Writing Audit Observations Part-II

Audits are generally a social exercise where the auditor represents the human face of his/her Company to the auditee. As such, auditors act as a sort of ambassador, not only for quality but also for his/her company itself. Therefore, through an auditor’s professionalism and “soft-skills,” the auditor is given the opportunity to influence the auditee in his/her Companies own interpretations of the quality standards as well as Companies expectations of quality.

In this particular article I tried to give few ideas/ suggestions regarding writing the observation & recommendations in the final audit report.

The audit report provides an objective description of the states of compliance and control with respect to the Audit Scope found at the time of the audit. An audit is a sampling, not a detailed inspection or investigation. The purpose of the audit report’s observations section is to list observations and findings that have the potential to impact the safety, identity, strength, efficacy, quality, or purity of the Scope product.

It may be helpful to distinguish here between the meaning of “findings” and “observations.” A “finding” is a quality concern that may be described as the “observed systemic failure” whereas “Observations,” on the other hand, are those objective noncompliance examples seen during the audit that give credence to the quality concern claim being made in the finding. For example, “Ensure that sampling practices do not have the potential to contaminate product (i.e., the finding). For example, it was observed that sampling scoops were being stored in direct contact with exterior surfaces of production equipment and there was no procedural requirement to do otherwise” (i.e., the supporting observations). Observations must be a clear violation of the audit standard(s). That is, the auditor may observe practices that would be clear GMP/GLP violations at an API or pharmaceutical finished dosage form facility but the same practices are not necessarily GMP violations in other industries. Put   another way, the quality assurance/control practices found at a commodity chemical manufacturer following ISO 9001 are different from the quality assurance/control practices found at a API/ finished pharmaceutical plant following GMP. Both plants have controls to assure the quality of their products but the degree of assurance is different. Auditors must respect these differences, not expecting more than the usual and customary requirement for the industry being audited. For example, second person verification of most laboratory calculations as well as the manual entry of analytical results into a LIMS is expected for API and finished dosage form manufacturing plants; however, there is no such requirement in plants operating to excipient GMP or ISO 9001 quality management systems (Packing material manufacturer)

In general, reported observations should be grouped together into related findings. However, a balance should be made between reporting all observations in a single finding and reporting all observations as individual findings. For example, it would be inappropriate to have a single finding stating “ensure that production practices are compliant” just to group all observations made during the production tour into a single observation. Likewise, it would be inappropriate to make each observation into its own finding (i.e. individual observation) Of course, auditors must use discretion in deciding whether to group observations into a larger system finding or report them as discreet, standalone observations. This discretion should be based upon (1) the criticality and impact of the observation to patient safety and product quality and (2) the auditor’s intent to ensure specific actions are implemented to address the finding.

Auditing Vs. Consulting

The auditor’s role is to audit (literally, to listen), being concerned THAT (not HOW) a practice is compliant, and helping an auditee understand the WHAT and WHY of the regulation/requirement when the practice is not compliant. A consultant’s role, on the other hand, is to consult (literally, to give advice), helping an auditee understand HOW to implement a regulation/requirement or how to do so in a more efficient way When an auditee has no idea how to make a system or practice compliant to the requirement, it may be possible for the auditor to offer several examples of what a compliant practice/system might look like. When doing so, however, the auditor must be careful not to provide examples seen at other companies, even without mentioning a company name, as these practices can be considered proprietary (i.e., intellectual property). It is best to offer recommendations that too verbally during the audit, not in written recommendations as part of the audit report. This is an example of how auditors are companies’ quality ambassadors, communicating how Company interprets guidance and requirements but still allowing the auditee to think about if and how to implement changes to their organization.

When offering written recommendations, the auditor is acting as a consultant and should do so only with extreme caution because there are potential legal and financial consequences to telling a company outside of auditors company HOW they should operate their business. For example, if an auditee implements a recommendation provided in an audit report, they are doing so at auditor companies request; therefore, they may be able to bill associated costs back to auditor's company. Also, if the recommendations were implemented and the company experiences an equipment or system failure, causing injury or loss and/or damage to infrastructure or production capability, the supplier may have legal recourse to sue Auditor’s Company (and the auditor!) for financial damages, even if the implementation was faulty and not as intended by the lead auditor. Therefore, recommendations should be extremely rare in audit reports with external partners (i.e suppliers) and even used cautiously in internal audit reports.

Recommendations, by their very nature, indicate than no quality standard requirement has been violated. Recommendations, rather, tell the auditee what the auditor believes they should do. In fact, the word “should” is generally used to describe a recommendation. Therefore, it is not appropriate to tell the auditee what they “should” do as part of an audit observation having a critical, major, or minor rating because to do so is to provide the auditee with their CAPA response before they have performed a root cause investigation (RCI) or determined the extent of any potential systemic problem.

When recommendations are included in the audit report, they are not to be written as statements. Recommendations are best written in the form of a suggestion (e.g., “To better control [X], it is recommended that [Y] be considered.”).

Finally, recommendations, by their nature, are optional. It is auditee’s choice to implement them or not.

Hope after reading this article you are now in good frame of mind to write more effective audit Observation.