<img src="https://ws.zoominfo.com/pixel/OJkQgdjSvoid2NFoB5Qs" width="1" height="1" style="display: none;">

How to Structure Your Internal Audit Program (Plus 4 Tips)

January 21, 2018


As your company heads back from holiday breaks, what’s happening into the New Year?

Are you confident that you’ve got a good plan for the year, including internal auditing, or are you beginning the year by scrambling to catch up from issues identified late last year?

This is a scenario that plays out too often for companies, particularly as related to internal auditing. Let’s make this year one of preparedness and avoiding the mad scramble by planning ahead for your internal audit program.

Free Download: Get your FDA QSR & ISO 13485:2016 Internal QMS Audit Checklist. Click here to download your PDF.

An all-too-common internal audit story...

Let’s begin with a story. Several years ago when I was doing some work with a company, they’d had some problems with an FDA inspection, which was part of the reason why I was brought in. We needed to do a lot of work on their quality system and procedures that were not up to scratch.

It was around December and I asked them the question about reviewing their internal audits for the year. As I watched, the color drained from the faces of the president and senior team members. They’d just realized that it was now into the last few weeks of the year and they hadn’t given any thought to internal auditing, let alone done anything about it.

The requirement of the FDA is that you’re conducting internal audits according to a schedule that you have prepared. Some processes are more critical than others and absolutely should be audited at least once per year, while others may be given a pass for every other year if you can provide a reasonable explanation as to why this fits.

So, the company is now panicking a little bit because according to their own documented schedule, they must conduct an internal audit of each and every process once per year. Their next move was to contact a consultant and request an internal audit before the end of the year. Does this sound like a good idea? I’ll tell you now the answer is no!

The best way to conduct an internal audit is to be present and interact with the people who are in charge of the processes being audited. Given that it was late in the year, the consultant audited every process remotely, and even then managed to find a number of holes that needed to be addressed.

Now, the company policy stated that any issues found in an internal audit must lead to a CAPA. This is a huge mistake! Just because something has been found in an audit doesn’t automatically mean that CAPA should be enacted. As we’ve discussed previously, CAPA should be reserved for systemic issues that aren’t addressed by following your other procedures (such as your procedures for complaints or nonconformances). The company had at least 30 issues identified and now their own policy was telling them to issue a CAPA for each one.

While the consultant conducted the audit and had reports completed by December 31 of that year, it really was more of a checkbox activity for the company because their processes told them they “had” to. They now had 30-40 CAPAs to begin their New Year, while patting themselves on the back because they had “checked off” the internal audit. This was a company that was already struggling, now they had buried themselves even further under the burden of CAPAs.

This was a very poor way to implement internal audits, but certainly enlightening to me! A lot of companies wait until the end of the year and then try to cram in internal audits at one of the busiest times. There are so many other things going on with holidays and planning for the year ahead that a) internal audits at that time become an extra burden and b) you run the risk that they’re simply a “checkbox” item and ineffectively executed.

Internal audits should be rigorous. They should be one of the harder things that you do in the company because you want to hold the company to a high standard. They should keep you and your company prepared and should challenge you to evaluate your processes.

They also should be prepared for early...


Tips for internal audit planning

1. Spread your activities out

Let’s say you have around 30 processes in your company that make up your SOPs. The way I would divide these up is by quarter, grouping together those that make sense. I find that any more frequently than quarterly tends to get a bit too noisy, but quarterly helps to create a nice, manageable spread throughout the year.

I almost think about like the product realization process - that cocktail napkin sketch again. I set my internal audit schedule as early in the calendar year as possible and identify those processes which have “like” purposes to group together. It helps to be able to identify any systemic or workflow issues if processes are logically grouped.


2. Structuring your audit schedule is important

Oftentimes people seem to use spreadsheets and choose arbitrary dates. These often don’t make a lot of sense and the method of using a spreadsheet tends to prohibit good collaboration. We built an audit workflow into Greenlight Guru in order to provide that visibility, helping those with primary responsibility to create a schedule, specify due dates, assign owners, set reminders and easily share with others.

This workflow facilitates creating a plan, knowing what to do and when, then visibility over results and quality events that may be linked. Being connected is a key factor for doing well with quality and compliance.


3. Treat internal audits as an opportunity

Different companies have different responsibilities and structure when it comes to internal audits. Larger companies might have a certain team assigned, while others who are smaller might share responsibility across the team. Regardless, internal audits are only valuable if you treat them as an opportunity to learn and grow.

I’ve seen companies where auditors are treated like a visit from Police Internal Affairs, with trepidation and an attitude of having to hide from the auditor. This is not conducive to learning from them! Even if you do have issues going on, it’s much better to have these highlighted in an internal audit so that you can work on them before having the FDA come in.


4. Consider using your own team

Even good consultants don’t necessarily have the time or internal knowledge of your company to notice everything. There are things that happen within a company that might not be defined in a process or procedure but are important for the company. This is the kind of information you want to uncover in internal audits - reduce “tribal knowledge” and get it documented.

Taking on the auditing with your own team can be valuable for uncovering these sorts of things. It’s doable if you spread it out over the year. It provides you with a good learning opportunity. This is, of course, a matter of choice (a consultant can be a huge help, particularly to companies who are still learning about compliance), but it’s good experience for your own team if done well.

To that end, provide training - this is key for whoever is doing auditing. Be a resource to them and structure a simple, yet effective training program that allows them to do the job well.

Free Download: Get your FDA QSR & ISO 13485:2016 Internal QMS Audit Checklist. Click here to download your PDF.

Final thoughts

In summary, I’d say don’t be “that” company, the one that panics in December over getting an internal audit done before the end of the year.

Internal audits should be treated as a valuable learning tool, not as a checkbox item to be done in order to please the FDA. Plan them out in a structured way across the year so that each process gets looked at thoroughly.

Consider training your own team members to manage internal audits and help to break down any “tribal knowledge” that might exist in your team. Of course, use a good system to help you organize your internal audits - check out Greenlight Guru’s audit workflow by requesting a demo here.

ISO 13485 2016 quality management system QMS for medical devices PDF download

Jon is the founder and VP of QA/RA at Greenlight Guru (MedTech Lifecycle Excellence platform exclusively for medical technology companies) & a medical device guru with nearly 20 years industry experience. Jon knows the best medical device companies in the world use quality as an accelerator. That's why he created...

Greenlight Guru Academy: Audit Basics
Register for this free course →
Audit Basics CTA