Maximizing The Value Of An Internal Audit Program In Pharmaceutical Quality Operations
By Jim Morris, IQS Consulting; and Peter Savin, Beyond GMP Compliance

There are two recent developments in our industry that constitute a seismic change in the way pharmaceutical manufacturers are regulated and, consequently, define what we in industry need to do.
- Firstly, there have been significant staffing cuts within FDA and other government agencies. CDER and CBER, respectively, announced cuts of 1,093 and 224 employees in 2025. This will inevitably limit the regulator's ability to fulfill its responsibilities, bringing delays in reviews and approvals and fewer inspections.
- Secondly, security of supply has become a regulatory hot topic, and it is the key driver of the CDER Quality Management Maturity (QMM) Program and EMA's Guidance to Strengthen Supply Chains. These regulatory initiatives require us to implement practices that go beyond current GMP.
The leaders of major pharmaceutical companies recognize the value of the partnership with regulators in the U.S. and across the globe in collectively advancing pharmaceutical innovation and regulatory science and assuring patient safety. CEOs and board members also recognize that ultimate responsibility for patient safety lies with the marketing authorization holder and its management team, not with the CMO or the distributor.
The recent developments reinforce the need for effective governance of product quality, regulatory compliance, and costs. Achieving these three requirements requires robust processes, clear responsibilities, and engaged management at all levels of the company.
Each time a company experiences a significant deviation or receives an adverse regulatory comment, issues can escalate. Simply put, the escalation might follow this sequence and spiral quickly:
- The company did not follow a procedure, resulting in a deviation or 483 item: a compliance risk.
- The company did not have effective control, leading to a product recall or warning letter: an operational risk.
- Top management did not know what was happening, leading to a consent decree: a strategic risk requiring an organizational response.
To avoid these undesirable conditions, management at all levels must ensure they are receiving the appropriate data and are able to see things as they really are. Without good information flow and transparency, management is handicapped and is unable to make the right decisions and direct their resources appropriately.
This ability to see things as they really are is a significant challenge for management. In this article we emphasize the importance of risk management and internal auditing as tools to significantly increase information flow and transparency within an organization.
Quality Risk Management
Quality risk management is an essential component of the system of internal control and governance and is regarded as good management practice.
A systematic, standardized, and effective approach to risk management is required to:
- establish a common language and protocols for identifying and communicating risks
- ensure that responsibilities for managing risks are clearly stated, understood, and accepted
- establish appropriate mechanisms for monitoring, reporting, and escalation of risks
- ensure that business objectives are achieved.
However, many companies struggle as they have an inadequate understanding of their responsibility to implement an effective system of internal controls and report significant issues. In these companies:
- some of the risk management processes between departments, sites, and corporate lack clarity and could be better connected to ensure they are truly interdependent,
- the risk mapping processes need improvement to allow better access to the information and easier updating,
- there is no centrally prescribed risk management methodology for the deployment of risk maps into business units, which has led to units taking an independent approach,
- the list of significant risks is often perceived as too long, which is seen as distracting focus from the risks that really matter, and
- the strategic focus on risk needs to be refreshed.
A systematic and standardized approach to risk management must be implemented throughout the manufacturing and supply chain, at site and corporate levels.
- Sites need to:
  - map their supply chains, production processes, and the inherent risks in risk registers
  - actively and routinely review and mitigate the risks.
- The corporate level must:
  - understand the risks to the business that each site presents through risk modeling
  - provide the corporate oversight and support to each site as required.
Risk Registers: The primary aim of a risk register is to provide an organized, transparent, and proactive approach by:
- bringing structure to data and metrics
- recording all identified risks so an organization can track their status over time, allowing for a strategic response to emerging threats
- prioritizing which risks need immediate attention, enabling effective resource allocation
- empowering staff to make risk-based decisions rather than escalating everything.
Risk Modeling/Site Profiling: In any network, a chain is as strong as its weakest link. Good governance is vital, and it relies on metrics.
- Senior management needs an executive picture of the risks presented by manufacturing operations.
- Management of internally and externally generated risks must move from reactivity to proactivity.
- This requires processes that take into account the strategic business impact of each site together with the effectiveness of its control systems.
Risk registers and risk modeling/site profiling are integrated, interdependent processes and must be structured accordingly.
Internal Auditing
The risk management approach combined with a tiered internal audit strategy will provide the greatest probability of identifying risks before they become problems for the organization. An approach to a tiered internal audit strategy and program is defined as Levels 1 to 3 in Figure 1 below.

Figure 1: Internal Audit Strategy
The internal audit triangle meets the pharmaceutical quality system requirements for self-inspection and local quality and corporate quality audits. Essentially, it consists of three levels, or tiers.
- Level 1. Compliance Risks – The first level of control. The foundation on which it is all built is Level 1 departmental self-inspection. These identify the many events or isolated failures that occur in all operations. They should identify and drive many small corrective and improvement activities.
- Level 2. Operational Risks – The second level of control. The oversight functions such as QA audits provide a fresh pair of eyes to each department’s self-inspections but also look at processes that run across interfaces between departments. In this way they identify more severe but hopefully less frequent operational issues and risks; normally these would be failures in quality systems rather than the isolated events, which would already be known via Level 1.
- Level 3. Strategic Risks – The third line of defense. Corporate or third-party audits provide independent challenges to the levels of assurance provided by the local operations by bringing an external (to the site) view and perspective. They are intended to identify the blind spots and unknown risks that arise when local management is too close to the operation.
Communication is the key to effective and efficient auditing, and all three levels must be aligned, communicating and operating interdependently to ensure that all aspects of the business (including policies, processes, systems, procedures, structures, and measures) are scrutinized for compliance, not only with regulatory requirements but also company standards, policies and the needs of the stakeholder groups.
For any organization to have good corporate governance, the quality culture must be audited by assessing the processes for promoting an appropriate quality culture within the organization.
For a large organization, this is a complex task that requires a mature culture of openness, or transparency. The maturity of the organization becomes evident when conducting internal audits, as it takes a mature culture to communicate openly and operate in a transparent manner. This can be described as a “proactive disclosure” approach to internal auditing. And it is best described using the Johari Window methodology, as outlined in Figure 2 below.

Figure 2: Johari Window
The window represents the totality of information and knowledge about issues, risks, risk management processes, and controls in an organization. As such, it can be considered as a proactive disclosure model. Figure 3 shows the current situation in GMP compliance auditing.

Figure 3: Current Situation – Knowledge of Risks
The horizontal axis at the top of the model indicates the amount of information and knowledge that the auditor gains during the audit (x%). The vertical axis, from top to bottom, represents the amount of information and knowledge that the auditee has (y%). Typically, this is greater than the auditor is able to gain during the audit.
The top left box therefore represents the shared knowledge of auditor and auditee, and the bottom left box represents what the fresh pair of eyes of the auditor is able to identify.
Together, these two boxes on the left side represent what is contained in the audit report communicated to senior management. Unfortunately, it is significantly less than the total issues and risks (known and unknown) in the organization being audited.
This is the problem, and it consists of two elements:
- Firstly, the top right box is usually the largest box of knowledge and is known only to the auditee. Therefore, it is hidden and not usually communicated outside the organization being audited. This results in siloed management of the issues, which generates further risk.
- Secondly, the real risk lies in the bottom right box. These risks are unknown to anyone in the organization and therefore go completely unmitigated.
Both boxes on the right side of the window are significant shortcomings in current assurance systems; therefore, a new approach is required. This is provided by the proactive disclosure methodology that drives transparency and open exchange of the risks, issues, and improvements between auditees, auditors, and management (local and corporate). This leads to shared discovery of the unknown risks. The result is maximization of the three known risk boxes and minimization of the unknown risk box. See Figure 4.

Figure 4: Risk Minimization via Proactive Disclosure
Proactive disclosure is not about the auditee presenting all their issues at the opening meeting of the audit. Proactive disclosure is a continuous process, aligned with and utilizing many of the corporate governance processes already in place, e.g., risk registers, governance committees, and the three levels of internal audit.
Proactive disclosure requires more time for exchange and discussion between the auditee and auditor prior to the conduct of the audit. This preparation is essential as it enables greater partnership and results in a more robust audit focused on systemic issues and existing and emerging risks in the operation.
Three aspects are key to successful implementation of proactive disclosure auditing:
- A clear mandate and expectation from top management.
- Active engagement of all stakeholder groups, including the auditee, auditor, and management, in discussing and agreeing on expected behaviors.
- Mature risk management processes integrated with existing governance processes.
Organizations that have an embedded quality culture and mature systems will be able to adopt the proactive disclosure approach to audit preparation. This will result in more meaningful audits for all parties. The internal audit function is an investment in time and resources; therefore, maximizing the value of the internal audit program is essential, particularly as regulators scale back on-site inspections and are quicker to take regulatory action, delay a decision, or request more data when they perceive weaknesses in a sponsor's quality program.
A well-designed risk management program, combined with a proactive disclosure approach to internal auditing, is an indicator of a mature quality management system, one that provides management with the information required to truly see things as they really are.
About The Authors:
Jim Morris is founder and principal consultant at IQS Consulting. Investigation and CAPA system improvement is a core area of focus for IQS Consulting. Previously, he was vice president of NSF's Pharma-Biotech Consulting practice, delivering consulting, training, and certification services to NSF clients globally.
Peter Savin has over 50 years' experience in the pharmaceutical industry, 25 of them in senior quality, GMP, and corporate governance roles, including the management of governance, risk management, and audit functions. He is currently an independent consultant. His areas of expertise include risk management, quality culture and human error reduction, quality management systems, auditing, deviations, remediation of FDA Warning Letters, consent decrees, and UK MHRA IAG remediation activities.