Understanding Regulatory Audits: Purpose, Misconceptions, and Modern Approaches

Through my experience conducting consultations, external audits, and mock inspections, I have observed widespread misconceptions about the nature and purpose of audits in the pharmaceutical and medical device industries.

The Fundamental Purpose of Audits

Audits are not about “finding mistakes.” Rather, they are about “confirming the absence of errors.” Finding mistakes is the responsibility of Quality Control (QC), while Quality Assurance (QA) is responsible for ensuring quality. So what exactly is the purpose of audits?

For example, Chapter 9 of the PIC/S GMP (Pharmaceutical Inspection Convention and Pharmaceutical Inspection Co-operation Scheme Good Manufacturing Practice) contains the following requirement: “They should be examined at intervals following a pre-arranged programme in order to verify their conformity with the principles of Quality Assurance.”

Similarly, 21 CFR Part 820.22 Quality Audits of the U.S. Food and Drug Administration (FDA) Quality System Regulation (QSR) states: “Each manufacturer shall establish procedures for quality audits and conduct such audits to assure that the quality system is in compliance with the established quality system requirements and to determine the effectiveness of the quality system.”

Important Regulatory Update: Effective February 2, 2026, 21 CFR Part 820 will be renamed the Quality Management System Regulation (QMSR) and will fully incorporate ISO 13485:2016 by reference, representing a significant harmonization with international standards. This change aims to align U.S. medical device quality system requirements more closely with global standards while maintaining FDA-specific oversight requirements.

Neither regulation requires auditors to discover errors. The purpose of audits is to verify that the Quality Management System (QMS) meets regulatory requirements and to determine the effectiveness of the QMS. This distinction is fundamental and often misunderstood.

Characteristics of Companies That Make Favorable Impressions on Regulatory Authorities

Companies that make favorable impressions on regulatory authorities such as the FDA share several key characteristics:

First, they have auditors who possess skills and insights comparable to those of FDA investigators, and they conduct internal audits (Self-Inspections) appropriately. Second, they execute Corrective and Preventive Actions (CAPA) in response to internal audit findings and continuously pursue improvement. Third, their quality system functions effectively, and they have evidence to demonstrate this effectiveness.

Evolution of Regulatory Inspection Approaches

As pharmaceutical and medical device companies have accelerated globalization, they have increasingly faced inspections from overseas regulatory authorities, including the FDA. Simultaneously, regulatory authorities have increased the frequency of overseas inspections in response to the globalization of supply chains. However, inspection resources are limited, necessitating more efficient inspection methodologies.

Traditionally, inspections were deemed acceptable if companies corrected issues identified by inspectors. However, the number of problems and risks that an inspector can identify during a brief inspection period (FDA inspections in Japan typically last 3 to 5 days, with an average of approximately 4 days) is inherently limited. Therefore, correcting only the errors discovered by inspectors does not guarantee the protection of the domestic population’s safety.

Consequently, regulatory authorities such as the FDA have shifted from an inspection methodology focused on discovering errors and risks to an approach that investigates whether a company has established a robust Quality Management System under the governance of management. This paradigm shift represents a move from reactive compliance to proactive quality system assessment.

The Concept of Self-Inspection and Its Translation Issues

The term “Self-Inspection” is often translated into Japanese as “jiko-tenken” (自己点検), which literally means “self-checking.” However, this translation is problematic and potentially misleading. The more accurate translation should be “jiko-sasatsu” (自己査察, meaning “self-inspection” or “self-audit”) or “naibu-kansa” (内部監査, meaning “internal audit”).

Historically, pharmaceutical and medical device companies received approval as long as they implemented improvements in response to regulatory authority findings. However, this approach made companies dependent on the capabilities and time constraints of the authorities. Therefore, it is crucial for companies to reduce risks to acceptable levels through their own audits (Self-Inspection) rather than relying solely on authority inspections (Authority Inspection).

It should be noted that “Self-Inspection” encompasses various activities, including internal audits, external audits (vendor audits), periodic reviews, and management reviews. These activities form an integrated approach to quality oversight as emphasized in ICH Q10 (Pharmaceutical Quality System guideline).

Integration with Modern Quality Management Frameworks

The International Council for Harmonisation (ICH) Q10 guideline on Pharmaceutical Quality Systems provides a harmonized framework that complements regional GMP requirements. ICH Q10 emphasizes a lifecycle approach to quality management, covering pharmaceutical development, technology transfer, commercial manufacturing, and product discontinuation. The guideline identifies internal audits as a key element for monitoring system performance and provides essential input for management reviews.

The four specific pharmaceutical quality system elements outlined in ICH Q10 that augment regional requirements include: process performance and product quality monitoring, CAPA, change management systems, and management review. These elements work synergistically to achieve the objectives of product realization, maintaining a state of control, and facilitating continual improvement.

Quality Risk Management, as described in ICH Q9, is integral to an effective pharmaceutical quality system and should be applied to audit planning and execution. A risk-based approach to internal audits allows companies to focus resources on areas of highest risk and greatest potential impact on product quality and patient safety.

The Complete Audit Cycle

A common misconception I frequently encounter is that companies consider audits complete once they have conducted the audit, compiled findings, and prepared an audit report. This is incorrect and represents an incomplete understanding of the audit process.

An audit is only complete when the audited department has implemented corrective actions in response to the findings, and these actions have been verified through follow-up activities, including re-audits when necessary. This follow-up verification ensures that corrective actions are effective and that identified deficiencies have been adequately addressed. Without this crucial step, the audit process lacks closure and fails to fulfill its fundamental purpose of ensuring and improving quality system effectiveness.

The audit cycle therefore consists of several essential phases:

Planning: Developing a risk-based audit schedule that considers factors such as process complexity, compliance history, previous audit findings, and recent organizational changes.

Execution: Conducting systematic examinations of processes, procedures, records, and facilities to assess compliance with established requirements and evaluate system effectiveness.

Reporting: Documenting observations, findings, and recommendations in a clear, objective manner that facilitates understanding and action.

Corrective Action: Implementing measures to address identified deficiencies, including root cause analysis to prevent recurrence.

Follow-up: Verifying the effectiveness of corrective actions through re-audit or other appropriate means, thereby closing the audit loop.

Management Review: Incorporating audit results and trends into management review processes to drive strategic quality improvement initiatives.

Best Practices for Effective Internal Audit Programs

To maximize the value of internal audit programs and prepare for regulatory inspections, companies should consider the following best practices:

Auditor Independence and Competence: Ensure that auditors do not audit their own work and possess appropriate training, experience, and knowledge of both regulatory requirements and industry best practices. Organizations should invest in ongoing auditor development to maintain and enhance audit program effectiveness.

Comprehensive Coverage: Develop audit programs that systematically cover all elements of the quality system over defined time periods, with frequency determined by risk assessment rather than arbitrary schedules.

Documentation Excellence: Maintain thorough, well-organized audit documentation that demonstrates the scope, methodology, findings, and follow-up actions. This documentation serves as evidence of quality system effectiveness during regulatory inspections.

Timely Execution and Response: Conduct audits according to the planned schedule and ensure prompt response to audit findings. Delays in either conducting audits or implementing corrective actions undermine the effectiveness of the audit program.

Continuous Improvement Focus: Use audit findings not merely to identify non-conformances but to identify opportunities for system enhancement, process optimization, and innovation. This proactive approach aligns with the continual improvement objectives of modern quality management frameworks.

Cross-functional Collaboration: Foster collaboration between quality assurance, operations, regulatory affairs, and other relevant functions to ensure that audit programs address business needs while maintaining regulatory compliance.

The Strategic Value of Robust Audit Programs

Companies with well-developed internal audit programs gain significant strategic advantages. They identify and resolve issues before they become major problems or are discovered by regulatory authorities. They build institutional knowledge about their processes and systems. They demonstrate to regulators their commitment to quality and compliance. They create a culture of quality that permeates the organization.

Regulatory inspections become opportunities to showcase system effectiveness rather than sources of anxiety when companies maintain strong internal audit programs. Inspectors recognize and value companies that have implemented robust self-inspection processes, as this demonstrates management commitment to quality and reduces the risk of undetected quality issues affecting patients.

In today’s global regulatory environment, where supply chains span multiple countries and regulatory authorities increasingly collaborate and share information, the ability to demonstrate quality system effectiveness through comprehensive internal audit programs has become not just a regulatory expectation but a business imperative.

Conclusion

Understanding the true purpose of audits—verifying compliance and assessing system effectiveness rather than merely finding errors—is fundamental to developing effective quality management systems. As regulatory approaches continue to evolve toward more sophisticated, risk-based assessments of quality systems, companies must similarly evolve their internal audit programs to meet these expectations.

The integration of audit activities with other quality system elements, as described in frameworks such as ICH Q10, creates a comprehensive approach to quality management that supports product realization, maintains control states, and facilitates continuous improvement throughout the product lifecycle. Companies that embrace this integrated, strategic approach to auditing position themselves for success in both meeting regulatory requirements and achieving business objectives in the increasingly complex and globalized pharmaceutical and medical device industries.

By investing in robust internal audit programs, developing auditor competence, implementing effective CAPA processes, and maintaining comprehensive documentation, companies can transform audits from compliance exercises into strategic tools that drive quality improvement and business success while ensuring patient safety—the ultimate goal of all quality management activities in healthcare industries.