GxP Lifeline

Quality Audit Tools for Continuous Improvement and Compliance


The word "audit," in the broadest sense, refers to a variety of activities. It may refer to an accounting firm examining the financial statements of a public corporation, or a consultant checking the process of lid sealant dispensing in a semiconductor package assembly line. It may even refer to a mystery shopper testing the patience of sales clerks in an upscale department store.

The fact that the audit process casts auditors on one side and the people being audited on the opposite side has created a general impression that auditing is adversarial. While this is true in some cases, an audit does not have to be a negative experience or a dreaded event. When implemented properly, it can be one of the most effective means for improvement. From financial institutions to manufacturers to hospitals, audit is being utilized as an important management, compliance and quality tool.

For life science companies or other regulated industries that follow ISO quality standards, auditing — both for compliance and performance — is critical. Considering the type of products that the U.S. Food and Drug Administration (FDA) and other regulatory agencies monitor and the diversity of the industries where ISO quality standards are applicable, auditing for the purpose of maintaining high quality standards directly impacts public health and safety. In these environments, the audit process is closely associated with quality and directly related to regulatory compliance.

Regulations and Standards

The International Organization for Standardization (ISO), the world's leading developer of international standards, boosted interest in quality audits when it published the ISO 9000 standards in 1987. Today, popular standards such as ISO 9001:2015, ISO 14001:2015 and ISO 13485:2016 all require internal audits of the quality system (or the environmental management system in the case of ISO 14001). Under these standards, audit serves as a mechanism for evaluating and improving quality.

The same principle is reflected in a number of regulations enforced by the Food and Drug Administration. Under the Quality System Regulation (21 CFR Part 820), medical device manufacturers are required to conduct audits to ensure that the quality system is compliant (Sec. 820.22).

The Current Good Manufacturing Practice (CGMP) regulations for pharmaceuticals (21 CFR Parts 210-211) and for blood and blood components (21 CFR Part 606) include general requirements for regular evaluation of quality standards. Guidances for the pharmaceutical industry and blood establishments also emphasize the importance of audits. For example, the "Guidance for Industry Quality Systems Approach to Pharmaceutical CGMP Regulations" recommends internal audits and supplier audits. The "Guidelines for Quality Assurance in Blood Establishments" call for comprehensive audit of the quality assurance program.

Nature of Quality Audit

In general, there must be a basis (specific requirements) for a quality audit and a systematic method for gathering facts or evidence. An auditor compares the evidence with the requirements and comes up with observations, which can be either positive or negative. Up to this point, the process is similar to inspection. But an audit entails much more. The auditor analyzes his or her observations for patterns — also called findings — in order to draw conclusions. The auditor then presents the observations, findings and conclusions in a report to all parties involved.

The focus of an audit can be a product/service, a process or a system. Going back to the example of the mystery shopper, the focus was customer service in just one store. A product audit of a vacuum cleaner may entail randomly pulling out a box from the assembly line and taking the vacuum cleaner apart to examine it from a consumer's perspective. In both cases, the audit has a narrow focus.

A process audit focuses on a single activity. For example, a process audit at an ISO-certified car manufacturing plant might examine the process of welding body panels together, or of installing doors and windows. The audit is likely to be short but intense. It must be conducted several times in order to analyze patterns. This kind of audit is useful in troubleshooting and in solving specific issues.

A system consists of related processes with a common goal. Using the example of the car manufacturer, an audit of the quality system will cover not just the process of welding body panels, but all other processes, from design to assembly to safety tests, etc. This type of audit is longer and broader, covering not only different processes but also their controls.

Compliance and Performance Audits

Audits can be categorized by purpose. The following two categories are particularly relevant to life sciences and ISO-certified regulated companies.

Compliance Audit: 

This type of audit is about conformance to rules and regulations. The goal is to see if activities, processes and systems meet requirements. The result is usually black or white — a product or process or system being audited either passes or fails. When the FDA conducts a CGMP (post-approval) inspection at a pharmaceutical company, it is essentially conducting a compliance audit. A conformance assessment for the purpose of ISO certification is another example. In both cases, the outcome is directly tied to compliance or certification. The companies being audited are primarily concerned about passing the audit with flying colors.

Performance Audit:

In the third edition of Quality Audits for Improved Performance, Dennis Arter writes that a performance audit looks at three things: compliance to the rules, effectiveness of those rules for use, and suitability of those rules for achieving an organization's goals. Going back to the example of the car manufacturer, a performance audit may be conducted not only to make sure that the plant's quality system will pass an ISO conformance assessment, but perhaps to see how the system's efficiency can be improved in order to boost production and profitability. A performance audit is usually conducted internally to look at a company's business results, or it can be applied to a supplier to help a company decide whether to sign or renew a contract with the supplier.

Auditors and Auditees

Audits may be categorized according to the parties auditing and being audited, such as:

First-Party Audit:

In this type of audit — also known as internal audit or self-audit — those auditing and those being audited all belong to the same organization. Taking the case of the car manufacturer, the headquarters in Detroit may be concerned about productivity of a plant in Ohio and may send an internal audit team to help find ways for improvement. An ISO-certified supplier may also conduct a first-party assessment to make a self-declaration of its conformity with specific ISO standards.

Second-Party Audit:

A second-party audit refers to a customer conducting an audit on a supplier or contractor. For example, a medical device company that contracted a laboratory to do sterility testing may conduct a second-party audit to make sure that the lab meets Quality System Requirements (QSR) and to be able to demonstrate to FDA investigators that the contractor is compliant. The same company may audit a parts supplier to make sure that it conforms to ISO 9001 or ISO 13485 standards. It may also evaluate a potential raw materials supplier through an audit, although some auditors might argue that such a process is more of a supplier survey than an audit.

Third-Party Audit:

Neither customer nor supplier conducts this type of audit. A regulatory agency or an independent body performs a third-party audit for the purpose of compliance, certification or registration. An example would be an FDA investigator conducting a CGMP inspection at a pharmaceutical company. ISO conformity assessments are not carried out by ISO itself, but by private-sector third parties or regulatory bodies in countries where ISO standards have been incorporated into law.

Audit Challenges

For audit to be an effective improvement and compliance tool, it must be conducted on an ongoing basis, and this can be daunting for companies that rely on a paper-based or partially electronic system. Coordinating multiple audits, tracking remediation efforts, and trying to find anything about the audit after the fact are struggles of auditing on paper. COVID-19 has presented its own set of challenges to audits. Social distancing, working from home, and limiting travel have made it difficult to conduct or host audits. Companies that use digital solutions have partially solved this problem.

Remote audits are becoming just as big as remote work. If a company uses a digital quality management system (QMS), it can give an auditor remote access to its documentation. Standard operating procedures (SOPs), corrective and preventive actions (CAPAs), and training records can all be reviewed remotely. In some cases, auditors have toured facilities remotely while someone on-site walks around with a mobile device. The FDA is even starting to come around to this approach and is allowing remote audits under certain circumstances.


Gone are the days when auditors and auditees treat each other like adversaries. More and more companies now see audit as an occasion for auditors and auditees to work together in achieving a common goal — improved performance. Forward-looking organizations recognize that the audit process is one of the best tools for continuous improvement of the quality system and for making sure that the system is always compliant.


Jason Clegg is MasterControl's director of marketing strategy. His experience covers more than 20 years of marketing, from traditional paper-based campaigns to digital media. Clegg has directed MasterControl's marketing growth from a small document control company to an international provider of quality management solutions.
