Internal Audits: Understanding Their True Purpose
In my line of work, I frequently review clients’ audit reports. However, I am consistently astounded to find that the fundamental purpose of auditing is not understood in any of the audit reports I examine.
The purpose of internal audits consists of two elements:
- To verify that the company’s Quality Management System (QMS) complies with regulatory requirements.
- To verify the effectiveness of the QMS.
There is nothing beyond these two objectives.
Regulatory Requirements for Internal Audits
FDA Quality System Regulation
The FDA’s Quality System Regulation (21 CFR Part 820) contains the following provision under §820.22 Quality Audit:
Each manufacturer shall establish procedures for quality audits and conduct such audits to assure that the quality system is in compliance with the established quality system requirements and to determine the effectiveness of the quality system. Quality audits shall be conducted by individuals who do not have direct responsibility for the matters being audited. Corrective action(s), including a reaudit of deficient matters, shall be taken when necessary.
Important Update: On February 2, 2024, the FDA issued a final rule amending 21 CFR Part 820 to align with ISO 13485:2016. This revised regulation, now called the Quality Management System Regulation (QMSR), will become effective on February 2, 2026. The new QMSR incorporates ISO 13485:2016 by reference while maintaining certain FDA-specific requirements. Until the effective date, manufacturers must continue to comply with the current Quality System Regulation (QSR). After February 2, 2026, the terminology “QSR” will become outdated, and the regulation should be referred to as “QMSR.”
PIC/S GMP Requirements
The PIC/S GMP Guide contains the following requirement in Chapter 9 – Self Inspection:
Principle:
Self-inspections should be conducted in order to monitor the implementation and compliance with GMP principles and to propose necessary corrective measures.
The True Nature of Auditing: What Audits Are Not Designed to Do
Neither regulatory framework states that the purpose of audits is to discover mistakes or errors.
For example, in internal audit reports, I often see instances where transcription errors or similar mistakes are pointed out. This approach is inappropriate. What auditors should identify is not the individual error itself, but rather the systemic failure—the inadequacy in the system or procedures that allowed the transcription error to go undetected. Furthermore, auditors should also address the fact that Quality Assurance (QA) is not functioning appropriately.
Auditing is a third-party verification activity and an essential element of quality assurance. The job of an audit is not to find defects. The fundamental purpose is to verify the absence of defects. However, if defects are discovered, they must be pointed out.
Additionally, auditors must serve as a deterrent against misconduct and, should misconduct arise, respond to it resolutely.
Types of Audits
There are three types of audits based on the relationship between the auditing party and the audited party:
| Audit Type | Conducted By | Purpose |
|---|---|---|
| First-Party Audit (Internal Audit) | Organization’s own personnel | Self-assessment of QMS compliance and effectiveness |
| Second-Party Audit | A customer auditing its supplier (or, from the other side, an organization being audited by its customer) | Verification of the supplier’s QMS by the customer |
| Third-Party Audit | Regulatory authorities or certification bodies | Independent verification for certification or regulatory compliance |
First-Party Audit (Internal Audit)
Internal audits are referred to as first-party audits. The critical aspect here is verifying the compliance of the company’s QMS with regulatory requirements and the effectiveness of the QMS. Additionally, auditors also serve as internal consultants: when they identify problems, challenges, or risks in the organization’s own processes, they must propose improvements.
Second-Party Audit
Second-party audits refer to cases where an organization is audited by a customer or where an organization audits its suppliers. A certain degree of consultation is also permissible in these audits.
Third-Party Audit
Third-party audits correspond to inspections by regulatory authorities or assessments by certification bodies. In third-party audits as well, the compliance and effectiveness of the QMS are assessed. Inspectors are not necessarily experts in each technical field; however, they possess the skills to audit quality systems.
It should be noted that consultation is prohibited in third-party audits.
ISO 19011: International Standard for Audit Methodology
ISO 19011 is the international standard for audit methodology; it integrates the auditing guidance for quality (ISO 9001) and environmental (ISO 14001) management systems into a single standard. It was first published in 2002, revised in 2011 after nine years, and most recently updated in 2018.
Evolution to ISO 19011:2018
The 2018 revision of ISO 19011 introduced significant changes to reflect the evolving landscape of management systems auditing:
Key Updates in ISO 19011:2018:
- Addition of a seventh principle: risk-based approach to auditing
- Expansion of guidance on managing audit programs, particularly regarding audit program risk
- Enhanced guidance on conducting audits, especially in the planning phase
- Expanded generic competence requirements for auditors
- Terminology adjusted to reflect the process rather than the object
- Inclusion of guidance on remote auditing and virtual audit techniques
- Alignment with the High-Level Structure common to modern ISO management system standards
The Seven Principles of Auditing (ISO 19011:2018)
ISO 19011:2018 establishes seven fundamental principles that underpin effective and reliable auditing. These principles help make auditing an effective and reliable tool in support of management policies and controls, providing information on which an organization can act to improve its performance.
The seven principles are:
1. Integrity: The Foundation of Professionalism
Auditors and individuals managing audit programs should:
- Perform their work ethically, with honesty and responsibility
- Only undertake audit activities if competent to do so
- Perform their work in an impartial manner, remaining unaffected by bias or conflict of interest
- Be sensitive to any influences that may be exerted on their judgment while conducting audits
2. Fair Presentation: The Obligation to Report Truthfully and Accurately
Audit findings, audit conclusions, and audit reports should:
- Reflect truthfully and accurately the audit activities
- Report significant obstacles encountered during the audit and unresolved diverging opinions between the audit team and the auditee
- Communicate in a truthful, accurate, objective, timely, clear, and complete manner
- Include only information supported by verifiable audit evidence
3. Due Professional Care: The Application of Diligence and Judgment
Auditors should exercise due care in accordance with:
- The importance of the task they perform
- The confidence placed in them by the audit client and other interested parties
- The requirement to have the ability to make reasoned judgments in all audit situations
- The need to exercise care in proportion to the significance and complexity of the task
4. Confidentiality: Security and Discretion with Information
Auditors should:
- Exercise discretion in the use and protection of information acquired during their duties
- Not use information inappropriately for personal gain by themselves or others
- Not act in any way prejudicial to the legitimate interests of the auditee
- Properly safeguard audit information, especially sensitive or confidential data
5. Independence: The Basis for Impartiality and Objectivity
Auditors should:
- Be independent of the activity being audited wherever practicable
- Remain free from bias and conflict of interest
- Act in an impartial manner throughout the audit process
- Maintain objectivity in forming audit conclusions
For small organizations, it may not be possible for internal auditors to be fully independent of the activity being audited, but every effort should be made to remove bias and encourage objectivity.
6. Evidence-Based Approach: The Rational Method for Reaching Reliable Conclusions
Audit evidence should:
- Be verifiable and based on samples of available information
- Be gathered through a systematic audit process conducted during a finite period with finite resources
- Support reliable and reproducible audit conclusions
- Be appropriately sampled, as this is closely related to the confidence that can be placed in audit conclusions
7. Risk-Based Approach: Focusing on What Matters Most (New in 2018)
The risk-based approach should:
- Substantially influence the planning, conducting, and reporting of audits
- Ensure that audits are focused on matters that are significant for the audit client
- Support achievement of the audit program objectives
- Consider both risks and opportunities throughout the audit process
- Help prioritize audit resources on areas of higher risk and performance impact
This seventh principle represents the most significant addition to ISO 19011:2018. It reflects the modern emphasis on risk management in business operations and quality systems. The risk-based approach enables auditors to allocate their time and attention more effectively by focusing on areas where risks to quality, compliance, or organizational objectives are highest.
Competence and Conduct of Auditors
No individual can perfectly demonstrate all of these principles and behaviors at all times. What matters is the continuous effort to correct behaviors that fall short and to develop the required competencies.
The effectiveness of quality management systems depends significantly on the competence of auditors. ISO 19011:2018 dedicates an entire chapter to auditor competence, emphasizing:
- Personal behaviors and attributes necessary for effective auditing
- Generic knowledge and skills applicable to all auditors
- Discipline-specific knowledge and skills based on the type of management system being audited
- Methods for evaluating auditor competence
- The importance of maintaining and improving competence through continuing professional development
The Role of Internal Auditors as Consultants
While third-party audits strictly prohibit consultation activities, internal auditors (first-party) and, to some extent, second-party auditors can and should provide consultative input. This dual role allows internal auditors to:
- Identify systemic weaknesses in processes and procedures
- Propose practical improvements based on observed conditions
- Share best practices from other areas of the organization
- Provide expertise on regulatory compliance requirements
- Support the organization’s continuous improvement objectives
However, auditors must maintain their objectivity and independence even when providing consultative support. The primary function remains verification and assessment, with consultation as a value-added service.
Contemporary Auditing Practices
Modern auditing has evolved to incorporate several important considerations:
Risk-Based Audit Planning: Organizations should plan their audit programs based on risk assessments, focusing resources on areas with higher potential impact on quality, safety, and regulatory compliance.
Remote and Virtual Auditing: The 2018 revision of ISO 19011 acknowledges the growing importance of remote auditing technologies, providing guidance on conducting effective virtual audits while maintaining audit integrity.
Integration with Other Management Systems: Many organizations maintain multiple management systems (quality, environmental, occupational health and safety, information security). ISO 19011 supports integrated auditing approaches that examine multiple systems simultaneously, improving efficiency while maintaining thoroughness.
Regulatory Harmonization: With the FDA’s adoption of ISO 13485:2016 through the new QMSR, there is increasing global alignment of quality system requirements. Internal audit programs should reflect this harmonization while remaining sensitive to jurisdiction-specific requirements.
Conclusion
Internal auditing is a systematic, independent, and documented process essential for maintaining and improving quality management systems. The purpose is not to find fault but to verify compliance and effectiveness, identify opportunities for improvement, and provide confidence in the organization’s ability to meet its quality objectives and regulatory obligations.
Auditors must understand that their role goes beyond simple inspection—they are guardians of quality assurance, consultants for improvement, and essential contributors to organizational excellence. By adhering to the principles of auditing, maintaining professional competence, and focusing on systemic assessment rather than individual errors, internal auditors fulfill their vital function in the quality management system.
As regulatory requirements continue to evolve and align internationally, auditors must stay current with standards such as ISO 19011:2018 and upcoming changes like the FDA’s QMSR to ensure their organizations maintain compliance while driving continuous improvement.
Note: The continuation of the category classification series from the previous issue will be published in the next issue.