“If you tell the truth, you don’t have to remember anything.”

—Mark Twain

Risk can be defined in various ways, depending on the context. Generally, risk is considered as the possibility of damage, loss or injury; it’s a threat of something potentially going wrong with the activities or organization of the entity or persons concerned. Without a potential adverse consequence occurring, there is no hazard. Audits are one tool of risk assessment.

Risk assessment is the process, identification, analysis and estimation of potential relative adverse hazards, and whether it relates to general financial decisions or environmental, ecological, public or human health risk—and what could happen if a hazard occurs. This is generally done using either or both a quantitative or qualitative risk analysis tools.

Quantitative risk analysis is all about the numbers. The available data is numerical value, structured and statistical, and is used to predict the probability (and acceptability) of a risk event outcome. Risks are scored based on their probability or likelihood of occurring and the impact, should they occur. High-quality data is needed to conduct a quantitative risk analysis, in addition to a well-developed project model and a prioritized list of project risks.

Qualitative risk analysis analyzes trends. It uses more empirical information to create a subjective assessment of risk occurrence. It is an assessment of the probability of a negative event occurring against the potential severity of the risk outcomes (impact), to determine the overall severity of a risk.

The word “audit” is derived from the Latin word “audire,” which means to hear. In general, an audit is an investigation of an existing system, report or entity. There are a number of audits type that can be conducted. Auditing is the onsite verification process, such as inspection or examination, to ensure compliance to requirements. An audit can apply to an entire organization or be specific to a function, process or production step.

The three basic types of audits are product, process and system.

Product audit is an examination (inspection) of a finished product or service (hardware, processed material or software) to evaluate whether it conforms to requirements (that is, specifications, performance standards and customer requirements).

Process audit is a verification that processes are functioning within established limits. It evaluates an operation or method against predetermined instructions or standards, to measure compliance or conformance to these standards, as well as the effectiveness (or validity) of the instructions. It revolves around verification of the manner in which: 1) people; 2) material; and 3) machines, etc., mesh together to produce a product. Process audits are appraisal and analytical in nature.

System audit is an audit conducted on a management system. It can be described as a documented activity performed to verify by examination and evaluation of objective evidence, that applicable elements of the system are appropriate, current and effective. A GMP (good manufacturing practice) quality audit is an example of this.

Some audits are named and classified according to their purpose or scope:

Financial audits typically involve a focus on financial controls as they relate to reporting. These audits focus on accounting controls present in the general ledger. This is an analysis of the fairness of the information contained within an entity's financial statements. It is conducted by a certified public accounting (CPA) firm, which is independent of the entity under review.

Operational audits focus on the review and assessment of a business process. The activities of the business process may result in a direct or indirect financial impact to the organization. An internal audit primarily focuses on operational audits, but it can extend the scope to include accounting procedures that can impact financial reporting. This is a detailed analysis of the goals, planning processes, procedures and results of the operations of a business, likely with recommendations for improvement. The audit may be conducted internally or by an external entity.

Compliance audits review the level of compliance with internal policies or external regulatory requirements. This is an examination of the policies and procedures of an entity or department to determine if it complies with internal or regulatory standards. This audit is most commonly used in regulated industries or educational institutions. This kind of audit is usually conducted by an external entity.

Integrated audits are broader, looking at controls that address financial, operational, compliance and information systems risks. These audits are typically centered on a business cycle or a specific part of a cycle or process. Integrated audits happen when there are two different areas of an audit required. For example, there is a financial audit along with a social audit, or some areas need to be confirmed with a financial audit.

Environmental audits and social audits are mostly engaged by large corporations, nonprofit organizations or in the public sector. An environmental audit is an analysis and evaluation intended to identify environmental compliance and management implementation. A social audit is a way of measuring, understanding, reporting and ultimately improving an organization's social and ethical performance (e.g., child labor, etc.).

Investigative or special audits are investigations of a specific area or individual when there is a suspicion of inappropriate or fraudulent activity. The intent is to locate and remedy control breaches, as well as to collect evidence in case charges are to be brought against someone. A special audit is a bit different from a forensic audit as the special audit is unusually done by internal staff of entity.

For contract manufacturers, many of the above audit types apply.

Auditor

An auditor is an authorized individual who has been qualified to conduct audits. An auditor may be either an internal auditor (an individual whose primary job function is to audit his or her own company) or an external auditor (an individual from outside the company, who typically is employed by an auditing firm who handles different clients). The auditor conducts methodical examination, inspection or review of a condition or situation to find discrepancies. 

Many auditors specialize, depending on their background or experience. They can work as independent external auditors, internal auditors or governmental auditors. Auditors can also work for many different entities, such as a bank or a state government, etc.

GMP Audits

It is primarily the GMP quality system audit that is of concern to dietary supplement manufacturers and sellers. GMP compliance audits are performed by FDA, third-party certifiers and companies performing their own vendor audits. These are typically onsite manufacturing facility audit for compliance with both: 1) FDA GMPs (21 CFR Part 111) and 2) any of the specific certifier’s requirements.

Audit Steps & Process

The first step is to schedule a mutually workable date for the audit that suits both parties. Unlike regulatory audits, which are often unannounced, customer/vendor audits are typically scheduled.

Audit preparation consists of everything that is done in advance by interested parties, to ensure the audit complies with the client’s objective.

Audit process, often called fieldwork, is the onsite data-gathering activities portion of the audit and covers the time period from arrival at the audit location up to the exit meeting. Mainly, auditors look at both the facility and documentation, which is objective evidence. 

Always request to have an exit interview when the onsite audit is complete. Sometimes, any misunderstandings or missing information can be cleared up before the audit is formalized. The close-out meeting can also be the time to have a more detailed discussion about certain observations or discrepancies, as well.

The purpose of the audit report is to communicate the results of the audit. The report should factually show any corrections, errors, gaps, inconsistencies, inadequacies, omissions, etc., that need to be addressed—or not. The report should provide correct and clear information that can be used as an effective management tool in addressing important organizational issues. The audit report usually requires a response regarding corrections or documentation of any deficiencies reported. 

After receiving an audit report, the contract manufacturer must follow up and respond in a timely manner to any changes, corrections or documentation requested. When the responses are accepted, . the audit is concluded. 

The purpose of an audit is to provide a report to the entity institution with the objective findings of the audit (in relation to the audit criteria), as well as an assessment of the compliance and effectiveness of a company’s operations. As a result of an audit, the various stakeholders may evaluate and improve the effectiveness of risk management, control and the governance process over the subject matter of what the audit covered. It can be an effective tool in the management toolbox for gauging and improving operations within a company.

Robin C. Koon is executive vice president at Best Formulations. He has more than 35 years of pharmaceutical experience in a clinical pharmacy practice, retail drug chain operations, in managed-care and in nutraceutical/pharmaceutical manufacturing.

Looking to know more about the regulatory responsibilities of a contract manufacturing partnership? Join us for the "Managing Quality in a Contract Manufacturing Partnership" workshop on Saturday, Nov. 10, at SupplySide West 2018. This workshop is underwritten by Sora Laboratories.

And for information on FSMA timelines and rules along with current data on FDA’s enforcement efforts and findings, join us for the "Are You Prepared for a FSMA Audit?" workshop on Thursday, Nov. 8. This workshop is underwritten by Venable.