Auditing- It’s All in the Process and the Approach



  • Companies in the medical device and pharmaceutical industries as well as in any other regulated industry are required to perform audits, have audits performed by independent third party auditors, or both.  Once audits are complete, the companies are also required to address the identified issues through corrections, corrective actions and/or preventive actions depending on the nature of the issue identified.  When approached, and executed properly, they can positively impact product or service quality, operational efficiencies and even lower operating costs which in turn can improve customer satisfaction.




  • When audits are not approached, or executed properly the benefits can be diminished or eliminated.  In fact, operational efficiencies can go down and costs can go up.   There are myriad ways companies approach the audit activity as well as how they approach addressing any findings.  This in itself is not bad.  In fact, when designed to fit well into a company’s individual organizational structure and culture, many different approaches can work well.  However, all too often one or more of the following scenarios play out and the benefits of auditing are gone.


  • Conflict of Interest – exists when auditors are in a position of auditing departments, activities or records they have some level of ownership for. In this scenario, there is built in bias even if unintentional, because as the auditor you either gloss over audit elements or skip them completely because you believe you already know the details and you already believe it is in compliance or already believe you know where the issues are.
  • Minimal Effort – this can be the result of limited resources or for the simple reason that some companies consider audits to be a waste of time, effort and money.
    • Limited resources may mean that there are too few auditors or may mean there are limited resources associated with the follow-up activities including cause assessment, corrections, corrective actions and/or preventive actions.
    • The belief by some management that there is a lack of benefit from auditing will greatly impact the ability to perform anything more than management’s understanding of what the minimum regulatory requirements are for the audits themselves as well as any follow-up activities including cause assessment, corrections, corrective actions and/or preventive actions.
  • Tunnel Vision – this can be the result of many things typically related to a lack of understanding of how the various functions and systems within an organization work together. In other words, a) what are the inputs and outputs of each activity or b) who are the internal or external suppliers and customers of the products or information moving through the operation.
    • Historically many compliance concerns result from the transfer of information and/or materials from one operation to another. Either the recipients of the transfer don’t get everything they should or they don’t clearly understand the status or instructions that go with the transfer (e.g. hold, rework, re-inspect, etc.)
    • Credibility of Findings – this can be the result of not clearly stating the requirement findings are based on or not clearly providing objective evidence. By providing both, we ensure it is accurate and we ensure the people who will do the cause assessments, and then define / perform the corrections, corrective actions and/or preventive actions will be focused on the right issues.



  • There are several ways to eliminate, or at least reduce the impact of these problem scenarios.  Company size, structure, culture and management’s thoughts about auditing can all come into play when looking for ways to avoid or eliminate these scenarios.  However, improving ones understanding of the functions and systems being audited and improving the understanding by everyone, including management, of how the proper approach can not only eliminate wasted time, effort and money, it can result in overall improvements in quality, efficiency and cost.


  • Conflict of Interest – there are several actions that can be taken to address this problem. They include, but are not limited to:
    • Hiring more auditors is the obvious solution to suggest, however it is not always practical and sometimes not doable for cost reasons. This however does not mean there are no options.  One option is to train existing non-auditor employees to be auditors on a part time basis.  There are some concerns to overcome, but this solution can work as long as you keep in mind and address the following:
      • Auditors are not good auditors just because they have been trained. Experience is important.  Therefore, ensure all part time auditors perform, or at least assist in the performance of several audits during the course each year.  These can be short, focused audits that may only take a few hours to a few days.  They do not need to be facility wide audits.
      • Be aware of the potential for conflicts of interest even with part time auditors.
      • Have a lead auditor or audit manager who can review and challenge audit findings while reports are in draft form to avoid having to revise or reverse findings later. This reduces credibility of the auditor individually and potentially of the entire audit department.
    • Rotating existing auditors works well whether they are within the same facility or between facilities. As long as the multiple auditors don’t share the same conflict of interest, this works very well.  However, if the same potential conflict of interest exists and can’t be avoided, having two auditors challenge each other can help identify conflict even if not intentional.
  • Minimal Effort – there are several actions that can be taken to address this potential problem. They include but are not limited to:
    • Where the reason is related to limited resources, the solution suggested in sections 1a and 1b above.
    • Where company management does not believe in the need for, or benefits of auditing the solutions are more complex, or at least more difficult to sell to management. Certainly, implementing some of the other solutions in this white paper, even if suggested for other problems can have a beneficial outcome, but the true solution needs to be a change in understanding by those who doubt the benefits.  Just telling management they need to do more typically does not work.  Just telling management that their understanding of the requirements is wrong typically does not work.  However, providing evidence of the proper interpretation of the requirements of the applicable regulations, directives and standards and providing objective evidence of how regulatory agency and notified body auditors interpret the requirements does work.  Consider the following.
      • Research industry newsletters as well as regulatory agency / notified body websites where they discuss actual audit findings from individual audits as well as from their trending of findings.
      • Research FDA Warning Letters to understand which issues the agency looks at with even greater urgency.
      • Research court cases, monetary fines and settlements.
      • Read guidance documents used by and / or accepted by the regulatory agencies / notified bodies when performing their own audits.
    • These and many other sources of information available online and through seminars / webinars provide great insight into how the various regulatory agencies / notified bodies interpret the requirements and just as importantly how they assess and judge the implementation of those requirements.
  • Research the company’s internal failure rates and associated scrap and rework costs and how much of that is the result of issues that would have been found if properly audited or would have been eliminated if adequate audit follow-up activities including cause assessment, corrections, corrective actions and/or preventive actions took place.
    • When looking at the audits themselves, consider the discussion below in section 3 for Tunnel Vision.
    • When looking at the follow-up activities, start by assessing the determination of cause. If a true root cause was not identified, then adequate actions would not be defined for corrective or preventive actions.
    • When looking at corrections, corrective and preventive actions, ensure proper verification actions were also executed to assess the adequacy of those actions.
  • Tunnel Vision – understanding the movement and handoff of materials / information between the activity being audited and the source (the internal or external supplier) of that material / information as well as with the activity next in the process (the internal or external customer) and including that movement and handoff when planning the audit will take care of this concern. Use caution, there needs to be logic applied to the audit.  That is where the understanding comes in.  Knowing what is important to the focus of the audit as opposed to auditing everything from the “supplier” or “customer” side of the process is not practical or even necessary unless those activities are already in the scope of the audit.
  • Credibility of Findings – this is critical. We have all read audit reports and walked away wondering what requirement was not satisfied and what objective evidence was reviewed to reach the conclusion of poor quality or noncompliance.  The solution is simple.
    • Always make very clear references to the regulation or standard and to the specific section within it.
      For example: FDA’s “General Labeling Provisions” Regulation 21 CFR 801.1 (a) states “The label of a device in package form shall specify conspicuously the name and place of business of the manufacturer, packer, or distributor.”
    • Always make very clear references to the specific objective evidence found to be out of compliance.
      For Example: while reviewing product in the distribution center, product number 1234 with lot number 05252016 was audited. Although the name of the manufacturer was there, no labels on the unit packs or the shipping cartons included the place of business (e.g. no address).
  • This clarity provides information to the auditee allowing them to easily assess the root cause.  It also allows the auditor to easily go back to the objective evidence if challenged.  Combined, this results in saving time and effort in the follow-up activities often resulting in more robust actions.




  • Avoiding the problems mentioned above through understanding and adjustment in approach will result in more effective cause assessment and therefore more effective correction, corrective actions and preventive actions.  This can reduce scrap, rework, hold time and increase overall process efficiency and product or service quality.  In the end, a company’s ability to improve customer satisfaction is increased.


Safis Solutions has a depth and breadth of auditing experience which stretches across multiple Life Science industries, including Rx360 chosen auditor, notified body qualifications, and qualification audits for labs (GLP, CLIA, CAP, NYS) and manufacturers (GMP, API, ISO).

An ambassador for you can be found at

Share this:

Leave a comment..