Third-Party Audits: Ensuring That Excipients Meet cGMP Requirements

Published on: 
, , , , ,
Pharmaceutical Technology, Pharmaceutical Technology-09-01-2018, Volume 2018 Supplement, Issue 4
Pages: s8, s10–13

Increasingly stringent audit requirements will make third-party accredited GMP audits critical for pharmaceutical excipients and raw materials.

In today’s regulatory environment, and with the importance of delivering quality medicines to patients, regulators continue to place even more responsibility on pharmaceutical companies. Although more companies are outsourcing manufacturing, it remains their job to ensure that raw materials used in their medicines, including excipients, are safe, of high-quality, and sourced from reputable suppliers who adopt appropriate manufacturing practices.  

In turn, excipient suppliers face a growing number of on-site audits and related information requests to ensure that their facilities and products meet the expectations of their customers (pharmaceutical companies) and regulators (1). The burden placed on audit teams at both suppliers and pharmaceutical companies is daunting. 

Current audit burden facing pharma

With the introduction of the Falsified Medicines Directive (FMD) (2) in Europe and the Food and Drug Administration Safety and Innovation Act (FDASIA) (3) in the United States, regulators have made clear that the buck stops with pharmaceutical marketing authorization holders. It is their responsibility to verify that current good manufacturing practices (cGMP), ascertained from a formalized risk assessment of the excipient and its intended use, are documented and in place for excipients used in drug products.  To meet this expectation, pharmaceutical companies are emphasizing on-site supplier audits and relying less on information provided from paper audits or questionnaires filled out by suppliers.

For decades, pharmaceutical companies have audited some of their excipient suppliers, but the audits typically took place every three-to-five years, and each one typically required only one day to complete. As cGMP requirements for excipients have become more stringent, it can be difficult to audit even the smallest excipient suppliers in one day, at least in any comprehensive way. What has typically happened is that audits have been rushed and compromised. 

In response, pharmaceutical companies have increased requests for more and longer (i.e., one-to-two-day) on-site audits. The problem with on-site supplier audits is that they are costly, both to the company performing the audit and the supplier that is being audited. For pharmaceutical companies, audits require spending on travel and accommodations for the auditing team, plus hourly rate for any contract auditors they hire. They must also budget for writing the audit report and follow up work.  

Suppliers often reject requests for audits due to resource constraints and because pharmaceutical customers are not their core markets and the sales value of their business is too low to justify the time required for the audit. Based on business case and customer priority, excipient suppliers have historically hosted limited on-site audits from pharmaceutical companies. However, many excipient suppliers have hundreds or even thousands of customers and find it physically and economically impossible to host on-site audits for all of them.  In addition, not all pharmaceutical company auditors are sufficiently trained in excipient GMPs, adding layers of complexity and burden to the excipient supplier.

Based on the growing need for verified excipient quality and safety information and to help alleviate the audit burden, pharmaceutical companies, excipient suppliers, and other pharmaceutical industry stakeholders have joined together to develop voluntary excipient cGMP consensus standards (4,5). These voluntary standards facilitate the use of third-party qualified auditors who have been specifically trained to audit excipient manufacturing facilities to ensure their compliance with both cGMP and current good distribution (cGDP) practices.

Recognized consensus standards and auditing programs 

Today, there are two voluntary consensus standards and auditing programs designed to assess excipient GMPs (6): 

The EXCiPACT certification scheme (7), certified against EXCiPACT cGMP and good distribution standards (5), which are published as an annex to the International Organization for Standardization (ISO) 9001:2015 Quality Systems standard. The EXCiPACT certification scheme was launched in 2012 and includes the GMP and good distribution practice (GDP) for excipients as an Annex of ISO-9001, the competency of the auditors, and the independence of the certification bodies as an annex of the ISO-17021. 

The NSF Health Sciences Excipient Certification Program (NSF-ECP), which certifies against the NSF/IPEC/ANSI 363: Good Manufacturing Practices (GMP) for Pharmaceutical Excipients standard.  The program was launched in March 2015 and may be used by all excipient manufacturers, regardless of ISO 9001 certification status.  The program is accredited by the American National Standards Institute (ANSI) and operated with oversight of NSF Corporate Quality and Compliance.  

The purpose of these certification programs is to apply a consistent approach to inspecting and auditing excipient suppliers for conformance to appropriate excipient cGMPs. In addition, these independent, high quality, third-party certification programs include the use of credible certification bodies (CBs) who employ qualified auditors who have been shown to be competent in the related standards, to issue audit reports and certificates.  Use of these independent CBs help to address concerns about any potential conflicts of interest.  As shown in Figure 1, the cumulative number of excipient GMP certificates has steadily accelerated during the past five years.  

Credible third-party certification involves both an independent assessment declaring that specified requirements pertaining to a product, person, process, or management system have been met and also that the certifying body has independent oversight to ensure impartiality and freedom from conflicts of interest. The third-party certification is more robust than first-party certification, in which an individual or organization providing goods or services offers assurance that it meets certain claims, and second-party certification, in which an association to which the individual or organization belongs provides the assurance (1). 

Audit options

Unlike the one-day excipient audit conducted by pharmaceutical companies, initial EXCiPACT and NSF-ECP certification programs require several days to complete and include annual surveillance audits. Qualification and verification of auditor competency and independence is key to ensuring the validity of the certification. Using auditors specifically trained and certified to excipient cGMP standards helps ensure consistent and relevant audits. The publication of the certification program, as well as criteria for approving certification bodies and auditors, should be considered as an added value for recognition of certification audits. In addition, in third-party audits, report findings are more likely to be based on excipient GMPs and less prone to auditor bias. 

Regulatory acceptance of accredited third-party party audits for assessing the quality and safety of regulated products is not new.  In October 2002, FDA implemented the Medical Device User Fee and Modernization Act (MDUFA), which authorized third-party Accredited Persons (AP) to conduct medical device facility inspections (8). 

Then, based on the agency’s recognition of the increasingly global nature of the industry, and the number of medical device manufacturers, in 2012 the International Medical Device Regulators Forum (IMDRF) designed and adopted the Medical Device Single Audit Program (MDSAP) (9) to allow for greater coverage in auditing manufacturers as opposed to relying solely on government resources from individual countries.   

Similarly, based on pioneering work by the Global Food Safety Initiative (GFSI) to develop and implement a voluntary certification program for the food industry, the FDA Food Safety Modernization Act (FSMA) final rule, “Accreditation of Third-Party Certification Bodies to Conduct Food Safety Audits and to Issue Certifications,” established a voluntary program for the accreditation of third-party certification bodies to conduct food safety audits and to issue certifications of foreign facilities and the foods for humans and animals they produce (10).


Relying on these third-party certification programs allows responsible parties to redirect their internal resources toward assessment of any relevant issues that may be outside the scope of the standard.  

Although third-party excipient cGMP certification can help pharmaceutical companies verify appropriate excipient cGMPs are in-place and being followed, certification does not exempt a pharmaceutical company from executing and documenting formalized risk assessments to identify appropriate excipient cGMPs based on intended use and criticality. In addition, in some cases a certified excipient cGMP audit report may need to be supplemented with additional information (outside the scope of the standard) to justify use of an excipient. The pharmaceutical company may need to acquire further verification, including but not limited to quality agreements, special questionnaires, teleconference discussions, and even on-site meetings and/or audits to address specific issues or concerns.


Best practices for utilizing cGMP audit reports

Through partnering and communication with excipient suppliers, pharmaceutical companies should strive to understand whether a third-party excipient cGMP certification is in place and, if not, whether a supplier might be seeking such certification.  

To help justify the acceptance of third-party excipient cGMP audit reports to a regulatory inspector, in lieu of a second-party audit and report, it is important for a pharmaceutical company to develop and document a standard operating procedure (SOP). Establishing SOPs would allow them to promptly utilize the audit report/certificate. 

The SOPs should describe the following:

  • How the company performs and documents excipient risk assessments to identify appropriate excipient cGMPs based on intended use and criticality 

  • Details for how the company qualifies the certification program(s) as well as when and how they can use an excipient cGMP certification audit report 

  • How certificate expiration will be monitored and tracked to ensure its validity

  • Where and how audit reports will be received, reviewed, and accepted actions to take if and when an issue arises with excipient quality.

Note: Inappropriate application to products outside the scope of the certification must be avoided. For example, certification of other grades cannot be inferred if only NF grade product has been included in the scope of certification. 

Critical process steps to cGMP certification

As shown in Figure 2, critical steps in the certification/recertification process include:

  • Step 1–Certification plan.The excipient supplier develops and documents an internal certification plan including appropriate SOPs for certification, drafting of an audit report, and certificate handling. Best practice is to ensure that the excipient supplier is ready for certification and that any gap assessment is conducted separately from the certifying body audits, to ensure the absence of bias.

  • Step 2–Certification audit.The excipient supplier schedules a certification audit with a certifying body (communication between supplier and certifying body). The certifying body conducts an excipient GMP audit of the excipient supplier’s facility (this requires communication between supplier and certifying body). Within an agreed upon period of time, the qualified auditor writes a report that is reviewed by a panel of the certifying body, approved, and issued.  It is critical that the audit report not contain any confidential or proprietary information about the supplier, because this information could delay providing the report to pharmaceutical companies  (this requires communication between the certifying body and the supplier).

  • Step 3–Payment.The certifying body issues an invoice to the excipient supplier (again, requiring communication between certifying body and supplier). Excipient suppliers pay the invoice, which will not be issued until payment has been received. This step, depends on communication between the supplier and the certifying body).

Note:  Payment for an audit by the excipient supplier should not be viewed as a conflict of interest as long as the certification program chosen includes the use of credible, independent, registered, third-party certification bodies employing qualified auditors who are demonstrated to be competent in the relevant standard (11). 

  • Step 4–Certificate. After receipt of payment, the certifying body issues the cGMP certificate to the excipient supplier. After receiving the cGMP certificate, the excipient supplier notifies pharmaceutical customer(s) .

  • Step 5–Audit report. After receiving the audit report from the certifying body, the excipient supplier determines their process for sharing a copy of the report with their pharmaceutical company customer(s).

  • Step 6–Surveillance audit. The supplier schedules a surveillance audit with the certifying body prior to cGMP certificate expiration, allowing sufficient time for scheduling/executing the audit and invoice payment.

Note: The frequency of certification audits (annually, as required by the EXCiPACT standard) should be compared with the traditional pharmaceutical company audit frequency, which often only occurs every three-to-five years, if at all.

As previously stated, the pharmaceutical company is ultimately responsible for ensuring the quality and safety of the ingredients that it uses for manufacturing. Key questions that pharmaceutical manufacturers should consider when documenting, justifying, and developing a risk ranking and mitigation strategy should include the following :

  • Is the certificate from an accredited third-party certification body?  

  • To what standard was the audit performed?

  • What is covered by the standard?

  • Has the auditor (training and report) and process been adequately assessed?

  • In addition to the cGMP certificate, has a risk assessment been conducted to determine the need for further supplier audits that would cover needs not addressed in a routine audit?

  • Have necessary internal SOPs been developed to document the strategy and any necessary steps taken to ensure proper execution?

  • Have criticality and ranking of excipients been performed and documented?

  • Where are the certificates and audit reports going to be stored?

  • Who is responsible for reviewing the audit reports and determining whether the excipient supplier meets defined cGMP requirements?

  • Is specific excipient product that is used included within scope of the third-party certification?

  • Who is responsible for tracking certificate expiration dates and providing notification for any potential issues? 

  • Have the necessary agreements/contracts been put in place (e.g., supplier certifications, audit reports, notifications of change, quality agreements, other) with the supplier to ensure a continued supply of excipients that meet the defined GMP requirements?

  • Are there items outside the audit/certificate that require follow up with the excipient supplier?

  • Is technical due diligence required to achieve the enhanced understanding necessary for pharmaceutical quality by design?

  • Is there any additional risk involved, or are there concerns that are not stated within the scope of the cGMP audit and certifications?

Note: Pharmaceutical companies should consider and manage for risks with suppliers and supplied excipients, and should have documented evidence that shows whether or not the supplier is addressing any potential concerns.

When pharmaceutical manufacturers audit suppliers, results can vary depending on the training, experience, and levels of bias among those performing the audits. Third-party audits offer an standards-based alternative.

Followup communications required

Often, a third-party audit cannot cover all technical aspects. Therefore, certain proprietary or ad hoc issues or concerns should be addressed via followup (phone, email/mail, in-person, other) with the supplier after the audit and audit report. Suppliers who choose to use third-party certification bodies and excipient cGMP audit reports and certificates to support their conformance to excipient cGMPs will need to select certifying bodies that have been qualified and approved by EXCiPACT or NSF-ECP, because these programs will have the ability to:

  • Manage for continued certification

  • Handle confidential information securely

  • Communicate when certification is suspended or withdrawn

  • Conduct audits and issue reports within a predefined period of time (e.g., 30 days of audit)

  • Provide excipient cGMP certificates without delay together with corresponding audit report

  • Provide notification in the event that a certificate is suspended or withdrawn

  • Provide notification if scope of certification changes

  • Help establish and maintain a channel of communication to facilitate execution of above bulleted items.

Demand for audits is increasing

Today, global regulatory authorities require objective evidence that an excipient supplier has implemented and complies with the principles of cGMP and GDP in the manufacture and distribution of excipients. As a result, an escalating number of second-party audits are being performed, globally, to justify quality and safety compliance of ingredients used in drug products. The sharp increase in the number of these audits is putting a strain on resources at both pharmaceutical companies and excipient suppliers. In addition, the training, experience, and bias from pharmaceutical company auditors is highly variable compared to the standardized qualification requirements of auditor used by third-party certification programs.

Third-party auditing and certification of excipient suppliers can assist in the development, manufacture, and supply of safe and effective medicinal products. Properly executed third-party audit and certification programs referencing consensus-based excipient cGMP and GDP standards, such as EXCiPACT and the NSF/IPEC/ANSI 363 US National Standard, deliver benefits to excipient suppliers and pharmaceutical companies, as well as regulators, by reducing the audit burden without compromising patient safety.  Such third-party audit and certification programs raise quality expectations to an industry acceptance level and enhance patient safety.  

The concept of third-party cGMP certification offers pharmaceutical manufacturers, excipient suppliers, and regulators a proactive way to ensure cGMP requirements are being met. This approach, already used in the medical devices and food sectors, and offers the pharmaceutical industry an opportunity to improve quality and safety assurance. 


1. IPEC 

on Third-Party Audit and Certification Programs.
2. EU Directive, 2011/62/EU, amending EU Directive 2001/83/EC, “Medicinal Products for Human Use, With Regards to the Prevention of the Entry into the Legal Supply Chain of Falsified Medicinal Products,” (Brussels, June 08, 2011).
3. FDA, Update on the FDA Safety and Innovation Act (FDASIA) of, March 28, 2018.
4. NSF/IPEC/ANSI 363: Good Manufacturing Practices (GMP) for Pharmaceutical Excipients.
5. EXCiPACT Certification Standards for Pharmaceutical Excipient Suppliers: Good Manufacturing Practices, Good Distribution Practices.
6. A. Shanley, “Certifying Excipient GMPs,”, Sept 08, 2015.
7. EXCiPACT is a registered trademark of EXCiPACT asbl.
8. FDA Accredited Persons Inspection Program.
9. FDA Medical Device Single Audit Program (MDSAP).
10. FDA, “Summary: Accreditation of Third-Party Certification Bodies to Conduct Food Safety Audits and to Issue Certifications,”
11. T. Scott, “Pharmaceutical Excipient Regulations: How the EXCiPACT Certification Scheme can Reduce the Audit Burden for both Suppliers and Users,” Industrial Pharmacy, 57, 4-6 (April 2018).

Article Details

Pharmaceutical Technology
Supplement: APIs, Excipients, & Manufacturing 2018
September 2018
Pages: s8, s10–13


When referring to this article, please cite it as D.B. Klug, R.D. Lindblad, D.G. Muse, K. L. Ulman, P. Walsh, and P.S. Zawislak, "Third-Party Audits: Ensuring That Excipients Meet cGMP Requirements," Pharmaceutical Technology APIs, Excipients, & Manufacturing 2018 (September 2018).

About the Authors

David B. Klug is vice-chair of user relations at IPEC-Americas. Ralph D. Lindblad, ASQ CQA, is product quality manager, Catalent Pharma Solutions. Douglas G. Muse is associate consultant for compendial affairs at Eli Lilly & Company. Katherine L. Ulman, is president of KLU Consulting. Phyllis Walsh is associate director of Merck and Company, Inc. Priscilla S. Zawislak is global regulatory affairs advocacy manager at Dow Pharma, Food & Medical Solutions.