9 Strategies for Effective Internal Audits

As the age-old saying goes, sunlight is the best disinfectant. In the field of quality, internal audits are the equivalent of this sunlight.

Similar to spring cleaning, internal audits provide the opportunity to bring process issues into the open before they become external challenges like customer complaints, FDA warning letters, and recalls.

It’s one reason why internal audits are a basic requirement under ISO standards such as ISO 9001, ISO 13485, and ISO 45001. If compliance is the only reason you’re conducting audits, however, you’ll only get minimal results from your efforts.

With that in mind, this article explores nine strategies for more effective internal audits, looking beyond mere audit readiness to focus on extracting maximum value from this labor-intensive effort.

Download the AssurX Audit Management brochure to learn more about streamlining your audit process

1. Understand the Benefits of Internal Audits

The first strategy for more effective internal audits is knowing—and communicating with your team—why you’re conducting internal audits in the first place. The key message: internal audits aren’t just about meeting compliance.

Instead, internal audits help you monitor the health of your systems and processes as a whole. This mindset shift is necessary to move beyond basic compliance to a quality management system (QMS) that enables you to attain ever-increasing levels of quality.

Viewed from this perspective, internal audits allow you to:

• Identify inefficiencies and opportunities for process improvement
• Proactively identify and reduce compliance risks
• Ensure alignment between documented processes and plant floor practices
• Demonstrate your commitment to quality to your team, so that they in turn prioritize quality

Finally, internal audits help the organization maintain a state of readiness for external audits and inspections. Remember, you don’t want somebody asking a question you don’t already know the answer to. By making sure you’ve already asked yourself all the tough questions with a meticulous and thorough audits, you’re better prepared to avoid external audit findings such as FDA 483 observations and warning letters.

2. Document Your Internal Audit Procedure

Defining and documenting your internal audit procedure is another preliminary step that helps streamline the process and make it more effective. Steps you’ll want to cover are:

• Scope and objectives of the audit
• Planning activities such as reviews, scheduling, and meeting
• How you will execute the audit
• Reporting and assessment processes
• Follow-up measures and corrective actions
• Who is responsible for each step in the process

3. Stick to an Audit Schedule

Creating and sticking to a regular audit schedule is key to avoiding rushed audits or external audit preparation. If you’re required to conduct an audit every calendar year, and you’re scrambling to complete it in December, how much value do you think it will provide?

The answer: not much.

A thorough audit requires careful preparation and meticulous attention. That means deciding ahead of time what you will audit and when, ensuring that responsible parties have time to do the job right.

So how often should you conduct internal audits? Some companies will audit a different area each month, for instance looking at individual production lines or processes such as calibration systems. In other cases, organizations will audit their entire system once a year or even once a quarter.

Whether you do a full system audit periodically or break it into parts, it’s important that you make a plan and stick to it. Audit management software within an automated QMS can help with the planning process, including:

• Creating an audit schedule
• Defining audit scope, processes, and responsibilities
• Linking relevant standards and requirements
• Compiling checklists and questions

4. Compare Requirements Against Controls

A successful audit demands a thorough accounting of all compliance obligations within the scope of the audit to then identify and fill any gaps. This can be broken down into a four-step process:

1. Build a complete list of all applicable requirements: Include any relevant regulatory requirements, ISO standards, and internal requirements such as SOPs, work instructions, and specifications.
2. Link each requirement to a control: Here you need to check not just that there is a documented process or control for each requirement, but also that the control is in place on the manufacturing floor. You’ll also want to verify that employee training materials align with process requirements.
3. Identify and document compliance gaps: This can occur during your documentation review, or during the audit on the plant floor. Even if you fix something on the spot, it’s essential to document any gaps in the audit record for future reference and verification.
4. Add corrective actions and follow-up: Once you’ve identified compliance gaps, you must then add new controls via corrective action to ensure you address them adequately. Adding future verification checks is also crucial to make sure you hold those gains in place, as is implementing preventive action in other at-risk processes.

Leveraging the QMS can make it easier to manage documentation such as lists of requirements, employee training records, corrective actions, and audit reports. An integrated QMS will let you link all of them together, saving time while creating a comprehensive record of all audit-related activities.

5. Classify Findings by Risk

It’s possible that through the above process, you may identify a number of compliance gaps needing attention. Classifying findings by risk helps you prioritize follow-up, so that high-risk problems don’t languish while you’re busy resolving minor items.

Within the QMS, you should be able to add a risk assessment to each finding, scoring it according to its severity, frequency, and detection. From there, you can assign issues based on pre-defined criteria such as risk level, roles, or product line to close the loop on problems efficiently. This helps reduce organizational risk, and demonstrates a proactive risk management stance in alignment with regulatory requirements and standards.

6. Focus on Past Problems

Known problems should be a key area to focus on during internal audits, based on records such as:

• External audit findings
• Corrective and Preventive Actions (CAPAs)
• Nonconformance reports
• Customer complaints

These events represent some of the biggest areas of risk in a plant. For example, if you implemented a new control after a CAPA, it’s vital to check that the control is in place and working.

You can also be certain that external auditors and inspectors will ask about these records. Doing the work upfront ensures you aren’t caught off-guard, and instead will be ready with documentation and evidence that you’ve adequately addressed known issues. Failure to do so is a common citation in FDA warning letters and observations, and will undoubtedly put you in a difficult spot with regulators.

7. Consider an Outsider’s Perspective

Related to the above point, you want to consider the outside perspective as you plan and conduct your internal audit. What would customers look for during a customer audit? What about ISO auditors, or regulators?

For example, ISO audits frequently include checks of employee training records. Rarely would an auditor ask to see every person’s training record, but it’s likely they will ask for a random selection. To prepare for this, you must make sure employee training files are up-to-date, documenting training on SOPs, procedures, and more.

The key takeaway: assess your systems with a critical eye for deficiencies you can fix now, before they become a problem on an external assessment.

8. Document Everything

Thorough documentation is a vital component of any internal audit. As the saying goes, if it isn’t documented, it didn’t happen. External auditors and regulators will likely want to see your record of internal audits, making it essential to fully document:

• Areas, processes, and systems you’ve audited and when
• Any findings that occur during the audits, including items corrected on the spot
• Corrective actions and subsequent monitoring activities put into place
• How you improved your procedures with preventive action based on audit findings

One strategy here that can improve documentation in certain situations is to add photo evidence to both findings as well as CAPA verification. This helps clarify what needs correction, since a photo can provide critical context and detail. Adding photo verification to a CAPA can also help demonstrate and document the problem’s full resolution.

9. Automate Your Workflows

Internal audits require coordinating a wide range of documentation and action items. Automating your workflows in the QMS can help eliminate bottlenecks and prevent issues from falling through the cracks. A robust QMS will allow you to create custom workflows for planning, audit execution, and follow-up, with the ability to:

• Create standardized audit and checklist templates
• Generate your audit plan
• Schedule and assign audits, with email reminders to keep people on track
• Manage findings with risk assessments and corrective action routing
• Generate final reports and route them for sign-off

Conclusion

Internal audits are a foundation of the quality process, but far too many companies conduct them from a basic compliance perspective. The key to getting more from them requires an expanded view of the role of internal audits, combined with a thorough approach to bringing issues into the light.

An automated QMS creates a seamless, closed-loop audit process from planning through follow-up, so manufacturers can spend less time on paperwork and more time identifying and mitigating risks.

About the Author

Stephanie Ojeda is Director of Product Management for the Life Sciences industry at AssurX. Stephanie brings more than 15 years of leading quality assurance functions in a variety of industries, including pharmaceutical, biotech, medical device, food & beverage, and manufacturing.

Download a free case study to learn how a global pharma and chemical manufacturer saved 800 hours of prep time per audit with AssurX Audit Management