*1M. Pharm Research Scholar, Department of Pharmaceutical Quality Assurance, 2Associate Professor, Department of Pharmaceutics Bhupal Noble’s Institute of Pharmaceutical Sciences, Bhupal Noble’s University, Sevashram Road, Udaipur 313001, Rajasthan, India
Email: [email protected]
Received: 11 Sep 2018, Revised and Accepted: 19 Nov 2018
Auditing is a vital function within a pharmaceutical company nowadays. Quality audit is a review and evaluation of all or part of a quality system with the specific purpose of improving it. It is one of the means to examine pharmacy programs and ensures that the procedures and reimbursement mechanisms comply with the contractual and regulatory requirements. A quality audit is usually conducted by external or independent experts or by a team designated by management for this purpose. These audits can be extended to suppliers and contractors as well. An audit will assess the strengths and weaknesses of quality assurance and quality assurance processes, the results of which assists in improving processes and building a better system for company benefits. This article focuses on various aspects of quality auditing in the pharmaceutical industry including its principles, objectives, importance and benefits and planning along with the deficiencies that are likely to occur during the process. This review comprises a well-organized summary of various guidelines available till date using the Google Scholar search engine and the keywords listed below.
Keywords: Quality audit, Auditor, Audit planning, Internal audit, Audit procedures, Audit deficiencies
© 2019 The Authors.Published by Innovare Academic Sciences Pvt Ltd. This is an open-access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/)
Audits are conducted to ascertain the validity and reliability of the information; also to provide an assessment of the internal control of a system. It provides management with information on the efficiency with which the company controls the quality of its processes and products .
The audit in simple terms could be defined as the inspection of a process or a system to ensure that it meets the requirements of its intended use . International organization for standardization (ISO) defines the audits as "Systematic, independent and documented process for obtaining audit evidence and evaluating them objectively to determine the degree to which the verification criteria are met" .
Instead of considering the audit as an intrusive and potentially threatening review, pharmacies should consider the audit as a quality control mechanism. The results of the audit and the resulting corrective actions ensure all the involved parties that a program works in accordance with established rules of practice .
In the pharmaceutical industry, audits are virtual means for assessing compliance with the established objectives defined in the quality system and thus paving the way for the continuous improvement program by providing feedback to management . A company that produces drugs today must be able to demonstrate that it does so with absolute reliability, in optimal conditions and with extreme uniformity that allows accurate reproduction .
In food and drug administration (FDA) and ISO environments, auditing of both compliance and performance is essential. Pharmaceutical audit experience includes the drafting and revision of validation policies, guidelines and standard operating procedures (SOP) from project qualification to performance evaluation phases . If implemented correctly; it can be one of the most effective means of improvement .
Definition of internal audit
The chartered institute of management accountants, UK (CIMA) defines Internal Audit as:
‘An independent appraisal activity established within an organization as a service to it. It is a control which functions by examining and evaluating the adequacy and effectiveness of other controls; a management tool which analyses the effectiveness of all parts of an organization’s operations and management.’
The institute of internal auditors (IIA) also defines Internal Audit on similar lines as:
‘Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.’
These definitions state two clear functions of the Internal Audit activity namely;
Internal control: A process which is performed by the employees of the company as well as the information technology systems that are used to assist the company in achieving its objectives.
Management tool: These monitors and evaluates the effectiveness of operational processes and risk management of a company .
Goals of an audit
The simple goal of this complex process is to evaluate existing activities and documentation and determine if they meet the established standards. An audit will evaluate the strengths and weaknesses of quality control and quality assurance processes, the results of which will help us to improve processes and build a better system for the benefit of the company. Every product manufactured by a pharmaceutical company has characteristics that must be quantified or qualified by laboratory tests. Quality control and quality assurance are the necessary processes that play the role of control and balance system in pharmaceutical industry.
With proper preparation and planning, the audit itself must easily achieve the intended purpose. Effective auditing and proper compliance with standards will help build brand reputation and avoid the negative effects of non-compliance, such as fines, bad public relations and court proceedings .
Audit objectives may include:
Evaluating conformity of requirements to ISO 9001
Evaluating conformity of documentation to ISO 9001
Judging conformity of implementation to documentation
Determining effectiveness in meeting requirements and objectives
Meeting any contractual or regulatory requirements for auditing
Providing an opportunity to improve the quality management system
Permitting registration and inclusion in a list of registered companies
Qualifying potential suppliers 
Audits and regulatory standards
The ISO, a global leader in the development of international standards, is instrumental in boosting interest in quality audits among manufacturers and other types of businesses when it published the ISO 9000 standards in 1987. Today, popular standards such as ISO 9001: 2000, ISO 14001:2004, and ISO 13485 all require internal audits of the quality system (or the environmental management system in the case of ISO 14001: 2004). Under these standards, audit serves as a mechanism for evaluating and improving quality. The same principle is reflected in a number of regulations enforced by the Food and Drug Administration. Under the Quality System Regulation (21 Code of federal regulations [CFR] Part 820), medical device manufacturers are required to conduct audits to ensure that the quality system is compliant (Sec. 820.22). The current good manufacturing practice (CGMP) regulations for pharmaceuticals (21 CFR Parts 210-211) and for blood and blood components (21 CFR Part 606) include general requirements for regular evaluation of quality standards. Guidance for the pharmaceutical industry and blood establishments also emphasize the importance of audits. For example, the “Guidance for Industry Quality Systems Approach to Pharmaceutical CGMP Regulations” recommends internal audits and supplier audits. The “Guidelines for Quality Assurance in Blood Establishments” call for a comprehensive audit of the quality assurance program .
Benefits of auditing
Whilst there is usually low influence on regulatory inspections, audits should be seen as a management tool to assess the company’s in-house quality management system. Internal, as well as external auditing, can help to achieve this goal. The major benefits of an effective audit system can be summarized as follows:
Managing a quality management system
Detecting in advance weak points, through identification of unsatisfactory trends or situations
Preventing quality failures, on the basis of quality data reviewing
Informing Senior Management about the quality level of facilities and/or operations
Standardizing audits will optimize the output, the quality level of audits will increase (and therefore the quality of products and services) which will finally lead to a continuous improvement loop.
The auditee will understand that audits are not created to control and criticize his work, but will improve the company's performance. This will lead to a higher acceptance of the audits. He will see audits as a chance to educate and improve his knowledge in terms of quality related aspects.
Combining audits of quality, safety, and environmental matters will reduce the number of audits significantly which will give a greater acceptance to the auditee and will save his time.
Additional benefits can be achieved by pooling audits, for example, Shared Third Party Audits.
By establishing a high-quality audit system throughout the industry, the level of compliance will increase. Mutual confidence building and an improved relationship between the partners will be the result of these efforts .
Types of audits
The quality audit system mainly classified in three different categories:
Quality audits are performed to verify the effectiveness of a quality management system. 
This type of audit is also known as First-Party Audit or self-audit. Those auditing and those being audited all belong to the same organization.  Internal audit is a professional activity that consists of advising organizations on how to achieve their goals in a better way. The internal audit involves the use of a systematic methodology to analyze business processes or organizational problems and recommend solutions. The main objectives of internal audits can be summarized as follows:
1. To assist the internal control system.
2. Review of organizational policies and their operations.
3. Verify the accuracy and authenticity of errors and frauds.
4. Detection and prevention of errors and faults.
5. Safeguarding the assets
6. Applicability of accounting policies.
7. Helps in smooth functioning of the internal check system.
In a pharmaceutical facility for internal auditing, one requires to check mainly two things namely,
Activities carried out by different departments and
Documents maintained by these departments.
For this purpose, a department-wise questionnaire and document list is required to be prepared in detail. 
This type of audit is also known as Second-Party Audit. It refers to a customer conducting an audit on a supplier or contractor.  Although there are no strict legal requirements for this control. It is always advisable to evaluate the competence of the contractors in which we produce our products or carry out the analysis of our products or any other activity according to GMP. Performing these audits also offers important commercial advantages:
• Develop knowledge and confidence in the partnership agreement
• Ensures that requirements are understood and met
• Allow the reduction of some activities (e. g. in-house quality control (QC) testing of starting materials)
• reduce the risk of failure (and, by implication, its costs)
Many pharmaceutical industry suppliers are ISO 9001 or ISO 9002-certified and are regularly audited by their certification body. Pharmaceutical contract manufacturing or packaging companies will need to be licensed and will be subject to regulatory audits. 
This type of audit is also known as Third-Party Audit. Neither customer nor supplier conducts this type of audit. A regulatory agency or independent body conducts a third party audit for compliance or certification or registration purposes.  International regulatory bodies such as. Medicines and healthcare products regulatory agency (MHRA), UK, United States food and drug administration (USFDA), Therapeutic goods administration (TGA), Australia, Medicines control council (MCC), South Africa, etc. are responsible for carrying out these checks. There is a team to perform the audit; it must be composed of audit inspectors and a multidisciplinary company team.
The company must have representatives from each of the following departments: production, quality control, warehouse, maintenance, administration/personnel and marketing/sales. These audits can be performed without warning (MHRA currently performs around ten percent of its inspections in the UK in this way) as manufacturers are required to always comply with GMPs. Regulatory bodies in other countries where products are sold can also audit companies (e. g. FDA audits European manufacturers).
All regulatory inspectors are extensively trained, competent and professional. All MHRA inspectors are professionally qualified and have a minimum of five years of appropriate experience in a production operation; they will be in the registers of persons eligible to act as qualified persons and lead auditors.
Failure to approve a regulatory audit may result in restrictions (or revocation) of production or import/export license. (The FDA has recently imposed "punitive consensus decrees" on financial companies that did not respond adequately to the audit results and comply with the GMPs). Therefore, it is essential that companies have defined processes for managing audits and staff should be adequately trained for being audited. Internal audits can provide valuable opportunities for practice .
Principles of auditing
The audit is characterized by dependence on a number of principles. These principles should help to establish audit as an effective and reliable tool to support management policies and controls, by providing information on what an organization can act to improve its performance. Adherence to these principles is a prerequisite in order to provide relevant and sufficient audit conclusions and allow auditors to work independently from each other, to reach similar conclusions in similar circumstances.
Integrity: the basis of professionalism
The auditors and the person who administers an audit program must:
-Carry out their work with honesty, diligence, and responsibility;
-Observe and comply with applicable legal requirements;
-Demonstrate their competence while carrying out their work;
-Be sensitive to any influence that can be exercised on the judgment while conducting an audit.
Fair presentation: the obligation to report truthfully and accurately
The audit findings, audit conclusions and audit reports should truthfully and accurately reflect the activities of the audit. Significant obstacles encountered during the audit and unresolved diverging opinions between the audit team and the auditee should be reported. The communication should be truthful, accurate, objective, timely, clear and complete.
Due professional care: the application of diligence and judgment in auditing
Auditors should pay due attention to the importance of the task they perform and the trust placed in them by the audit client and other interested parties. An important factor in the execution of work with due professional attention is having the ability to express reasoned judgments in all audit situations.
Confidentiality: security of information
Auditors should exercise discretion in the use and protection of information acquired in the course of exercising their duties. Audit information should not be used inappropriately for personal gain by the auditor or the audit client, or in a manner detrimental to the legitimate interests of the auditee. This concept includes the correct management of sensitive or confidential information.
Independence: the basis for the impartiality of the audit and the objectivity of the audit conclusions
The auditors should be independent of the activity audited wherever possible, and in all cases, they should act in a manner that is free from prejudice and conflicts of interest. For internal audits, auditors must be independent of the operational managers of the function being audited. Auditors must maintain objectivity throughout the review process to ensure that audit findings and conclusions are based only on audit evidence.
For small organizations, internal auditors may not be totally independent of the activity being audited, but all efforts must be made to eliminate bias and encourage objectivity.
Evidence-based approach: the rational method for achieving reliable and reproducible audit conclusions in a systematic audit process
Audit evidence must be verifiable. In general, it will be based on samples of available information, since an audit is conducted in a limited period of time and with limited resources. An appropriate use of sampling should be applied, as it is closely related to the confidence that can be included in the audit conclusions .
The auditor within the audit system
An auditor is defined by ISO 19011 as a person with the competence to perform an audit. To perform an audit, the auditor must be authorized for that particular audit.
The auditor has the following responsibilities:
Assist in the selection of the team and inform the team
Responsibility to plan and manage all phases of the audit
Represent the audit team with the auditee
Control conflicts and manage difficult situations
Direct and control all meetings with the team and the auditee
Make decisions about audit issues and the quality system
Report the results of the audit without delay
Report the main obstacles encountered
Report critical non-conformances immediately
Possesses effective communication skills
Managing an audit program
An audit program may include one or more audits, depending on the size, nature, and complexity of the organization to be audited. These audits may have a variety of objectives and may also include joint (multiple auditing organizations) or combined (Quality management and Environmental management systems) audits. Management of an audit program includes all the activities necessary for planning and organizing the types and number of audits, and for providing resources for conducting them effectively and efficiently within the specified time frames [fig. 1].
The organization’s top management should grant the authority for managing the audit program. Those assigned the responsibility for managing the audit program should:
Plan, establish, implement, monitor, review and improve the audit program
Identify the necessary resources and ensure they are provided.
Fig. 1: Managing an audit program–process flow 
Fig. 2: Various steps of audit activities 
The planning and conducting of audit activities involve the following process flow or life cycle: as is depicted in Fig. 2. .
What is information?
Information is simply the facts or knowledge provided or learned. It can be tacit, in people's heads, or explicit, in documents-electronic or hard copy .
During the audit, information relevant to the objectives, scope and criteria, including information on interfaces between functions, activities and processes, should be collected by appropriate sampling and should be verified. Only verifiable information can be audit evidence which must be recorded .
Audit evidence is any information used by the auditor to determine if the audited information is in accordance with the established criteria and to arrive at the conclusions on which the audit opinion is based. Internal Audit Evidence includes any data, information, process flows, vouchers, bills, memos, contracts or transactions.
The internal audit evidence collected would be dependent on the following:
Audit procedures to use-specific procedures should be spelled out for instruction during the audit.
Sample size-how many items should be tested for each audit procedure.
Items to select-determine which items in the population should be selected.
Timing-timing can vary from the beginning of the accounting period to the closure of it .
Methods of gathering audit information
There are six basic methods of gathering information during an audit. Depending on the type of information that needs to be obtained, the Internal Auditor will need to determine which method, or combination of methods, should be used.
Interviewing is a powerful data collection technique, which works well on its own and is often used to support other techniques, such as observation. The interviewee’s insights can guide the Internal Auditor’s decisions about what to observe. The most important thing to remember when interviewing is to always talk to the right person, as it can save a lot of time and confusion.
Communication is a key element to the success of any audit. The more effectively the Internal Auditor interviews personnel, the more useful information will be gathered. Questions may be asked several times in different ways or to different people depending on their level of responsibility (Operator, Supervisor, etc.) in order to get a complete answer.
When inspecting something, it is good practice to start with general observations and then proceeding to the more specific elements. First, the Internal Auditor will have a good overall look around the facility and then examine specific items more closely, noting anything that does not seem quite right. It is important to ask questions throughout the inspection. If a problem is found, the Internal Auditor must investigate (dig deeper) to explore the extent of the finding.
When reviewing company records, the Internal Auditor can use a number of techniques. Random sampling is one of them. It gives a general idea of the quality of record keeping and exposes the potential problem areas. However, one sample taken in one given period of time is usually not enough to form accurate conclusions. Another important aspect of record keeping is clarity. Documents should be clear regardless of who reads them. Details vary but, in general, every document should carry a title, an owner and a revision status. If any of this information is missing, the Internal Auditor should ask why. The revisions noted should be checked against the master record. Changes must be authorized, signed and dated by an authorized person.
The simplest way to check how a process works is to observe it in action. Observing a routine activity for a couple of hours can give the Internal Auditor the opportunity to see how something is done under normal circumstances. He or she should ask questions about what they see, making sure at all times not to interfere with the processes they are observing, as that may cause the personnel not to carry out their tasks as they usually do.
This method is also referred to as “vertical auditing” and consists of following a specific development from the beginning until the end, simultaneously checking all the records that are produced in the process. Applying the vertical tracking technique can lead the Internal Auditor to areas that were not initially part of the scope, but it does facilitate a bigger picture view, as this allows the Internal Auditor to see how the various parts of a given program work together.
The aim of an exercise is to test something that is usually done at the facility as part of the routine. However, the Internal Auditor gets to pick the time and the circumstances for the test. The subject of testing can be the personnel, the program, or the equipment. An Internal Auditor should not run an exercise without the knowledge and cooperation of the auditee. Doing so is likely to have negative consequences as unannounced actions may breach certain facility-specific rules or regulations which the Internal Auditor is unaware of.
A good Internal Auditor must have his or her own efficient way of taking notes. This is an extremely important part of the job that cannot be neglected. Notes must get reviewed and refined along the way. In situations where taking notes is inconvenient, a mental note-taking technique should be used. Notes are used to organize thoughts and observations which will, in turn, help the Internal Auditor reach accurate conclusions throughout the audit. Notes need to be reviewed and completed at the end of each audit day .
Fig. 3: Process for collecting information to reach audit conclusions 
The internal audit team must have the confidence and trust of the key stakeholders it works with and be seen as a credible source of assurance and advice. This confidence should not be assumed and can only be established and maintained by having an effective working relationship, by delivering high-quality and timely advice and internal audit reports that are seen to be contributing directly to assisting the organisation to meet its responsibilities. The key stakeholders of internal audit are:
•Board of Directors
The importance of these individual relationships is analysed below.
a) Chief executive
While internal audit reports functionally to the Audit Committee, it is important that the Head of Internal Audit has direct access, as and when required, to the Chief Executive.
Organisations today, recognize the advantages in making the Head of Internal Audit directly accountable to the Chief Executive. This not only sends a clear signal about the importance of the internal audit function, it also facilitates regular contact between the Chief Executive and internal audit. This contact should be used as an opportunity to gain insights into new and emerging risks and issues facing the organisation and to discuss the role the Chief Executive expects internal audit to fulfill in the company.
b) Board of directors
The Head of Internal Audit may formally report to the Board of Directors on the effectiveness of the internal audit function in order to exchange views and ideas. As the Audit Committee is usually a sub-committee of the Board, this responsibility is often delegated to the Audit Committee. As a minimum, it is important that the Head of Internal Audit has direct access to the Chair of the Board and the Chief Executive, as and when required.
c) Audit committee
Audit Committees play an integral role in the governance framework of organizations. It assists Chief Executives and Boards to understand whether key controls are appropriate and operating effectively. In this respect, the relationship between internal audit and the Audit Committee is crucial and has a number of dimensions which are mentioned below:
Advise the Chief Executive about the internal audit plans of the organisation;
Direct or coordinate work programs relating to internal and external audits;
Review the content of internal [and external] audits to identify significant matters of concern, and to advise the Chief Executive on good practice or opportunities for improvement;
Review the adequacy of responses to reports of internal and external audits;
Endorse the internal audit charter and be responsible for either reviewing and approving internal audit plans or recommending their approval by the Chief Executive/Board of Directors;
Act as the internal audit function’s primary client and form a sound professional relationship with the internal audit team as a whole and each of its members;
Utilize internal audit reports and its general interaction with the Internal Audit team, to assess the effectiveness of controls and the performance of the organisation and
Utilize the internal audit function to undertake secretariat compliance
Given this relationship, it is important that both formal and informal lines of communication be maintained between internal audit and the Audit Committee and with individual committee members, particularly the Chair. Audit Committee members should be in a position to be able to openly discuss matters of interest with the Head of Internal Audit. It is also good practice for the Audit Committee to meet privately with the Head of Internal Audit from time to time to ask questions and to seek feedback from internal audit without management being present. This practice also supports the independent role of internal audit.
d) Senior management
To effectively fulfill its responsibilities, it is important that internal audit has a professional and constructive relationship with senior management of the organization. Internal auditors should interact on a regular basis with members of the senior management team, and through the delivery of practical, business-focused and useful reports and advice, build a relationship that is based on cooperation, collaboration and mutual respect. Meetings with organization managers should be used as an opportunity to be briefed on key business developments and associated risks facing the organization. These meetings should also be used to obtain informal feedback about the performance of internal audit and to assist in identifying ways that internal audit can best assist organization management. Thus, the internal audit team would encourage managers to seek their advice and assistance on either an informal or formal basis as the need arises.
e) External auditors
External auditors too must help in developing internal audit strategy and internal audit work plan. Both audit teams need to address the key financial and business systems underpinning the company's financial statements and to avoid duplication of compliance and assurance. To avoid such duplication, the external auditor must evaluate the work of the internal audit function to determine its adequacy for external audit purposes. The Internal audit function can be made responsible for liaising with external auditor on behalf of the organization. Such a role can be a useful way for an internal audit team to be aware of planned and actual external audit coverage. Thus, a constructive relationship between both sets of auditors assists in the conduct of external audits. Such a role can only be fulfilled when there is healthy communication between internal and external audit teams which can be achieved by setting up formally establish meetings between internal and external audit to allow for a routine exchange of information.
f) Other reviewers
Internal audit is one of a number of internal and external review and assurance activities that exist as part of an organization’s governance arrangements. The company shall benefit when all these activities, such as those performed by the Ombudsman and regulators, operate in a coordinated and complementary manner to the greatest extent possible. This requires regular formal and informal contact between review bodies to minimize duplication and overlap. Some organisations see a benefit in protocols being formalised for such activities: providing, for example, for the regular exchange of views and information and for the reporting of the results of work undertaken in a coordinated manner. Protocols can be particularly important in situations where internal audit needs to work closely with other entities as a result of inter-agency or other agreements. 
Audit planning procedures
In order to conduct an audit effectively and efficiently, the work needs to be planned and controlled. The form and nature of the planning required for an audit will be affected by the size and complexity of the enterprise, the commercial environment in which it operates, the methods of processing transactions and the reporting requirements to which it is subjected.
Audit planning is the formulation of the general strategy for audit which sets the direction for the audit, describes the expected scope and conduct of the audit and provides guidance for the development of the audit program.
Adequate planning of an audit work aims at
Establishing the intended means of achieving the objectives of the audit
Assisting in the direction and control of the work
Helping to ensure that attention is devoted to critical aspects of the audit work
Ensuring that the work is completed expeditiously
Facilitating review of the audit work
Helping to assign the proper tasks to members of the audit team and coordinates outside experts.
The audit plan
The auditor should develop an audit plan for the audit in order to reduce audit risk to an acceptably low level. The audit plan is more detailed than the overall audit strategy and includes the nature, timing, and extent of audit procedures to be performed by engagement team members in order to obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level. Documentation of the audit plan also serves as a record of the proper planning and performance of the audit procedures that can be reviewed and approved prior to the performance of further audit procedures. 
"The objective of the auditor is to plan the audit so that it will be performed in an effective manner." Audits are potentially complex, risky and expensive processes. Although firms have internal manuals and standardized procedures, it is vital that engagements are planned to ensure that the auditor:
Devotes appropriate attention to important areas of the audit;
Identifies and resolves potential problems on a timely basis;
Organizes and manages the audit so that it is performed in an effective and efficient manner;
Selects team members with appropriate capabilities and competencies;
Directs and supervises the team and reviews their work; and
Effectively coordinates the work of others, such as experts and internal audit.
The purpose of all this is to ensure that the risk of performing a poor quality audit (and ultimately giving an inappropriate audit opinion) is reduced to an acceptable level .
The steps in planning an audit include (Planning Procedures):
Basic discussions with the client about the nature of the engagement are performed first, and the auditor meets the key employees or new employees of a continuing client. The overall audit strategy or the timing of the audit may also be discussed.
Review of audit documentation from previous audits performed by the accounting firm or a predecessor auditor (if the latter makes these audit documentation available) will assist in developing an outline of the audit program.
Ask about recent developments in the company such as mergers and new product lines which will cause the audit to differ from earlier years.
Interim financial statements are analyzed to identify accounts and transactions that differ from expectations (based on factors such as budgets or prior periods). The performance of such analytical procedures is mandatory in the planning of an audit to identify accounts that may be misstated and that deserve special emphasis in the audit program.
Non-audit personnel of the accounting firm who have provided services (such as tax preparation) to the client should be identified and consulted to learn more about the client.
Staffing for the audit should be determined and a meeting held to discuss the engagement.
Timing of the various audit procedures should be determined
Outside assistance needs should be determined, including the use of a specialist as required and the determination of the extent of involvement of the internal auditors of the client.
Pronouncements on accounting principles and audit guides should be read or reviewed to assist in the development of complete audit programs fitting the unique needs of the industry.
Scheduling with the client is needed to coordinate activities.
The internal audit work plan would generally include:
1. Audit title
2. Functional and Operational Area to be covered
3. Director and manager responsible
4. Type and scope of internal audit
5. The benefit expected by the audit procedure
6. Resources allocation for the purpose of the audit
7. Proposed duration and timelines for completion 
There are total 10 steps of the audit process:
1. Notification: Audit process begins with notification. The notification process alerts the party to be audited of the date and time of the process. The notification also will list the documents that the order wishes to review in order to understand the organization of the company.
2. Planning: Planning is the steps the auditor takes, before the audit, to identify key areas of risk and areas of concern.
3. Opening meeting: Meeting between the auditing staff and senior management of the auditing target as well as administrative staff. The auditors will describe the process they will undertake. Management will describe areas of concern to them and the schedule of the employees that must be consulted.
4. Fieldwork: Fieldwork begins after the results of the meeting are used to adjust the final audit plans. Employees are notified of the audit, schedules are drawn up regarding the activities of the audit staff, and an initial investigation begun after learning of business procedures, interviewing key staff, testing current business practices by sampling, reviewing the law and testing internal rules and practices for reasonableness.
5. Communication: The audit team should consistently be in contact with the corporate auditor to clarify processes, gain access to documents and clarify procedures.
6. Draft audit: At the completion of the audit, the next step, the draft audit, is prepared. The draft audit detail what was done and what was found, a distribution list of parties to receive preliminary results, and a list of concerns.
7. Management response: The draft is given to management to review, edit and suggest changes, probe areas of concern and correct errors. Upon making final corrections, the report is given to management for the seventh step, the management response. Management is requested to answer the report by stating whether they agree with the problems cited, the plan to correct noted problem and the expected date by which all issues will have been addressed.
8. Final meeting: The final meeting is designed to close loose ends, discuss the management response and address the scope of the audit.
9. Report distribution: The ninth step is the report distribution, where the final audit report is sent to appropriate officials inside and outside the audit area.
10. Feedback: The last step is the audit feedback whereby the audited company implements the recommended changes and the auditor's review and test the quality, adherence and effects of the adopted changes. This continues until all issues are adopted and the next audit cycle begins. 
Recording nonconformities or deficiencies
As the audit proceeds, there might arise some situations where the facts indicate there is a failure, either partially or wholly, of the quality management system, such a situation is called nonconformity”.
What is nonconformity?
a condition adverse to Quality
The non-fulfillment of a requirement
There may be nonconformity for one of three reasons
The procedure or defined process does not conform to the regulatory requirements
The procedure or process has not been put into practice in the described way
The practice, what is actually done, is not effective (planned results not achieved).
The statement of nonconformity needs to be in a format understandable both to people in the audit and to those who were not. People who were not present at the audit will be assigned to take the necessary corrective action most often. This need alone defines some rules for the recording of nonconformities:
Exact observation of the facts. Only the facts are needed, and the reporting of them needs to be exact.
Where was it found? The statement needs to identify exactly where it was found; otherwise, it may not be found again.
What was found? It needs to be clear so that people understand what aspect of the system is nonconforming.
Why is it nonconformity? The statement needs to make it clear what specified requirement has not been met.
What is the objective evidence of the nonconformity? What audit evidence do we have–records, documents, statements or observations for our nonconformity findings?
Who was involved? The statement often has no need to involve specific people, but where the objective evidence was based on a statement, and then the statement and the originator (s) need to be clear. Job titles rather than names should be used.
Use local terminology. Industry has its own names for certain activities, documents, etc. These unique terms should be used for clarity.
Make it retrievable. Someone has to go back after the audit and put it right, possibly after a considerable period of time.
Make it helpful. To be helpful, nonconformity statements should be complete, correct, concise and clear. Suggestions, particularly on external audits, are not recommended, nor are they the auditor’s duty .
Classification of deficiencies
The number of nonconformities that can arise during an audit can be numerous. Following types of defects are identified during an internal audit and these are helpful in regulatory compliance:
Critical defects have a high probability of resulting in a product recall or in an adverse physiological response by the consumer. Critical deficiencies found in internal audits that usually produce significant effects on the strength, identity, safety, and purity of the product that will be considered during regulatory compliance.
The possible source of a critical defect
• Cross-contamination of materials of the product
• Incorrect labeling
• Active ingredients outside of specifications
• Product manufactured according to obsolete or unapproved procedures
• Open sterile products located in a non-aseptic area
• Untrained operators working in the sterile filling area
• Contaminated purified water or water for injection system
Major defects found during the internal audit can reduce the usability or stability of a product, but without causing harm to the consumer.
The possible source of a major defect
• Major equipment not calibrated or out of calibration
• Inadequate segregation of quarantine components
• Inadequate evaluation of production process outside of action levels
• Process deviations not properly documented or investigated
• Operator not trained in or familiar with the standard operating procedures
• Preventive maintenance on a critical water system not conducted according to schedule
• Lack of standard operating procedures for cleaning equipment.
• Audits of a contract manufacturer not conducted
Minor defects have a low probability of affecting the quality or usability of the product which can help in regulatory compliance.
Possible source of the minor defect
• Failure to complete all batch record entries
• Warehouse not cleaned according to schedule
• Cracks in wall surfaces
• Failures to correct documentation errors properly
• Operator uniform not properly worn
• Standard operating procedure review is overdue
• Adhesive tape used on manufacturing equipment
• Laboratory buffer solutions are obsolete 
A quality systems approach calls for audits to be conducted at planned intervals to evaluate effective implementation and maintenance of the quality system and to determine if processes and products meet established parameters and specifications. An audit performed by a well-trained and thoroughly prepared auditor can be highly beneficial by identifying areas for genuine improvement. An audit should not to be seen as interrogation with the auditee as permanent loser, it is a comparison of what is laid down to what is in place. Auditing is no goal in itself. Auditing in the pharmaceutical sector serves two different categories: regulatory compliance and business needs. When employees and managers begin to see audits as opportunities to improve, they begin to see auditors not as police officers but as productive members of the organization.
All the authors have contributed equally
Kumar S, Tanwar D, Arora N. The role of regulatory GMP audit in pharmaceutical companies. Int J Res Dev Pharm Life Sci 2013;2:493-8.
Kaur J. Quality audit: Introduction, types and procedure [Internet]. Place Unknown: Pharma Pathway; 2017. Available from: http://pharmapathway.com/quality-audit-introduction-types-and-procedure/. [Last accessed 19 Mar 2018]
Biswas P. ISO 9001. Internal audit [Internet]. Place Unknown: Word Press; 2015. Available from: http://isoconsultantpune.com/iso-90012015-internal-audit-by-pretesh-biswas-apb-consultant/. [Last accessed on 19 Mar 2018]
Bernacchi T. The pharmacy audit: what is it and are you prepared? J Managed Care Pharm 1999;5:94-8.
Shah M. Quality audit: a tool for continuous improvement and compliance. Place unknown: Pharma Tips. Available from: http://www.pharmatips.in/Articles/Quality-Audit-A-Tool-For-Continuous-Improvement-And-Compliance.aspx. [Last accessed on 19 Mar 2018]
Professional Development Committee, the Institute of Cost Accountants of India. Exposure Draft: Guidance Note on Internal Audit of Pharmaceutical Industry; 2013. Available from: http://icmai.in/upload/Institute/Comments_Invited/ED-IA-Pharma.pdf. [Last accessed 19 Mar 2018]
Vedanabhlata S, Gupta VN. A review on audits and compliance management. Asian J Pharm Clin Res 2013;6:43-5.
Sharma S, Kohli S, Potdar M. Current good manufacturing practices: Audit. Place Unknown: Word Press; 2008. Available from: https://drpotdar.wordpress.com/2008/04/30/audit/. [Last accessed 19 Mar 2018]
Active Pharmaceutical Ingredients Committee (APIC). Auditing guide; 2016. Available from: http://apic.cefic.org/pub/Auditing/APIC_CEFIC_AuditingGuideAugust2016.pdf. [Last accessed 19 Mar 2018]
BSI standards publication: European committee for standardization. Guidelines for auditing management systems; 2011. Available from: http://qic-eg.com/wp-content/uploads/2015/08/BS-EN-ISO-19011-2011.pdf. [Last accessed 19 Mar 2018]
Chartered Institute of Internal Auditors. How to gather and evaluate information; 2017. Available from: https://www.iia.org.uk/resources/delivering-internal-audit/how-to-gather-and-evaluate-information/?downloadPdf=true
Performance Review Institute. Internal auditor techniques: Data gathering [Internet]. Place Unknown: Performance Review Institute; Available from https://docs.google.com/ viewerng/viewer?url=https://visionpdf.com/download/1-internal-auditor-techniques-data-gathering-performance-rev.html?reader%3D1. [Last accessed 19 Mar 2018]
Association of Accountancy Bodies in West Africa (ABWA): Accounting Technicians Scheme (West Africa). Principles of auditing. ABWA Publishers. Second edition; c2009. p. 101-10. Available from: http://www.icanig.org/documents/ ATSWA_ PRINCIPLES_OF_AUDITING.pdf. [Last accessed 19 Mar 2018]
Kaplan Financial Knowledge Bank. The audit planning process. UK: Kaplan Financial; c2012. Available from: http://kfknowledgebank.kaplan.co.uk/KFKB/Wiki%20Pages/The%20Audit%20Planning%20Process.Aspx. [Last accessed 19 Mar 2018]
Roger CPA Review Blog. The 10 steps in planning an audit; 2009. Available from: https://www.rogercpareview.com/ blog/10-steps-planning-audit. [Last accessed 19 Mar 2018]
Choudhary A, Bake A. Internal audit or self-inspection defects and regulatory compliance checklist. Place Unknown: Pharmaceutical guidelines; 2013. Available from: https:// www.pharmaguideline.com/2013/05/pharmaceutical-self-inspection-defects.html [Last accessed 19 Mar 2018]