How to Conduct an Audit of an Outsourcing Provider

Published on: 
BioPharm International, BioPharm International-04-02-2008, Volume 2008 Supplement, Issue 4
Pages: 40–45

There are several considerations to keep in mind when auditing an outsourcing provider.

Current regulations require that pharmaceutical companies ensure that all manufacturing—including the manufacture of starting materials—conducted on-site and off-site is compliant with the principles of current good manufacturing practices (cGMPs), as set out by the European Union Guidance1 and the US Code of Federal Regulations.2 Therefore, the expectation from the regulatory authorities for work performed off-site is that these processes must be formally evaluated as part of a quality management system to ensure compliance with the regulations. This is usually accomplished by a gap analysis. This compares the operations and systems of an outsourcing provider to predefined criteria, and evaluates the level of compliance to provide justification for either approving or rejecting the service offered. Dependent on the quality management system and the perceived criticality of the service provided, the audit may consist of only a written questionnaire or may also include a physical inspection and assessment of the facilities and proffered services. For example, the supplier of consumables and reagents would only require a written audit, whereas a supplier of contract test services or manufacturing would require an on-site inspection.

In conducting an audit, the choice of service will inevitably determine the questions that have to be answered. A contract manufacturer will require a different focus than a contracted analytical service, and thus it is useful to have questionnaires available to cover different service providers. The Pharmaceutical Inspection Cooperation Scheme3 publishes some helpful checklists on its publications web site which are available for free and are often used as starting points. It is important to remember, however, that such questionnaires are only memory aids. There is no substitute for the power of observation. One should not slavishly follow lists of questions and lose sight of the inspection process itself.

Selecting an Outsourcing Provider and Determining its Quality Status

Before proceeding to the audit stage, a company should seek to identify an outsourcing provider that can provide high quality services. The selection process is dependent on the service required, and the initial stages may involve a proposed provider recommended by other users. The selection process should be described in a standard operating procedure that includes considerations of how many potential providers should be assessed and against what selection criteria. These criteria may include accreditation to a quality standard, reputation in the industry, past experience, and even location.

Quality Status of the Service Provider

When selecting a provider, the first stage often confirms the existence of the provider's quality system. Outsourcing providers may also cite accreditation by a third party inspection body, such as the UK Accreditation Service (UKAS) or the International Standards Organization (ISO). However, it is necessary to consider the relevance of such accreditation with the required standard. Obviously, any company that will provide manufacturing services must follow cGMP requirements. In Europe, contract manufacturers also must be in possession of the relevant licenses and, if applicable, a letter of inspection from the Medicines and Healthcare products Regulatory Agency (MHRA) that says the provider can be named on licenses. This will contribute to the decision as to whether a postal or physical inspection is required.


Another critical consideration is whether or not a provider will allow an audit inspection to take place. If the provider does not welcome an audit inspection, the provider should be excluded from the approval process.

Confidentiality Agreement

Before an audit can be conducted, a confidentiality agreement must be in place. A confidentiality agreement will enable free discussion of any concerns that arise during the course of an audit. If a provider requests a confidentiality agreement be agreed to in advance of the audit, it is a sign that the firm is accustomed to working in a regulatory environment. It is acceptable, however, to wait to sign the actual agreement until the date of the inspection.

Determining the Scope of the Audit

Before the audit is conducted, there should be an introductory meeting to identify the parties involved to establish the scope of the audit. Audit inspections may cover total compliance of the entire facility to cGMP requirements, or be limited to a specific area, such as a single outsourced analytical test. The audit could therefore be narrow in scope or more general, depending on the service provided.

Planning and Conducting the Audit

The inspection itself is a formal process that should follow a written procedure that is part of your quality management system. The basic objective of the audit is to confirm the presence of the quality systems that are claimed to be in place, and to assess the capabilities of the firm's facilities. It is then necessary to measure these systems and facilities against the required standards and establish the extent of compliance with regulatory requirements.

The audit should be seen as a risk assessment. The questionnaires or memory aids mentioned above are useful in planning the audit and to help ensure that all the relevant areas are covered and assessed. Questionnaires may also lend themselves to the risk assessment process, because each question may be assigned a numerical score on a sliding scale of risk. By such means, it may be possible to score assessment outcomes, and this can be useful in justifying the approval of provider.

An audit agenda is an essential tool to allow the most efficient planning and conduct of the audit. Even in a comprehensive cGMP audit, it may not be possible or practical to look at every aspect of a facility or process, so it becomes necessary to establish the critical points which have the greatest risk of failure or impact on the safety of the product and ensure that these are inspected and assessed.

It is often helpful to divide the inspection into two parts: 1) an evaluation of the existing quality system, including process-specific documents, and 2) the on-site inspection of the facility to confirm the level of operational compliance with the systems and processes described in the documents. During the first part, the documents evaluated should include the quality manual, standard operating procedures, training records, facility equipment records (including qualification, validation, maintenance, and calibration histories), manufacturing specifications, and any record identified as relevant (e.g., out-of-specification results and subsequent investigations). It is often during the review of quality documents that the selection of what is to be inspected can be made, and a basic understanding of the processes can lead to a much more focussed audit.

The on-site inspection will then be carried out in the presence of representatives of the provider. It is important to ensure that all necessary safety precautions are observed. There may be a safety policy document, which should be acknowledged. As the inspection progresses, any observations should be made known as they are encountered. This will allow feedback from the provider's representatives and ensure that no misunderstandings or errors are made by either the auditor or the audited firm.

Communication is a vital element of the audit process, and the attitude and approach of both parties during the inspection can have a significant impact on the success of the audit and the ultimate outsourcing relationship. The audit process should be seen as the start of a working relationship, so part of the auditor's role is to facilitate good communication and, subject to the success of the audit, begin the establishment of a working partnership. Clear lines of communication will be essential in such a relationship to ensure the smooth and problem-free provision of services.

At the end of the audit day or days, depending on the scale of the outsourcing requirement, there should be a close-out meeting between the auditor and facility management during which any observations can be reported and discussed. This is an opportunity to summarize the audit inspection process. There should be no surprises at this point because all the concerns will have been raised throughout the audit and clarified between the auditor and the audited. At this stage, the auditor should state the outcome of the audit. The management of the outsourcing firm should be given an opportunity to respond, but this should be limited to clarification and agreement on any observations that may require corrective action.

Audit Report and Approval

Following the completion of the audit, a written report should be produced summarizing the process, listing any observations, and stating the outcome of the inspection (i.e., approved, not approved, or approved subject to a satisfactory response to any observations made). The report should accurately reflect the audit carried out, and it is common to issue a draft report to the provider to identify any potential inaccuracies. The report should be issued within a defined time scale to the designated outsourcing contact and the to auditors' facility management. A target date should be set for any responses required and a tracking system should be used to follow up on any consequent action plan. Once each item has been completed, the audit will be formally closed.

The final approval of an outsourcing provider should be dependent on both the written approval of the sponsor company's facility management and its quality assurance (QA) department. It is not sufficient for management to approve a provider without the approval of QA, and QA cannot solely approve a provider. It is usual to manage this process under the remit of a department concerned with the management and approval of providers. The provider should then be formally listed on a register of approved providers.

Following the Audit: The Technical and Quality Agreement

Before commencement of any service provision, a technical or quality agreement should be in place covering the services provided.4 In the US, this agreement is not required but is expected; in Europe, the agreement is mandatory. This technical or quality agreement must detail the service provided, quality requirements, and the responsibilities attributed to the contract giver and the contract acceptor. The agreement should be reviewed at a defined interval. This may be done following routine re-assessment of the provider.


All approved service providers are required to be reviewed and re-approved at regular intervals.4 It is advantageous for sponsor companies to develop a formal program of re-approval that includes all providers, from the minor to the critical. As a part of this routine process, all approved outsourcing providers can be re-assessed at a predefined interval to ensure continued compliance with regulatory requirements and the agreements that are in place. Annual auditing is the usual practice, although a longer interval may be acceptable if justified. Re-assessments will usually entail a re-audit following the standard process outlined above and a re-approval to confirm the approval status or, if necessary, to remove the providers from the approved list.

An important consideration here is the change control process mandated by cGMP regulations. If a re-assessment audit shows a provider's performance to be unsatisfactory, then a formal risk assessment must be conducted to assess the impact on any product manufactured since the last audit and, ultimately, to assess the safety of the product and patient.

In between the established dates for re-approval, it is important for sponsor companies to continuously monitor the performance of providers. If the provider's performance begins to falter, the provider's approved status may need to be re-assessed ahead of the established schedule. Examples could be failure to supply a starting material that meets pre-defined specifications or to meet established deadlines. A well-maintained history of performance will allow trend analysis and the potential to stop problems before they become critical.


Regulatory requirements demand that outsourcing providers be part of a system that approves them as fit for purpose. The process of provider selection and approval must be part of the formal quality management system.

Andy McCallum is a quality assurance manager for Tepnel Research Products and Services' pharmaceutical outsourcing division, Livingston, UK, +44 (0)1506 424270,


1. Rules and Guidance for Pharmaceutical Manufacturers and Distributors 2007, MHRA, Pharmaceutical Press, London: 2007.

2. US Food and Drug Administration. Guidance for industry. CGMP in manufacturing, processing, packing, or holding of drugs; cGMP for finished pharmaceuticals. Rockville, MD; 2006.

3. PIC/S Secretariat. Pharmaceutical Inspection Cooperation Scheme. (See publications/recommendations.)

4. Medicines & Healthcare Products Regulatory Agency. Guidance on good manufacturing practices, Part 1: Basic requirements for medicinal products. In: Rules and Guidance for Pharmaceutical Manufacturers and Distributors. London: Pharmaceutical Press; 2007. p 80–81.