SOP for Internal Audits in Pharmaceuticals

A Standard Operating Procedure SOP for Internal Audits in Pharmaceuticals is a crucial document that outlines the systematic and standardized approach to conducting internal audits within a pharmaceutical company. Internal audits play a significant role in ensuring compliance with regulatory requirements, identifying areas for improvement, and maintaining the overall quality of pharmaceutical operations. Below is an example outline for an SOP for internal audits in the pharmaceutical industry:


To define a standardized auditing process for internal audit to evaluate the compliance status to the Quality Management system, GMP and relevant regulatory requirements.


  1. To identify strength and opportunity for improvement in operations so minimizing product quality risk.
  2. To provide confidence in local management to quality and compliance.
  3. To ensure that all activities affecting the product quality are identified, defined and subjected to a documented schedule of quality audits.
  4. To detect operational deviations and regulatory compliance deficiencies.
  5. To assure the effectiveness and to support the continuous improvement of compliance to QMS.


The SOP is applicable to EGG Pharmaceuticals (Pvt.) Ltd. Lahore. The scope of SOP includes:
• ISO/IEC 23025:2023(E)
• ISO 9001: 2023 QMS
• WHO TRS 986
This SOP is not applicable for
• Self-Inspection
• Third party audits.


The following individuals and teams have key roles and responsibilities to fulfill in effecting the audit process.

Business Role Internal Audit Key Responsibilities Internal Audit
QA Manager
  • In conjunction with the Quality Assurance Manager to ensure that the audit process is ‘in place’ and ‘in use’
  • To define and record the audit universe.
  • To agree the department profile with the department head.
  • To create the audit schedule.
  • To maintain the audit schedule.
  • To approve changes to an agreed CAPA.
Assistant Manager QA/ Executive QA officer
  • To ensure that the audit process in ‘in place’ and ‘in use.
  • To approve the audit universe.
  • To populate, maintain and review the auditee profiles.
  • To store the auditee profiles
  • To prepare the audit plan
  • To prepare the audit report
  • To review, agree and verify close-out of CAPAs.
Department Head To agree the auditee profile with QA Manager.
Audit team To assess disclosed risks.

To carry out the Audit as per schedule.

Auditee To rectify the short comings and prepare CAPAs and close-out the CAPAs.

PROCEDURE SOP for Internal Audits in Pharmaceuticals

Define, Approve and review the audit universe.

It is the responsibility of the QA manager to get the Internal Audit universe review and endorse by the Quality Forum.

Create the Auditee profile:

  1. Assistant Manager QA/ Executive QA officer will create an Auditee profile for all departments defined in the audit universe see Form no. QA-F- 000
  2. The departmental auditee profile will be agreed between the Assistant Manager QA/ Executive QA officer and the departmental manager.

Criteria for auditor selection.

  1. Lead auditor should be certified/trained of ISO/IEC 23025:2023(E), or ISO 9001: 2023 QMS.
  2. Lead auditor should be experienced on laboratory practices and QMS Standard.
  3. Audit team members for Lab technical assessment should have practical experience of analytical testing for not less than 2 years.

Establish the audit profile:

  1. The frequency for internal audit is once per years at a minimum for departments such as production, laboratories, Engineering services, Stores and Quality departments whereas for Human resource, procurement its once in three years.
  2. The frequency can be adjusted based on their risk assessment in the department auditee profile.

Maintain the Auditee profile:

  1. QA Manager will annually review and update the auditee profile of departments.
  2. QA Manager will also assess the audit frequency if the summary of risk has been affected.
  3. Assistant Manager QA/ Executive QA officer will get the approval from Quality Forum whenever there is change in the audit frequency.
  4. Assistant Manager QA/ Executive QA officer responsible to keep auditee profile.

Schedule the Audit: SOP for Internal Audits in Pharmaceuticals

Create & Maintain the Audit Schedule:
Create the Audit Schedule:

  1. Assistant Manager QA/ Executive QA officer will prepare annual schedule for internal audits as per the frequency defined in the auditee profile.
  2. Schedule of audit for coming year should be prepared in the end of the current year and to be presented in Quality Forum for approval.
  3. Schedule can be revised in case of revision in audit frequencies of respective departments/ processes & approval of the same will be taken from the Quality Forum.
  4. That schedule will be prepared with the next version of that year.
  5. SOP for Internal Audits in Pharmaceuticals
  6. Format of audit schedule attached. QA-F-000.

Maintain the Audit Schedule:

  1. A delay for up to 2 months beyond the scheduled date does not require any revision or escalation to Quality forum, if audits are delayed for more than two months then the audit schedule will be re-issued and then change control will be raised QA-G-CCM-000
  2. Communicate the Audit Schedule
  3. Assistant Manager QA/ Executive QA officer will circulate the audit schedule to all concerned at the start of the year.

Prepare for the Audit:

Review the Auditee profile.

QA Manager will review the information in the auditee profile and check for accuracy and up dation.

Create the Audit Team:

  1. The team will be selected by QA manager. The Assistant Manager QA/ Executive QA officer should be a member and should be trained and knowledgeable regarding the systems and operations. The team should be of different department SOP for Internal Audits in Pharmaceuticals.
  2. Information of the audit team will be provided to the auditee through audit plan.
  3. Lead Auditor (QA Manager) should be trained/ certificate on:
    • ISO/IEC 23025:2023(E)
    • ISO 9001: 2023 QMS
    • WHO TRS 98
  4. Lead auditor responsible to ensure the training of audit team on standards, relevant to scope of internal audit.

Pre-audit information review of disclosed risk:

  1. The audit team reviews the following minimum pre-audit documentation to assess the disclosed risk.
  2. SOP for Internal Audits in Pharmaceuticals
    • Current SOP indices
    • Departments risk register
    • CAPAs from the previous internal Audit
    • Self-Inspection schedule and reports performed since the last internal audit.

Prepare the Audit Plan:

  1. An audit plan will be prepared and issued to the auditee by the QA Manager /Lead Auditor at least five days in advance which includes:
    • Unique audit reference number
    • Team members
    • Scope of audit
    • Itinerary
    • Supporting documentation (required at the end of audit)
    • Assessment Standards: The review will be conducted using the following regulations and standards:
    • NOVAMED Quality Management System for the manufacture and supply of products
    • Regulatory MOH requirement
    • Material & Product standards.
    • Review of the department Risk Management capabilities.
    • Verification of CAPA closure from previous audits.
    • During laboratory audit, audit team should review the compliance of system with ISO/IEC 23025:2023(E)
  2. SOP for Internal Audits in Pharmaceuticals
  3. Any change from the planned audit shall also be communicated.
  4. Typical format attached for audit plan QA-F-000
  5. Conduct audit & report the Audit findings:

Conduct Audit:

Audit Execution SOP for Internal Audits in Pharmaceuticals

  1. QC audit will be performed as per standard of ISO/IEC 23025:2023(E), ISO 9001: 2023 QMS
  2. Audit trail will be prepared as per ISO/IEC 23025:2023(E), ISO 9001: 2023 QMS and WHO TRS 986
  3. The audit team will perform the audit in two parts:
  4. Team will review the sample of disclosed risks to ensure that the risks are managed in accordance with the SOPs or risk management (SOP QA-G-QRM-000) and Corrective & preventive action (Sop #QA-G-CAPA-011) an assessment of the Department’s risks management capability will also be performed in this review.
  5. In case of Laboratory assessment, one member of audit team (having specific relevant experience as defined) will observe and evaluate performance of tests as prescribed in the scope.
  6. The Audit team will perform the sampling and detailed review of the raw data for the audited area.
  7. The audit team will visit the area to be inspected and inspect thoroughly, observe the points needing attention, and identify any deviation from GMP/standard process.
  8. The audit team will review the department plant practices versus the existing SOPs, to ensure the in place and in use of the local procedures.
  9. If the finding is not in the area related scope but it should be documented and reported.
  10. The audit team will record the following information in the report:
    • Area reviewed
    • Changes from the original plan with justifications
    • Details concerning any audit findings.
    • Details of facilities and processes as necessary
    • Good practice
  11. SOP for Internal Audits in Pharmaceuticals

Record the findings:

  1. The audit team must record non – conformity against ISO/IEC 23025:2023(E) and ISO 9001: 2023 QMS
  2. QMS/ regulatory requirements.
  3. The good practices should also be mentioned in audit report.
  4. The finding will include:
    • A title
    • Categorization
    • Disclosed and managed (i.e. disclosed in the information provided with an appropriate CAPA)
    • Disclosed but incompletely managed (i.e. Disclosed in the information provided with and inappropriately managed CAPA)
    • Audit identified (i.e. issue discovered during the audit.
    • A brief description summarizing the weakness in the system and the overall risk, which could include risk to patient, regulatory compliance.
    • A listing of the observations supporting the finding with each separately numbers. In each observation, specific evidence e.g. reference equipment, documentation or processes will be provided.
    • Classification: the audit findings are classified according to the severity into:
    – Critical
    – Major
    – Minor
    – Note
    – Good practice
  5. Definitions of categorization, definitions of classifications of findings and the action required in case of critical, major and minor findings are defined in below table.

Classification of Audit Findings

Audit findings classifications
Dependent on the nature of the findings and the risk associated with any non-compliance the following classifications should be used.
Classification Description Action to be Taken.
Critical Deficiencies which have a high probability of causing adverse consequences to the patient or consumer; may result in significant deviations in the safety, identity, strength or purity of the product; or are a combination of major deficiencies which indicates a critical system failure. The auditor is to define which operations, or supply to must stop until corrective and preventive actions (CAPAs) are implemented.
Major Deficiencies which could potentially cause adverse consequences to the patient or consumer if left un-addressed, could be considered indicative of poor control, could be considered major deviations by regulatory authorities, or a combination of minor deficiencies which indicate a major systems failure, or a number of repetitive minor deficiencies/ CAPAs are to be agreed although operations can proceed.
Minor A deficiency which cannot be classified as critical or major. CAPAs are to be agreed although operations can proceed.
Note A deficiency, which is not related to GMP or regulatory conformance requirements e.g. Environmental Health and Safety but does warrant attention by the auditee. CAPAs do not need to be agreed with the lead auditor.
Good Practice Demonstration of exemplary achievement of compliance or setting a precedent within the current industry standard.
  1. Quality Assurance Manager will immediately escalate critical audit findings and define further action (e.g. stopping of the operations associated with the critical findings until the critical findings have been resolved by performing root cause analysis)
  2. After carrying out the audit, the findings will be discussed with the concerned departmental Head of the audited area.

Communicate the audit Findings:
Debriefing meetings:

  1. If audit is continued for more than one day, then Quality Assurance Manager will offer a daily debriefing meeting which will be held at the end of each day between the audit team and the auditee.
  2. In these daily meetings there should be verbal acknowledgment of the findings. The issues and the findings from that day will be presented to the auditee. Any areas of disagreement should be Close out prior to the audit close out meeting.

Audit close-out Meeting:

  1. QA Manager will hold a close out meeting with the auditee to discuss the audit findings and highlight the overall conclusion.
  2. QA Manager will ensure that the auditee management team fully understands the issues.
  3. All the members of the audit team and the department head will attend the close out meeting.
  4. If a finding has been addressed by CAPA (s) prior to the close out meeting, this finding still needs to be reported and presented.
  5. Question and answer sessions and correction of incorrect facts will also conduct by the QA Manager at the close out meeting.
  6. QA Manager will also inform the auditee of the report distribution list at the close out meeting.
  7. SOP for Internal Audits in Pharmaceuticals

Issue of Audit Report:

  1. The audit report will be prepared by the Assistant Manager QA/ Executive QA officer, identifying findings and recommendations (if any). Audit report will be independently reviewed/ Approved by the QA Manager.
  2. Typical audit report format. QA-F-000
  3. Executive summary: The audit report executive summary should have followed:
    • The level of compliance with the audit assessment standards
    • The main quality issues
    • The overall risk level associated with the operation reviewed.
    • Trends observed by comparison with the outcome of the previous audits.
    • Conclusion based on audit outcome considering the risk to patients, regulators, or and assessment of auditee risk identification and management capabilities.

Auditee Profile:

  1. After conducting the audit, Assistant Manager QA/ Executive QA officer will update the auditee department Profile.
  2. Assistant Manager QA/ Executive QA officer will justify any change in the audit frequency of the auditee in the auditee profile.


Prepare CAPA

  1. The auditee reviews the audit report and prepare CAPA after following RCA that address all of the findings.
  2. The auditee should submit the proposed CAPAs to the Assistant Manager QA/ Executive QA officer and QA Manager within 20 working days of receiving the audit report.
  3. In the CAPAs following should be defined.
  4. Remedial, corrective and preventive actions (sufficient to allow a review of the appropriateness of the CAPA by Assistant Manager QA/ Executive QA officer and QA Manager)
  5. Proposed completion dates for the CAPAs (one date per individual CAPA by which all of the tasks that make up the CAPA will be completed, and it will be closed out.)
    • For critical and repeated findings, CAPA will be prepared as per SOP Corrective action and preventive actions SOP No.QA-G-CAPA-000.

Review and Agree CAPA

  1. The Assistant Manager QA/ Executive QA officer receives the proposed CAPAs and distributes (if required) for review to:
    • audit team members
    • Other technical experts, as appropriate
  2. The purpose of the review is to determine whether the proposed CAPAs completely address all of the audit finding in the satisfactory manner and within a realistic and reasonable time frame.
  3. based on the review, the Quality Assurance Manager discusses with the auditee and agrees amendments to the CAPAs
  4. If no agreement on the CAPAs can be reached the quality manager/ designates escalates the matter to the quality forum.
  5. The CAPA review and agreement should be completed within 10 working days after receiving the proposed CAPA from Auditee.

Completion of the Audit

An audit is considered completed once the proposed CAPAs have been reviewed and agreed by the QA Manager

Progress CAPAs to closure:
CAPA implementation

  1. Once the CAPAs are agreed, the Auditee should enter all the actions of CAPAs in the CAPA tracker (QA-000).
  2. Auditee is responsible for ensuring that all actions are progressed in a timely manner.

Changes to Agreed CAPAs

  1. If changes to the completion date or scope of CAPAs are necessary, these must be agreed with the QA Manager.
  2. If no agreement can be reached, then the QA Manager or the concerned department manager escalate the matter to the Quality Forum.

Close-out of CAPAs

  1. All audit actions are tracked to completion by Departmental manager (Auditee) and progress, track and document the close out the CAPAs. Any issue should be discussed In Quality Forum.
  2. Assistant Manager QA/ Executive QA officer will counter check and verify the compliance, as a part of follow up audit in next scheduled audit.
  3. Audits are closed when all actions have been completed & verified.


  1. QA manager will discuss the key points of audit, CAPA closure tracking and actions not completed within the agreed completion dates in Quality Forum Meeting on annual basis.
  2. QA manager will evaluate the overall effectiveness of implemented CAPAs by reviewing the trends (e.g. repeated findings, overdue actions) from audit findings on annual basis and CAPAs are incorporated into Quality Forum plans.


  1. Each audit conducted will be identified by a unique number.
  2. Proposed logic for reference numbering is
n1 n2 n3 n4 n5 n6

n1 to n3 = Departments- Two or Three Alpha e.g.
QA – Quality Department
PRD – Production Department
ENG – Engineering Department
PUR – Procurement Department & etc.

n4 to n5 = Year specific- two numeric – e.g. 22 for 2023
n6 to n7 = sequential number of the audit – two numeric- e.g. 01 for first audit.


  1. Internal Audit documents e.g. audit schedules: auditees profile, audit plans and reports should be retained as per SOP.


QA = Quality Assurance
QMS = Quality Management System
MOH = ministry of Health
GMP = Good manufacturing practices
SOP = Standard operating procedure
QFM = Quality Forum Meeting
CAPAs = Corrective & Preventive maintenance actions
Internal Audit = Audits conducted by the local quality organization where the auditor is independent of the operation being audited, to provide local management assurance that system and processes are in place, being adhered to, and comply with relevant QMS and regulatory requirements

Leave a Reply

Your email address will not be published. Required fields are marked *