conduct such audits to assure that the quality system is in compliance with the established quality system requirements and to determine the effectiveness of the quality system. Quality audits shall be conducted by individuals who do not have direct responsibility for the matters being audited. Corrective action(s), including a reaudit of deficient matters, shall be taken when necessary. A report of the results of each quality audit, and reaudit(s) where taken, shall be made and such reports shall be reviewed by management having responsibility for the matters audited. The dates and results of quality audits and reaudits shall be documented.” I would like to make an important point that although this is a Quality System Regulation requirement, the need for internal or quality audits are also necessary in the pharmaceutical drug, biological drug, food, cosmetic, and dietary supplements industries.

Within the regulated industries, I will discuss quality audit requirements for five departments: Quality Assurance, Clinical, IT, Manufacturing, and Laboratory. In this article, I will offer some suggestions as to target areas to audit within each of the five functional areas.

Internal Audits / Quality Audits
! I will refer to both internal audit and quality audit in this article so consider them one in the same, as they are use interchangeably in the industry. Briefly, let’s establish the two main objectives of internal audits. The two main objectives are to ensure that your organization is following the applicable code of federal regulations as well as following your own work instructions, standard operating procedures, or policies. Let’s start with Quality Assurance.

Quality Assurance
! The Quality Assurance (QA) Department is responsible for performing the internal audits throughout the organization and unfortunately, they cannot audit themselves. Therefore, I recommend a third part auditor perform an internal audit of the Quality Assurance Department to avoid any conflict of interests. A third party auditor should be checking to ensure the QA Department is following their own procedures as well as performing their internal audits. Additionally, they should ensure audit corrective actions are being followed up on for internal audits, including CAPAs associated with audit findings. I will now provide an example of a recent FDA observation pertaining to quality audits: “ Procedures for conducting quality audits you were not defined. Specifically, the frequency of quality audits for each audited area is not defined in your firm’s Quality Manual and/or SOPs.” Next, we will discuss the Clinical
Department and what areas a QA Department should be looking at.

Clinical
The single most important area a QA Department can audit is the Trail Master Files for clinical trials. For example, you want to make sure there are informed consents for all of the enrolled patients. A recent 483 Observation issued to Hsueh, Willa A. , M. D., Principal
Investigator, stated: “The general requirements for informed consent were not met in that the information given was not in language understandable to the subject or the subject's representative. Specifically, for trial NN2211-1574: All subjects screened and enrolled in trial NN2211-1574 were primarily Spanish speaking and according to the principalinvestigator, were initially consented orally by a bilingual subinvestigator using English informed consent forms. However, no documentation exists of the translation. The informed consent document also did not contain a description of the procedures to be followed.” As always, QA should also check Clinical’s procedures to ensure they are following them. Lack of following procedures is by large the most common audit finding when conducting quality audits. Consequently, organizations find themselves out of control because procedures are not being adhered to. Federal FDA Investigators like to target situations like these because it is a key indicator to them that an organization is out of control. Next, let’s talk about the IT Department.

IT
The IT department is responsible for data security and data integrity. An underlying network must be qualified in order to ensure the security and integrity of the data that resides on it. In addition to the network, the applications and networked applications must be
validated as well. A recent Warning Letter to Genzyme cited the following: “ Your firm failed to maintain computerized systems in a validated state”4 Some key areas to focus your attention are the validation of regulated applications as well as the maintenance and qualification state of the network. Standard operating procedures an auditor should be checking are: change control for both software and hardware, configuration management for the network, computer system validation lifecycle, network qualification, backup restore, disaster recovery, and security. Some questions you should ask as an auditor are: Does your data get backed up regularly? If so,
where are the backup tapes stored? Offsite? Do you exercise a Disaster Recovery Plan? Is there physical security for the Data Centers? Can I see your change log for both software and hardware? Can I see a recent example of a computer system validation of a system? These are all good questions to ask when auditing the IT area. Training records for SOPs should also be
checked to ensure employees, contractors, and consultants are trained on the procedures they
are carrying out. Next, we turn to Manufacturing.

Read More....