Internal Audit Reports: Can the FDA Take a Peek?

Is it True that Health Regulatory Authorities Do Not Have Access to Internal Audit Reports?

Yes and no.

It is true that FDA has a policy not to review internal pharma company audit reports during facility inspections, although there are circumstances where the reports must be provided.

In the case of FDA, investigators can ask for evidence that a company has an internal audit program and that it has been properly implemented and is being performed effectively by the appropriate personnel.

FDA’s current thinking is covered in Compliance Program Guidance (CPG) Sec. 130.300, FDA Access to Results of Quality Assurance Program Audits and Inspections, published June 2007.

FDA’s Compliance Programs, accumulated in what is known as the FDA Compliance Program Guidance Manual (CPGM), provide instructions to FDA personnel for conducting activities to evaluate industry compliance with the FD&C Act and other laws administered by FDA. They are published by the agency and available through the Freedom of Information Act (FOIA).

The policy on internal inspection reports, according to the CPG, is “not to review or copy a firm’s records and reports that result from audits of a quality assurance program when such audits are conducted according to a firm’s written quality assurance program at any regulated entity. The intent of the policy is to encourage firms to conduct quality assurance program audits and inspections that are candid and meaningful.”

In other words, the agency wants companies to perform robust internal audits to find gaps in its GMP programs and correct them, and if those reports were available to FDA, the auditors performing them would be reluctant to report the company’s “dirty laundry” in reports available to FDA.

During facility inspections, some FDA investigators may ask for audit reports, but according to CPG 130.300, they are not entitled to see them. It is appropriate to politely tell the investigator what they are entitled to see per the CPG is “written certification that such audits and inspections have been implemented, performed, and documented and that any required corrective action has been taken.”

What are the Requirements for Performing Internal Quality Audits?

FDA’s expectations for pharma companies to perform internal quality audits are not codified in 21 CFR 211 but in 21 CFR 820, which covers medical devices. Though not generally cited in a pharma company inspection, it is the source of the expectations. 

§ 820.22 Quality audit: 

“Each manufacturer shall establish procedures for quality audits and conduct such audits to assure that the quality system is in compliance with the established quality system requirements and to determine the effectiveness of the quality system. Quality audits shall be conducted by individuals who do not have direct responsibility for the matters being audited. Corrective action(s), including a reaudit of deficient matters, shall be taken when necessary. A report of the results of each quality audit, and reaudit(s) where taken, shall be made, and such reports shall be reviewed by management having responsibility for the matters audited. The dates and results of quality audits and reaudits shall be documented.”

The main elements include the expectation that a company:

• Has a procedure for conducting internal quality audits against the pharma quality system
• Assigns individuals to conduct audits who are not in the area being audited
• Takes corrective actions when gaps are found
• Produces an audit report that is shared with management of the area audited
• Documents the dates of the audits and reaudits and the results.

What are the Issues FDA is Citing on 483s Regarding Internal Audits?

A search of the Redica Systems Enforcement Analytics platform was conducted to learn what FDA is citing at pharma companies in the area of internal audits. It was conducted for calendar years 2012 to 2022, looking at the category: Quality System > Audit > Internal Audit Program

Over that ten-year period, 20 form 483 Observations were found. Here is a comparison at a high level showing the deficiencies that were observed:

Here are example audit procedure issues that agency investigators observed as documented in the 483s:

• Quality audits were not performed at defined intervals and sufficient frequency to determine whether the quality system activities and results comply with quality system procedures.
• The procedure does not describe the qualification process for selected internal auditors.
• The firm’s internal auditing procedure…pertains only to assessing compliance with drug Good Manufacturing Practices (GMPs) and does not include requirements to assess compliance with pertinent medical device Quality System Regulations such as management controls, design controls, and purchasing controls.
• The procedure does not require the evaluation of all elements of each system audited on a regular basis to “certify” the system as compliant as only certain elements of an audited system may be covered…
• Failed to conduct…audits of your device contract manufacturer as defined by Internal Audit Control SOP
• Internal audit program…allows department managers to conduct internal audits on areas under their responsibility. 
• Your firm failed to establish a procedure for quality audits to determine the effectiveness of the quality system. There is no documentation available for review to indicate if and when the required annual quality audits were performed.

Circumstances When Internal Audit Reports Must be Made Available

While FDA investigators cannot review internal audit reports during a routine inspection, there are circumstances per CPG 130.300 in which access to the audit reports is permitted, for example, under the following circumstances:

• In a “Directed” or “for-cause” inspection and investigations of a sponsor or monitor of a clinical investigation;
• In litigation (for example, and not limited to, grand jury subpoenas, discovery, or other agency or Department of Justice law enforcement activity (including administrative regulatory actions));
• During inspections made by inspection warrant where access to records is authorized by statute; and
• When executing any judicial search warrant.

It is important to know there are circumstances in which internal audit reports may be discoverable. Why? There may be a propensity to take shortcuts or write using internal acronyms or informal language if the author believes the report is only for internal use. The quality of internal audit reports should be the same as any reports that may be asked for by agency investigators.

In summary, FDA doesn’t review internal audits as a matter of standard procedure. A big part of the reason is that they want companies to foster robust internal audit capabilities wherein employees feel free to call out areas for improvement without automatically signaling problems to FDA.

FDA is able to review internal audits in certain situations, however. So while internal audits aren’t routinely inspected by FDA, they may be if it is warranted.