Glossary Term

Internal Audit

The risk-based, scheduled, independent examination of a quality management system to verify it operates as designed and complies with applicable regulations and standards.

Internal audit (or self-inspection) is the firm's own pre-inspection of its quality system. A mature program finds the issues regulators would find, and closes them first.


What an internal audit is

An internal audit is a scheduled, risk-based, independent examination of an organization's quality management system to verify it operates as designed and complies with applicable regulations, standards, and internal procedures. In EU GMP terminology, the equivalent activity is called self-inspection.

The activity is conducted by the firm's own qualified auditors (or contracted auditors acting on behalf of the firm), not by regulators or third-party certifiers. The findings are owned by the firm and feed into its corrective and preventive action (CAPA) system and Management Review.

Internal audit is one of the principal mechanisms by which ICH Q10's enabling systems — CAPA, change management, and management review — gain assurance that they are operating as intended. ISO 19011 (Guidelines for auditing management systems) provides the canonical methodology applied across both pharmaceutical and medical device quality systems.

What internal audit is for

The purpose isn't to confirm everything works. It's to find what doesn't work, before a regulator does, and to close the gap. Programs that consistently report zero findings aren't impressive. They're evidence that the program isn't looking hard enough.

Why internal audit defines inspection readiness

A firm's internal audit program is one of the strongest predictors of how it will perform during an external inspection. Mature programs find the issues regulators would find, capture them as findings, route them to CAPA, and close them with effectiveness evidence. By the time the regulator arrives, those issues are documented history rather than open observations.

Inspectors evaluate the internal audit program directly. They review the audit schedule, the scope coverage, auditor qualification, finding classification, finding closure status, and how findings feed into Management Review. A weak internal audit program (incomplete coverage, late audits, findings open past due, no Management Review escalation) frequently surfaces as a 483 observation in its own right, separate from the underlying quality issues the program should have caught.

Inspector note: When I review a firm's internal audit program, I look at three things. First, does the audit schedule reflect risk, or is every area audited annually regardless? Second, are the findings real, or do all audits show 'no significant issues'? Third, do findings close on time with evidence of effectiveness, or do they age out? A program that fails any of those three isn't a program I trust to surface problems.

Where internal audit is required and how regulators describe it

Internal audit obligations sit in every major GxP framework and several supporting standards:

  • 21 CFR Part 820 — Quality Management System Regulation (QMSR, effective February 2, 2026): incorporates ISO 13485:2016 by reference (including §8.2.4 internal audit at planned intervals) and retains targeted device-specific requirements. Under the former QSR (in force through February 1, 2026), §820.22 was the explicit internal-audit clause.
  • 21 CFR §820.35(b) (QMSR) / former §820.180(c) (QSR): internal audit reports remain shielded from routine FDA inspection access, with limited cause-based exceptions.
  • 21 CFR §211.180(e): Drug GMP. Written records of quality unit reviews of records and procedures.
  • EU GMP Chapter 9 — Self-Inspection: independent, detailed, by designated competent persons.
  • ICH Q10: internal audit as the assurance mechanism over the enabling systems (CAPA, change management, management review).
  • ISO 13485:2016 §8.2.4: internal audits at planned intervals; now reachable through QMSR by reference.
  • ISO 9001:2015 §9.2: same intent, broader application.
  • ISO 19011:2018: canonical methodology.
  • PIC/S PI 041-1 §5: data governance and DI self-inspection as part of the audit program.
  • PIC/S PI 054-1 (July 2021): Recommendation on Pharmaceutical Quality System Effectiveness; PQS evaluation that IA programs feed into.
  • PIC/S PI 056-1 and PI 057-1 (January 2025): Guidance and Aide Memoire on Remote Assessments; formalises remote-inspection methodology relevant to IA and Supplier Audit.
  • FDA 21 CFR Part 600s: Biologics internal review expectations parallel §211.

The internal audit lifecycle

A complete internal audit moves through five stages, each producing controlled evidence:

  • Audit program planning. Risk-based schedule covering all QMS areas; frequency reflects criticality, recent findings, regulatory changes; approved by senior management.
  • Individual audit planning. Scope, objectives, criteria, dates, lead auditor and team identified; checklist prepared.
  • Audit execution. Interviews, document review, observation, evidence sampling; findings recorded with objective evidence; closing meeting confirms findings.
  • Finding classification and reporting. Critical / major / minor or NC / observation / OFI classification; audit report distributed to auditee and MR; findings routed to CAPA per severity.
  • Finding closure and effectiveness verification. CA/PA implemented with evidence; effectiveness verified after defined period; closed by independent reviewer; reported to MR.

What strong internal audit programs share

Programs that hold up at inspection share consistent habits:

  • Risk-based audit schedule — high-risk areas more often; schedule re-evaluated annually
  • Comprehensive scope coverage — every QMS area on a defined cadence; computerized systems and DI included
  • Auditor independence enforced — no auditing own work or direct reports; cross-functional auditing
  • Auditor qualification documented — ISO 19011-based training; shadowing; lead-auditor mentorship
  • Findings are real and graded honestly — issues at every audit; consistent severity; no pressure to under-report
  • Audit checklist current — updated for ICH Q9(R1), MHRA DI guide, Annex 11; under document control
  • Findings routed to CAPA — major triggers CAPA; minor tracked separately within defined timelines
  • Closure timelines tracked — finding aging dashboards; overdue escalates
  • Effectiveness verification before closure — 'action confirmed effective', not just 'action implemented'
  • Program metrics feed Management Review — standing input

The 'no findings' red flag

An internal audit program that consistently reports no significant findings across all areas is either auditing things that can't fail, or it isn't finding things that exist. Both possibilities are inspection findings. A healthy program produces a stream of minor findings, an occasional major, and closes both to time.

How Complere runs the internal audit lifecycle

Internal audit only earns its place in the quality system if it actually surfaces issues, classifies them honestly, and closes them with evidence. Complere is built around that loop. Your audit program runs end-to-end on the platform — from the annual schedule through finding closure — without the spreadsheets and email threads that usually undermine the chain of custody.

When your team plans the year, every audit carries its scope, objectives, criteria, assigned auditors, and target dates as part of the record. The schedule isn't a separate file someone keeps current; it's part of the workflow itself. When an audit runs, findings are captured in the moment, classified against your own severity scheme, and given owners and due dates immediately. Nothing sits in someone's notebook waiting to be transcribed.

Auditor, reviewer, and approver signatures are role-based, with each signature carrying its meaning so you can show who reviewed, who approved, and who closed each step. The independence rule your auditors live by is supported by the workflow — the system knows who can sign what — and the history of every action lives in a per-record audit trail you can hand straight to an inspector.

The link between findings and CAPA is where most internal audit programs lose their grip, and where Complere holds it tight. Major findings flow into CAPA without re-keying; the CAPA references the finding, and the finding references the CAPA, so the closed-loop view satisfies the effectiveness expectation regulators look for. Aging dashboards and notifications keep overdue items visible to the people who can move them, and your management review pulls audit-program metrics from the same place the work lives.

Your audit checklists, finding categories, severity scales, and site-specific fields adapt to how your organization works, not the other way around. The checklists themselves are controlled documents in Complere — so when ICH Q9(R1), the revised MHRA DI guide, or new Annex 11 expectations come out, the update to your audit programme goes through the same review and approval discipline as any other controlled SOP, with the version history and approval signatures right next to the checklist content. Complere handles the workflow and the evidence; the judgement — what to audit, how hard to look, when a finding is critical — stays with your auditors. That's how it should be.

Frequently asked questions

Common questions about Internal Audit sourced from regulatory references and inspection patterns.

What's the difference between an internal and an external audit?

An internal audit is conducted by the firm's own qualified personnel (or contracted auditors acting on the firm's behalf) to assess the firm's own quality system. An external audit is conducted by an independent third party — regulators (FDA, MHRA, EMA), notified bodies (for CE-marked devices under MDR), certification bodies (for ISO 13485 / ISO 9001), or customers under a quality agreement. Internal audit findings are owned by the firm; external audit findings carry regulatory or commercial consequences.

Is 'internal audit' the same as 'self-inspection'?

Yes, with different regulatory vocabulary. EU GMP Chapter 9 calls the activity 'self-inspection'; FDA, ISO 13485, and ISO 9001 call it 'internal audit.' The underlying activity — independent, scheduled, risk-based assessment of the QMS by qualified personnel — is the same, and ISO 19011 applies as the methodology under either name.

How often should internal audits be conducted?

Regulations don't prescribe a fixed frequency. The general industry practice is to audit each QMS area at least annually, with higher-risk areas audited more often. ISO 19011 requires a risk-based program — frequency reflects criticality, recent findings, regulatory changes, and the maturity of the area being audited. A schedule that audits every area at the same cadence regardless of risk is a finding pattern, not best practice.

Who is qualified to perform an internal audit?

Personnel independent of the area being audited, with documented training in audit methodology (ISO 19011 §7 covers competence expectations). Cross-functional auditing — QA personnel auditing manufacturing, manufacturing personnel auditing QA — is common and supports the independence requirement. Auditors cannot audit their own work or the work of their direct reports.

What's the difference between an observation and a non-conformance?

A non-conformance (NC) is a clear failure to meet a requirement — a regulation, standard, SOP, or specification. An observation is a weakness, gap, or area for improvement that doesn't itself rise to non-compliance but warrants attention. NCs are routed to CAPA; observations are tracked separately within defined timelines. ISO 19011 §6.4.8 covers finding classification. Severity scales (critical / major / minor) vary by firm but should be defined in the audit SOP.

Does FDA inspect internal audit reports?

Generally no. Under the former QSR, §820.180(c) shielded internal audit reports from routine FDA access; under the QMSR (effective February 2, 2026), §820.35(b) carries forward the equivalent protection. FDA still verifies that the program exists and is functioning — schedule, scope coverage, auditor qualification, finding closure — but does not routinely read the underlying audit reports themselves. Notified bodies, MHRA, and other inspectorates apply their own access rules; many will review findings on request.

Does internal audit cover computerised systems and data integrity?

Yes, and the expectation has tightened. PIC/S PI 041-1 §5 makes DI self-inspection an explicit part of a mature audit program, and MHRA inspections increasingly probe whether the firm's internal audit cycle includes DI-focused review of computerised systems. Treating DI as IT-only and outside the QA audit scope is a recurring 483 pattern.

What happens when internal audit findings don't close on time?

Overdue findings are themselves a finding pattern — inspectors look for them. The mature response is an aging dashboard surfaced to the responsible owners, escalation through a defined path when an item ages past its target, and visibility at Management Review so senior leadership owns the backlog rather than the audit team. Findings that age out without closure indicate a quality system that finds problems but doesn't fix them, which is harder to defend at inspection than a system that finds fewer issues but closes them all.
