Blog | The FDA Group

Planning Your 2025 Audits: A Guide for FDA-Regulated Industries

Written by The FDA Group | October 8, 2024

As seasoned experts at The FDA Group, we've guided countless RA/QA leaders through the complex process of annual audit planning.

This guide distills our decades of experience into actionable steps, ensuring your audit program is robust, compliant, and effective. Whether you're planning internal audits or supplier/vendor evaluations, follow these steps to set yourself up for success in the coming year.

Inside FDA's Pre-Approval Inspections with Former FDA Investigator Christopher Smith

1. Review and Analyze Past Audit Data

Planning the next annual audit program begins with a thorough look in the rearview mirror. This retrospective analysis sets the stage for everything that follows, providing crucial context and insights to shape your approach in the coming year.

Specifically, we suggest:

  • Compiling and reviewing all audit reports from the current year.
  • Analyzing findings, observations, and CAPAs.
  • Identifying recurring issues across different audits or departments.
  • Evaluating the effectiveness of previous corrective actions.

But data compilation is just the beginning. The real value lies in the interpretation of this data. Look for patterns and trends that might not be immediately obvious. Are there systemic issues hiding behind seemingly isolated incidents? Are there departments or processes that consistently outperform or underperform?

We sometimes recommend firms make a simple spreadsheet (and possibly corresponding pivot tables) cataloging findings across different functional areas or suppliers. This can quickly highlight problem areas that need more attention in the upcoming audit cycle that you can make sure get prioritized in the next round of audits.

Consider this example from our audit program work with a mid-size medical device manufacturer last year:

Upon reviewing their annual audit data, we noticed that document control issues were flagged in 60% of their audits. At first glance, these appeared to be isolated incidents in different departments. However, we revealed a systemic issue with their document management system. This insight led to a targeted improvement initiative and increased focus on documentation practices in the next year's audits.

This retrospective analysis isn't just about identifying problems — it's also an opportunity to recognize and learn from successes. Identify areas or processes that have shown consistent improvement or maintained high standards. These can serve as internal benchmarks and sources of best practices for other areas of the organization.

Action items:

  • Compile audit reports. Collect all internal audit reports from the current year, gather external audit reports (e.g., supplier audits, notified body audits) and retrieve regulatory inspection reports (if any).
  • Set up a simple findings database. This can be a simple spreadsheet with columns: Audit Date, Audit Type, Department/Supplier, Finding Description, Risk Level, and CAPA Status. Input all findings from collected reports into the database.
  • Analyze recurring issues. Use pivot tables to identify top 5 most common finding categories. Calculate the frequency of each finding category by department/supplier.
  • Evaluate CAPA effectiveness. List all CAPAs implemented in the current year.
    For each CAPA, check if related findings have recurred. Then simply calculate CAPA effectiveness rate (% of CAPAs that prevented recurrence).
  • Consider creating a simple "heat map" visualization. Create a matrix with departments/suppliers on one axis and finding categories on the other. Color-code cells based on frequency of findings (e.g., green for 0-1, yellow for 2-3, red for 4+). Identify hotspots (red cells) for priority attention in next year's audits.
  • Prepare retrospective analysis report. Summarize key trends identified and list out the top 5 areas of concern based on frequency and risk. Highlight any departments or suppliers with notably good or poor performance. Use this to recommend focus areas for next year's audit program.

2. Refresh Yourself on Any Recent Regulatory Changes

In the dynamic world of FDA-regulated industries, yesterday's compliance can quickly become tomorrow's violation. Staying abreast of regulatory changes is not just about avoiding citations; it's about positioning your organization at the forefront of quality and compliance.

We suggest subscribing to FDA and other relevant regulatory body newsletters, as well as our Insider Newsletter. Review any new or updated guidance documents and assess the impact of these changes on your audit program.


But regulatory intelligence goes beyond passive consumption of information. It requires active engagement with the regulatory landscape. Encourage your team to participate in industry working groups or standards committees. This not only keeps you informed but also allows you to contribute to shaping future regulations.

Teams we see do this well designate a "Regulatory Intelligence" team member responsible for monitoring changes and distributing monthly summaries to relevant stakeholders. Consider creating a cross-functional "Regulatory Impact Assessment" team. This team should meet regularly to discuss new regulations or guidance documents and brainstorm on their potential impact across different areas of the organization. This proactive approach allows you to anticipate and prepare for changes, rather than scrambling to react when they come into effect.

For instance, when the FDA released new guidance on computer software assurance for production and quality system software in 2023, we helped our clients quickly integrate these new expectations into their audit checklists for both internal and supplier audits.

Action items:

  • Set up a regulatory monitoring system. Subscribe to FDA email alerts and newsletters, join industry associations (e.g., RAPS, ISPE) for regulatory updates, and set up simple Google Alerts for key regulatory terms relevant to your industry.
  • Create a regulatory change log. Design a spreadsheet with columns: Date, Regulatory Body, Title of Change, Summary, Potential Impact, Action Required
    Assign team member to update the log monthly.
  • Review new/updated guidance documents. List all new or updated guidances relevant to your products/processes. For each guidance, create a brief (1-page) summary of key points and changes. Distribute summaries to relevant department heads. (We do this as a service through our Insider Newsletter.)
  • Conduct impact assessments. For each major regulatory change, use an impact assessment template to evaluate effects on: Product Design, Manufacturing, Quality System, Supply Chain, Labeling, Clinical/Postmarket. Assign action items based on impact assessment results.
  • Update audit checklists. Review each audit checklist against new regulatory requirements and add new checkpoints or modify existing ones to reflect regulatory changes. Make sure to version control updated checklists and distribute to the audit team.
  • Prepare a regulatory intelligence report. Compile a regular report summarizing key regulatory changes. Include status updates on ongoing impact assessments and action items — and present a quarterly summary to senior management.

3. Conduct a Comprehensive Risk Assessment for the Audit Program

A comprehensive risk assessment is the backbone of an effective audit plan, ensuring you're focusing resources where they're needed most.

But effective risk assessment in FDA-regulated industries goes beyond traditional probability and impact matrices. It requires a nuanced understanding of regulatory expectations, product lifecycles, and the intricate web of processes that bring a product from concept to market.

To drive risk assessment into your audit program, we suggest:

  1. Evaluating risks associated with each auditable entity (internal departments, processes, suppliers).
  2. Considering factors such as impact on product quality, patient safety, and business continuity.
  3. Assessing the complexity of processes and previous audit history.
  4. Incorporating new risks identified from regulatory changes or industry trends.

When conducting your risk assessment, it's crucial to look beyond obvious, direct risks. Consider second and third-order effects. For example, a seemingly low-risk change in a supplier's sub-component might have significant implications for your product's overall risk profile.

Teams that do this well use a standardized risk assessment matrix that considers both the likelihood and severity of potential issues. This allows for consistent evaluation across different areas. But don't let standardization lead to complacency. Encourage your team to think creatively about potential risks. Sometimes, the most significant risks come from unexpected quarters.

For a pharma client of ours, we developed a risk-scoring system that weighted factors like direct product impact, compliance history, and process complexity. This helped us identify a contract manufacturer as high-risk due to recent leadership changes and past quality issues, prompting more frequent and in-depth audits. The key insight here wasn't just the individual risk factors, but how they compounded to create a potentially volatile situation.

Remember, risk assessment isn't a one-time activity. It should be an ongoing process, with mechanisms in place to quickly incorporate new information or changing circumstances into your risk calculations.

Action items:

  • Define risk assessment criteria. Establish a 5-point scale for likelihood and severity of risks. Then, create a risk matrix combining likelihood and severity.
    Define your risk categories (e.g., product quality, patient safety, regulatory compliance, business continuity).
  • Identify your auditable entities. List all internal departments and compile all suppliers and external service providers. Enumerate key processes (e.g., design control, CAPA, complaint handling).
  • Gather risk data. Review past audit findings for each entity and collect quality metrics (e.g., defect rates, customer complaints). Assess complexity of processes or criticality of supplied components and consider recent changes (e.g., new equipment, personnel turnover).
  • Conduct risk scoring workshop. Meet with representatives from Quality, Regulatory, Operations, and R&D. For each auditable entity, assess and score risks in each category and document your rationale for each risk score.
  • Create a simple risk register. Compile all risk scores into a centralized spreadsheet and calculate overall risk score for each auditable entity. Then, rank entities from highest to lowest risk.
  • Develop risk mitigation strategies. For the top 10 highest-risk entities, brainstorm potential risk mitigation actions. Assign owners and due dates for each mitigation action.
  • Link those risks to your audit planning. Group auditable entities into risk tiers (e.g., High, Medium, Low). Then, define audit frequency for each risk tier (e.g., High = annual, Medium = biennial, Low = triennial).

4. Define Clear Audit Objectives and Scope

With risks assessed, it's time to set clear objectives for your audit program. This step ensures your audits are purposeful and aligned with organizational goals. But defining objectives is more than just creating a checklist of compliance requirements. It's about articulating how your audit program will drive value for the organization.

We suggest establishing specific, measurable objectives for each audit and defining the scope of audits based on risk assessment results. Consider both compliance verification and process improvement aspects.

When setting objectives, it's crucial to strike a balance between breadth and depth. While it might be tempting to create exhaustive lists of objectives for each audit, this can lead to superficial reviews that don't provide meaningful insights. Instead, focus on key areas where you can drive significant impact.

We recommend using the SMART criteria (Specific, Measurable, Achievable, Relevant, Time-bound) when setting audit objectives. This ensures clarity and facilitates effective evaluation post-audit.

  • For example, for a high-risk supplier, an objective might be: "To assess compliance with data integrity requirements in laboratory operations, focusing on audit trail reviews and change management processes, by Q2 of the coming year."

But don't stop at compliance-focused objectives. Include objectives that speak to process improvement, efficiency gains, or innovation. This shifts the perception of audits from purely policing activities to value-adding exercises.

Consider involving auditees in the objective-setting process. This not only ensures buy-in but can also provide valuable insights into areas that might benefit most from scrutiny or improvement.

Action items:

  • Review your organizational goals. Obtain the latest strategic plan and annual objectives from senior management. Identify quality and compliance-related goals.
  • Analyze regulatory requirements. List mandatory audits required by regulations or standards (e.g., internal audits per ISO 13485). Note any specific areas of regulatory focus (e.g., process validation, data integrity).
  • Consider risk assessment results. Review the top risks identified in the risk assessment and align your audit objectives with high-risk areas.
  • Draft your audit objectives. For each planned audit, write 2-3 SMART objectives. Ensure objectives cover both compliance verification and process improvement and use action verbs (e.g., assess, evaluate, verify) to start each objective.
  • Define audit scope. For each audit, list specific processes, systems, or products to be covered. Identify any exclusions and provide rationale and specify the time period to be covered by the audit (e.g., activities since last audit).
  • Create audit charter template. Design a template including sections for: Audit Title, Objectives, Scope, Auditor(s), Auditee(s), Duration, Key Focus Areas. Make sure the template aligns with any electronic audit management system in use.
  • Develop KPIs for the audit program. Define metrics to measure audit program effectiveness (e.g., % of planned audits completed, average time to close audit findings). Set targets for each KPI.
  • Validate objectives and scope. Review the draft objectives and scope with department heads or subject matter experts. Adjust them based on feedback to ensure relevance and feasibility.
  • Compile an audit planning document. Create a master document listing all planned audits with their objectives and scope. Include rationale for each audit (e.g., regulatory requirement, risk-based, follow-up)

5. Develop an Audit Schedule

With objectives set, it's time to create a tentative schedule for the upcoming year. This schedule should balance regulatory requirements, risk levels, and operational considerations. But effective scheduling is more than just filling out a calendar. It's about creating a rhythm for your audit program that aligns with the broader organizational pulse.

We suggest:

  • Listing all entities requiring audits (internal departments, suppliers, processes).
  • Assigning priority based on risk assessment results.
  • Considering operational cycles and availability of auditees.
  • Accounting for any follow-up audits and potential re-audits.

When developing your schedule, think beyond individual audits. Consider how the timing of audits might create synergies or conflicts. For instance, scheduling supplier audits just before internal process audits might provide valuable insights that inform your internal reviews.

We always suggest using a digital planning tool that allows for easy visualization and adjustment of the audit schedule. This facilitates better resource allocation and helps in identifying potential conflicts early.

Flexibility is key here. While it's important to have a structured plan, build in buffer time for unexpected events or emerging risks that might require rapid response audits. In planning audits for a global medical device company, we staggered supplier audits across different geographic regions to account for local holidays and production cycles. This approach minimized disruptions and ensured auditor availability. It also allowed for knowledge transfer between audits, with insights gained from early audits informing the approach to later ones.

Action items:

  • Create an audit inventory. This should include of all required audits, including internal, supplier, and regulatory audits, and estimate the duration for each audit type.
  • Identify scheduling constraints. Gathe key dates such as product launches, shutdowns, and peak production periods, and note any regulatory deadlines that apply to specific audits.
  • Assess auditor availability. Create a calendar that outlines when internal auditors are available and taking into account any planned leaves or other commitments that may affect scheduling. Contact us to access the industry's best auditors wherever and whenever you need them.
  • Develop a draft audit schedule. We suggest using a Gantt chart or similar tool to visually map out audits throughout the year. High-risk audits should be scheduled earlier to allow time for follow-up, and geographically close supplier audits should be grouped together to optimize travel efficiency. Incorporate buffer time into the schedule by adding an extra 10% between audits to account for unexpected delays or urgent audits. Plan follow-up audits 6-8 months after initial audits for high-risk areas.
  • Create an auditor assignment matrix. This should matches auditors to audits based on their expertise and availability, ensuring that auditors rotate for repeated audits to maintain a fresh perspective.
  • Develop a schedule management process. This should include procedures for requesting changes and criteria for adding or removing audits as needed throughout the year.
  • Set up a schedule tracking system using project management software or a spreadsheet to monitor the status of audits. The system should include fields for the planned and actual audit dates, audit status, auditor(s), report due dates, and report status.
  • Prepare the schedule communication. Create a one-page visual or written summary of the annual audit schedule and drafting an email to distribute the schedule to key stakeholders.

6. Resource Planning and Budgeting

Effective auditing requires adequate resources, both in terms of personnel and budget. This step involves assessing your needs and securing necessary support. But it's not just about numbers — it's about ensuring you have the right mix of skills, experience, and tools to execute your audit program effectively.

We suggest:

  • Evaluating internal auditor capabilities and availability.
  • Identifying gaps in expertise or capacity.
  • Considering engaging external resources (like The FDA Group) for auditor resourcing and project management.
  • Develop a comprehensive budget including travel, tools, and potential external support.

When assessing your auditor pool, look beyond just technical skills. Consider soft skills like communication, critical thinking, and adaptability. These can be just as crucial for effective auditing, especially when dealing with complex or sensitive situations.

If you have a large audit program, consider maintaining a skills matrix for your audit team, mapping their expertise against upcoming audit needs. This helps in identifying training needs or areas where external support might be necessary.

Don't shy away from investing in your audit program. While it might be tempting to view audits as a cost center, a well-resourced audit program can drive significant value through risk mitigation, process improvement, and enhanced compliance. When a recent client of ours expanded into combination products, we helped them identify the need for specialized auditors with both pharmaceutical and medical device experience. This led to a targeted training program for internal auditors and strategic use of our experts for initial audits. The investment paid off not just in terms of compliance, but also in accelerated product development timelines due to smoother regulatory processes.

Consider also investing in audit management software or other tools that can enhance the efficiency and effectiveness of your audit program. These investments often pay for themselves in terms of time saved and improved insights. Our auditors drive their reports directly into systems like Veeva.

Action items:

  • Assess internal auditor capabilities. Start by creating a skills matrix for your current pool of auditors to identify gaps in expertise, such as regulations or technical areas where additional knowledge may be required.
  • Quantify auditor time requirements. Calculate the total number of auditor days needed based on the audit schedule and compare this with the available capacity of your internal auditors.
  • Identify external resource needs. Determine which audits require specialized expertise and estimate the number of days of external auditor support that will be necessary.
  • Research training opportunities. Identify relevant training courses to address any skill gaps, and obtain quotes for both in-house and external training options to develop your internal auditing team.
  • Evaluate audit tools and software. Review your current audit management tools, research new potential tools to improve efficiency, and request demos of the top two or three options.
  • Estimate travel costs. For each off-site audit, estimate travel expenses including flights, accommodation, and per diems, while considering options to reduce travel costs, such as remote auditing where feasible.
  • Compile a detailed budget request. Create a budget spreadsheet that includes internal auditor time (converted to monetary value), external auditor fees, training costs, travel expenses, audit software or tools, and miscellaneous expenses like audit supplies or conference fees.
  • Create a contingency plan. Identify the minimum viable audit program that can be executed if the full budget isn’t approved, and list potential external partners, such as consultants, for surge capacity if necessary.

7. Finalize Audit Tools and Methodologies

With the plan taking shape, focus on the tools and methods that will support effective auditing. This isn't just about checklists and templates – it's about creating a systematic approach that ensures consistency, efficiency, and insight.

Review and update audit checklists and templates, making sure there's alignment with current regulations and standards. Then, develop or refine audit protocols for different types of audits. Consider implementing audit management software for better tracking and reporting.

When developing audit tools, strive for a balance between standardization and flexibility. Standardized tools ensure consistency and completeness, but they should not constrain auditors from exploring unique or unexpected issues they might encounter. 

Teams that do this very well create modular audit checklists that can be quickly customized for specific audit types or focus areas. This balances standardization with flexibility. Clear, concise, and actionable audit reports are crucial for driving change and improvement.

Action items:

  • Review your current audit tools. Inventory all existing audit checklists, templates, and software. Are you satisfied with them?
  • Update audit procedure. Review and revise main audit procedure to reflect any changes in approach. Make sure there's alignment with current regulations and standards. Include clear guidance on remote auditing practices.
  • Create or enhance  your audit checklists. Review each checklist against current regulations and add sections for new focus areas identified in planning. Incorporate prompts for evidence collection.
  • Develop root cause analysis toolkit. Create guidance document on root cause analysis techniques (e.g., 5 Whys, Fishbone diagram). Design template for documenting root cause analysis.
  • Implement audit management software (if applicable). Finalize selection of audit management software and develop an implementation plan including data migration and training. Then you can configure the system to match your audit.

8. Final Review and Approval

The final step is to review the entire plan, make any necessary adjustments, and secure formal approval. It's an opportunity to take a holistic view of your audit program and ensure all elements are aligned and ready for execution.

Conduct a final review of the audit plan with key stakeholders and make any last-minute adjustments based on recent developments. The, secure formal sign-off from senior management and distribute the approved plan to relevant parties, including us if you need an audit resourcing partner.

When conducting the final review, step back and look at the big picture.

  • Does the plan adequately address your major risks?
  • Is it aligned with your overall quality and compliance strategy?
  • Does it have the flexibility to adapt to unforeseen circumstances?

We suggest RA/QA leaders create a concise executive summary of the audit plan, highlighting key focus areas, expected outcomes, and how the plan addresses major risks and regulatory requirements. 

Leveraging External Expertise: The Role of Specialized Firms in Annual Audit Planning

When developing your annual audit plan, partnering with a specialized firm like The FDA Group can significantly enhance the effectiveness and efficiency of your audit program. We  bring a wealth of experience, regulatory knowledge, and resources that can complement your internal capabilities and help you navigate the complexities of FDA-regulated industries.

Here's a quick look at why hundreds of drug, device, and biologic firms work with us to plan and execute their audits:

Comprehensive Audit Coverage

Our clients tap into our global network of experienced auditors, allowing them to conduct audits across various geographic locations and specialized areas. This ensures thorough coverage of the entire supply chain and internal operations.

Deep Regulatory Expertise

With access to +225 former FDA officials and industry experts, we provide up-to-date insights on regulatory requirements and expectations. This expertise is crucial for aligning your audit program with current FDA standards and industry best practices.

Auditor Resource Flexibility

External firms like The FDA Group can quickly scale their support based on your audit needs, providing additional resources during peak periods or for specialized audits without the need for permanent hires.

Standardized Methodologies

Experienced firms bring tried-and-tested audit methodologies, ensuring consistency and quality across all audits, regardless of location or subject matter.

Objective Perspective

External auditors provide an independent, unbiased view of your operations and those of your suppliers, often identifying issues that might be overlooked by internal teams.

Comprehensive Reporting

We provide detailed, actionable audit reports that not only identify issues but also provide practical recommendations for improvement.

Flip through an example of our supplier audit report template below.

 


Join hundreds of firms planning and executing their audits with The FDA Group.

The FDA Group is the premier provider of audit services for FDA-regulated industries. Here's why 17 of the top 20 life science firms work with us to plan and execute their audits.

  • Extensive Experience: With over 2,500 specialists globally and a presence in 63 countries, The FDA Group offers unparalleled expertise and reach for your audit needs.
  • Regulatory Insight: Our team includes over 250 former FDA officials, providing unique insights into regulatory expectations and trends.
  • Customized Approach: We tailor our audit services to your specific needs, offering flexible engagement models from consulting projects to staff augmentation.
  • Quality Guarantee: With a 97% client satisfaction rate and a Total Quality Guarantee, we ensure the highest standards of service.
  • Comprehensive Audit Services: From audit preparation and execution to post-audit activities and CAPA management, we offer end-to-end support for your audit program.
  • Continuous Education: We invest in ongoing education for our auditors, ensuring they stay at the forefront of regulatory changes.
  • Efficient Project Management: With dedicated account management and streamlined processes, we ensure smooth execution of your audit program.
  • Cost-Effective Solutions: Our tiered pricing model offers discounts based on project spend, providing value for both small-scale and large-scale audit programs.

Our auditing services include, but are not limited to:

Read a sample of our auditing case studies:

Read our auditing case studies

📄  Domestic Auditing Project Case Study (PDF)

📄  Global Audit Project Case Study (PDF)

📄  International Audit Project Case Study (PDF)

📄  International PAI Preparation and Remediation Case Study ( PDF)

Fill out our quick contact form below, and we'll reach out to discuss how we can support your specific needs. We're here to help and respond within one business day.