Internal Audit Management, Policy and Procedure

Internal Audit Management- How to do this?

The Internal Audit Policy and Procedure describes the internal auditing process to evaluate the effectiveness of Quality Management System (QMS) against the requirements for ISO13485 Standard and Internal business processes.This procedure covers all processes related to ISO 13485:2016. The procedure uses reference to QSI (Qualcy Systems Inc) as the company. You can use your company name, to create your own procedure. You can also refer to our other post for guidance document for helping you to do the audits for  ISO 13485 standard.

PART 820 — QUALITY SYSTEM REGULATION

Subpart B–Quality System Requirements

Sec. 820.22 Quality audit.
Each manufacturer shall establish procedures for quality audits and conduct such audits to assure that the quality system is in compliance with the established quality system requirements and to determine the effectiveness of the quality system. Quality audits shall be conducted by individuals who do not have direct responsibility for the matters being audited. Corrective action(s), including a re-audit of deficient matters, shall be taken when necessary. A report of the results of each quality audit, and re audit(s) where taken, shall be made and such reports shall be reviewed by management having responsibility for the matters audited. The dates and results of quality audits and re-audits shall be documented.

Who is responsible for Internal Audit?

Quality Assurance Manager or the Designee shall:

Ensure that the QSI adhere to the approved audit schedule which include audit at least once in a year.The criteria to be used, the scope of the audit, and the audit frequency within the schedule shall be based on:

(1) Previous audit results.

(2) Results from customer complaint trend analysis.

(3) Major changes in the Quality Management System

(4) The methodology applied: process, product, system audits, and the relative importance and complexity of processes.

(5) Individuals selected must be independent of those having direct responsibility for the activity or process that is being evaluated.

(6) Auditors should be qualified. Qualifications can be based on formal training, experience, or under the supervision of a lead auditor.

(7) Ensure audit results are presented in the Management Review Meetings for improvement.

Lead Auditor/Team shall:

(1) Ensure that previous and or related audits are reviewed as part of the audit process. Also, confirm that participating auditors have met the qualification requirements.

(2) Write an Audit Summary Report within 30 days of the audit.

(3) Document findings and the audit report in the Qualcy EQMS system or using the RF0091 (Internal Audit Report Template).

Auditee shall:

(1) Provide support, information and input as requested by the Auditor.

(2) Respond to the audit findings in timely manner.

(3) Notify the lead auditor of any changes to the action plans, etc.

Requirements for Internal Audit Management

Auditor Qualifications: All auditors shall have the training, education and experience to perform audits. The minimum training and experience requirements for internal auditors are outlined below.

Auditor – Team member: Minimum requirements for audit team members prior to actively participating in audits:

(1) Training of this Procedure (SOP 0012: Internal Audit Policy and Procedure).

(2) At a minimum understanding of the following regulations/standards (current version):

ISO 13485 Standard: This requirement can be met by one of the following:

(1) Completion of Auditor Training or other equivalent auditor training.

(2) On the Job experience (in current or previous company) in a role that includes auditing responsibilities.

Audit Experience: Experience performing audits as an auditor. This requirement can be met by one of the following:

(1) Participating on at least two (2) internal audits as an auditor trainee under the direction of a qualified auditor. These audits will be documented on RF0008, Training Documentation Record.

(2) Experience performing audits as an auditor in current or previous company.

Lead Auditor: Minimum requirements for a lead auditor prior to actively participating in audits:

(1) Same as auditor requirements

Auditing Training: Knowledge and understanding of the audit process. This requirement can be met by one of the following:

(1) Completion of Lead Auditor Training or other equivalent lead auditor training.

(2) On the Job experience (in current or previous company) in a role that includes lead auditor responsibilities.

Audit Experience: Experience performing audits as an auditor. This requirement can be met by one of the following:

(1) Participating on at least two (2) internal audits as an auditor trainee under the direction of a qualified auditor. These audits will be documented on RF0008, Training Documentation Record.

(2) Experience performing audits as an auditor in current or previous company.

Equipment and Computer Access:

The employees should have access to Qualcy EQMS system through a computer equipped with an internet browser.

Procedure for Internal Audit Management

Creating Audit Schedule

(1) The Quality Manager or the designee shall develop a yearly audit and confirm that all elements are scheduled to be audited at least once during the fiscal year.

(2) Frequency may be adjusted based upon audit performance, assessments/audit findings and other Quality System metrics (Internal Failures, External Failures).

Audit Planning

Audit Planning
Internal Audit Policy and Procedure

(1) The lead auditor shall notify the auditee about the audit plan ahead of time.

(2) The lead auditor shall create the audit plan for the audit in the Qualcy EQMS system or the audit plan can be created in paper copies. The lead auditor is the Project Owner of the audit.

The audit reports detailing audit findings and recommendations shall be documented on Qualcy EQMS Audit Project or using the RF0091: Internal Audit Report Template.

Audit findings based on severity can be categorized as:

(1) Major Non-Conformance: A failure in a process or system that potentially compromises the assurance of product quality and/or would likely be cited by a regulatory authority or customer as a significant non-compliance; an element of the Quality System improperly implemented; key records and/or evidences which cannot be properly traced leaving suspicion on their origin; previous observations classified as minor that have not been addressed properly in a timely manner by the site. Major findings require prompt corrective action by the auditee.

(2) Minor NonConformance: An isolated item observed that is not yet serious, but could become a problem if not corrected in a timely manner (auditee management follow-up is required to assure that a systemic problem does not exist);
Note: When a significant number of minor non-conformances are raised in one system area, it could be indicative of the start of breakdown in that system then the classification may be escalated to Major.

 (3) Opportunity for Improvement (OFI): Conditions or poor practices identified by the auditor that do not meet the definition of a non-conformance, yet if corrected may improve the overall quality management system or prevent future non-conformance. These audit findings, when addressed, will likely improve the data, documentation, and/or procedures associated with a facility, product, or operation

The overall audit rating shall be included for the audit. Also an audit conclusion statement shall be included in all audit reports, regardless if they are for a single quality system element or a full quality system assessment. One of the following overall statements can be used to describe the assessment of the effectiveness of the Quality System Elements.

(1) Quality System appears to be in substantial compliance and appears effective. (This statement of compliance should only be used when the audit results in minor or no nonconformances).

 (2) Quality System appears to be in substantial compliance, but requires corrective action in some key or critical area(s). (This statement of compliance should be used when the audit results in no more than three major nonconformances).

(3) Quality System has deficiencies and/or compliance issues that will require significant remediation activities to achieve substantial compliance. (This statement of compliance should be used when the audit results in more than three major nonconformances and/or one or more critical nonconformances).

Records for Internal Audit Management

Audit Records
Internal Audit Policy and Procedure

The approved audit reports will be maintained in the Qualcy EQMS system or using the RF0091 (Internal Audit Report Template). The audit report shall include following sections

(1) The list of participants or the auditee in the audit

(2) The scope of the audit, which may be the processes, functional or business units.

(3) The objective of the audit

(4) The criteria for the audit including the relevant sections of the ISO Standard.

(5) Review of the status of the audit findings from the previous audit. This may include notes regarding the effectiveness of the corrective actions implemented.

(6) Audit notes and descriptions

(7) Audit findings and non conformances. This section shall include the evidence that was sampled, observed, examined and evaluated. Also include reference to the criteria or requirements from the ISO standard or FDA regulations.

(8) Conclusion/summary of the audit including the classification of audit findings

(9) Due date for response for the audit non conformances. The response shall include corrective action plans and due date for completion of corrective actions.

(10) The records for the corrective action taken can be documented in the CAPA system or through change requests. In such cases, the reference for the CAPA can be included in the audit non conformance reports to close the audits.

You can refer to our other post for managing the corrective and preventative actions( CAPA system).

Auditor qualification records will be kept in the auditor training files.

Risk Management

Risk Management table

You can contact us to set up a demo to see the Qualcy  Internal Audit Management Software. Also you can get a word copy of this document.

Leave a Reply

Your email address will not be published. Required fields are marked *