Internal Audit Reports: Can the FDA Take a Peek? Part 2: Other Agencies

In Part 1 of this article, we explored FDA’s policy on reviewing internal audit reports as outlined in Compliance Program Guidance (CPG) Sec. 130.300, FDA Access to Results of Quality Assurance Program Audits and Inspections, which clearly states that the agency will not review internal audit reports other than in exceptional circumstances as listed in the CPG. Our article also addressed FDA requirements for conducting internal audits and what the Redica Systems platform reveals about FDA inspection observations related to those audits.

In Part 2, we explore how one European agency treats audit reports differently than FDA – specifically, audits of suppliers.

Switzerland Publishes Its Position

In early July 2023, Swissmedic, the Swiss Agency for Therapeutic Products, released a “Technical Interpretation” document titled “Inspection of Company Audit Reports” that was made effective immediately.

 

 

In the Purpose and Scope section, the document states, “In order to assure a harmonized conduct of inspections of establishment license holders, this document summarizes the conditions under which an inspector of the competent Regulatory Authority does have a look into audit reports of a company. It should be distinguished between internal audit reports of a company (including audit reports of different sites within the same group/company) as well as reports from audits of suppliers.”

The agency distinguishes between what constitutes an internal audit vs. a supplier audit as follows:

“Internal audit: A systematic independent and documented process performed by internal staff or by subcontracted third-party auditors for obtaining evidence and evaluating it objectively, to determine the effectiveness and applicability of the required quality assurance system within the company (required by GMP part I, Ch. 1.4, xvii and 9 respectively, GMP part II, Ch. 2.5).Supplier audit: Audit of external suppliers or contractors performed by company auditors (or by subcontracted third party auditors) in order to assess the compliance of suppliers of key services, critical raw materials, or contractors used for out-sourced manufacturing or distribution activities (performed in the context of the requirement in the GMP part I, Ch. 7 respectively, GMP part II, Ch. 16.13 as well by GDP, Ch. 5.2 and Ch. 7).”

Internal Audits No; Supplier Audits Yes

Like FDA, the Swiss agency requires each company to have an internal audit program and explains that its inspectors will verify the company is “planning and performing internal audits and that appropriate follow-up actions are taken and that these activities are documented.”

Also, like FDA, Swissmedic indicates that internal audit reports will not be examined as part of routine inspections to encourage companies to perform rigorous audits and include all findings in the reports.

Regarding supplier companies, Switzerland takes a different position. It expects Good Manufacturing Practice (GMP) and Good Distribution Practice (GDP) regulations and guidance to be followed in supplier operations covered by those policies, and for companies to conduct audits of suppliers to ensure adherence to those good practices:

“Any activity covered by the GMP Guide or GDP guidelines that are outsourced should be appropriately defined, agreed and controlled in order to avoid misunderstandings which could result in a product or operation of unsatisfactory quality.”

Also similar to the recommendations in FDA’s 2016 guidance, Contract Manufacturing Arrangements for Drugs: Quality Agreements, Swissmedic emphasizes that “there must be a written Contract between the Contract Giver and the Contract Acceptor which clearly establishes the duties of each party. Supplier audits may need to be performed as an element to check and verify the compliance of the suppliers.”

The Swiss agency states, “In contrast to internal audit reports, the inspector may at any time review supplier audit reports as part of a routine GMP/GDP inspection or of a product related inspection.” By contrast, FDA tends to treat supplier audits the same way it does internal audits.

It further explains, “supplier audit reports may also be used as an element for providing supporting evidence for the GMP status of a foreign manufacturing site from a country which GMP control system is not accepted by Switzerland.”

Anecdotal data from European companies indicates that EMA member states and MHRA also tend to avoid examination of internal audits but will only look at audit reports for suppliers in unusual circumstances.