Dr. Christopher Joseph Devine, President, Devine Guidance International
Devine Guidance

What, No Internal Audits?

By Dr. Christopher Joseph Devine
Dr. Christopher Joseph Devine, President, Devine Guidance International

Although results don’t need to be shared with FDA during an inspection, an audit still should be performed.

For the aerospace, defense, automotive, pharmaceutical or medical device industries, it really makes no difference when it comes to auditing the effectiveness of the quality management system (QMS): An established auditing program is a fundamental requirement. ISO 9001, ISO 13485, AS 9100, and the primary topic of most of Dr. D’s rants 21 CFR, Part 820 compliance, all have elements mandating that quality audits be performed. So the doctor always finds it quite disturbing when a device establishment fails to comprehend the importance of creating an audit schedule and actually performing the audits. In fact, if an establishment does not have the resources to perform these audits, they can pick up the phone and call Dr. D or one of the many consulting companies that provide third-party auditing services. When an investigator from the FDA appears in an establishment’s lobby for a cup of coffee and an inspection, the Chief Jailable Officer (CJO) should realize that this individual is not visiting for noetic (look-it-up) stimulation. The FDA investigator is there to collect evidence of compliance or lack of compliance that can be used to drive additional regulatory action. Not performing audits is definitely a compliance issue that will garner the FDA’s attention during an inspection. Enjoy!

Warning Letter – March 17, 2016

If the date on this warning letter looks familiar, Dr. D referenced this same offending establishment in last week’s guidance (concerns over management oversight). Internal audits are another area, similar to management review, in which device establishments do not have to share the actual audit content with FDA, only documented evidence that they are being performed. That is why it is so darned important to have a released audit schedule, audit plans and agendas to share with the FDA. However, failure to perform audits will always end badly. In fact, an offending establishment that is on the receiving end of multiple Form 483 observations becomes a prime candidate for a prized agency warning letter. Dr. D is pretty sure the CJO is not going to want to attend the award ceremony.

Warning Letter Excerpt

Observation Five (5) – “Failure to perform quality audits at defined intervals and at sufficient frequency to determine whether the quality system activities and results comply with quality system procedures, as required by 21 CFR 820.22.”

“For example, your firm’s quality manual Quality Manual, FSP-14, Revision A, references that internal audits are to be conducted and documented. The frequency and/or intervals are not defined, and your firm has not performed any quality audits.”

21 CFR, Part 820.22 – Quality Audit

“Each manufacturer shall establish procedures for quality audits and conduct such audits to assure that the quality system is in compliance with the established quality system requirements and to determine the effectiveness of the quality system. Quality audits shall be conducted by individuals who do not have direct responsibility for the matters being audited. Corrective action(s), including a reaudit of deficient matters, shall be taken when necessary. A report of the results of each quality audit, and reaudit(s) where taken, shall be made and such reports shall be reviewed by management having responsibility for the matters audited. The dates and results of quality audits and reaudits shall be documented.”

Compliance for Dummies

  • Dr. D has written about the importance of a good auditing program on a number of occasions. There are a few salient components that should be the foundation of any internal audit program:
  • An audit schedule published prior to the start of each year
  • Trained auditors in accordance with ISO 19011 (or a qualified auditing firm/consultant approved and listed on the approved supplier’s list)
  • A well-written procedure

The procedure should contain requirements for:

  • Creation of an audit plan
  • Creation of an audit agenda
  • Creation of audit sign-in/interviewee sheets
  • Scheduling opening and closing meetings (if deemed necessary)
  • Creation of audit checklists
  • Classification of audit non-conformances (major and minor), observations and recommendations
  • Pursing mitigation activities (CAPA) for audit non-conformances
  • Writing audit reports
  • Re-auditing problem areas
  • Reporting results of audits into management review
  • Record retention (location and time)

As previously mentioned, the content and results of audits do not have to be shared with FDA during an inspection. However, if audit non-conformances are being loaded into an establishment’s CAPA system, the FDA investigator will be able to connect the dots and determine if the audit program is effective. On another note, nothing drives Dr. D more bonkers than auditing a QMS, finding several glaring non-conformances, and then finding out that the audits being performed paint a rosy picture of a perfect QMS, with no non-conformances noted. Seriously? Audits and CAPAs are a device establishment’s and CJO’s best friend. These tools should be able to identify problems and allow an establishment to make the necessary corrections before our friends from the agency, other regulators, or your notified bodies stumble upon issues.


For this week’s guidance, the doctor will leave the readers with just one takeaway: Audits and the subsequent mitigation activities pursued (CAPA) to correct audit non-conformances are a CJO’s best friend. These tools should not be feared but rather embraced by all device establishments. It is always better for an establishment to have their own auditors identify potential compliance issues versus the FDA. Your CJOs will thank you, and the FDA will be grateful, because they take no pleasure in writing Form 483 observations. In closing, thank you again for joining Dr. D, and I hope you find value in the guidance provided. Until the next installment of DG, cheers from Dr. D., and best wishes for continued professional success.


  1. Code of Federal Regulation. (April 2015). Title 21 Part 820: Quality system regulation. Washington, D.C.: U.S. Government Printing Office.
  2. Devine, C. (2011). Devine guidance for complying with the FDA’s quality system   regulation – 21 CFR, Part 820. Charleston, SC: Amazon.
  3. Devine, C. (2013). Devine guidance for managing key attributes of a FDA-compliant quality management system – 21 CFR, Part 820 Compliance. Charleston, SC: Amazon.
  4. FDA. (March 2016). Inspections, Compliance, Enforcement, and Criminal Investigations. Grams Medical, Inc. Accessed May 4, 2016. Retrieved from http://www.fda.gov/ICECI/EnforcementActions/WarningLetters/2016/ucm497792.htm

About The Author

Dr. Christopher Joseph Devine, President, Devine Guidance International