Tips for Structuring Your Internal Audit Program (and Mistakes to Avoid)

January 1, 2023

Tips for Structuring Your Internal Audit Program (and Mistakes to Avoid)

After a refreshing holiday break, there’s one question you need to ask yourself as you head into the new year: Do we have a plan in place for internal auditing this year?

I kid, but only a bit. The start of the new year is a good time to consider the state of your internal audit program. 

What is your plan to carry out your internal audits throughout the coming year? Do you feel confident you can carry out that plan? 

How did internal audits go last year? Did you identify opportunities for improvement and act upon them? Or are you still scrambling to catch up on the issues you identified last year?

If you don’t feel confident about your internal audit program, then right now, at the beginning of a new year, is the perfect time to do something about it. If you act now, you can avoid the mad scramble that accompanies a disorganized and delayed internal auditing program. 

BONUS RESOURCE: Click here to download your free PDF of our FDA QSR & ISO 13485:2016 Internal QMS Audit Checklist.

What happens when you leave internal audits to the last minute?

Let’s begin with a story. Several years ago I was working with a company that had had some problems with an FDA inspection, which was part of why they brought me in to help them. We needed to do a lot of work on their quality system and procedures to get them up to scratch. 

This was at the end of the year, in December. I had a meeting with the president of the company and some senior team members, and I asked them if I could review their internal audits for the year. The color drained from their faces. They hadn’t given any thought to internal auditing, and we were weeks from the end of the year. 

Now, FDA requires that you conduct internal audits according to a schedule that you, the manufacturer, have prepared in advance. Some processes are more critical than others and must be audited at least once a year, while for others you may be able to justify auditing them every other year. 

Unfortunately for this company, the schedule they had documented required them to conduct an internal audit of all their processes once per year. They were panicking, and rightfully so. 

Should you use consultants for your internal audits?

In this case, the company had little recourse but to call in consultants to help them complete their internal audits. 

If you’re wondering whether contacting a consultant to perform an internal audit on an incredibly short deadline is a good idea, I’ll give you the answer right now. It’s not. 

Why? Because the best way to conduct an internal audit is to be present and interact with the people in charge of the processes that you’re auditing. In this case, the consultant couldn’t even be there in person. It was so late in the year that the consultant had to audit the company’s processes remotely. And even then, they found plenty of issues that needed to be addressed. 

But this company made it out of the woods, right? The consultant got the audit done in time and they had their audit reports completed by December 31st. Sure, it was just a checkbox activity and they only did it because they had to, but at least they were starting the new year on a positive note, right? 

As you may have guessed, that was not the case. And the reason for that was the company’s policy regarding internal audits and CAPA

What are the downstream consequences of a poor internal audit program?

The company’s policy stated that any issues found in an internal audit must lead to a CAPA. That is a huge mistake! Just because an issue has been found in an audit, that does not mean that you should automatically start a CAPA.

As we’ve discussed previously,  CAPA should be reserved for systemic issues that aren’t addressed by following your other procedures (such as your procedures for complaints or nonconformances). 

But this company’s policy stated they had to open these CAPAs. There were about 30 issues identified by the consultant, and now their own policy was telling them they had to issue a CAPA for each one. 

So, instead of starting fresh in the new year, this company (which was already struggling) had just buried themselves under a mountain of CAPAs.

That story may sound extreme, but unfortunately, it’s not an isolated incident. A lot of companies treat internal audits as a box they need to check at the end of the year. As you can see, that approach can have some serious consequences—even threatening the existence of your company. 

I am happy to say, however, it doesn’t have to be that way.

4 tips to improve the internal audit program at your medical device company

There are a number of steps you can take to make internal audits not only less burdensome, but more enlightening and productive.

Spread your internal audit activities out

By now you can see why leaving all your audit activities until the end of the year creates a mess. But carrying them out all at once during any time of year can be pretty difficult. 

Instead, I find that breaking up the auditing activities by quarter creates a nice, manageable spread. Anything more frequent tends to get too noisy. 

Remember, you’re allowed to create your own schedule for internal audit activities. If you have around 30 processes in your company that make up your SOPs, you can divide those up between quarters, grouping together similar or related processes.

One advantage to grouping processes with related purposes is that it will help you identify any systemic or workflow issues as you audit them. 

Treat internal audits as an opportunity for improvement

Different companies have different responsibilities and structures when it comes to internal audits. A larger company may have a specific team assigned to them; a smaller company may be sharing responsibility across the organization. 

Regardless of structure, internal audits are only valuable if you treat them as an opportunity to learn and grow, which will ultimately help you improve your external audit outcomes.

I’ve seen companies where auditors are treated like a visit from Police Internal Affairs. Everyone acts as though they need to hide things from the auditor so they don’t get caught. This is not conducive to learning and improving! 

The whole purpose of internal audits is to ensure that you are finding any issues and solving them as a team—before FDA shows up at your door. There’s nothing wrong with discovering you have a problem, highlighting the issue, and then fixing it. That’s what internal audits are there for, but you won’t get that benefit if you view them as an adversarial event that everyone just has to endure.

Consider using your own team to conduct internal audits

First, let me be clear that I have nothing against consultants per se. Consultants can be a huge help, especially for early stage medical device companies that are still learning about compliance. 

But even good consultants don’t necessarily have the time or internal knowledge of your company to notice everything during an internal audit. There are things that happen within a company that might not be defined in a process or procedure, but are still important for making everything work. 

This type of “tribal knowledge” is something you want to uncover and document during internal audits. Doing your own audits with your own team is invaluable when it comes to discovering this sort of knowledge and simply getting a better understanding of your organization as a whole. 

If you’re unsure about doing internal audits yourself because you or your team lacks the right training, I’d encourage you to check out Greenlight Guru Academy, which includes some incredible classes and resources on conducting successful audits.

BONUS RESOURCE: Click here to download your free PDF of our FDA QSR & ISO 13485:2016 Internal QMS Audit Checklist.

Choose a tool that’s purpose-built for managing audits

A lot of companies tend to rely on spreadsheets for their internal auditing scheduling. 

Spreadsheets are great tools, but they’re not really built for the job of setting up and carrying out internal audits. They tend to prohibit good collaboration more than they enable it, and adding one more spreadsheet to the list of documents and spreadsheets everyone has to keep track of is a recipe for missing dates. 

The problems with providing visibility and keeping track of dates and audit activity owners are why we built an Audit Management workflow into our QMS at Greenlight Guru. Within this workflow, your team can create a schedule, specify due dates, assign owners, set reminders, and easily share it with others—all within your eQMS.

With Greenlight Guru, you get a dedicated Audit Management workflow that allows you to assign audit-related tasks to your team and track everyone’s progress towards due dates. You’ll be able to manage tasks, follow-ups, communications, and any actions that result from audit findings, as well as escalate high-risk findings for investigation and monitor low-risk findings for recurrence.

If you’re ready to start getting the most out of your internal audits, then get your free demo of Greenlight Guru today.

Jon Speer is a medical device expert with over 20 years of industry experience. Jon knows the best medical device companies in the world use quality as an accelerator. That's why he created Greenlight Guru to help companies move beyond compliance to True Quality.

FDA QSR & ISO 13485:2016 Internal Audit Checklist
Download Now
FDA QSR & ISO 134852016 QMS Internal Audit Checklist - Slide-in Cover
Search Results for:
    Load More Results