Compliance with US and EU Internal Audit Requirements

Internal audits, or self-inspections as they are called in the European Union, help assess a pharmaceutical company’s quality system and compliance status. When a company performs internal audits, it is essential to have a procedure in place, which your company does have. The United States and the EU have different regulations regarding internal audit records. In short, if you destroy your internal reports, you would be compliant with US regulations, but not with EU regulations.

US Regulations

To further elaborate, it’s important to realize that the US cGMP regulations (21

Code of Federal Regulations

[

CFR

] Parts 210 and 211) do not describe specifically a requirement to conduct or keep records of an internal quality assurance audit. According to published FDA policy, during routine FDA inspections and investigations conducted at any regulated company that has a written quality assurance program, FDA will not review or copy reports and records that result from internal audits under the written quality assurance program (1), and additionally, for medical device manufacturers, the policy is codified at Title 21, CFR, Section 820.180(c) (2). Consequently, a report could be destroyed once all corrections have been performed and implemented. However, one must retain the documentation on the corrective actions as these are covered in 21

CFR

211 (3).

European Regulations
On the other hand, the EU GMP regulations for medicinal products for human use have a chapter dedicated to self-inspections (4), which specifically mention the need for an internal audit report: “All self-inspections should be recorded. Reports should contain all the observations made during the inspections and, where applicable, proposals for corrective measures. Statements on the actions subsequently taken should also be recorded.”

Therefore, self-inspection reports must be prepared, retained in accordance with documentation retention requirements, and most importantly, be provided to the regulators when requested.

In fact, refusal to provide the internal audit report in an inspection can be considered a critical observation. EU inspectors are known to have terminated inspections because of critical observations. This is similar to FDA’s “refusal to co-operate with the inspection” in which FDA would terminate the inspection.

In the EU, the requirement for self-inspections extends to drug substance (i.e., API) manufacturers as specified in the Delegated Act of 28.5.2014 supplementing Directive 2001/83/EC (5), which says, “The manufacturer shall conduct regular internal audits and follow-up on the findings.”

Conclusion
While revising an internal audit procedure, it would be beneficial to check and ensure that it covers a review of the effectiveness of your governance systems for data integrity and traceability (6). Updating procedures when new legislation and guidance is issued will help ensure compliance (7).

It is good practice to design your quality system so that it complies with even the most stringent regulations that apply to your business.

References
1. FDA, CPG Sec. 130.300 FDA Access to Results of Quality Assurance Program Audits and Inspections (FDA, June 2, 2007).
2. FDA, CFR Title 21, Part 820.180 (Government Printing Office, Washington, DC, revised April 1, 2014).
3. FDA, CFR Title 21 Part 211.
4. European Commission, EudraLex, The Rules Governing Medicinal Products in the European Union, Vol. 4, EU Guidelines for Good Manufacturing Practice for Medicinal Products for Human and Veterinary Use Part 1, Chapter 9: Self Inspection.
5. European Commission, Commission Delegated Regulation (EU) No 1252/2014 Of 28 May 2014.
6. MHRA, MHRA expectation regarding self inspection and data integrity (MHRA, Dec. 16, 2013).
7. S. Schmitt, Pharm. Tech. 39 (5) (May 2015).