Conducting an Internal Audit

The internal audit function of life science companies is one cornerstone of an effective and efficient quality management system. There are several types of audits that comprise a robust internal control program including supplier audits, internal audits, and regulatory audits.


Compliance Audit


Compliance audit documents to be reviewed include the quality manual, list of standard operating procedures, open deviations, and corrective and preventive actions. Any additional supporting evidence an ISO audit team may choose to review will help the certified auditor team assess and decide the final facility compliance status.


Forensic Audit


Preparing for a forensic audit or regulatory audit typically consists of the regulatory inspector providing the facility being audit agenda. This listing would include any areas of the audit mentioned in a FDA 483 and audit trail documents. The audit report will focus on life science departments to be inspected. This can include incoming raw materials, quality control, chemistry and microbiology laboratories and manufacturing. 


IT Audit


Conducting an IT audit is also critical in times like these of high cybersecurity concerns. Internal audits are performed by the company as a self-assessment for the purpose of identifying areas/issues that might affect their IT compliance status. This specific audit committee may include employees from across the company to intentionally examine IT process and quality from a cross-functional perspective. 


Audit Committees


Preparing for an internal audit requires the same discipline as preparing for supplier and regulatory audits. This includes audit committees and the number of employees involved in the process. During the COVID-19 pandemic, many companies reduced the number of employees allowed at an audit site. Many of the other audit committee who helped conduct the audit were allowed to work remotely. It is important to consider where employees are globally and the role they each play during an internal audit. 


Internal audits are part of management team responsibilities. Conducting an internal audit is different from the other audit types, whether it is pre-, during, or post-pandemic. If designed and implemented appropriately, there is great value in the internal audit. It allows the company to find vulnerabilities in their systems and remediate before they are discovered by an external auditor.


Audit Procedures


Internal audits can provide valuable information that can be used to prevent issues before they become compliance concerns. Audit procedures often help develop a remediation plan to take action to mitigate compliance problems. Having corrective actions in place before others identify the issue may lessen the impact of the observation. Most importantly, show there is a process in place for continuous improvement. In addition, the internal audit can be used for training staff and communicating valuable information to the organization.


Audit Schedule


The ideal tone for an internal audit should be a collaborative team-oriented activity that is instructive, informative, open, honest, and inclusive. There are several factors that help contribute to establishing this tone. The most successful is hiring a certified information system auditor to help guide the process. 


Another way to set the proper tone is to publish the audit schedule or agenda in advance. This makes sure the functional areas personnel are informed of the time schedule. During a pandemic, the agenda takes on another level of importance because it ensures the proper documents are ready to go. Teams should upload all data either before or during the audit. Prior planning precludes poor performance in this area.


Audit Office


Each of these specific audits requires preparation to make sure the forensic audit is productive and accomplishes its intended purpose. In the manufacturing world, the goal of the audit office is to ensure facilities are manufacturing fit-for-use products in full adherence. This includes meeting current good manufacturing practice (CGMP) requirements.


Audit Trail


Supplier audits are performed to confirm the audit trail of raw materials, packaging, labeling components, etc.. An effective audit trail should provide documentation of a continuous, uninterrupted supply of materials that are compliant with CGMPs. Regulatory authorities perform inspections to determine if the manufacturing company is providing materials that comply to CGMPs.


Audit Risk


An operations audit conducted requires documents be shared electronically to the auditor using secure electronic systems. This electronic exchange helps reduce audit risk by increasing the efficiency between independent auditor and a facility being audited. The quality audit documentation can be reviewed by the auditor, and questions can be communicated to the audit manager via email, conference calls or virtual technology. While this may not be ideal, because it eliminates the audit planning in-person interaction, it is still an effective way to conduct a system audit.


Facility Audit Tour


internal audit

Touring the facility is challenging when a virtual audit or external audit is conducted. These challenges can be overcome with some flexibility and ingenuity. Live video feed could be streamed to the auditor while the company’s audit manager and/or subject matter experts are available. This can help answer questions that might arise during the live videoconference.


Audit Video Recording


Additionally, the operational audit could be recorded, and that recording could be provided to the auditor. The understanding would include the audit manager being available to answer any questions upon the review of the video. The recorded version of the tour has both positives and negatives. For example, a certified auditor needs to see things in as real time as much as possible. However, it does allow for the auditor to pause and go back to review audit control processes in more detail if warranted.


Audit Issues


The auditors should work with the functional area and talk with as many employees as possible to identify the issues of concern. Individuals who are responsible for performing the day-to-day activities often have the best insight. Questions would include what is currently working and what needs to be improved.


Excluding them from participating in the audit process might result in overlooking a serious issue. As a result, this could come up or inadvertently lead the auditor to think the site is hiding something. To be able to get the most valuable information about the potential compliance issues facing the organization, internal audits should not be judgmental or antagonistic. 


Audit Questions


Auditors should be direct and avoid asking questions designed to intentionally stump people. Another important behavior is the ability of the auditor to listen to the answers and refrain from judging. The exact same behavior defined for the auditor should also be the behavior displayed by the auditees.


Auditees should be direct and avoid deflecting or obfuscating answers. They should take the time to explain why they do things the way they do them. Performance audit answers should be proactive, point out things of concern and seek advice on how to remediate them. Both parties need to remember they are not enemies, rather they are the partners in improving the organization.




Conducting these types of each technical audit presents a multitude of challenges. Today’s audit risk model has allowed the life science industry to creatively utilize technology-based applications to communicate and perform an effective system audit. The documentation and supporting evidence review can be conducted remotely, and confidentiality can be maintained. After reviewing the documentation and supporting evidence, the auditor can request interviews with various personnel.


Integrated audit interviews can then be scheduled via Zoom or online video conferencing. With appropriate planning and the proper use of technology, remote auditing can have the same audit quality as in-person auditing. 



BioPharm International

Vol. 34, No. 2

Pages: 44-45


About RCA’s Pharmaceutical Consulting Services 


Regulatory Compliance Associates (RCA) has helped thousands of pharmaceutical companies meet regulatory, compliance, quality assurance, and remediation challenges. With more than 20 years of experience with FDA, Health Canada, EU and global regulatory agencies worldwide, Regulatory Compliance Associates® offers leading pharmaceutical consultants. We’re one of the few pharma consulting companies that can help you navigate the challenges associated with industry regulations.


Our pharmaceutical consulting firm includes over 500 seasoned FDA, Health Canada & EU compliance consultants and regulatory affairs experts who understand industry complexities. It’s a pharma consultancy founded by regulatory compliance executives from the pharmaceutical industry. Every pharmaceutical industry consultant on the Regulatory Compliance Associates team knows the unique inner workings of the regulatory process. 


Client Solutions


Whether you’re in the product planning, development or pharmaceutical lifecycle management stage or need a remediation strategy for a compliance crisis, Regulatory Compliance Associates will guide you through every pharmaceutical consulting step of the regulatory process and create a customized approach depending on your product and your pharma company’s individual needs. Our regulatory compliance clients include:


  • Companies new to FDA, Health Canada or EU regulations and regulatory compliance
  • Start-up organizations with novel submissions to 510(k) submissions from multi-national corporations
  • Investment firms seeking private equity due diligence for pre-acquisition and post-deal research
  • Law firms seeking pharmaceutical consulting firm expertise in the remediation of warning letters, consent decrees, 483’s or import bans


Regulatory Affairs


Regulatory affairs is Regulatory Compliance Associates backbone. We exceed other pharma consulting companies with industry experts experienced in complexities of the pharmaceutical and biopharmaceutical industries. Our pharma consulting expertise spans all facets and levels of Regulatory Affairs, from Regulatory Support for New Products to Life Cycle Management, to other services like Outsourced Regulatory Affairs, Submissions, Training, and more.


As your partner, we can negotiate the potential assessment minefield of regulatory compliance services with insight, hindsight, and the clear advantage of our breadth and depth of knowledge and regulatory compliance consulting. We offer the following pharma consulting regulatory affairs services for pharmaceutical companies.


  • New Product Support
  • Product Lifecycle
  • Other Regulatory Services
  • Combination Products


Compliance Assurance


The regulations process surrounding pharmaceutical companies can be tricky for even the most experienced industry veteran to understand. Just one misstep could mean significant and lasting consequences for your business. At Regulatory Compliance Associates, we offer the pharma consulting experience and pharma consultants necessary to guide you through the quality compliance process.


  • Assessments
  • Audits
  • Regulatory Agency Response
  • Preparation and Training
  • Inspection Readiness
  • Data Integrity


Quality Assurance


Regulatory Compliance Associates Quality consulting includes assessments, strategy, implementations, staff augmentations, and identification of quality metrics to ensure continuous improvement. Our pharma consultants understand the strategic thinking needed to align your business needs and goals. Regulatory Compliance Associates quality assurance services include quality experts with experience spanning major corporations and start-ups. Our pharmaceutical consulting firm knows firsthand how to achieve, maintain, and improve quality, and we excel in transferring pharma consulting knowledge to your organization.


  • 21 CFR Part 11
  • Data Integrity
  • Manufacturing Support
  • Facility Support
  • Quality Metrics


Remediation Services 


Regulatory Compliance Associates has a proven remediation services approach to managing FDA Warning Letters, Consent Decrees, Remediation and other serious regulatory situations. Our pharma consultants know how to partner with executive, legal, and communication teams. Each RCA pharma consulting Expert will develop a response that will be accepted by the regulatory agency and be realistic to execute.


Regulatory Compliance Associates pharma regulatory consultants will develop a comprehensive proof book of documented evidence demonstrating the corrective action taken to remediate non-compliant issues. In addition, each Regulatory Compliance Associates pharma consulting Expert understands compliance enforcement. We’ll prepare a comprehensive pharma consulting strategy to assist in your remediation efforts, drive continuous improvement, and maintain regulatory compliance with the regulations.


  • Regulatory Action
  • Regulatory Compliance
  • Regulatory Enforcement
  • Warning Letter
  • 483 Observation
  • Oversight Services
  • Risk Management Plan


About Regulatory Compliance Associates


pharmaceutical consultantsRegulatory Compliance Associates® (RCA) provides pharmaceutical consulting to the following industries for resolution of life science challenges:



We understand the complexities of running a life science business and possess areas of expertise that include every facet of R&D, operations, regulatory affairs, quality, and manufacturing. We are used to working on the front lines and thriving in the scrutiny of FDA, Health Canada, MHRA and globally-regulated companies.


As your partners, we can negotiate the potential minefield of regulatory compliance and regulatory due diligence with insight, hindsight, and the clear advantage of our unique expertise and experience.


  • Founded in 2000
  • Headquartered in Wisconsin (USA)
  • Expertise backed by over 500 industry subject matter experts
  • Acquired by Sotera Health in 2021


About Sotera Health


The name Sotera Health was inspired by Soteria, the Greek goddess of safety, and reflects the Company’s unwavering commitment to its mission, Safeguarding Global Health®.


Sotera Health Company, along with its three best-in-class businesses – Sterigenics®Nordion® and Nelson Labs®, is a leading global provider of mission-critical end-to-end sterilization solutions and lab testing and advisory services for the healthcare industry. With a combined tenure across our businesses of nearly 200 years and our industry-recognized scientific and technological expertise, we help to ensure the safety of over 190 million patients and healthcare practitioners around the world every year.


We are a trusted partner to 5,800+ customers in over 50 countries, including 40 of the top 50 medical device companies and 9 of the top 10 pharmaceutical companies.


Commitment to Quality


Our Certificate of Registration demonstrates that our Quality Management System meets the requirements of ISO 9001:2015, an internationally recognized standard of quality.


To begin the Regulatory Compliance Associates scoping process today, please enter your information in the blue form below and click the submit button at the bottom of the webpage. 


Our website uses cookies to give you the best possible experience.

By continuing to use this site, you agree to the use of cookies.