Current Good Manufacturing Practices

Audit
The most general definition of an audit is “an evaluation of a person, organization,
system, process, project or product”. Audits are performed to ascertain the validity
and reliability of the information, and also it provides an assessment of a system’s
internal control. The goal of an audit is to express an opinion on the
person/organization/system etc. under the evaluation based on work done on a test
basis. Due to practical constraints, an audit is a system which seeks to provide only
reasonable assurance that the statements are free from material errors & other
errors. Hence, random sampling is often adopted in the audits.
A systematic and independent examination of trial-related activities and documents to
determine whether the evaluated trial-related activities were conducted, and the data were
recorded, analyzed, and accurately reported according to the written protocol, sponsor’s
standard operating procedures (SOPs), and the applicable regulatory requirement(s).
All pharmaceuticals plants are required to turn out quality pharmaceutical products, which
can be promote and disseminated in the commerce. The main intention of all the cGMP is to
pull together this requirement of producing and distributing quality pharmaceutical products.
To scrutinize the process of cGMP a system is required & this is only possible from
beginning to end a well designed and implemented quality audit organization.

Five basic principles of Audit Program

1. An uncompromising emphasis on conclusions based on facts. Any conclusions
lacking a factual base must be so labeled.
2. An attitude on the part of auditors that the audits provide assurance to
management & also a useful service to line managers in managing their
departments. Thus audit reports must provide sufficient detail on
deficiencies to facilitate analysis & action by the line manager.
3. An attitude on the part of auditors to identify opportunities for improvement.
Such opportunities include highlighting good ideas used in practice that are
not part of formal procedures. Sometimes an audit can help to overcome
 deficiencies by communicating through the hierarchy the reason for
deficiencies that have a source in another department.
4. Addressing the human relations issues discussed.
5. Competence of auditors. The basic education & experience of the auditors
should be sufficient to enable them to learn in short order the technological
aspects of the operations they are to audit. Lacking this background, they
will be unable to earn the respect of operations personnels. In addition, they
should receive special training in the human relations aspects of auditing.
Steps used in structuring an audit program
Audit Line Upper
department department management
Discussion of purpose to be achieved by * * *
audits & general approach for
conducting audits
Draft of policies, procedures & other rule * *
to be followed.
Final approval *
Scheduling of audits * *
Conduct of audits *
Verification of factual findings *
Publication of report with facts and *
recommendation
Discussion of repots * * *
Decision on action to be taken *
Subsequent follow-up *
Planning audits for activities:
Important policies issues for planning audits:
Legitimacy:
The basic right to conduct audits is derived that has been approved by upper
management, following participation by all concerned. Beyond this basic right are other
questions of legitimacy: What is the scope & objective? What shall be the subject matter for
audit? Should the auditor be accompanied during the tour?
Scheduled versus unannounced:
 Most auditing is done on a scheduled basis. “No surprise, no secrets.” This practice
enables all concerned to organize workloads, assign personnel, etc., in an orderly manner. It
also minimizes the irritations that are inevitable when audits are unannounced.
Customer:
The customer of the audit is anyone who is affected by the audit. The key customer is
the person responsible for the activity being audited. Each customer has needs that should be
recognized during the planning of the audit.
Audit team:
Audits are conducted by individuals or by a team. A team usually has a lead auditor
who plans the audit, conducts the meeting, reviews the findings and comments of the
auditors, prepares the audit report, evaluates corrective action, & presents the audit report.
Audit performance:
Several policy issues affect audit performance.
Verification of facts
Auditors are universally expected to review with the line supervision the facts of any
deficiencies discovered during the audit. The facts should be agreed on before the items
enters a report that will go to higher management.
Discovery of causes:
Many companies expect the auditor to investigate major deficiencies to determine
their causes. This investigation then becomes the basis of the auditors recommendation.
Recommendations & remedies:
Auditors are invariably expected to make recommendations to reduce deficiencies &
improve performance. In contrast, auditors are commonly told to avoid becoming involved in
designing remedies & making them effective.
Status of the audit:
The key customer should be kept informed about progress of the audit- what has been
covered & what remains to be done. The status of lengthy audits can be reported through
debriefing meeting, informal discussions, & electronic mail.
The report should include minimum following items:

• Executive summary

• Purpose & scope of the audit

 • Details of the audit plan, including audit personnel, dates, the activity that was
audited. Details should be placed in an appendix.

• Standards, checklist, or other reference documents that were used during the
audit.

• Audit observations, including supporting evidence, conclusions, &

recommendations-using the audit customer’s terminology.

• Recommendations for improvement opportunities.

• Recommendation for following-up on the corrective action that is to be

proposed & implemented by line management, along with subsequent audits if
necessary.

• Distribution list for the audit report.

1. Internal audit:
Internal auditing is a professional activity involved in advising organizations
regarding how to achieve their objectives in a better way. Internal auditing involves the
utilization of a systematic methodology for analyzing business processes or organizational
problems and recommending solutions. Professionals called internal auditors are employed
by organizations to perform the internal auditing activity. The scope of internal auditing
within an organization is broad and may involve internal control topics such as the efficacy
of operations, the reliability of financial reporting, deterring and investigating fraud,
safeguarding assets, and compliance with laws and regulations. Internal auditing frequently
involves measuring compliance with the entity’s policies and procedures. Internal auditing
activity is primarily directed at improving internal control. Internal auditing professional
standards require the function to monitor and evaluate the effectiveness of the organization’s
Risk management processes. Risk management relates to how an organization sets
objectives, then identifies, analyzes, and responds to those risks that could potentially impact
its ability to realize its objectives. Some of the key risk assessment activities in organizations
include: production planning, quality planning, incentive payout determination, credit
authorization, and capital planning, each of which can be audited in one or more projects. It
is an independent objective assurance and consulting activity designed to add value and
improve an organization’s operations. It helps an organization to accomplish its objectives by
bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk
management, control and governance process.

History of internal audit:

The Internal Auditing profession evolved steadily with the progress of
management science after World War II. It is conceptually similar in many ways to
financial auditing by public accounting firms, quality assurance and banking
compliance activities. Much of the theory underlying internal auditing is derived from
management consulting and public accounting professions. With the implementation
in the United States of the Sarbanes-Oxley Act of 2002, the profession’s growth
accelerated, as many internal auditors possess the skills required to help companies
meet the requirements of the law.
The main objectives of the internal audits can be summarized as follows:
1. To assist the internal control system.
2. Review of organizational policies and their operations.
3. Verify the accuracy and authenticity of errors and frauds.
4. Detection and prevention of errors and faults.
5. Safeguarding the assets
6. Applicability of accounting policies.
7. Expense properly authorized.
8. Right disposal of assets and
9. Helps in smooth functioning of internal check system.

Internal audit system, if designed and implemented properly helps in different fields such as:
− Regulatory management
− Q.A. Managers and other employees
− Government auditors.

Internal audit project involves the following steps:

1. Establish and communicate the scope and objectives for the audit to appropriate
management.
2. Develop an understanding of the business area under review. This includes objectives,
measurements, and key transaction types. This involves review of documents and
interviews. Flowcharts and narratives may be created if necessary.
3. Identify control procedures used to ensure each key transaction type is properly controlled
and monitored.
4. Develop and execute a risk-based sampling and testing approach to determine whether the
most important controls are operating as intended.
5. Report problems identified and negotiate action plans with management to address the
problems.
6. Follow-up on reported findings at appropriate intervals. Internal audit departments
maintain a follow-up database for this purpose.
Designing of the Internal Audit System:
In a pharmaceutical facility for internal auditing, you require to check mainly two things
namely,
− Activities carried out by different departments and
− Documents maintained by these departments.
For this purpose a department wise questionnaire and document list is required to be
prepared in detail.

Implementing the Internal Audit System:

Ideally following steps should be taken to implement the audit system,
− Constitute a small team of experts from various disciplines e.g. Q.A. / Q.C., Production,
Validation, Engineering, Personnel etc.
− Provide initial training to all team members on carrying out the audit activity.
− Generally the head of Q.A. should be the chairman of this team.
− Fix an audit schedule (time table) and communicate to all concerned people.
− Carry out the audit of each area of activity at least once in six months.
− Report the audit findings to the concern department and seek their time bound compliance.
− Report to top management on observed deficiencies and corrective actions planned.
− Follow up and take further corrective actions if required.
− Repeat the audit as per pre-planned schedule.
 How the Department should prepare for Audit?
A practical approach which is taken in Pharmaceuticals industry is as follows:
− First divide all activities in sections and also defined the rooms (or physical or geographical
areas) and assigned the responsibilities of the complete compliance in each area to a
person, starting from production supervisor to production manager.
− Then a detailed room wise checks list is prepared by each department head and discussed
and handed over to their assigned people and asked them, that they will be totally
responsible for all compliance in their areas.
− Then the departmental manager are called and asked to look after all general or
departmental requirements to meet the compliances and see that all the minor details in
the area will be looked after by the junior staffs who were assigned each specific area.
This helps us tremendously since all the minor details in each area were looked into
by the relatively junior staff and since they were large in number, the work load gets evenly
distributed. Senior staff get sufficient time to look into more general and policy related work.
Generally we see that such divided work – type of system really helps in making the
organizations more cGMP compliant.

Preparing a Audit:

Thorough Procedures should cover all aspects of

work where conformity and standards are
required to achieved desired quality
levels. For example, one might decide to
 control formal program testing, but leave
the preliminary testing of a prototype to
the programmer’s discretion.
Procedures Any recurring aspect of work could merit
regulation. The style and depth of the
description will vary according to needs
and preferences, provided it is sufficiently
clear to be followed.
Defined A major tenet is that the defined
procedures are good and will lead to the
desired levels of quality. Considerable
thought, consultation and trialing should
be applied in order to define appropriate
procedures. Procedures will often also
require defined forms or software tools.
Controlled As with any good quality management,
the procedures should be properly
controlled in terms of accessibility,
version control, update authorities etc.
Communicated All participants need to know about the
defined procedures - that they exist,
where to find them, what they cover.
Quality reviewers are likely to check that
team members understand about the
procedures.
Used The defined procedures should be
followed. Checks will be made to ensure
this is the case. A corrective action
procedure will be applied to deal with
shortcomings. Typically the corrective
action would either be to learn the lesson
for next time, or to re-work the item if it is
 sufficiently important.

How to conduct the audit?

1. To conduct an audit the audit team has the authorization to review any record that
they deem necessary.
2. The entire team should as much as possible try to work together during the audit.
3. The audit team walks through every section of the plant & carefully reviews every
paper, record or area that is specified in the formal audit questionnaire no matter
how familiar one member of the team is with the questionnaire item or the area.
4. Each record, procedure & report is challenged. A good tip is to retrieve all forms,
records & samples of a given batch selected randomly from one of the batches
made within the last six months.
The following things that should be challenged for the selected batch in the audit:
Manufacturing record & procedures
Dosing/filling record & procedures
Raw materials analytical forms
Packaging material analytical forms
Bulk product report
In-process control record
Final product record
QC recording books
Warehouse recording books
Purchase orders for raw materials, packaging components & miscellaneous
Materials stock control bin cards
Production & QC equipment log books
Final product bin card
5. The questionnaire is used to help the team to monitor adhernce to the GMP. Each
qestion is answered Yes or No according to the current actual status observed by
the audit inspector during the audit & not according to the intent or future plan.
6. Under the obeservation/comments section, notes should be recorded of status of
conditions as a guide for improvements to be recommended.
 For devepoling the plan of audit engagement (projects) based on a risk
assessment, Internal Audit standards requires. The input of senior management and
the Board is typically included in this process. Many departments update their plan of
engagements throughout the year as risks or organizational priorities change.
This effort helps to ensure the audit activity is aligned with the organization’s
objectives, by answering two key questions: First, what goals is the organization
trying to accomplish in the upcoming period? Second, how can the Internal Audit
Department assist the organization in achieving these goals?
Internal auditors often conduct a series of interviews of senior management to
identify potential engagements. Changes in people, processes, or systems often
generate audit project ideas. Various documents are reviewed, such as strategic
plans, financial reports, consulting studies, etc. Further, the results of prior audits
and resolution of open issues are considered. For example, even if a business area
is important, prior audit work and the nature and status of open issues may render
further audit effort unnecessary. If the organization has a formal enterprise risk
management (ERM) program, the risks identified therein help limit the amount of
separate risk assessment performed by Internal Audit.
The preliminary plan of engagements is documented and prioritized. Audit
resources and expertise are then considered and a final plan is presented to senior
management and the Audit Committee. The presentations vary based on the needs
of the stakeholders but typically include the following:
Summary of key goals, risks and corresponding major audits, to illustrate
alignment;
Analyses of audit effort along a variety of dimensions along with commentary
regarding changes;
Brief description of critical projects identified;
Projects requested but not planned for execution due to prioritization and
resources;
Required co-sourcing effort, typically where outside expertise is required or during
peak periods; and
 Appendix materials, such as planning approach, assumptions (e.g., days per
auditor and staffing level) and brief descriptions of all planned audits and related
prioritization.
Practice in the measurement of the internal audit function involves a balanced
scorecard approach. Internal audit functions are primarily evaluated based on the
quality of counsel and information provided to the Audit Committee and top
management. However, this is primarily qualitative and therefore difficult to measure.
“Customer surveys” sent to key managers after each audit project or report can be
used to measure performance, with an annual survey to the Audit Committee.
Scoring on dimensions such as professionalism, quality of counsel, timeliness of
work product, utility of meetings, and quality of status updates are typical with such
surveys.
Quantitative measures can also be used to measure the function’s level of
execution and qualifications of its personnel. Key measures include:
Plan completion: This is a measure of the degree to which the annual plan of
engagements is completed, measured at a point in time. This may be measured
using the number of projects completed, weighted by the planned size of each
project, with estimates for projects in-progress. Measured throughout the year, it is
compared against the percentage of the year elapsed.
Report issuance: This is a measure of the time elapsed from completion of testing
to issuance of the final audit report, including management’s action plans. This can
be measured in average days or percentage of reports issued within a certain
standard, such as 30 days. Establishing expectations for the timing of management’s
response to report recommendations is critical. In addition, the scope and degree of
change involved in the report’s action plans are key variables.
Issue closure: Reported audit findings are often called “issues” or “deficiencies.”
Professional standards require audit functions to track reported findings to resolution,
which effectively requires the maintenance of an issues follow-up database. The
number of days that reported issues remain open, or open after their agreed-upon
closure date, are key measures. In addition, reporting database statistics such as the
number of issues open (unresolved), closed (resolved), and issues opened/closed
during a given period are useful statistics.
Staff qualifications: This can be measured through the percentage of staff with
professional certifications, graduate degrees, and overall years of experience.
Staff utilization rate: This is measured as the percentage of time spent on projects,
as opposed to administrative time such as training or vacation. Many internal audit
departments track time by audit project.
Staffing level: The number of positions filled relative to the authorized staffing level.
Due to the challenge of finding qualified staff, departments may have rotational
programs to bring in management to complete tours in the function or be “guest”
auditors. Audit departments also “co-source,” meaning they obtain contract auditors
from service providers.
For the reporting of critical findings the Chief Audit Executive (CAE) typically reports
the most critical issues to the Audit Committee quarterly, along with management’s
progress towards resolving them. Critical issues typically have a reasonable
likelihood of causing substantial financial or reputational damage to the company.
For particularly complex issues, the responsible manager may participate in the
discussion. Such reporting is critical to ensure the function is respected, that the
proper “tone at the top” exists in the organization, and to expedite resolution of such
issues. It is a matter of considerable judgment to select appropriate issues for the
Audit Committee’s attention and to describe them in the proper context.