Downloaded from journal.pda.

org on June 7, 2014

A Risk-Based Auditing Process for Pharmaceutical

Manufacturers
Susan Vargo, Bob Dana, Vijaya Rangavajhula, et al.

PDA J Pharm Sci and Tech 2014, 68 104-112

Access the most recent version at doi:10.5731/pdajpst.2014.00954
 Downloaded from journal.pda.org on June 7, 2014

COMMENTARY

A Risk-Based Auditing Process for Pharmaceutical

Manufacturers
SUSAN VARGO1, BOB DANA2, VIJAYA RANGAVAJHULA3, and STEPHAN RÖNNINGER4
1
Amgen, Inc., Longmont, CO, USA; 2PDA, Bethesda, MD, USA; 3Divison of Acquired Immunodeficiency Syndrome, National
Institutes of Health (NIH), Bethesda, MD, USA; 4Amgen (Europe) GmbH, Zug, Switzerland ©PDA, Inc. 2014

ABSTRACT: The purpose of this article is to share ideas on developing a risk-based model for the scheduling of audits
(both internal and external). Audits are a key element of a manufacturer’s quality system and provide an independent
means of evaluating the manufacturer’s or the supplier/vendor’s compliance status. Suggestions for risk-based
scheduling approaches are discussed in the article.

KEYWORDS: Audit, compliance, Quality systems, Risk assessment, Risk factors.

LAY ABSTRACT: Pharmaceutical manufacturers are required to establish and implement a quality system. The quality
system is an organizational structure defining responsibilities, procedures, processes, and resources that the manu-
facturer has established to ensure quality throughout the manufacturing process. Audits are a component of the
manufacturer’s quality system and provide a systematic and an independent means of evaluating the manufacturer’s
overall quality system and compliance status. Audits are performed at defined intervals for a specified duration. The
intention of the audit process is to focus on key areas within the quality system and may not cover all relevant areas
during each audit. In this article, the authors provide suggestions for risk-based scheduling approaches to aid
pharmaceutical manufacturers in identifying the key focus areas for an audit.

This article applies the risk-based model as described
in ICH Q9 (1) to the audit scheduling process. This
document was developed as part of PDA’s Paradigm
Change in Manufacturing Operations (PCMO) project
as the second article in the series. The first article on
auditing and good practice quality guidelines and reg-
ulations (GxP) requirements has been published (2).
The content and views expressed are the result of a
consensus achieved by the task force members and are
not necessarily views of the organizations they repre-
sent.
has the larger goal of verifying the compliance status
of the company. Audits are essential to evaluate the
capability of the company or the supplier/vendor to
consistently produce a material or service of the re-
quired quality, adequacy of production and control
procedures, suitability of equipment and facilities, and
effectiveness of the quality management system in
assuring the overall state of control. Audits can focus
on efficiencies associated with manufacturing and test-
ing; however, this type of audit is not within the
primary scope of this article.

Audits, whether they are internally or externally
driven, provide an opportunity for an independent
assessment of the quality system and compliance with
regulatory requirements; see also TR 54 on Quality
Risk Management (3). This type of independent over-
sight, including inspections by regulatory authorities,
*Corresponding Author: Susan Vargo, Amgen, Inc.,
4000 Nelson Road, M/S AC27C, Longmont, CO
80503, USA. svargo@amgen.com
doi: 10.5731/pdajpst.2014.00954
The need for performing audits stems from regulatory
requirements, companies’ responsibilities, and company-
specific business processes. These needs may be the
same or complementary. In any case, the audit process is
under the control, management, responsibility, and au-
thority of the company. These audits are an essential
element of the good practices (2), supporting and en-
abling regulatory compliance, and thus have to be gov-
erned by the company’s pharmaceutical quality system
(PQS; also called quality management system, QMS).
Additionally, a company will have established pro-
cesses for risk acceptance decisions for its operations

104 PDA Journal of Pharmaceutical Science and Technology

 Downloaded from journal.pda.org on June 7, 2014
(including audits), which need to be in compliance
with all applicable regulations. Therefore, the risk
management processes are also governed by the tasks
described in the PQS. The company’s PQS and gov-
ernance model are defined and decided upon by senior
management, having ultimate responsibility for all
matters of quality and compliance, including risk-
based management for audits.
A risk-based management process for audits aids in
determining the audit schedule and the scope. The
output from the audits will challenge or support as-
sumptions and claims of an organization’s compliance
status. None of this alters the fact that any audit is
limited in that the audit can cover and assess a partic-
ular situation on a specific day. However, an audit can
minimize the uncertainty about the compliance status.
By consequence, there remains a residual risk of non-
conformance when there is no audit or even if there is
a successful audit. The audit process will provide
evidence, but not proof, of compliance.
This document is applicable to stakeholders perform-
ing audits to assess GxP compliance. The elements
described focus on audits in the good manufacturing
practice/good distribution practice (GMP/GDP) area;
however, they can be applied to all GxP areas—for
example, good laboratory practice (GLP), good clini-
cal practice (GCP), and good pharmacovigilance prac-
tice (GPvP).
1. General Risk Factors to Consider for a
Risk-Based Auditing Approach
As with all risk-based processes, the decisions, ratio-
nales, and relevant information concerning the audits
must be documented in an appropriate level of detail.
This allows for independent review and traceability,
which may need to be demonstrated during self-audits
or regulatory inspections or customer audits. Indepen-
dent auditors/inspectors should be able to understand
and follow the process determining whether or not a
particular audit is scheduled and, if scheduled, the
scope and timing of the audit. By following this basic
principle, a company can demonstrate that its risk-
based audit process conforms to its quality system and
complies with applicable regulations. There is, how-
ever, a possibility that inspectors from a regulatory
agency may not concur with the company’s audit
process despite a clear rationale supported by scien-
tific justification.
Vol. 68, No. 2, March–April 2014
Suggestions for risk factors to be evaluated in a pri-
oritization matrix include compliance inputs (prior
regulatory inspection/company audit, overall compli-
ance history), operational inputs, and facility inputs.
Each of these risk factors should be weighted based
upon the perceived impact on compliance.
As every manufacturing site is different, it is impos-
sible to list all the different risk factors to be consid-
ered. However, this article does discuss some of the
more common risk assessment inputs used for audit
schedule development. The risks factors discussed in
the following sections (sections 1.1 to 1.5) should be
used as points to consider when assigning a fixed risk
rank to a site/operation. Assigning a fixed risk rank to
a site/operation will aid in the audit scheduling pro-
cess.
1.1 Risk Factors for Operations Performed
The operations at the site can be assigned a fixed risk
rank based on the risk associated with the operations
performed. As an example, high-risk operations usu-
ally include sterile manufacturing, packaging and la-
beling, final product release testing, and excipient
testing. The function of excipient testing is included
under high-risk operations because these raw materials
are a part of the final product formulation and do not
undergo further purification. These operations tend to
have a higher degree of regulatory oversight and are
therefore assigned a higher risk level. Additionally,
supply chain oversight including distribution and
transport practices are regarded as a high risk in to-
day’s environment. Medium-risk operations would in-
clude drug substance manufacturing and solid oral
dosage form manufacturing of drug (medicinal) prod-
ucts, while warehousing (e.g., storage areas for prod-
uct and raw materials) would be considered low-risk
operations if appropriately controlled.
1.2 Site/Facility Risk Inputs
When assessing the risk profile of a manufacturing site
for clinical or commercial products (both drug sub-
stance and drug product) or a supplier/vendor for
materials or a contract laboratory for release testing,
several factors about the facility/site and the equip-
ment should be considered. These factors include fa-
cility design (e.g., the age of the facility and compli-
ance with current expectations on design should be
considered) and maintenance, equipment maintenance
and calibration, and if there have been major changes
105
 Downloaded from journal.pda.org on June 7, 2014
to the facility and/or equipment since the last audit. If
past audits or regulatory inspections have identified
problems with major systems (e.g., air handling sys-
tems/environmental controls or clean utilities), this
information should factor into the risk profile for the
site/facility.
1.3 Product/Process Risk Inputs
Specific information on both product(s) and processes
will be useful in developing the fixed risk rank for the
site/operation. As an example, a multi-product manu-
facturer producing products in multiple profile classes
(parenterals, tablets, capsules, patches) or products
that pose patient safety risks (high potency actives,
hormones, cephalosporins, allergens, etc.) should have
a higher risk rank than a manufacturer producing a
single profile class of product. Additionally, if these
compounds are being manufactured in the same man-
ufacturing areas and/or using shared equipment with
the company’s product, then this information should
be considered in the risk ranking of the site/operations.
Risk ranking criteria can be developed based on the
product class and formulation type. For example, man-
ufacturing of an intravenous (IV) formulation of a
biologic (IV formulation of complex protein with an
adjuvant) is at a higher risk level than an oral tablet of
a well-defined small molecule (oral product).
1.4 Compliance Risk Inputs
The overall compliance elements of a site should be
assigned the highest risk score and given the greatest
weighting when determining the fixed risk rank.
Knowledge of compliance history, through recent reg-
ulatory inspections and company audits, should be
used as an input for assigning a risk ranking. Other
areas to consider when determining the overall risk
associated with the site’s compliance elements may
include criticality rating of inspection/audit findings,
timeliness in addressing findings (adequacy of re-
sponses), and status of corrective actions. In general,
the site’s experience with the health authorities is a
good indicator for compliance status. If available, any
information regarding product issues—such as Field
Alert Reports (FARs) and Biological Product Devia-
tion Reports (BPDRs) submitted to the U.S. Food and
Drug Administration or Notifications submitted to the
EU authorities—recalls, and product complaints
should be reviewed and considered elements of the
overall compliance risk.
106
Figure 1
The elements of a typical audit program.
Other areas that may indirectly affect the compliance
status of a site and should be considered in the assess-
ment include new product introduction to the site,
major changes in key GxP personnel and ownership
(i.e., company buy-out or merger), and, if applicable,
knowledge about “sister” sites’ compliance status and
the company’s contract manufacturing quality moni-
toring visit results, and the outcomes of the site inter-
nal audit program (if available). The dates of the last
regulatory inspection/audit and the dates of the antic-
ipated next regulatory inspection could be considered,
too.
1.5 Business Inputs
Business concerns are not a part of the GMP realm;
however, certain business criticality issues should be
considered as part of your risk ranking process. These
could include the volume of product manufactured or
tested or stored, if the site is single-sourced, and if
there is a licensed/approved back-up site available.
2. Risk-Based Approaches: From Planning
to Completion
The elements of a typical audit program are depicted
in Figure 1. The audit process can be divided in six
steps: scheduling, planning, preparation, conducting
the audit, report generation/issuance/response accep-
tance, and follow-up/closure. Each step is discussed
below.
2.1 Scheduling
A risk-based approach to scheduling audits is a useful
tool to determine the audit frequency for both internal
PDA Journal of Pharmaceutical Science and Technology
 Downloaded from journal.pda.org on June 7, 2014

Table I
Points to Consider When Scheduling a Supplier Audit

Audit Type
Suppliers of materials and services
(calibration and maintenance
services, clean gowns,
transportation providers)
Raw material/solvents
Criticality and
Complexity Potential Questions to Address Risk
Criticality of equipment Is this an autoclave or high-
calibrated/maintained performance liquid chromatography
by the supplier (HPLC) equipment used for every
batch (direct impact), or a water
bath thermometer (indirect impact)?
Criticality of operation Are the gowning materials used in
performed by the aseptic filling or in the bioreactor
supplier area?
Criticality of material Is this a solvent used in the last
to process process step?
Sourcing—regulatory Does the country of manufacture have
maturity of country a mature regulatory system that
of manufacture assesses manufacturing compliance?
Single source? Is the material only available from
this source versus widely available
from multiple sources?

and external audits as well as to determine the length
and the scope necessary for the audit. A tool, for
example, a ranking model (1) is useful in prioritizing
audits based on established criteria identifying rele-
vant risk factors. A prioritization matrix consisting of
risk factors weighted proportionally to a risk level can
be developed to define the audit interval based on
lowest to highest risk.
In determining the risk factors that a company will use
to develop the audit schedule, tables similar to Tables
I and II (4) can be helpful. As an example, Table I
provides suggestions on criticality and risk as related
to an audit of a supplier (i.e., a service provider or a
raw material vendor).
contract manufacturing operations and quality (includ-
ing the QP) could provide information as to the com-
pliance status of the individual contractors. In addi-
tion, laboratory and/or operations staff members who
are in contact with contract manufacturers/laboratories
may have information to contribute to the overall risk
assessment of a contract manufacturer. Participation
of the QP in the scheduling process is useful because
of his or her product knowledge and involvement in
specific quality functions such the lot release decision.
Including the QP may be of particular importance in
multinational companies where the audit program may
be operated remotely from the QP’s site of responsi-
bility.

Once the assessment has been performed, a risk level

A second example is provided in Table II (4). This
table provides suggestions for criticality and risk re-
lated to manufacturing (either for an internal audit or
a contractor audit).
Within the company, several disciplines might be in-
volved in assessing the risk for each site. For internal
audits performed by corporate auditors or performed
by auditors from the site, compliance and quality—
including the qualified person (QP)— could participate
in assessing the risk for the frequency of auditing their
specific site. For external audits performed by corpo-
rate auditors or performed by auditors from the site,
with a rating can be assigned to the audit as a means
of determining frequency. Risk levels can be high,
medium, and low. Typical intervals for the audit fre-
quency, unless specifically required by regulations,
include 12–18 months (high risk), 18 –24 months (me-
dium risk), and 24 –36 months (low risk).
Under the risk-based paradigm, new information ac-
quired during the year could be considered. Changing
suppliers, regulatory issues, product complaints, and
so on may lead to a modification of the audit schedule
during the year. Rationales for these changes can be

Vol. 68, No. 2, March–April 2014 107

 Downloaded from journal.pda.org on June 7, 2014

Table II
Points to Consider When Scheduling an Audit of a Drug Substance or Drug Product Manufacturing
Process

Audit Type Criticality and Complexity Potential Questions to Address Risk

Drug substance (biotechnology &
small-molecule active
pharmaceutical ingredients)
Drug (medicinal)
product—general
Process steps Are there multiple steps that involve
manual or highly technical
operations?
Process controls Are there controls in place to detect
or eliminate errors?
Sourcing—regulatory maturity of Does the country of manufacture have
country of manufacture a mature regulatory system that
assesses manufacturing compliance?
Single source? Is the material only available from
this source versus widely available
from multiple sources?
Dosage form manufacturing Aseptic processing versus nonsterile
process solution dosage form?
Process steps Do operations involve powder
blending versus mixing a true
solution?
Process controls Is sterilization filtration or terminal
sterilization used in solution
processing?
Ability to clean Is this a high-potency or hard-to-
solubilize product?
Intended use Does this product treat a life-
threatening illness versus a sun
screen product?
Sourcing—regulatory maturity of Does the country of manufacture have
country of manufacture a mature regulatory system that
assesses manufacturing compliance?
Single source? Is the material only available from
this source versus widely available
from multiple sources

provided as brief comments to the approved audit edge of the auditee/auditors, the preliminary time-
schedule. frame for the audit, the preliminary scope and objec-
tive of the audit, and the expected duration of the
2.2 Planning audit.

The audit plan defines the audit scope, requirements
and schedule based on the risk assessment results.
Once the schedule has been developed and approved,
the planning phase can be initiated by corporate com-
pliance or the site compliance unit. During planning,
the corporate compliance or site compliance unit
should identify, for each scheduled audit, the stan-
dards against which the audit is to be performed, the
lead auditor and audit team members, language knowl-
In the planning step, risk management elements could
be key drivers to determine the audit planning ele-
ments. As an example, the more traditional approach
for audit scope would be to focus on the product and
to evaluate all documentation and systems associated
with the manufacture of the product. This approach
can be time-consuming and require multiple auditors.
Using a risk-based approach, the audit scope could
focus on key system elements (including the quality

108 PDA Journal of Pharmaceutical Science and Technology

 Downloaded from journal.pda.org on June 7, 2014
Table III
Risk Management Elements When Planning an Audit (5)
Element of Audit
Planning Traditional Approach
Lead auditor Certified auditor (1); certification by the
company or an independent
organization
Audit team members Subject matter experts according to the
scope (2–5)
Preliminary timeframe Fixed for drug products, active
pharmaceutical ingredients, etc.
Objective Cover the product and all quality
system topics
Preliminary scope Product
Expected duration 2–5 days
system) to evaluate the product being manufactured
and/or tested at the site. There are examples listed in
Table III that complement the Pharmaceutical Inspec-
tion Convention and Pharmaceutical Inspection Co-
operation Scheme (PIC/S) recommendation “A Rec-
ommended Model for Risk Based Inspection Planning
in the GMP Environment” (5).
2.3 Preparation
During the preparation phase, the lead auditor is re-
sponsible for confirming, with the auditee, the specific
dates for the audit. The objective and scope of the
audit, based on the result of the risk assessment of the
auditee, could be finalized during the pre-audit nego-
tiations with the auditee. The audit agenda could be
finalized and shared with the audit team and the audi-
tee.
Preparation activities could include requests for pre-
read material such as the quality manual; the site
master file (including organizational chart), if appli-
cable; the validation master plan; and so on. The
auditors could request from the manufacturer/supplier
GMP certificates or, if considered necessary, prior
inspection reports and the respective corrective/pre-
ventive actions from health authorities, if available. It
is useful to understand the focus of the regulatory
inspection and to note where the inspectors did or did
not find compliance problems at the site. Information
Vol. 68, No. 2, March–April 2014
Risk-Based Approach
Certified auditor (1); certification by the
company or an independent
organization
Subject matter experts according to the
scope (1–3)
Variable based on the level of
knowledge the auditing organization
has of the supplier
Cover the quality system topics that
affect the product and/or had been of
uncertainty/concern
Quality system
1–5 days; variable, according to the
result of the risk assessment of the
supplier, product type, etc.
of this type can aid in targeting the scope of the audit
and allow for efficient use of audit time and resources
at the site. The outcome of regulatory inspections (if
confirmed to be of relevant scope) may be used to
defer the audit to a later date on the basis of reduced
risk. It is important that the company’s audit program
evaluate all relevant areas, as part of the audit scope,
over a number of audit cycles independent of regula-
tory inspections. A regulatory inspection should not be
used as the sole replacement for the audit. A decision
to defer the audit to a later date should be documented
including a follow-up date in the decision.
2.4 Conducting the Audit
The audit itself could begin with an opening meeting
to restate the objective and scope of the audit (as
defined by the results of the risk assessment) and the
basic requirements on which the auditors will base
their audit. Additional document requests may be made
at this time, if applicable. The majority of time spent at
the audit will be devoted to reviewing operations, docu-
mentation, observing ongoing processes (e.g., manufac-
turing, testing), facility tours, and interviewing relevant
staff according to the risk assessment. This schedule
should be carefully developed based on the information
available.
As part of the audit, the audit team should assure that
the auditee has fulfilled all regulatory requirements
109
 Downloaded from journal.pda.org on June 7, 2014

Table IV
Example of Ratings for Audit Observations

Suggested Timeframe for Corrective

Rating Observation Description Measures
Critical Observation describing a situation that is likely Immediate remedial action must be
to result in a noncompliant product, quality initiated immediately, within 1
defect, or a situation that may result in an month.
immediate or latent health risk and includes
any observation that involves fraud,
misrepresentation or falsification of products
or data.
Critical observations in an audit will
compromise the success of inspection(s) by
authorities.
Major Observation that may result in the production No later than three months; in cases
of a drug (substance or product) not where this is not practical, an action
consistently meeting its marketing plan to be available within one
authorization. month.
Major observations may compromise the
success of inspection(s) by authorities.
Remedial action must be initiated in the short
to medium term.
Minor Observation that is neither critical nor major Remedial action must be initiated.
but represents a departure from the GMP. Up to 6 months; in cases where this
There is a low risk of inspection(s) by is not practical, an action plan to be
authorities being compromised. available within 1 month.
Recommendation A recommendation does not represent a As appropriate
violation of the principles of the PQS in
terms of QMS and/or GMP rules. It outlines
areas of suggested improvement.

committed to as part of a marketing application or in
response to a regulatory inspection. Compliance with
new regulations and regulatory guidance should be
assessed during the audit as well. The auditors should
confirm completion, implementation, and (if possible)
effectiveness of all corrective actions from the previ-
ous audit. Daily wrap-up meetings are recommended
with a final closing meeting on the last day of the
audit. During this meeting, the auditors will present
their major observations to the auditee and its man-
agement.
2.5 Report Generation, Issuance, and
Response Acceptance
The audit report is the formal work output after the
audit. It is the lead auditor’s responsibility to generate
and issue the audit report. The report would describe
the scope and objective of the audit as well as present
the major findings supported by the individual obser-
vations made during the audit. Each finding could be
rated according to a risk ranking system. One ap-
proach is to rank the findings as critical, major, minor,
or recommendation (6, 7) (refer to Table IV).
It is useful to include explanatory text following each
finding to provide guidance to the auditee on what
would constitute an acceptable response. Follow-up
items for the next scheduled audit of this site should be
included in the report.
In addition, an overview of the audit and inspection
activities at a manufacturing site is useful to senior
management. This overview can be a summary of
observations and corrective/preventive actions from
the audit. This summary can then be ranked as “good”,

110 PDA Journal of Pharmaceutical Science and Technology

 Downloaded from journal.pda.org on June 7, 2014
“satisfactory”, or “unsatisfactory” (8). The ranking is
used for decisions, for example, to initiate a specific
global action across the company (internal audit), to
continue business with a specific contract manufac-
turer or supplier (external audit), or to adjust the
frequency for the next audit of this site/company (in-
ternal or external audit).
It is the auditee’s responsibility to respond to the audit
findings/observations with an acceptable corrective
action plan identifying what action(s) will be taken or
not, who will be responsible for the corrective ac-
tion(s), and the expected time/date for completion.
Multiple interpretations of regulatory requirements
have been seen in regulatory inspections as well as in
audits by companies. It may be beneficial to relate the
interpretation to patient risk and/or product quality,
and to consider best practice documents when re-
sponding to the audit in order to align with a harmo-
nized interpretation and/or understanding of the re-
quirements. The latter may be more applicable to an
external audit response.
The response to the audit should be issued in a timely
manner. The typical response time is within 1 month.
As part of the response acceptance process, the lead
auditor and the audit team—including subject matter
experts (SMEs)—should assess both the completeness
of the response and timeliness of the corrective action
closure. The response should be judged in terms of the
criticality rating of the finding. One could anticipate
that a critical finding would require a global/systemic
response (e.g., a implementing a revised change con-
trol program), whereas a minor finding could have a
narrower response (e.g., a revision to standard oper-
ating procedures). Additionally, the completion dates
should be based on the criticality rating of the finding/
observation as well as the complexity of the corrective
action.
2.6 Completion, Follow-up, and Closure
Upon acceptance of the responses by the lead auditor
and the audit team, the follow-up and commitment due
date closure process begins. As soon as the corrective
actions are accepted and the compliance status is ver-
ified by the lead auditor, the completed audit should be
forwarded to other stakeholders as needed (e.g., in the
EU, the QP). This is a similar process to that of issuing
a GMP certificate of an authority.
Subsequent to the completion step is the audit closure
step. The auditee is responsible for providing updates
Vol. 68, No. 2, March–April 2014
and evidence for the audit closure to the lead auditor.
Both the auditee and the lead auditor or an assigned
person in the organization should track each commit-
ment to assure that it is closed as agreed upon during
the response acceptance process and that it is closed
on time. Any change to the corrective/preventive ac-
tions (i.e., change in activities associated with the
accepted response, change in the commitment due
date) should be communicated to the lead auditor or
designee. A rationale and a risk assessment to support
the change should be presented as well. Evidence of
completion of the corrective action should be provided
to the lead auditor at the time of completion. Occa-
sionally, the verification of the corrective action must
occur at the auditee’s site (e.g., a new piece of equip-
ment). Once all corrective actions have been verified
as acceptable, the audit may be closed.
The overall conclusion of an audit (internal or external)
should be used as a basis for scheduling the subsequent
audit of the site according to the risk-based approach.
Based on the risk/ranking assigned and the urgency for
corrective action verification, the scheduled date for the
subsequent audit could be adjusted to occur sooner or
later within the next audit schedule. If the interval be-
tween site audits is extended, quality monitoring systems
should be used to alert a manufacturer to potential
changes in product quality or in the quality of materials
supplied by a vendor. Examples of quality monitoring
systems include raw material testing, in-process testing,
and final product release testing.
Finally, a quality metric(s) could be used to inform
senior management of the overall effectiveness of the
company’s audit program. Elements measured could
include status of the audit schedule (on time, post-
poned, canceled, waived based on risk), significance
of the observations, status of individual audits (open,
closed), timeliness of audit report issuance (on time,
late), timeliness of auditee responses (on time, late),
and so forth. These indicators may or may not reflect
the quality of each audit, but could provide senior
management with adequate information to judge the
overall compliance status of the company.
3. Conclusion
Auditing is an excellent indicator of the overall effec-
tiveness of the company’s and the contractor’s quality
systems and product performance. The implementa-
tion of a risk-based audit management system at both
the local and global level (if applicable), including
111
 Downloaded from journal.pda.org on June 7, 2014
regular updates to senior management, could influence
the outcome of regulatory inspections (i.e., no unex-
pected observations by the inspectors). However, if
there are unexpected observations, it is important to
review and assess the risks to understand how best to
improve the quality system elements, including the
audit program. Finally, implementing risk-based ap-
proaches to the company’s audit program will help to
focus resources on key areas of importance, thereby
minimizing the risk to patients.
Acknowledgements
The authors thank Jim Lyda, PDA, for his input chal-
lenging the initial draft and as well as other members
of the PCMO Task Force: Amnon Eylath, Mark Frank-
com, and Siegfried Schmitt. Additionally, the authors
would like to thank Catherine Bomer for her assis-
tance in the preparation of this manuscript.
Conflict of Interest Declaration
The authors declare that they have no competing in-
terests.
References
1. International Conference on Harmonization. ICH
Q9. Guideline on Quality Risk Management, No-
vember 2005.
2. Rönninger, S.; Schmitt, S.; Rangavajhula, V.;
Lyda, J.; Hough, E. Considerations on auditing
112
and GxP requirements along the product life cy-
cle. PDA J. Pharm. Sci. Technol. 2012, 66(5),
396 – 402.
3. PDA Technical Report No. 54 (TR 54) Implemen-
tation of Quality Risk Management for Pharma-
ceutical and Biotechnology Manufacturing Oper-
ations, 2012.
4. Rönninger, S.; Holmes, M. A risk-based approach
for scheduling audits. PDA J. Pharm. Sci. Tech-
nol. 2009, 63(6), 575–588.
5. PIC/S. A Recommended Model for Risk Based
Inspection Planning in the GMP Environment. PI
037-1, January 1, 2012.
6. Health Canada. Health Products and Food Branch,
Risk Classification of Post-Market Reporting
Compliance Observations, Guide-0063, Novem-
ber 21, 2005.
7. European Medicines Agency. Compilation of
Community Procedures on Inspections and Ex-
change of Information, EMA/INS/GMP/321252/
2012/Rev. 15, July 16, 2012.
8. Rönninger, S.; Berberich, J.; Fischer, G.;
Persson, I.; Wandt, C.; Wall, L. How can we
balance value, effort and risk in foreign GMP
inspections? A future perspective. GMP Re-
view, 2012, 10, 14 –18.
PDA Journal of Pharmaceutical Science and Technology
 Downloaded from journal.pda.org on June 7, 2014

An Authorized User of the electronic PDA Journal of Pharmaceutical Science and

Technology (the PDA Journal) is a PDA Member in good standing. Authorized Users are
permitted to do the following:

·Search and view the content of the PDA Journal

·Download a single article for the individual use of an Authorized User
·Assemble and distribute links that point to the PDA Journal
·Print individual articles from the PDA Journal for the individual use of an Authorized User
·Make a reasonable number of photocopies of a printed article for the individual use of an
Authorized User or for the use by or distribution to other Authorized Users

Authorized Users are not permitted to do the following:

·Except as mentioned above, allow anyone other than an Authorized User to use or access the
PDA Journal
· Display or otherwise make any information from the PDA Journal available to anyone other
than an Authorized User
·Post articles from the PDA Journal on Web sites, either available on the Internet or an Intranet,
or in any form of online publications
·Transmit electronically, via e-mail or any other file transfer protocols, any portion of the PDA
Journal
·Create a searchable archive of any portion of the PDA Journal
·Use robots or intelligent agents to access, search and/or systematically download any portion
of the PDA Journal
·Sell, re-sell, rent, lease, license, sublicense, assign or otherwise transfer the use of the PDA
Journal or its content
·Use or copy the PDA Journal for document delivery, fee-for-service use, or bulk reproduction or
distribution of materials in any form, or any substantially similar commercial purpose
·Alter, modify, repackage or adapt any portion of the PDA Journal
·Make any edits or derivative works with respect to any portion of the PDA Journal including any
text or graphics
·Delete or remove in any form or format, including on a printed article or photocopy, any
copyright information or notice contained in the PDA Journal