Int J App Pharm, Vol 11, Issue 1, 2019, 14-22Review Article



*1M. Pharm Research Scholar, Department of Pharmaceutical Quality Assurance, 2Associate Professor, Department of Pharmaceutics Bhupal Noble’s Institute of Pharmaceutical Sciences, Bhupal Noble’s University, Sevashram Road, Udaipur 313001, Rajasthan, India
Email: [email protected]

Received: 11 Sep 2018, Revised and Accepted: 19 Nov 2018


Auditing is a vital function within a pharmaceutical company nowadays. Quality audit is a review and evaluation of all or part of a quality system with the specific purpose of improving it. It is one of the means to examine pharmacy programs and ensures that the procedures and reimbursement mechanisms comply with the contractual and regulatory requirements. A quality audit is usually conducted by external or independent experts or by a team designated by management for this purpose. These audits can be extended to suppliers and contractors as well. An audit will assess the strengths and weaknesses of quality assurance and quality assurance processes, the results of which assists in improving processes and building a better system for company benefits. This article focuses on various aspects of quality auditing in the pharmaceutical industry including its principles, objectives, importance and benefits and planning along with the deficiencies that are likely to occur during the process. This review comprises a well-organized summary of various guidelines available till date using the Google Scholar search engine and the keywords listed below.

Keywords: Quality audit, Auditor, Audit planning, Internal audit, Audit procedures, Audit deficiencies


Audits are conducted to ascertain the validity and reliability of the information; also to provide an assessment of the internal control of a system. It provides management with information on the efficiency with which the company controls the quality of its processes and products [1].

The audit in simple terms could be defined as the inspection of a process or a system to ensure that it meets the requirements of its intended use [2]. International organization for standardization (ISO) defines the audits as "Systematic, independent and documented process for obtaining audit evidence and evaluating them objectively to determine the degree to which the verification criteria are met" [3].

Instead of considering the audit as an intrusive and potentially threatening review, pharmacies should consider the audit as a quality control mechanism. The results of the audit and the resulting corrective actions ensure all the involved parties that a program works in accordance with established rules of practice [4].

In the pharmaceutical industry, audits are virtual means for assessing compliance with the established objectives defined in the quality system and thus paving the way for the continuous improvement program by providing feedback to management [2]. A company that produces drugs today must be able to demonstrate that it does so with absolute reliability, in optimal conditions and with extreme uniformity that allows accurate reproduction [1].

In food and drug administration (FDA) and ISO environments, auditing of both compliance and performance is essential. Pharmaceutical audit experience includes the drafting and revision of validation policies, guidelines and standard operating procedures (SOP) from project qualification to performance evaluation phases [1]. If implemented correctly; it can be one of the most effective means of improvement [5].

Definition of internal audit

The chartered institute of management accountants, UK (CIMA) defines Internal Audit as:

An independent appraisal activity established within an organization as a service to it. It is a control which functions by examining and evaluating the adequacy and effectiveness of other controls; a management tool which analyses the effectiveness of all parts of an organization’s operations and management.

The institute of internal auditors (IIA) also defines Internal Audit on similar lines as:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

These definitions state two clear functions of the Internal Audit activity namely;

Goals of an audit

The simple goal of this complex process is to evaluate existing activities and documentation and determine if they meet the established standards. An audit will evaluate the strengths and weaknesses of quality control and quality assurance processes, the results of which will help us to improve processes and build a better system for the benefit of the company. Every product manufactured by a pharmaceutical company has characteristics that must be quantified or qualified by laboratory tests. Quality control and quality assurance are the necessary processes that play the role of control and balance system in pharmaceutical industry.

With proper preparation and planning, the audit itself must easily achieve the intended purpose. Effective auditing and proper compliance with standards will help build brand reputation and avoid the negative effects of non-compliance, such as fines, bad public relations and court proceedings [7].


Audit objectives may include:

Audits and regulatory standards

The ISO, a global leader in the development of international standards, is instrumental in boosting interest in quality audits among manufacturers and other types of businesses when it published the ISO 9000 standards in 1987. Today, popular standards such as ISO 9001: 2000, ISO 14001:2004, and ISO 13485 all require internal audits of the quality system (or the environmental management system in the case of ISO 14001: 2004). Under these standards, audit serves as a mechanism for evaluating and improving quality. The same principle is reflected in a number of regulations enforced by the Food and Drug Administration. Under the Quality System Regulation (21 Code of federal regulations [CFR] Part 820), medical device manufacturers are required to conduct audits to ensure that the quality system is compliant (Sec. 820.22). The current good manufacturing practice (CGMP) regulations for pharmaceuticals (21 CFR Parts 210-211) and for blood and blood components (21 CFR Part 606) include general requirements for regular evaluation of quality standards. Guidance for the pharmaceutical industry and blood establishments also emphasize the importance of audits. For example, the “Guidance for Industry Quality Systems Approach to Pharmaceutical CGMP Regulations” recommends internal audits and supplier audits. The “Guidelines for Quality Assurance in Blood Establishments” call for a comprehensive audit of the quality assurance program [5].

Benefits of auditing

Whilst there is usually low influence on regulatory inspections, audits should be seen as a management tool to assess the company’s in-house quality management system. Internal, as well as external auditing, can help to achieve this goal. The major benefits of an effective audit system can be summarized as follows:

Types of audits

The quality audit system mainly classified in three different categories:

  1. Internal Audits

  2. External Audits

  3. Regulatory Audits

Quality audits are performed to verify the effectiveness of a quality management system. [5]

Internal audit

This type of audit is also known as First-Party Audit or self-audit. Those auditing and those being audited all belong to the same organization. [1] Internal audit is a professional activity that consists of advising organizations on how to achieve their goals in a better way. The internal audit involves the use of a systematic methodology to analyze business processes or organizational problems and recommend solutions. The main objectives of internal audits can be summarized as follows:

1. To assist the internal control system.

2. Review of organizational policies and their operations.

3. Verify the accuracy and authenticity of errors and frauds.

4. Detection and prevention of errors and faults.

5. Safeguarding the assets

6. Applicability of accounting policies.

7. Helps in smooth functioning of the internal check system.

In a pharmaceutical facility for internal auditing, one requires to check mainly two things namely,

For this purpose, a department-wise questionnaire and document list is required to be prepared in detail. [8]

External audits

This type of audit is also known as Second-Party AuditIt refers to a customer conducting an audit on a supplier or contractor. [1] Although there are no strict legal requirements for this control. It is always advisable to evaluate the competence of the contractors in which we produce our products or carry out the analysis of our products or any other activity according to GMP. Performing these audits also offers important commercial advantages:

• Develop knowledge and confidence in the partnership agreement

• Ensures that requirements are understood and met

• Allow the reduction of some activities (e. g. in-house quality control (QC) testing of starting materials)

• reduce the risk of failure (and, by implication, its costs)

Many pharmaceutical industry suppliers are ISO 9001 or ISO 9002-certified and are regularly audited by their certification body. Pharmaceutical contract manufacturing or packaging companies will need to be licensed and will be subject to regulatory audits. [8]

Regulatory audits

This type of audit is also known as Third-Party Audit. Neither customer nor supplier conducts this type of audit. A regulatory agency or independent body conducts a third party audit for compliance or certification or registration purposes. [1] International regulatory bodies such as. Medicines and healthcare products regulatory agency (MHRA), UK, United States food and drug administration (USFDA), Therapeutic goods administration (TGA), Australia, Medicines control council (MCC), South Africa, etc. are responsible for carrying out these checks. There is a team to perform the audit; it must be composed of audit inspectors and a multidisciplinary company team.

The company must have representatives from each of the following departments: production, quality control, warehouse, maintenance, administration/personnel and marketing/sales. These audits can be performed without warning (MHRA currently performs around ten percent of its inspections in the UK in this way) as manufacturers are required to always comply with GMPs. Regulatory bodies in other countries where products are sold can also audit companies (e. g. FDA audits European manufacturers).

All regulatory inspectors are extensively trained, competent and professional. All MHRA inspectors are professionally qualified and have a minimum of five years of appropriate experience in a production operation; they will be in the registers of persons eligible to act as qualified persons and lead auditors.

Failure to approve a regulatory audit may result in restrictions (or revocation) of production or import/export license. (The FDA has recently imposed "punitive consensus decrees" on financial companies that did not respond adequately to the audit results and comply with the GMPs). Therefore, it is essential that companies have defined processes for managing audits and staff should be adequately trained for being audited. Internal audits can provide valuable opportunities for practice [8].

Principles of auditing

The audit is characterized by dependence on a number of principles. These principles should help to establish audit as an effective and reliable tool to support management policies and controls, by providing information on what an organization can act to improve its performance. Adherence to these principles is a prerequisite in order to provide relevant and sufficient audit conclusions and allow auditors to work independently from each other, to reach similar conclusions in similar circumstances.

  1. Integrity: the basis of professionalism

  2. The auditors and the person who administers an audit program must:

    -Carry out their work with honesty, diligence, and responsibility;

    -Observe and comply with applicable legal requirements;

    -Demonstrate their competence while carrying out their work;

    -Be sensitive to any influence that can be exercised on the judgment while conducting an audit.

  3. Fair presentation: the obligation to report truthfully and accurately

  4. The audit findings, audit conclusions and audit reports should truthfully and accurately reflect the activities of the audit. Significant obstacles encountered during the audit and unresolved diverging opinions between the audit team and the auditee should be reported. The communication should be truthful, accurate, objective, timely, clear and complete.

  5. Due professional care: the application of diligence and judgment in auditing

  6. Auditors should pay due attention to the importance of the task they perform and the trust placed in them by the audit client and other interested parties. An important factor in the execution of work with due professional attention is having the ability to express reasoned judgments in all audit situations.

  7. Confidentiality: security of information

  8. Auditors should exercise discretion in the use and protection of information acquired in the course of exercising their duties. Audit information should not be used inappropriately for personal gain by the auditor or the audit client, or in a manner detrimental to the legitimate interests of the auditee. This concept includes the correct management of sensitive or confidential information.

  9. Independence: the basis for the impartiality of the audit and the objectivity of the audit conclusions

  10. The auditors should be independent of the activity audited wherever possible, and in all cases, they should act in a manner that is free from prejudice and conflicts of interest. For internal audits, auditors must be independent of the operational managers of the function being audited. Auditors must maintain objectivity throughout the review process to ensure that audit findings and conclusions are based only on audit evidence.

    For small organizations, internal auditors may not be totally independent of the activity being audited, but all efforts must be made to eliminate bias and encourage objectivity.

  11. Evidence-based approach: the rational method for achieving reliable and reproducible audit conclusions in a systematic audit process

Audit evidence must be verifiable. In general, it will be based on samples of available information, since an audit is conducted in a limited period of time and with limited resources. An appropriate use of sampling should be applied, as it is closely related to the confidence that can be included in the audit conclusions [10].

The auditor within the audit system

An auditor is defined by ISO 19011 as a person with the competence to perform an audit. To perform an audit, the auditor must be authorized for that particular audit.

Auditor's responsibility

The auditor has the following responsibilities:

Managing an audit program

An audit program may include one or more audits, depending on the size, nature, and complexity of the organization to be audited. These audits may have a variety of objectives and may also include joint (multiple auditing organizations) or combined (Quality management and Environmental management systems) audits. Management of an audit program includes all the activities necessary for planning and organizing the types and number of audits, and for providing resources for conducting them effectively and efficiently within the specified time frames [fig. 1].

The organization’s top management should grant the authority for managing the audit program. Those assigned the responsibility for managing the audit program should:

  1. Plan, establish, implement, monitor, review and improve the audit program

  2. Identify the necessary resources and ensure they are provided.

Fig. 1: Managing an audit program–process flow [3]

Fig. 2: Various steps of audit activities [3]

Audit activities

The planning and conducting of audit activities involve the following process flow or life cycle: as is depicted in Fig. 2. [3].

Information gathering

What is information?

Information is simply the facts or knowledge provided or learned. It can be tacit, in people's heads, or explicit, in documents-electronic or hard copy [11].

During the audit, information relevant to the objectives, scope and criteria, including information on interfaces between functions, activities and processes, should be collected by appropriate sampling and should be verified. Only verifiable information can be audit evidence which must be recorded [3].

Audit evidence is any information used by the auditor to determine if the audited information is in accordance with the established criteria and to arrive at the conclusions on which the audit opinion is based. Internal Audit Evidence includes any data, information, process flows, vouchers, bills, memos, contracts or transactions.

The internal audit evidence collected would be dependent on the following:

Methods of gathering audit information

There are six basic methods of gathering information during an audit. Depending on the type of information that needs to be obtained, the Internal Auditor will need to determine which method, or combination of methods, should be used.


Interviewing is a powerful data collection technique, which works well on its own and is often used to support other techniques, such as observation. The interviewee’s insights can guide the Internal Auditor’s decisions about what to observe. The most important thing to remember when interviewing is to always talk to the right person, as it can save a lot of time and confusion.

Communication is a key element to the success of any audit. The more effectively the Internal Auditor interviews personnel, the more useful information will be gathered. Questions may be asked several times in different ways or to different people depending on their level of responsibility (Operator, Supervisor, etc.) in order to get a complete answer.


When inspecting something, it is good practice to start with general observations and then proceeding to the more specific elements. First, the Internal Auditor will have a good overall look around the facility and then examine specific items more closely, noting anything that does not seem quite right. It is important to ask questions throughout the inspection. If a problem is found, the Internal Auditor must investigate (dig deeper) to explore the extent of the finding.

Reviewing documents

When reviewing company records, the Internal Auditor can use a number of techniques. Random sampling is one of them. It gives a general idea of the quality of record keeping and exposes the potential problem areas. However, one sample taken in one given period of time is usually not enough to form accurate conclusions. Another important aspect of record keeping is clarity. Documents should be clear regardless of who reads them. Details vary but, in general, every document should carry a title, an owner and a revision status. If any of this information is missing, the Internal Auditor should ask why. The revisions noted should be checked against the master record. Changes must be authorized, signed and dated by an authorized person.


The simplest way to check how a process works is to observe it in action. Observing a routine activity for a couple of hours can give the Internal Auditor the opportunity to see how something is done under normal circumstances. He or she should ask questions about what they see, making sure at all times not to interfere with the processes they are observing, as that may cause the personnel not to carry out their tasks as they usually do.

Vertical tracking

This method is also referred to as “vertical auditing” and consists of following a specific development from the beginning until the end, simultaneously checking all the records that are produced in the process. Applying the vertical tracking technique can lead the Internal Auditor to areas that were not initially part of the scope, but it does facilitate a bigger picture view, as this allows the Internal Auditor to see how the various parts of a given program work together.


The aim of an exercise is to test something that is usually done at the facility as part of the routine. However, the Internal Auditor gets to pick the time and the circumstances for the test. The subject of testing can be the personnel, the program, or the equipment. An Internal Auditor should not run an exercise without the knowledge and cooperation of the auditee. Doing so is likely to have negative consequences as unannounced actions may breach certain facility-specific rules or regulations which the Internal Auditor is unaware of.

Taking notes

A good Internal Auditor must have his or her own efficient way of taking notes. This is an extremely important part of the job that cannot be neglected. Notes must get reviewed and refined along the way. In situations where taking notes is inconvenient, a mental note-taking technique should be used. Notes are used to organize thoughts and observations which will, in turn, help the Internal Auditor reach accurate conclusions throughout the audit. Notes need to be reviewed and completed at the end of each audit day [12].

Fig. 3: Process for collecting information to reach audit conclusions [3]


The internal audit team must have the confidence and trust of the key stakeholders it works with and be seen as a credible source of assurance and advice. This confidence should not be assumed and can only be established and maintained by having an effective working relationship, by delivering high-quality and timely advice and internal audit reports that are seen to be contributing directly to assisting the organisation to meet its responsibilities. The key stakeholders of internal audit are:

•Chief Executive

•Board of Directors

•Audit Committee

•Senior management

•External auditor

•Other reviewers

The importance of these individual relationships is analysed below.

a) Chief executive

While internal audit reports functionally to the Audit Committee, it is important that the Head of Internal Audit has direct access, as and when required, to the Chief Executive.

Organisations today, recognize the advantages in making the Head of Internal Audit directly accountable to the Chief Executive. This not only sends a clear signal about the importance of the internal audit function, it also facilitates regular contact between the Chief Executive and internal audit. This contact should be used as an opportunity to gain insights into new and emerging risks and issues facing the organisation and to discuss the role the Chief Executive expects internal audit to fulfill in the company.

b) Board of directors

The Head of Internal Audit may formally report to the Board of Directors on the effectiveness of the internal audit function in order to exchange views and ideas. As the Audit Committee is usually a sub-committee of the Board, this responsibility is often delegated to the Audit Committee. As a minimum, it is important that the Head of Internal Audit has direct access to the Chair of the Board and the Chief Executive, as and when required.

c) Audit committee

Audit Committees play an integral role in the governance framework of organizations. It assists Chief Executives and Boards to understand whether key controls are appropriate and operating effectively. In this respect, the relationship between internal audit and the Audit Committee is crucial and has a number of dimensions which are mentioned below:

  1. Advise the Chief Executive about the internal audit plans of the organisation;

  2. Direct or coordinate work programs relating to internal and external audits;

  3. Review the content of internal [and external] audits to identify significant matters of concern, and to advise the Chief Executive on good practice or opportunities for improvement;

  4. Review the adequacy of responses to reports of internal and external audits;

  5. Endorse the internal audit charter and be responsible for either reviewing and approving internal audit plans or recommending their approval by the Chief Executive/Board of Directors;

  6. Act as the internal audit function’s primary client and form a sound professional relationship with the internal audit team as a whole and each of its members;

  7. Utilize internal audit reports and its general interaction with the Internal Audit team, to assess the effectiveness of controls and the performance of the organisation and

  8. Utilize the internal audit function to undertake secretariat compliance

Given this relationship, it is important that both formal and informal lines of communication be maintained between internal audit and the Audit Committee and with individual committee members, particularly the Chair. Audit Committee members should be in a position to be able to openly discuss matters of interest with the Head of Internal Audit. It is also good practice for the Audit Committee to meet privately with the Head of Internal Audit from time to time to ask questions and to seek feedback from internal audit without management being present. This practice also supports the independent role of internal audit.

d) Senior management

To effectively fulfill its responsibilities, it is important that internal audit has a professional and constructive relationship with senior management of the organization. Internal auditors should interact on a regular basis with members of the senior management team, and through the delivery of practical, business-focused and useful reports and advice, build a relationship that is based on cooperation, collaboration and mutual respect. Meetings with organization managers should be used as an opportunity to be briefed on key business developments and associated risks facing the organization. These meetings should also be used to obtain informal feedback about the performance of internal audit and to assist in identifying ways that internal audit can best assist organization management. Thus, the internal audit team would encourage managers to seek their advice and assistance on either an informal or formal basis as the need arises.

e) External auditors

External auditors too must help in developing internal audit strategy and internal audit work plan. Both audit teams need to address the key financial and business systems underpinning the company's financial statements and to avoid duplication of compliance and assurance. To avoid such duplication, the external auditor must evaluate the work of the internal audit function to determine its adequacy for external audit purposes. The Internal audit function can be made responsible for liaising with external auditor on behalf of the organization. Such a role can be a useful way for an internal audit team to be aware of planned and actual external audit coverage. Thus, a constructive relationship between both sets of auditors assists in the conduct of external audits. Such a role can only be fulfilled when there is healthy communication between internal and external audit teams which can be achieved by setting up formally establish meetings between internal and external audit to allow for a routine exchange of information.

f) Other reviewers

Internal audit is one of a number of internal and external review and assurance activities that exist as part of an organization’s governance arrangements. The company shall benefit when all these activities, such as those performed by the Ombudsman and regulators, operate in a coordinated and complementary manner to the greatest extent possible. This requires regular formal and informal contact between review bodies to minimize duplication and overlap. Some organisations see a benefit in protocols being formalised for such activities: providing, for example, for the regular exchange of views and information and for the reporting of the results of work undertaken in a coordinated manner. Protocols can be particularly important in situations where internal audit needs to work closely with other entities as a result of inter-agency or other agreements. [6]

Audit planning procedures

In order to conduct an audit effectively and efficiently, the work needs to be planned and controlled. The form and nature of the planning required for an audit will be affected by the size and complexity of the enterprise, the commercial environment in which it operates, the methods of processing transactions and the reporting requirements to which it is subjected.

Audit planning is the formulation of the general strategy for audit which sets the direction for the audit, describes the expected scope and conduct of the audit and provides guidance for the development of the audit program.

Adequate planning of an audit work aims at

  1. Establishing the intended means of achieving the objectives of the audit

  2. Assisting in the direction and control of the work

  3. Helping to ensure that attention is devoted to critical aspects of the audit work

  4. Ensuring that the work is completed expeditiously

  5. Facilitating review of the audit work

  6. Helping to assign the proper tasks to members of the audit team and coordinates outside experts.

The audit plan

The auditor should develop an audit plan for the audit in order to reduce audit risk to an acceptably low level. The audit plan is more detailed than the overall audit strategy and includes the nature, timing, and extent of audit procedures to be performed by engagement team members in order to obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level. Documentation of the audit plan also serves as a record of the proper planning and performance of the audit procedures that can be reviewed and approved prior to the performance of further audit procedures. [13]

Planning objectives

"The objective of the auditor is to plan the audit so that it will be performed in an effective manner." Audits are potentially complex, risky and expensive processes. Although firms have internal manuals and standardized procedures, it is vital that engagements are planned to ensure that the auditor:

The purpose of all this is to ensure that the risk of performing a poor quality audit (and ultimately giving an inappropriate audit opinion) is reduced to an acceptable level [14].

The steps in planning an audit include (Planning Procedures):

  1. Basic discussions with the client about the nature of the engagement are performed first, and the auditor meets the key employees or new employees of a continuing client. The overall audit strategy or the timing of the audit may also be discussed.

  2. Review of audit documentation from previous audits performed by the accounting firm or a predecessor auditor (if the latter makes these audit documentation available) will assist in developing an outline of the audit program.

  3. Ask about recent developments in the company such as mergers and new product lines which will cause the audit to differ from earlier years.

  4. Interim financial statements are analyzed to identify accounts and transactions that differ from expectations (based on factors such as budgets or prior periods). The performance of such analytical procedures is mandatory in the planning of an audit to identify accounts that may be misstated and that deserve special emphasis in the audit program.

  5. Non-audit personnel of the accounting firm who have provided services (such as tax preparation) to the client should be identified and consulted to learn more about the client.

  6. Staffing for the audit should be determined and a meeting held to discuss the engagement.

  7. Timing of the various audit procedures should be determined

  8. Outside assistance needs should be determined, including the use of a specialist as required and the determination of the extent of involvement of the internal auditors of the client.

  9. Pronouncements on accounting principles and audit guides should be read or reviewed to assist in the development of complete audit programs fitting the unique needs of the industry.

  10. Scheduling with the client is needed to coordinate activities.[15]

The internal audit work plan would generally include:

1. Audit title

2. Functional and Operational Area to be covered

3. Director and manager responsible

4. Type and scope of internal audit

5. The benefit expected by the audit procedure

6. Resources allocation for the purpose of the audit

7. Proposed duration and timelines for completion [6]

Auditing procedure

There are total 10 steps of the audit process:

1. Notification: Audit process begins with notification. The notification process alerts the party to be audited of the date and time of the process. The notification also will list the documents that the order wishes to review in order to understand the organization of the company.

2. Planning: Planning is the steps the auditor takes, before the audit, to identify key areas of risk and areas of concern.

3. Opening meeting: Meeting between the auditing staff and senior management of the auditing target as well as administrative staff. The auditors will describe the process they will undertake. Management will describe areas of concern to them and the schedule of the employees that must be consulted.

4. Fieldwork: Fieldwork begins after the results of the meeting are used to adjust the final audit plans. Employees are notified of the audit, schedules are drawn up regarding the activities of the audit staff, and an initial investigation begun after learning of business procedures, interviewing key staff, testing current business practices by sampling, reviewing the law and testing internal rules and practices for reasonableness.

5. Communication: The audit team should consistently be in contact with the corporate auditor to clarify processes, gain access to documents and clarify procedures.

6. Draft audit: At the completion of the audit, the next step, the draft audit, is prepared. The draft audit detail what was done and what was found, a distribution list of parties to receive preliminary results, and a list of concerns.

7. Management response: The draft is given to management to review, edit and suggest changes, probe areas of concern and correct errors. Upon making final corrections, the report is given to management for the seventh step, the management response. Management is requested to answer the report by stating whether they agree with the problems cited, the plan to correct noted problem and the expected date by which all issues will have been addressed.

8. Final meeting: The final meeting is designed to close loose ends, discuss the management response and address the scope of the audit.

9. Report distribution: The ninth step is the report distribution, where the final audit report is sent to appropriate officials inside and outside the audit area.

10. Feedback: The last step is the audit feedback whereby the audited company implements the recommended changes and the auditor's review and test the quality, adherence and effects of the adopted changes. This continues until all issues are adopted and the next audit cycle begins. [1]

Recording nonconformities or deficiencies

As the audit proceeds, there might arise some situations where the facts indicate there is a failure, either partially or wholly, of the quality management system, such a situation is called nonconformity”.

What is nonconformity?

There may be nonconformity for one of three reasons

  1. The procedure or defined process does not conform to the regulatory requirements

  2. The procedure or process has not been put into practice in the described way

  3. The practice, what is actually done, is not effective (planned results not achieved).

The statement of nonconformity needs to be in a format understandable both to people in the audit and to those who were not. People who were not present at the audit will be assigned to take the necessary corrective action most often. This need alone defines some rules for the recording of nonconformities:

  1. Exact observation of the facts. Only the facts are needed, and the reporting of them needs to be exact.

  2. Where was it found? The statement needs to identify exactly where it was found; otherwise, it may not be found again.

  3. What was found? It needs to be clear so that people understand what aspect of the system is nonconforming.

  4. Why is it nonconformity? The statement needs to make it clear what specified requirement has not been met.

  5. What is the objective evidence of the nonconformity? What audit evidence do we have–records, documents, statements or observations for our nonconformity findings?

  6. Who was involved? The statement often has no need to involve specific people, but where the objective evidence was based on a statement, and then the statement and the originator (s) need to be clear. Job titles rather than names should be used.

  7. Use local terminology. Industry has its own names for certain activities, documents, etc. These unique terms should be used for clarity.

  8. Make it retrievable. Someone has to go back after the audit and put it right, possibly after a considerable period of time.

  9. Make it helpful. To be helpful, nonconformity statements should be complete, correct, concise and clear. Suggestions, particularly on external audits, are not recommended, nor are they the auditor’s duty [3].

Classification of deficiencies

The number of nonconformities that can arise during an audit can be numerous. Following types of defects are identified during an internal audit and these are helpful in regulatory compliance:

Critical defect

Critical defects have a high probability of resulting in a product recall or in an adverse physiological response by the consumer. Critical deficiencies found in internal audits that usually produce significant effects on the strength, identity, safety, and purity of the product that will be considered during regulatory compliance.

The possible source of a critical defect

Cross-contamination of materials of the product

Incorrect labeling

Active ingredients outside of specifications

Product manufactured according to obsolete or unapproved procedures

Open sterile products located in a non-aseptic area

Untrained operators working in the sterile filling area

Contaminated purified water or water for injection system

Major defect

Major defects found during the internal audit can reduce the usability or stability of a product, but without causing harm to the consumer.

The possible source of a major defect

Major equipment not calibrated or out of calibration

Inadequate segregation of quarantine components

Inadequate evaluation of production process outside of action levels

Process deviations not properly documented or investigated

Operator not trained in or familiar with the standard operating procedures

Preventive maintenance on a critical water system not conducted according to schedule

Lack of standard operating procedures for cleaning equipment.

Audits of a contract manufacturer not conducted

Minor defect

Minor defects have a low probability of affecting the quality or usability of the product which can help in regulatory compliance.

Possible source of the minor defect

Failure to complete all batch record entries

Warehouse not cleaned according to schedule

Cracks in wall surfaces

Failures to correct documentation errors properly

Operator uniform not properly worn

Standard operating procedure review is overdue

Adhesive tape used on manufacturing equipment

Laboratory buffer solutions are obsolete [16]


A quality systems approach calls for audits to be conducted at planned intervals to evaluate effective implementation and maintenance of the quality system and to determine if processes and products meet established parameters and specifications. An audit performed by a well-trained and thoroughly prepared auditor can be highly beneficial by identifying areas for genuine improvement. An audit should not to be seen as interrogation with the auditee as permanent loser, it is a comparison of what is laid down to what is in place. Auditing is no goal in itself. Auditing in the pharmaceutical sector serves two different categories: regulatory compliance and business needs. When employees and managers begin to see audits as opportunities to improve, they begin to see auditors not as police officers but as productive members of the organization.




All the authors have contributed equally




  1. Kumar S, Tanwar D, Arora N. The role of regulatory GMP audit in pharmaceutical companies. Int J Res Dev Pharm Life Sci 2013;2:493-8.

  2. Kaur J. Quality audit: Introduction, types and procedure [Internet]. Place Unknown: Pharma Pathway; 2017. Available from: [Last accessed 19 Mar 2018]

  3. Biswas P. ISO 9001. Internal audit [Internet]. Place Unknown: Word Press; 2015. Available from: [Last accessed on 19 Mar 2018]

  4. Bernacchi T. The pharmacy audit: what is it and are you prepared? J Managed Care Pharm 1999;5:94-8.

  5. Shah M. Quality audit: a tool for continuous improvement and compliance. Place unknown: Pharma Tips. Available from: [Last accessed on 19 Mar 2018]

  6. Professional Development Committee, the Institute of Cost Accountants of India. Exposure Draft: Guidance Note on Internal Audit of Pharmaceutical Industry; 2013. Available from: [Last accessed 19 Mar 2018]

  7. Vedanabhlata S, Gupta VN. A review on audits and compliance management. Asian J Pharm Clin Res 2013;6:43-5.

  8. Sharma S, Kohli S, Potdar M. Current good manufacturing practices: Audit. Place Unknown: Word Press; 2008. Available from: [Last accessed 19 Mar 2018]

  9. Active Pharmaceutical Ingredients Committee (APIC). Auditing guide; 2016. Available from: [Last accessed 19 Mar 2018]

  10. BSI standards publication: European committee for standardization. Guidelines for auditing management systems; 2011. Available from: [Last accessed 19 Mar 2018]

  11. Chartered Institute of Internal Auditors. How to gather and evaluate information; 2017. Available from:

  12. Performance Review Institute. Internal auditor techniques: Data gathering [Internet]. Place Unknown: Performance Review Institute; Available from viewerng/viewer?url= [Last accessed 19 Mar 2018]

  13. Association of Accountancy Bodies in West Africa (ABWA): Accounting Technicians Scheme (West Africa). Principles of auditing. ABWA Publishers. Second edition; c2009. p. 101-10. Available from: ATSWA_ PRINCIPLES_OF_AUDITING.pdf. [Last accessed 19 Mar 2018]

  14. Kaplan Financial Knowledge Bank. The audit planning process. UK: Kaplan Financial; c2012. Available from: [Last accessed 19 Mar 2018]

  15. Roger CPA Review Blog. The 10 steps in planning an audit; 2009. Available from: blog/10-steps-planning-audit. [Last accessed 19 Mar 2018]

  16. Choudhary A, Bake A. Internal audit or self-inspection defects and regulatory compliance checklist. Place Unknown: Pharmaceutical guidelines; 2013. Available from: https:// [Last accessed 19 Mar 2018]