Compliance with US and EU Internal Audit Requirements

  Siegfried Schmitt, principal consultant, PAREXEL, discusses how to handle internal audit reports during inspections.   Q. Our internal audit procedure is due for revision. It currently states that internal audit reports will not be made available to inspectors from regulatory agencies and that the reports can be destroyed once all corrective actions have been completed. Is this still compliant with United States and European Union (EU) regulations?   A. Internal audits, or self-inspections as they are called in the EU, help assess a pharmaceutical company’s quality system and compliance status. When a company performs internal audits, it is essential to have a procedure in place, which your company does have. The US and the EU have different regulations regarding internal audit records. In short, if you destroy your internal reports, you would be compliant with US regulations, but not with EU regulations.  To further elaborate, it’s important to realize that the US cGMP regulations (21 Code of Federal Regulations [CFR] Parts 210 and 211) do not describe specifically a requirement to conduct or keep records of an internal quality assurance audit. Considering this, your procedure would be compliant. According to published FDA policy, during routine FDA inspections and investigations conducted at any regulated company that has a written quality assurance program, FDA will not review or copy reports and records that result from internal audits under the written quality assurance program (1), and additionally, for medical device manufacturers, the policy is codified at Title 21, CFR, Section 820.180(c) (2). Consequently, you could, if you so wish, destroy the report once all corrections have been performed and implemented. However, you do have to retain the documentation on the corrective actions as these are covered in 21 CFR 211 (3).   On the other hand, the EU GMP regulations for medicinal products for human use have a chapter dedicated to self-inspections (4), which specifically mention the need for an internal audit report: “All self-inspections should be recorded. Reports should contain all the observations made during the inspections and, where applicable, proposals for corrective measures. Statements on the actions subsequently taken should also be recorded.”   Therefore, self-inspection reports must be prepared, retained in accordance with documentation retention requirements, and most importantly, be provided to the regulators when requested. In fact, refusal to provide the internal audit report in an inspection can be considered a critical observation. EU inspectors are known to have terminated inspections because of critical observations. This is similar to FDA’s “refusal to co-operate with the inspection” in which FDA would terminate the inspection.    In the EU, the requirement for self-inspections extends to drug substance (i.e., API) manufacturers as specified in the Delegated Act of 28.5.2014 supplementing Directive 2001/83/EC (5), which says, “The manufacturer shall conduct regular internal audits and follow-up on the findings.”   While you are revising your internal audit procedure, it would be beneficial to check and ensure that it covers a review of the effectiveness of your governance systems for data integrity and traceability (6). Updating procedures when new legislation and guidance is issued will help ensure compliance (7).   To recap, you are still compliant with US regulations, but as detailed above, this is not the case for EU regulations. It is good practice to design your quality system so that it complies with even the most stringent regulations that apply to your business.   References  1. FDA, CPG Sec. 130.300 FDA Access to Results of Quality Assurance Program Audits and Inspections (FDA, June 2, 2007). www.fda.gov/ICECI/ComplianceManuals/CompliancePolicyGuidanceManual/ucm073841.htm, accessed June 1, 2015. 2. FDA, CFR Title 21, Part 820.180 (Government Printing Office, Washington, DC, revised April 1, 2014), www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?fr=820.180, accessed June 1, 2015. 3. FDA, CFR Title 21 Part 211, www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart=211, accessed June 1, 2015. 4. European Commission, EudraLex, The Rules Governing Medicinal Products in the European Union, Vol. 4, EU Guidelines for Good Manufacturing Practice for Medicinal Products for Human and Veterinary Use Part 1, Chapter 9: Self Inspection, http://ec.europa.eu/health/files/eudralex/vol-4/pdfs-en/cap9_en.pdf, accessed June 1, 2015. 5. European Commission, Commission Delegated Regulation (EU) No 1252/2014 Of 28 May 2014, http://ec.europa.eu/health/files/eudralex/vol-1/reg_2014_1252/reg_2014_1252_en.pdf, accessed June 1, 2015. 6. MHRA, MHRA expectation regarding self inspection and data integrity (MHRA, Dec. 16, 2013), http://webarchive.nationalarchives.gov.uk/20141205150130/http://www.mhra.gov.uk/Howweregulate/Medicines/Inspectionandstandards/GoodManufacturingPractice/News/CON355490, accessed June 1, 2015. 7. S. Schmitt, Pharm. Tech. 39 (5) (May 2015), www.pharmtech.com/how-stay-abreast-shifting-regulations-and-remain-compliant.  

Article DetailsPharmaceutical Technology
Vol. 39, No. 7
Pages: 66

Citation:
When referring to this article, please cite it as, S. Schmitt, "Compliance with US and EU Internal Audit Requirements," Pharmaceutical Technology 39 (7) 2015.