The Quality Audits should be managed according to the Quality Management System requirements, which should include:
- A risk-based planification system for audits to be performed within a certain period.
- Effective training and qualification programs for the auditors, including clear requirements for their approval.
- A well-defined system for planning, performing, reporting, and evaluating audits.
- An efficient system for handling non-compliance until its closure.
Figure 1 – Quality Management System requirements
In order to improve the audits management and to achieve consistent results, audits should be managed using a PDCA life cycle approach (see Figure 2).
Figure 2 – PDCA life cycle approach
Audits Plan
At the beginning of each auditing cycle, usually every year, an Audit Plan has to be defined, including the type of audits to be performed, their timings, reference documents required, and the responsible auditors.
Both internal audits and external audits (audits to suppliers and subcontractors) should be planned. Third-party audits (audits and inspections from authorities and official bodies), expected to be held in the company during the Auditing Cycle, could also be included in the Plan, to provide a wider overview and to allow a better resource allocation. All these audits could be scheduled in the same Audit Plan, or different Audit Plans can be prepared for each type of audit
First-party audits program
All Quality Management System standards require conducting internal audits on a regular basis, to verify the level of compliance of the QMS with the standard requirements and to provide tools for continuous improvement. Most of the time, these internal audits are expected to be scheduled at least every year, although the frequency can be increased in case needed (e.g. when major changes are planned, or when the audits results show a poor level of control).
Thus, the complete system should be reviewed minimally once a year, but this revision could be split up into partial assessments during the auditing period. This allows a better fit of the audit to the requirements related to the activities of the company, a better selection of specialized auditors, and a more specialized approach to the different areas to be audited. Moreover, according to results obtained in different areas, a specific follow-up can be scheduled, including additional off-program audits in case needed.
Keeping this in mind, partial audits can be programmed along the year as well, assigning the most suitable auditors at the right time.
Second-party audits program
According to GXP requirements, critical suppliers should be included in the audit plan. In some cases, there are clear regulatory requirements or expectations that stipulate the minimum frequency of audits to be included in the Audit Plan (e.g. API suppliers should be audited at least every 3 years).
However, there are so many different types of suppliers, with no specific existing requirements, but with direct or indirect impact over the product/data quality, that should also be assessed and approved, and perhaps even included in the Audits Management System. The approval criteria and auditing frequency for all these types of suppliers should be established by using a Risk Based Approach.
Different risk factors should be considered during the assessment, including, of course, criticality of supplies or services provided, having an existing QMS in place, and official certifications or the continuous quality assessment of services and products provided. This risk-based approach will provide the necessary elements to create a calendar for the suppliers and subcontractors audits, considering their level of concern and their priority within the global picture.
Audits performance
Throughout the year, programmed audits will be carried out according to internal procedures, and by qualified auditors. Each audit carried out will be recorded and followed up as described in the auditing policies of the company.
Audits can be performed using their resources or can be outsourced to specialized auditors or auditing companies. In both cases, the auditors’ qualification, the operating procedures, and the generated documents and records must be compliant with the internal policies of the company. It is important to remember that this type of providers shall also be included in the suppliers’ assessment and approval, and may be included in the auditing program too.
Audits Plan compliance review
At the end of each auditing cycle, compliance with the Audit Plan shall be verified, to check that all the scheduled audits for a specific period of time have been properly completed. In the event of non-compliance with the provisions, the cause of the non-compliance should be stated and justified.
Based on the results of the revision, the new Audit Plan for the next auditing cycle will be prepared. Areas requiring special attention based on previous audits, non-conformity reports or corrective action reports, will be considered for scheduling additional audits.