Audit management

Audit management is the documented system a regulated organisation uses to plan, schedule, execute, evidence, and close every audit it runs or receives. The scope is wider than newcomers expect: it covers internal audits of the company's own quality system, supplier audits (on-site, virtual and desk audits), regulatory inspections (FDA, MHRA, ANVISA, PMDA), certification audits (ISO 9001, ISO 13485, GFSI schemes), customer audits and contract-manufacturer audits — and the cross-cutting machinery that turns every finding into a tracked CAPA.

A defensible audit-management programme is not the same thing as having a clipboard, a checklist and a person who fills it in. The auditor's checklist is barely 5% of the system. The other 95% is: a risk-based annual schedule, qualified and independent auditors, controlled audit plans, evidence preserved with chain-of-custody, findings classified consistently, time-bound corrective and preventive actions, verified effectiveness reviews, and management-review reporting that closes the loop.

An FDA QSIT investigator, a Notified Body lead auditor and a GFSI certification body all start an inspection the same way: ask for the audit programme, the schedule, the past 12-24 months of internal audit reports, the past 24 months of supplier audit reports, and the CAPA log they fed. Their reasoning is identical — a quality system that audits itself well will catch most issues before the inspector arrives; a system that doesn't is one where the inspector's findings are the first time anyone has looked.

There is a second, structural reason. ICH Q10 names internal audit as one of the four pillars of the pharmaceutical quality system, alongside management review, CAPA and change management. ISO 9001 §9.2 and ISO 13485 §8.2.4 do the same for general quality and for devices. Without a working audit programme, none of the other QMS subsystems can be trusted, because there is nothing systematically checking that they are working as intended.

The third reason is regulatory protection in the United States. 21 CFR 820.180(c) and FDA's 'Quality Audit Inspection' policy explicitly limit the FDA's right to demand internal audit reports — but only if the audits are run as a quality-system function, are reported back through management, and feed CAPA. Lose any of those properties and the protection evaporates.

Audit management is one of the most consistent patterns across global regulation. The wording differs slightly, the substance is essentially identical: schedule by risk, audit with independence, document the evidence, close findings through CAPA, review at management level.

The QMSR transition (FDA's harmonisation of 21 CFR 820 with ISO 13485, due February 2026) maintains the §820.22 substance but aligns wording with ISO 13485 §8.2.4. The shape of a defensible audit-management programme does not change.

Audits are usually classified by who is auditing whom. Each type has its own cadence, evidence rules and downstream workflow, but the underlying machinery — schedule, plan, execute, evidence, finding, CAPA, close, review — is the same.

Some organisations add a sixth category for 'unannounced' audits — required by EU MDR / IVDR for critical-supplier oversight, and by FDA when 'for-cause' triggers fire. From a system point of view they collapse into one of the five above; they just have a shorter notice period.

ISO 9001 §9.2.2 and ISO 13485 §8.2.4 both require that the audit programme be planned 'taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits'. In plain language: schedule by risk, not by checkbox.

A defensible annual programme contains, at minimum:

• A list of every auditable subject (each QMS process, each manufacturing area, each critical supplier, each computerised system).
• A risk score per subject derived from process criticality, regulatory exposure, complaint volume, deviation/NCR trend, last audit result and changes since the last audit.
• A scheduled audit date per subject — high-risk subjects audited more often than once a year, low-risk no less than once every two years.
• Named lead auditor per audit, with documented independence from the audited area.
• Estimated audit duration and required auditor-hours, summed up so resource constraints surface before the year starts.
• An approved version of the programme with QA sign-off, and a controlled change record whenever the programme is re-baselined mid-year.

ISO 19011:2018 is the global reference for how to actually conduct a management-system audit. Whether internal, supplier or third-party, the shape is the same:

1. Initiating the audit — confirm objectives, scope and criteria; assign the audit team with documented independence and competence.
2. Preparing audit activities — review documents (SOPs, last audit report, CAPA status, complaint trend), prepare the audit plan, prepare the checklist with mapped clauses.
3. Opening meeting — confirm scope, schedule, communication protocols, escort arrangements and findings classification scheme.
4. Conducting on-site activities — interview people, observe processes, sample records (always to a documented sampling plan), photograph evidence where permitted, maintain auditor notes with date / time / location for every observation.
5. Generating findings — every finding stated in the language of the standard or SOP it deviates from, with objective evidence, audited person and date.
6. Closing meeting — present findings, confirm the auditee understands them, agree timeline for the audit report.
7. Preparing and distributing the audit report — typically within 10 working days; classified findings, executive summary, recommended actions.
8. Completing audit follow-up — CAPA opened against each major / critical finding, owners assigned, target dates set, effectiveness verified.

Auditor notes are not informal. They are part of the audit evidence and have to be retained as long as the audit report — typically 5 years for internal audits, longer for supplier audits referenced in regulatory submissions.

Every audit-management programme needs a consistent classification scheme, because the class drives the CAPA response timeline and the management-review escalation. The standard four-tier scheme:

Inconsistent classification — one auditor calling 'no training record on file' a minor, another calling it a major — is one of the highest-frequency findings against the audit programme itself. The classification rubric needs to be in the audit-management SOP, training delivered to every qualified auditor, and calibration audits run periodically to test consistency.

ISO 19011:2018 §7 lists the competence requirements for auditors: knowledge of the relevant standards, audit principles and techniques, the audited discipline (e.g. sterile manufacturing, software validation, sterilisation), and personal behaviours (ethical, open-minded, diplomatic, observant, perceptive, versatile, tenacious, decisive, self-reliant).

21 CFR 820.22 adds the independence requirement: audits 'shall be conducted by individuals who do not have direct responsibility for the matters being audited'. ICH Q10, EU GMP Chapter 9 and ISO 13485 all say the same. In practice this means:

• Each auditor record carries: training delivered, qualifying audits witnessed, qualifying audits led, areas qualified to audit, areas excluded by independence rule.
• An auditor cannot lead an audit of an area they own, manage, work in or have a direct reporting relationship to.
• Small organisations that cannot achieve independence internally typically contract an external auditor for at least one audit per cycle — explicitly named as a control in the programme.
• Auditor calibration — re-witnessing of audits or shadowing — runs at least every 2 years to keep qualification current.

21 CFR 820.50 (purchasing controls), ICH Q7 §17 and FDA's Contract Manufacturing Quality Agreement guidance all require evaluation and ongoing monitoring of suppliers proportional to the risk they pose. For critical suppliers — those whose materials or services directly affect product quality — that monitoring almost always includes periodic on-site audits.

A defensible supplier-audit programme integrates four data sources:

1. Supplier risk assessment (criticality of material, regulatory implications, single-source vs alternates).
2. Performance scorecard (on-time delivery, quality incidents, CoA accuracy, complaint rate) — see our companion page on supplier scorecard.
3. Last audit result and any open CAPAs from it.
4. Trigger events since the last audit — quality incident, recall, ownership change, manufacturing-site change, regulator action against the supplier.

Audit frequency is risk-tiered. A common scheme: Tier 1 (critical, single-source, regulator-registered) audited every 12 months on site; Tier 2 (critical with alternates) every 18-24 months on site; Tier 3 (non-critical) every 24-36 months by desk audit or self-assessment questionnaire. Any 'trigger event' moves a supplier to the front of the queue regardless of tier.

Supplier-audit findings close through CAPA — but the CAPA is the supplier's, not yours. Your audit-management system tracks: the finding, the agreed CAPA plan from the supplier, the target close date, the verification evidence and any escalation triggered (re-audit, escalation to QA leadership, removal from approved supplier list).

Regulatory inspections are audits that you do not schedule. The audit-management system has to handle them with the same machinery as internal and supplier audits, but with three additional disciplines:

• Inspection readiness — a back-room team available within hours of an FDA investigator arriving; document fulfilment turnaround under 2 hours; subject-matter experts available for every QSIT subsystem.
• Form 483 / inspection-report management — every observation logged within the audit-management system within 24 hours of issue; written response to FDA within 15 working days for 483s, per FDA expectation.
• CAPA traceability — every observation linked to one or more CAPAs that are visibly in flight; the FDA Establishment Inspection Report (EIR) closes only when CAPAs are verified effective.

MDSAP audits use a process-based audit model with documented sampling tables and time allocations. The model is publicly available; preparing for MDSAP is in part preparing the audit-management system to receive the model's evidence requests without scrambling.

The single most important property of an audit-management system is what happens after the audit report is issued. Every major / critical finding must flow into CAPA with a documented owner, root-cause analysis, corrective action, preventive action and effectiveness review. Findings without CAPA closure are not closed findings — they are open findings that the inspector will rediscover and escalate.

The effectiveness review is the step organisations skip most often. ISO 9001 §10.2.1(e), ISO 13485 §8.5.2(f) and 21 CFR 820.100(a)(4) all explicitly require verification that the corrective action did not adversely affect the finished device and was effective. In audit terms: a re-audit (or re-sample) some period after CAPA close-out, comparing the result to the original finding pattern.

See our companion pages on [CAPA](/glossary/capa) and [NCR](/glossary/ncr) for the lifecycle on the response side.

Audit evidence is a regulated record in its own right. ALCOA+ applies (attributable, legible, contemporaneous, original, accurate, complete, consistent, enduring, available — see our [data integrity](/glossary/data-integrity) page) to auditor notes, photographs, screen captures, audit reports and CAPA evidence.

Retention defaults to align with regulatory requirements: typically the life of the device + 2 years for devices (ISO 13485 §4.2.5), the life of the product + 1 year for drugs (21 CFR 211.180), and at minimum 3-5 years for general quality-system records (ISO 9001 §7.5.3). External / regulatory audit reports are typically retained indefinitely as part of the regulatory file.

Electronic audit-management systems sit under 21 CFR Part 11 and EU GMP Annex 11. Audit-trail continuity, electronic signatures on audit reports and CAPA closure records, and controlled access to historical audits are all enforceable controls — and the audit-management system itself is a routinely audited target of internal and external audits.

Reading three years of FDA Warning Letters and Notified Body deficiency reports surfaces the same audit-management failure modes over and over:

• No risk-based programme — same audit list, same frequency, year after year, with no reference to changes since the last audit.
• Auditor independence violated — an area lead also leads the audit of their own area, or a contract auditor is also the contract consultant who wrote the audited SOP.
• Findings classified inconsistently — same observation classified minor by one auditor and major by another, with no calibration evidence.
• Audit report issued late or never — the audit happened, the report is still in draft three months later.
• CAPA not opened against major findings — the finding sits in the audit report with no traceable corrective action.
• CAPA closed without effectiveness verification — the corrective action was 'retrain operator', the operator was retrained, no one re-sampled the process.
• Repeat findings — the same observation appears in three successive audits, with three successive 'closed' CAPAs, indicating root-cause analysis is rubber-stamped.
• Internal audit results not reported to management with responsibility — violates the FDA §820.180(c) protection and the ISO §9.2.2 reporting requirement at the same time.
• Supplier audits skipped because of access difficulty — particularly during 2020-2022 — without a documented compensating control such as remote / desk audit + extended monitoring.
• Regulator-issued 483 observation not entered into the audit-management system, lived in an email thread, came back as a Warning Letter.

ISO 9001 §9.3 and ISO 13485 §5.6 require that internal audit results be a standing input to management review. A management-review-grade audit-management dashboard tracks at least seven metrics, trended quarterly and segmented by site, audit type and process area:

• Programme adherence — % of scheduled audits completed on the originally planned date.
• Open findings by class — current count of critical / major / minor findings open, with ageing.
• Mean time to close — from finding issue to CAPA effectiveness verification, by class.
• Repeat-finding rate — % of new findings that match a previously closed finding by root cause or affected area.
• Supplier scorecard impact — % of supplier audits that triggered a scorecard tier change.
• Regulator-finding rate vs internal-finding rate — ratio of findings discovered by external inspectors to those discovered by your own audits in the same period. The internal rate should be at least 5-10x the external rate; the inverse is a quality-culture warning sign.
• Auditor utilisation and qualification status — hours used vs hours planned, % of qualified auditors with current calibration.

Audit management is one of V5's core wedges: we treat the audit → NCR → CAPA → hold → scorecard → training loop as a single integrated workflow rather than separate modules that have to be reconciled at month-end. The capabilities, end to end:

• Risk-scored annual programme generator: every QMS process, manufacturing area, computerised system and approved supplier carries a risk score derived from criticality, regulatory exposure, complaint / NCR trend and time since last audit. The programme is generated from the scores and rebalanced when any input changes.
• Auditor qualification + independence enforcement built into scheduling — an auditor whose profile lists the target area as 'excluded by independence rule' cannot be assigned as lead.
• Checklist library mapped to the source clause (ISO 9001 §9.2, ISO 13485 §8.2.4, 21 CFR 820, GFSI scheme clauses). Each checklist line carries its citation so the audit report can be assembled by clause.
• Mobile-fit audit execution — checklists, evidence capture (photo, document attachment, observation note), finding draft, all from a phone or tablet. Works offline, syncs when reconnected.
• Findings auto-routed into NCR / CAPA on classification, with the audit-management system as the parent record. CAPA closure cannot happen until effectiveness review evidence is attached.
• Supplier audit results feed the supplier scorecard automatically; scorecard tier changes feed the next audit schedule automatically; the loop is closed without manual reconciliation.
• Regulator-inspection mode — a dedicated workflow for FDA / Notified Body / MHRA visits that timestamps every document request, every response, every observation and every commitment, and tracks 15-day-response clocks for Form 483 observations.
• Management-review dashboard — every metric above pre-built, with drill-down to the underlying audit / finding / CAPA, exportable as PDF for the quarterly management-review pack.
• Audit-trail continuity, two-person e-signature on critical findings and CAPA closures, and ALCOA+ data-integrity controls on every audit record — Part 11 / Annex 11 by construction, not by add-on.