Audit principles ISO 19011

3. Rashid Mahmood
Plant Manager, Dyson Research Laboratories (Pvt.) Limited

4.  ISO 9000
 “ A systematic, independent and documented
process for obtaining audit evidence and evaluating
it objectively to determine the extent to which audit
criteria are fulfilled”

5.  “An examination of a product, process, service, or
installation or their design and determination of its
conformity with specific requirements or, on the
basis of professional judgment, with general
requirements (ISO/IEC 17000 definition).”

6.  Wikipedia
 “Quality audit is the process of systematic examination of
a quality system carried out by an internal or external quality
auditor or an audit team”
 Generalized
 “Quality audit is defined as a systematic and independent
examination to determine whether activities and related results
comply with planned arrangements and whether these
arrangements are implemented effectively and are suitable to
achieve objectives “

7.  Inspection: Focuses on “WHAT”
 Audit: Focuses on “WHY”
Audit Inspection

8.  Inspection: Focuses on an “ACTION”
 Audit: Focuses on “PROCESS”
 Definition of Process
 “a set of interrelated or interacting activities that
transforms inputs into outputs.”(ISO)

10.  Inspection: “QUANTITATIVE”
 Audit: “QUALITATIVE”
 Inspection: “SIMPLE”
 Audit: “COMPLEX”
 Inspection: Creates “ACTIONS”
 Audit: Creates “RECOMMENDATIONS”
 Inspection: More “CONCURRENT”
 Audit: More “RETROSPECTIVE”

11.  Inspection: Focuses “WORKPLACE, WORK
EQUIPMENT OR WORK ACTIVITIES”
 Audit: Focuses “MANGEMENT SYSTEM”
 Inspection: “VISUAL/OBSERVATIONAL”
 Audit: In addition “EVIDENCE
COLLECTION”
 Inspection: May involve “LOCAL MANAGEMENT”
 Audit: Independent of “LOCAL MANAGEMENT”

12.  Inspection: WHO GMP details “REQUIREMENTS
AND FREQUENCY”
 Audit: WHO GMP no details “REQUIREMENTS
AND FREQUENCY”
 Inspection: “MORE FREQUENT
 Audit: “LESS FREQUENT

13.  Chapter 1: Quality Assurance
 Chapter 7: Contract Production andAnalysis
 Chapter 8: Self Inspections & Quality Audits
 Whole chapter comprising of 9 clauses

14.  Chapter 9: Personnel
 Key Personnel (9.12; authorized person)
 Chapter 15: Documentation (15.1 General principles)
 Chapter 9: Personnel
 Key Personnel (9.14; the person approving batch for
market has to ensure that)

15.  To verify conformance to standard (i.e; cGMP, DRAP
regulations, ISO 9001:2015 etc)
 To verify effectiveness of quality management system
 To verify objective evidence showing conformance to
the required processes.
 To assess how successfully processes have been
implemented

16.  To verify conformance to standard (i.e; cGMP, DRAP
regulations, ISO 9001:2015 etc)
 To verify effectiveness of quality management system
 To verify objective evidence showing conformance to
the required processes.
 To assess how successfully processes have been
implemented

17.  To judge the effectiveness of achieving any
defined target levels
 To provide evidence concerning reduction and
elimination of problem areas and
 A hands-on management tool for achieving
continual improvement in an organization
 To fulfill customer requirements

18.  Pharmaceutical manufacturers commonly use
audits as an effective mechanism to verify
compliance with GMP regulation. GMP audits
are done with two important goals:
 to verify that manufacturing and Control systems
are operating under a state of control.
 Audits permit timely correction of potential
problems.

19.  Audits can be used to establish a high
degree of confidence to remain under an
adequate level of control by managements
 Any failure in their proper implementation
may be published publicly and may lead to
a revocation of quality certification/
registration/ licensing (loss of business/loss
of reputation)

20.  Internal Audit
 External Audit
 Regulatory Audit

21.  Also called “First Party Audit”
 “An audit conducted by the organization itself of
its own management system and procedures”
 Objective: To ensure compliance with
established criteria, performance reviews and
continual improvement

22.  Also called “Second Party 'Audit”/ “Supplier’s Audit”
 “An audit conducted by parties having an interest in the
organization”
 Objective:
 To perform assessment of suppliers by customers or by
any other party
 To appraise performance of suppliers/customers
 Capability verification

23.  Also called “Third Party Audit”
 “An audit conducted by independent auditing
organization for review or issuance of certificates”
 Objective:
 To verify organization’s compliance with requirements
of standard.

24. GUIDELINES FOR AUDITING
MANAGEMENT SYSTEM

25.  1-Scope
 2-Normative references
 3-Terms & definitions
 4-Principles of auditing
 5-Managing an audit program
 6-Performing an audit
 7-Competence & evaluation of auditors

31.  Six principles to be followed:
1. Integrity
2. Fair Presentation
3. Due Professional Care
4. Confidentiality
5. Independence
6. Evidence Based Approach

32. 1. Integrity: foundation of professionalism

33. 2. Fair Presentation: the obligation to report
truthfully and accurately
 Audit findings, audit conclusions and audit
reports should reflect truthfully and accurately
the audit activities.
 Significant obstacles during audit and unresolved
diverging opinions between audit team & auditee
should be reported.
 The communication should be truthful, accurate,
objective, timely, clear and complete

34. 3. Due Professional Care: the application of
diligence and judgment
4. Confidentiality: security of information
5. Independence: the basis for impartiality of
audit and objectivity of the audit conclusion
6. Evidence based approach: the rational method
for reaching reliable and reproducible audit
conclusions in a systematic audit process

35. 1. Auditors
2. Procedures
3. Work Instructions
4. Records
1. Audit Report
Pre-Audit
During Audit
Post Audit

36.  To be performed prior to audit:
1. Establish initial contact with auditee
2. Document review
a. Review of manuals & procedures
b. Websites, pre audit reports etc
c. Audit plan
d. Audit checklist
e. Observations
f. Feasibility
3. Audit team formation (Roles & responsibilities)

37.  To be performed during audit i.e; on audit site:
1. Meeting with top management
2. Conduct opening meeting
3. Collecting evidence
a. Interview
b. Observation
c. Document review
4. Generating audit evidence
5. Verification of audit evidence with criteria

38. 6. Generating audit finding (CAR, OFI)
7. Audit review meeting
8. Closing meeting

39.  To be performed after audit:
1. Audit report
2. Verification of activities by physical visit or
document review (Follow up audit)
3. Close out of audit findings

40. 1. Establish initial contact with auditee:
a. Communication with auditee
b. Confirmation of authority to audit
c. Requesting information on audit scope, objectives, methods and
audit team
d. Request documentation & records
e. Proposed timings
f. Arrangements of auditing
g. Agree on attendance of observers
h. Any area of concern or interest
i. Any rules & regulations

41. Audit Scope:
 “Extent & boundaries of audit”
 It is defined in terms of physical location, organizational units,
activities & processes to be audited & time or duration of audit
Audit Criteria:
 “Set of policies, procedures or requirements used as reference
against which audit evidence is compared”
 DRAP regulations, FDA GMP, WHO GMP, ISO standards,
company policies, manuals, SOPs, specifications, work
instructions are examples of audit criteria

42. Audit team:
 Should be selected based on skills & competence needed to
achieve audit objectives within the defined scope.
 Members:
 One or more auditors
 Technical expert
 Team leader
 Team leader
 Assigns duties & responsibilities to team members
 Plans, directs & controls the activities of audit
 In some cases he may alone perform all the activities

43.  Auditor
 Responsible to perform activities as assigned by team leader
 Technical expert
 Also called “Sector Expert” who has special experience & knowledge of
audit area
 Interpreter
 May be required where language or cultural difference are faced
 Arbitrator
 To resolve any dispute or issues during the audit due to conflict of interest
 Guide
 To assist or guide the auditor during audit
 Observers
 Trainee auditors from junior management or from audit organiation who
pursue their career in auditing

44.  Audit Plan: To be developed by team leader
 It should include or reference following items:
 Audit objectives
 Audit scope
 Audit criteria & reference documents
 Location
 Total time duration
 Audit team members
 description of sites, activities and processes & allocation
of resources

45.  Audit Plan: To be developed by team leader
 It my also include:
 Names of auditees
 Audit language
 Roles & responsibilities of team members
 Audit report topics
 Classification of CARs/NCRs
 Logistics
 Issues related to confidentiality
 Any arrangements for audit follow-up actions

46.  Audit Checklist
 To be prepared by audit members
 Series of questions on audit
 An aid or guide during audit
 Think “What to look at” & “What to look for”

47.  Advantages of Checklist
 Gives an aid or guide
 Helps to control the pace of audit
 Tool to record response of auditee
 Helps maintain guided sequence
 Nothing is forgotten
 Sets priorities of questions
 Reduces workload during audit
 Reflects auditor’s professionalism
 Provides space to write audit notes

48.  Disadvantages of Checklist
 Items/questions not written are left over
 Confinement to checklist items
 Prevents auditor from observations and open mindness
 It may become a tick list
 If it has many questions, it may irritate auditee
 May stifle initiative and process analysis

49.  Prepare a logically effective and efficient audit plan, showing
a documented list of activities that the team would perform
during on-site auditing, showing:
 Areas/departments of company to be covered
 All timings and activities of the audit team for duration of the
audit
 The activities of the plant where the audit would commence
 The progression from the first activity to the next, and so on, until
complete

50.  Prepare an audit checklist and any other work
documents that you feel are necessary or
appropriate for use during the audit; use any of 3
chapters of WHO GMP as audit criteria. Prepare
maximum of 10 questions
 Compose an audit team stating the roles of
members

51. 1. Meeting with top management
 Keep top management aware of the audit activities
 Points to be audited for top management
 Commitments of top management
 Continual improvement
 Implementation and communication of quality policy
 Monitoring & measurement of quality objectives
 Provision of resources
 Compliance with legal & other requirements
 KPIs monitoring
 Commitment towards customer satisfaction

52. 2. Opening Meeting
 Objective:
 Establishment of communication with auditee
 Confirmation of agreement on audit
 Confirmation of audit objectives
 Explanation of audit plan
 To be done by lead auditor

53. 2. Opening Meeting
 Activities:
 Introduction of all participants
 Attendance
 Agenda distribution
 Audit plan distribution
 Open meeting by explaining the purpose of audit
 Explanation of responsibilities of lead auditor,
auditor, observer & guide
 Briefing auditee about audit
 Confirm audit objectives

54. 2. Opening Meeting
 Activities:
 Confirm scope of audit
 Confirm audit criteria
 Confirm audit language
 Confirm availability of resources & facilities
 Discuss professional conduct/confidentiality
 Confirmation of auditing methods & strategies
 Confirmation of time table
 Solving auditee’s conflict/response

55. 2. Opening Meeting
 Activities:
 Explanation of conditions where audit can be
terminated
 Explanation of appeal system
 Discussion on audit report
 Audit follow-up actions
 Confirmation of time of closing meeting
 Give opportunity to auditee to ask any questions

56. 3. Collecting evidences
 What is audit evidence
“Records, statements of facts or other
information which are relevant to audit
criteria & verifiable” (ISO 19011)
 “Pieces of information collected by auditor
to determine whether the system being
audited is in accordance with the
established audit criteria”

57. 3. Collecting evidences
 A variety of methods may be used:
 Interviews
 Observations
 Review of documents & records

58.  Interviews
 Select the right person
 Interview persons that manage, perform, and verify
activities with responsibility & authority for work
 Conduct interviews at the agreed time & location
 Explain the reason for interview
 Record the response & important information
obtained for future reference
 Explain the reason for interview

59.  Interviews
 Questioning techniques (5 Ws & one H)

60.  Observations
 Must be highly observant
 Must keep eyes & ears open
 Record any evidence collected by observation; it can
be used later by the audit team to report any non
conformance

61.  Review documents & records
 One of the best tool for collecting evidence
 Check if document is approved, current , controlled
& relevant?
 Check if records are properly maintained &
controlled?

62.  Review documents & records
 Examples of documents & records
 Policies, objectives, manuals
 SOPs. Work instructions
 Soft & paper data
 Purchase records
 Storage & dispensing records
 Manufacturing records
 Cleaning records
 Validations
 Stability data etc etc

63.  Audit trail
 “Set of records, or activities that follow a particular
sequence or chronological order”
 During interviews, observations & questioning auditor can
build an audit trail by asking questions which are interrelated
or in a sequence to identify any observation

64.  Audit sampling
 Samples are audited; it is not practical to observe
every function, area, process, documents or records
 2 methods of audit sampling:
 Judgment based sampling
 Knowledge
 Skill
 experience
 Statistical sampling
 Statistical techniques e.g; probability, attributes based or
variable based sampling

65.  Controlling the audit
 Dos
 Ask open ended questions
 Be on time
 Be prepared
 Be impartial
 Be composed
 Listen
 Talk to the right person
 Remain focused

66.  Controlling the audit
 Dos
 Build audit trail
 Be honest, fair, professional
 Be knowledgeable
 Try not to be biased
 Be polite & calm
 Give compliments

67.  Controlling the audit
 Don’ts
 Don’t panic
 Don’t be rude
 Don’t be aggressive
 Don’t be timid
 Don’t ask duplicate questions
 Don’t rely on guides & auditee
 Don’t rely on statements only

68.  Controlling the audit
 Don’ts
 Don’t ask leading questions
 Don’t ask close ended questions
 Don’t nit-pick
 Don’t trust on memory
 Don’t be biased
 Don’t compare with other sections or
companies

69.  Controlling the audit
 Don’ts
 Don’t ask tricky question
 Don’t assume or presume anything
 Don’t shower too many questions
 Don’t let auditee lead the audit
 Don’t act superior
 Don’t talk down
 Don’t talk to irrelevant persons

70.  Controlling the audit
 Be mentally prepared for
 Aggressive auditees
 Timid auditees
 Missing people
 Missing documents
 Missing keys
 Prepared samples
 Special cases
 Local issues & cultural customs

71.  Audit finding
 “Result of evaluation of the collected audit
evidence against audit criteria” (ISO 19011:2011)
 Audit finding may be non-conformity or conformity
 Non-conformity: “The non-fulfillment of a requirement”
 Non conformity and its objective evidence must be
recorded.

72.  Writing statement of non-conformity
 Brief overview of non-conformity
 Failure in the system
 Audit evidence
 State the requirement (e.g; applicable GMP/ISO clause
and description)
 “Management review meeting was no conducted last year as per
schedule No. 123. No evidence of conducting management review
meetings as per management review meeting schedule.
 9.3. Management Review, the management shall review the
organization’s QMS at planned intervals

73.  Corrective action report (CAR)/NCR
 Major NCR where,
 Total breakdown of a process or procedure which is
critical to QMS or product or service
 Total absence of a requirement mentioned in standard .
 A number of minor lapses in system, which when taken
together suggest a total or important breakdown in the
process

74.  Corrective action request (CAR)/NCR
 Minor NCR where,
 A lack has been identified in a process, activity, product
or service in the operation of QMS but its severity is not
high
 There is a minor non-compliance in a system which is
not affecting the process or quality.

75.  Corrective action report (CAR)/NCR
 *Opportunity for improvement (OFI) where,
 Areas which are in compliance but may further be
improved
 Concerns are not yet serious enough to issue NCR/CAR
 Deficiencies are seen in which there is a doubt
 * these are also called “Observations” or “Comments”

76.  Audit review meeting
 To be conducted by lead auditor team memebres
after completion of audit
 During this meeting:
 All of the observations, evidences gathered are reviewed by
audit team leader
 Audit conclusion is made for presentation to client
 Decisions are taken on grading NCs as major, minor or OFI

77.  Closing meeting
 To be conducted by lead auditor on auditee’s
premises
 Participants may include:
 Responsible people from department, functions or processes
which are audited
 Other interested parties
 Top management representative

78.  Closing meeting
 Items of closing meeting
 Attendance sheet
 Purpose, scope and objectives of audit
 Thanks giving to auditee for cooperating
 Method of audit reporting
 Describe strengths & weakness
 Explain NCRs, OFIs
 Distribute NCR/CAR forms
 Explain the process of closeout of NCs

79.  Closing meeting
 Items of closing meeting
 State final decision & conclusion
 Explain confidentiality
 Tell time duration of submission of audit report
 Explain audit follow up process
 Thanks to client/management
 Quick fixes should not be accepted
 Any conflict/objection by auditee should be managed tactfully &
respectfully.

80.  GMP classification
 Critical NC:
 Major NC:
 Minor NC/Others:

81.  Critical NC
A deficiency which has produced, or leads to a
significant risk of producing either a product which
is harmful to the human or veterinary patient or a
product which could result in a harmful residue in a
food producing animal.

82.  Critical NC
A critical deficiency also occurs when it is observed
that the manufacturer has engaged in fraud,
misinterpretation or falsification of products or data.

83.  Critical NC
May consist of several related deficiencies, none of
which on its own may be critical, but which may
together represent a critical deficiency or systems
failure and should be explained and reported as such

84.  Major NC
A deficiency that is not a critical deficiency which
 has produced or may produce a product, which does
not comply with its marketing authorisation; OR
 does not ensure effective implementation of the
required GMP control measures; OR
 indicates a major deviation from the terms of the
marketing authorisation; OR

85.  Major NC
A deficiency that is not a critical deficiency which
 indicates a failure to carry out satisfactory
procedures for release of batches or a failure of the
authorised person to fulfil his/her required duties;
OR

86.  Major NC
A deficiency that is not a critical deficiency which
 indicates a failure to carry out satisfactory
procedures for release of batches or a failure of the
authorised person to fulfil his/her required duties;
OR

87.  Major NC
A deficiency that is not a critical deficiency which
consist of several “other” related deficiencies, none of
which on its own may be major, but which may
together represent a major deficiency or systems
failure and should be explained and reported as such.

88.  Minor NC
 A deficiency which cannot be classified as either
critical or major, but which indicates a departure
from good manufacturing practice.
 (A deficiency may be “other” either because it is
judged as minor, or because there is insufficient
information to classify it as major or critical)

89.  Use of subjective words (should be avoided)
“Very Bad/Poor”
“Disappointing”
“I think”
“My opinion”
“Careless”
“No where”

90.  Overstating the deficiency (should be
confined to sampled problem)
“Many of the SOPs were not approved”
“Majority of workers were untrained”
“A few of analysts know calibration procedure”
“Most of the areas were dirty”

91.  Exclamation words (should be avoided)
“Regretfully”
“Amazingly”
“Like ever”
“Hopefuly”

92.  Lack of Clarity (should be clear)
“The purified water hose not hung to hook”
“The opening to the manometer in the wall had been
covered with adhesive tape.
The lid of stainless steel container showed adhesive
tape remainder

93.  Lack of Clarity (should be clear)
“The purified water hose not hung to hook”
“The opening to the manometer in the wall had been
covered with adhesive tape.”
“The lid of stainless steel container showed adhesive
tape remainder”

94.  Operating beyond audit criteria (remain within
criteria)
“Surrounding of the factory was dirty”
“Flow of sections was not unidirectional”

95.  Repetition of deficiencies (Remain
comprehensive)
1- “Procedure of training was not being followed;
assessment was done on unapproved format”
2- “Schedule of training was not prepared as per SOP
of training”

96.  Merging deficiencies of different
clauses/groups in one
“Operator was not wearing mask and was mixing
batch without supervision”

97.  Over emphasizing
“The requirements of clause abc and xyz relating to
calibration of equipment had not been met as several
calibrations had not been completed:”
a.Temperature and humidity recorders had not been calibrated
b.Calibration due dates have passed on some balances.
c.Pressure testing equipment was out of calibration date and
did not have a warning sign

98. Non-conformity
The non-fulfillment of a specified requirement
Non-conformance:
A deficiency in a characteristic, product specification,
process parameter, record, or procedure that renders the
quality of a product unacceptable, indeterminate, or not
according to specified requirements

99. Deviation
Departure from an approved instruction or established
standard.
Discrepancy:
Departure from an approved instruction or established
standard.
Incident:
Operational event which is not part of standard
operation

100.  Readout the case studies & find out
the non-conformity (if any), classify
the NC and mention the applicable
GMP clause.

107.  Audit report
 Verification of activities by physical visit or
document review
 Closeout of audit findings

108.  Audit report
 It is a summary of audit conclusion,
findings, and other audit activities
performed during audit
 It is prepared by auditor team member or
lead auditor
 It must provide a clear, concise, complete, and
accurate record of the actual audit

109.  Audit report may include:
 Audit objectives
 Audit scope & criteria
 Auditee information (names, designation etc)
 List of audit team members & other
participant
 Dates and location
 Executive summary
 Stengths & weakness of auditee

110.  Audit report may include:
 Audit findings
 Evidences (documents, records etc)
 NCRs
 OFIs
 Audit conclusion
 Statement on the degree on fulfillment of
audit criteria

111.  Audit report may also include:
 List of reference standards, documents used
during audit
 Any exclusions or areas not covered
 Agreed follow up plans
 Distribution list of audit report

112.  Audit report distribution:
 Should be timely
 Any delay must be communicated
 Be distributed to auditee, management,
regulatory bodies (where applicable), client or to
certification body