Dr. Christopher Joseph Devine, President, Devine Guidance International
Devine Guidance

Seriously, No Audits Performed Since 2015?

By Dr. Christopher Joseph Devine
Dr. Christopher Joseph Devine, President, Devine Guidance International

Audits are the cornerstone of a QMS.

As the doctor has stated on many occasions, audits are considered one of the cornerstones of an effective quality management system (QMS). Besides being an efficient tool for ensuring the QMS is firing on all cylinders, it is a regulatory requirement imposed by the United States FDA (21 CFR, Part 820.22) and a quality requirement imposed by notified bodies and registrars (Clause 8.2.4 of ISO 13485:2016). Smaller establishments that are just getting started in the medtech industry may not have the resources to perform effective audits; however, not having the resources to perform audits is not a viable excuse. It is an acceptable process to retain the help of an external auditor to render these services. In fact, Dr. D performs dozens of these assessments each year. Chief Jailable Officers (CJOs) have enough on their plates so when the FDA arrives in their lobbies for that cup of coffee and an inspection; having to worry about the basics (e.g., internal audits) just adds to their angst. Remember, having observation-free inspections, commences with the instauration(look-it-up) of a compliant QMS. Enjoy!

Warning Letter – January 24, 2018

The warning letter referenced in this week’s guidance contained 12 violations of the quality system regulation (QSR). Twelve form 483 observations usually end badly for an offending establishment. Can you say warning letter? Seriously, establishments on the receiving end of 12 form 483 observations need to be chopping a significant amount of wood to bring their QMS back into compliance.

Additionally, when nine of the 12 responses provided to FDA come back with the famed, “We reviewed your firm’s response and conclude that it is not adequate,” the agency’s decision to issue a warning letter is solidified. There are not many better attention getters in the medtech industry then being on the receiving end of an agency’s “Dear CJO” letter.

Furthermore, one of the violations noted in the warning letter, which is the topic of this week’s guidance, is the performance of internal audits. The FDA investigator found that audits were last performed in 2015. The establishment stated that audits were being performed; however, they were remiss in documenting these activities. Remember, in the eyes of the FDA, if an activity is not documented in writing, it never happened.

Finally, in accordance with §820.180(c): “Upon request of a designated employee of FDA, an employee in management with executive responsibility shall certify in writing that the management reviews and quality audits required under this part, and supplier audits where applicable, have been performed and documented, the dates on which they were performed, and that any required corrective action has been undertaken.” The CJO could have certified that the audits were in fact performed. Please note, this still does not relieve device establishments from the requirement of documenting the audit activities.

Warning Letter Excerpt

Observation Seven (7). “Failure to establish procedures for quality audits and conduct such audits to assure that the quality system is, in compliance with, established quality system requirements and to determine the effectiveness of the quality system required by 21 CFR 820.22.”

“Specifically, Internal Audit Procedure, QSP-822-00, Rev G, dated 06/30/2016, requires that internal audits are conducted at planned intervals, however, the frequencies have not been defined. Additionally, your firm was not able to provide documentation to demonstrate that you conducted an internal audit of your quality system since 2015.”

“We reviewed your firm’s response and conclude that it is not adequate. While we acknowledge that your firm opened CAPA 1262, dated 10/30/2017, to address the lack of documentation for internal audits and frequency, the CAPA report lacks information as to who the CAPA was assigned, root cause, nor investigation. Further, you state that internal audits were conducted in 2015, 2016, and 2017, however, you have not provided supporting documentation to demonstrate that they were conducted by individuals who do not have responsibility for the area being audited. For example, your response states that the Quality Director conducted a high-level audit of the quality system in 2016. Please provide supporting documentation to demonstrate that management has ensured that the adequacy of your quality system has being adequately assessed by appropriate personnel at defined frequencies.”

21 CFR, Part 820.22 – Quality Audit

“Each manufacturer shall establish procedures for quality audits and conduct such audits to assure that the quality system is in compliance with the established quality system requirements and to determine the effectiveness of the quality system. Quality audits shall be conducted by individuals who do not have direct responsibility for the matters being audited. Corrective action(s), including a re-audit of deficient matters, shall be taken when necessary. A report of the results of each quality audit, and re-audit(s) where taken, shall be made and such reports shall be reviewed by management having responsibility for the matters audited. The dates and results of quality audits and re-audits shall be documented.”

Compliance for Dummies

Compliance for the audit requirement is not rocket science. Dr. D’s recommendation is to always have an audit plan, agenda and sign-in sheet. The audit plan, agenda and sign-in sheet can be shared with FDA as documented evidence of compliance. Remember, actual audit content does not need to be shared with FDA, only documented evidence that they have occurred.

There are only a few elements that need to be considered for an audit program. For example:

  • Make sure an annual schedule for audits is released (as an option, management review meetings can be added to this schedule)
  • Auditors shall be appropriately qualified (recommend using ISO 19011 for guidance)
  • Individuals cannot audit areas in which they own the functional responsibility
  • When deficiencies are noted, corrective action shall be pursued (the ISO requirement is corrective action shall be pursued without undue delay)
  • When deemed to be necessary, re-audits of problem areas shall be scheduled
  • Audit reports are required and shall be shared with area supervisors/managers and executive management (make sure the audit results make it into management review)
  • The dates and results of all audits and re-audits shall be captured

For simplicity sake, the doctor likes to create a matrix that maps the ISO 13485:2016 requirements and 21 CFR, Part 820 requirements. Using this tool ensures that all quality, regulatory and statutory requirements are assessed. Remember (Dr. D’s broken record time), this is not rocket science; however, a little bit of planning and some organizational skills go a long way when establishing an effective audit program.


For this week’s guidance the doctor will leave the readers with just one takeaway. Considering the establishment of an effective audit program is considered a salient requirement for quality management systems, device establishments need to bite the proverbial bullet and construct an effective audit program. Remember, it is acceptable to retain external resources for performing audits; however, it remains incumbent upon the device establishment to actually script a procedure that delineates the tenants of their audit program. In closing, thank you again for joining Dr. D, and the doctor hopes you found value (and some humor) in the guidance provided. Until the next installment of DG, cheers from Dr. D., and best wishes for continued professional success.


  1. Code of Federal Regulation. (April 2017). Title 21 Part 820: Quality system regulation. Washington, D.C.: U.S. Government Printing Office.
  2. Devine, C. (2011). Devine guidance for complying with the FDA’s quality system regulation – 21 CFR, Part 820. Charleston, SC: Amazon.
  3. Devine, C. (2013). Devine guidance for managing key attributes of a FDA-compliant quality management system – 21 CFR, Part 820 Compliance. Charleston, SC: Amazon.
  4. FDA. (January 2018). Inspections, Compliance, Enforcement, and Criminal Investigations. Light Age, Inc. Accessed February 26, 2018. Retrieved from https://www.fda.gov/ICECI/EnforcementActions/WarningLetters/ucm593900.htm

About The Author

Dr. Christopher Joseph Devine, President, Devine Guidance International