Quality Audits Management. What do we need to take into account? Quality Audits managed according to QMS
Quality Audits Management System
The Quality Audits should be managed according to the Quality Management System requirements, that should include:
- A risk based planification system for audits to be performed within a certain period of time.
- Effective training and qualification programs for the auditors, including clear requirements for their approval.
- A well defined system for planning, performing, reporting and evaluating audits.
- An efficient system for handling non compliances until its closure.
Audits Life Cycle Management
In order to improve the audits management and to achieve consistent results, audits should be managed using a PDCA life cycle approach (see Figure 2).
At the beginning of each auditing cycle, usually every year, an Audit Plan shall be defined, including the type of audits to be performed, their timing, reference documents required and the responsible auditors.
Both first-party audits (internal audits) and second-party audits (audits to suppliers and subcontractors) shall be planned. Third-party audits (audits and inspections from authorities and official bodies) expected to be held in the company during the Auditing Cycle could also be included in the Plan, in order to provide a wider overview and to allow a better resources allocation. All these audits could be scheduled in a same Audit Plan, or different Audit Plans can be prepared for each type of audit.
First-party audits program
All Quality Management System standards require conducting internal audits on a regular basis, in order to verify the level of compliance of the QMS with the standard requirements and to provide tools for the continuous improvement. Most of the times, these internal audits are expected to be scheduled at least every year, although this frequency can be increased in case needed (i.e. when mayor changes are planned, or when the audits results show a poor level of control).
Thus, the complete system should be reviewed as a minimum every year, but this revision could be splitted into partial assessments along the auditing period, to allow a better fit of this requirement within the activities of the company, a better selection of specialized auditors and a more specific approach to the different areas to be audited. Moreover, according to the results obtained in each area, a specific follow up can be scheduled, including additional of-program audits in case needed.
Having this in mind, partial audits can be programmed along the year, assigning the most suitable auditors and time for each area.
Second-party audits program
According to GXP requirements, critical suppliers should be included in the Audits Plan. In some cases, there are clear regulatory requirements or expectations that stablish a minimum frequency for these audits that should be to be considering when stablishing in the Audit Plan (i.e. API suppliers should be audited at least every 3 years).
However, there are so many additional types of suppliers, with no specific existing requirements, but with direct or indirect impact over the product/data quality, that should also be assessed and approved, and maybe included in the Audits Management System. The approval criteria and auditing frequency for all these types of suppliers should be established using a Risk Based Approach.
Different risk factors should be considered during this assessment, including, of course, criticality of supplies or services provided, existing QMS in place and official certifications or the continuous quality assessment of services and products provided. This risk-based approach will provide criteria for stablishing a calendar for the suppliers and subcontractors audits, considering their level of concern and their priority within the global picture.
Throughout the year, programmed audits will be carried oud according to internal procedures, and by qualified auditors. Each audit carried out will be recorded and followed up as described in the auditing policies of the company.
Audits can be performed using own resources or can be outsourced to specialized auditors or auditing companies. In both cases, the auditors qualification, the operating procedures and the generated documents and records must be in compliance with the internal policies of the company. It is important to remember that this type of providers shall also be included in the scope of the suppliers assessment and approval, and may be included in the auditing program too.
Audits Plan compliance review
At the end of each auditing cycle, compliance with the Audit Plan shall be verified, in order to check that all the scheduled audits for this period of time have been properly completed. In the event of non-compliance with the provisions, the cause of the non-compliance shall be stated and justified.
According to the results of this revision, the new Audit Plan for the next auditing cycle will be prepared, also considering the results of the audits performed. Areas requiring special attention on the basis of previous audits, non-conformity reports or corrective action reports will be considered for scheduling additional audits.