Guest Column | July 15, 2015

Are You Using Internal Quality Audits Effectively?

By Dan O'Leary, President, Ombu Enterprises


One of the most powerful tools in the quality management toolbox is the internal quality audit. Unfortunately, it often is underutilized or misapplied. The result is that management does not obtain the information necessary to help ensure an effective quality management system (QMS). Even worse, an inadequate program doesn’t help prepare for or find problems that show up in an FDA inspection or a Notified Body (NB) audit.

One measure of this problem’s magnitude is its relative frequency of occurrence in FDA warning letters. These often cite multiple problems with a company’s QMS, but an analysis can count the number of times “§820.22 Quality Audit” is cited. The table below shows the rank order for recent years.

Audit Classification
Internal quality audits fit into a classification system, so it is valuable to explore their place. The classification system actually is multi-dimensional, so internal quality audits are part of a rich collection of techniques.

The first dimension shows the relationship between the auditor (the organization conducting the audit) and the auditee (the organization being audited).

FDA uses the term “Inspection,” which is performed by “Investigators”. The inspections are, in this classification, third-party audits, since FDA is independent of the device manufacturer, its customers, and patients. Similarly, NB audits are third-party audits.

The second dimension includes the audit types shown in the table below.

For process audits, there is a further subclass: Tracing follows the process in chronological order. In a forward-tracing process audit, the auditor starts at the beginning and follows the process downstream, while a backward-tracing process audit starts at the end of the process and follows it upstream. In both cases, the auditor collects evidence to help evaluate conformance.

An interesting example includes NB audits under the European Union’s Medical Device Directive (MDD). The NB performs periodic surveillance audits of the QMS. These are third-party system audits. The audit may include review of technical documentation or design dossiers. In a recent change, NBs now must perform unannounced audits. These will be backward-tracing process audits, not system audits. The NB will select one or more current Declarations of Conformity and trace upstream, from final acceptance to the purchase and receipt of incoming material.

Internal Quality Audits
Both 21 CFR Part 820, the Quality System Regulation (QSR), and ISO 13485:2003 require internal quality audits. In QSR, the audits have two primary purposes: Assure that the quality system is in compliance with the established quality system requirements, and determine the effectiveness of the quality system.

QSR requires the manufacturer to establish procedures for quality audits and to conduct the audits. The word “establish” has a special meaning of define, document, and implement. QSR uses the word to require a written procedure. But, of course, just having a procedure is not adequate. You must implement the procedure, meaning conducting the audits.

People conduct audits, so they must meet certain requirements. In this case there is a positive requirement, competence, and a negative requirement, independence. Competence comes from §820.25(a), which requires a sufficient number of competent (education, background, training, and experience) people to implement the internal quality program. In addition, §820.25(b) requires the auditors to have documented training. On the negative side, an auditor may not have direct responsibility for an area she audits.

These principles are illustrated in warning letters, which usually are the result of FDA inspections. Items cited in a warning letter are significant violations that the manufacturers must address in writing to the FDA. As you look at a warning letter citation, you should ask two questions: What prevents this problem in my QMS? And, if it should occur, what audit activity (audit number, checklist item, interview question, etc.) would detect the problem? A brief written statement will help clarify your thinking.

One warning letter illustrates the situation when the company writes a procedure during the inspection:

When asked by the investigator, you replied that your firm has not established procedures for quality audits and you did not maintain documentation that any quality audits were conducted. During the course of the inspection, you provided a procedure to our investigator. The procedure references ISO 9001 requirements, but does not reference applicable FDA requirements, including, but not limited to 21 CFR Parts 820, 803, and 806.1

While a good procedure is important, failure to follow it — the implement portion of the term “establish” — also can result in a warning letter:

[Your firm’s internal audit procedure requires you] to generate an audit schedule and that the schedule is such that all major systems and areas are covered at least once a year. The firm has no documented schedule, no documented specific internal audit criteria, and has not completed any official internal audits.2

Auditor competence and training is essential to a successful program. Auditors must understand the principles of auditing, as well as regulatory requirements for the areas audited. Your procedures, as illustrated in this warning letter, should define the qualifications, and management must ensure that auditors meet them.

Records do not exist to demonstrate that the auditors met all qualification requirements as specified in the firm's audit procedures. Auditors did not meet the qualifications outlined in your firm’s Internal Quality Audit procedure. The Internal Quality Audit procedure requires auditors to have knowledge of relevant legislation. The Quality Control Supervisor, who performed some of the quality audits, stated that he was not familiar with 21 CFR Part 803 and 21 CFR Part 820.3

Another requirement is independence; people cannot audit work for which they have direct responsibility. It is important, when assigning auditors, to account for their responsibilities and to avoid the problem in this warning letter.

For the past 5 years, the annual internal quality audit has been conducted by the Quality Assurance Supervisor, who has responsibility for many of the areas audited.4

Conducting the Audit
QSR does not include requirements for conducting an audit. However, the define element of “establish” indicates that you need an effective method. One useful approach is ISO 19011:2011 Guidelines for Auditing Management Systems. The approach defines a process that will help conduct effective audits.

Establish initial contact with the auditee. For the internal audit this is, following QSR, management having responsibility for the matters to be audited. Typically, the manager will know of the pending audit from the audit schedule.

Also, determine the audit’s feasibility. Ensure that key people will be available, considering vacations, external training, etc. For production, you may need to reschedule the audit if key equipment is undergoing scheduled maintenance. If the audit is not feasible, it needs to be rescheduled, but too many reschedules can be a sign of other problems.

Preparing for an effective audit includes document review. For internal audits, the audit criteria should be the procedures and work instructions. The document control process should ensure they conform with the regulations and standards, so the audit can focus on conformance to the requirements.

Additionally, planning the audit will help ensure success. Document the scope, dates, location, audit criteria, and responsible management for the audit. Planning includes developing audit checklists, interview questions, and any data collection forms.

Performing the audit usually is a matter of following the audit plan, implementing the checklists, conducting the interviews, and collecting the audit evidence. However, even the most well-planned audit can lead to unanticipated areas. The audit should be flexible enough to follow threads that could uncover problems.

During performance, the audit team collects audit evidence, which could include records, interview results, and observed work practices. This could demonstrate conformity and good practices, or unearth failure to meet a requirement. Audit evidence helps prepare audit findings, which can be positive (solid conformance) or negative (not meeting a requirement).

The audit results are used to compile a report that usually includes the audit’s scope, dates, location, criteria, findings, and conclusion. The audit report is a quality record associated with the audit. The audit program usually defines the distribution, but QSR requires a review of the report by “management with responsibility for the matters audited.”

Audit Results
As noted above, appropriate management must review the audit report. Your procedure should require a quality record that documents the review and avoids the problem in this warning letter:

Your Internal Audits procedure does not require a report of the results of each quality audit be reviewed by the management responsible for the matters audited, and your records do not demonstrate such reviews have taken place.5

QSR requires corrective action when necessary (i.e., when there is a negative audit finding, one that documents a nonconformity). This introduces §820.100 Corrective and Preventive Action, which provides a mechanism to eliminate the cause of the nonconformity. Following §820.100(a)(2), the process starts with investigating the cause of the nonconformity, and it ends with an effectiveness check — a reaudit. The reaudit confirms that the cause of the original nonconformity has been identified and eliminated.

Audit Records
QSR requires recording the dates and results of both audits and reaudits. These become quality records maintained by under the record retention procedure.

In general, FDA investigators can review quality records, but there is an exception for quality audit reports, §820.180(c). Still, the investigator may review the procedures and ask top management for a written certification the audits have been performed.

However, the exception does not apply to the corrective action records. The QSR preamble, section #160, states “FDA will review the corrective and preventive action procedures and activities performed in conformance with those procedures without reviewing the internal audit reports. FDA wants to make it clear that corrective and preventive actions, to include the documentation of these activities, which result from internal audits and management reviews are not covered under Sec. 820.180(c).”

Management Review
QSR §820.20(c) requires management to review the suitability and effectiveness of the quality system. While the regulation does not specify the inputs, quality audits will provide valuable information. The QSR preamble, section #53, states “An evaluation of the findings of internal … audits should be included in the Sec. 820.20(c) evaluation” and recommends reviewing internal audit results, as well as any corrective and preventive actions taken.

Internal quality audits are one of the best tools to evaluate the QMS. Well-conducted audits can find problems and provide an opportunity to rectify them. This is particularly important in regulated industries such as medical devices. QSR has requirements for the audit program that must be followed:

  • Establish a procedure to manage and conduct the audits
  • Define auditor competence and ensure auditors are qualified
  • Prohibit auditors from auditing areas for which they have direct responsibility
  • Create audit reports that are quality records
  • Take corrective action in cases of audit nonconformances
  • Reaudit to verify corrective actions’ effectiveness