Top Auditing Issues

Q: From your experience as an API auditor, which top issues do auditors and auditees face?

A: Below are some of the most common findings related to Q1, 9th edition.*

*Note: The information gathered below is based upon our clientele, our Q1 training students, and communications throughout the quality community.

1. Documentation of risk assessments, contingency plans, and management of change, but not closing them out.

2. There has been some auditor confusion with what needs to be contained in risk assessment. Some auditors have interpreted the following Q1, 5.3 requirement to mean that a risk assessment is required to be documented for each of the four (4) items identified below.

Q1, 5.3 states in part 5.3:

“The organization shall maintain a documented procedure to identify and control risk associated with impact on delivery and quality of product…

Risk assessment associated with product delivery shall include:

a) facility/equipment availability and maintenance; and

b) supplier performance and material availability/supply.

Risk assessment associated with product quality shall include, as applicable:

c) delivery of nonconforming product (see 5.10.1);

d) availability of competent personnel.”

However, in most cases after a review of the risk procedure with the auditor and demonstration of the risk assessment methodology and reporting, they understood that the process included an assessment of one or more of these items when a risk was present. Q1 does not require a specific risk assessment to be documented for each item independently, only where there is a risk to one or more of these items.

3. There has been some confusion as to when to document a management of change. The most confusion comes from Q1, 5.11.2 (d) which states “changes to the management system procedures, including changes resulting from corrective and preventive actions . . .” The key to understanding this requirement is knowing:

a) Which other Q1 sections have a change control process. As an example, Q1 has change control processes for many elements including document control, the use of external documents, design changes, etc. If these normal change processes do not create a risk, then would an MOC be needed? Remember, 5.11.2 MOC Implementation states in part, “The organization shall use the MOC process for any of the following that may negatively impact the quality of the product . . .”

b) Whether or not the change introduces a risk. See (a) above. For example, if an API product specification was changed via an errata, it is unlikely that any change would have to occur to the quality management system. However, if a significant change were to occur (e.g., API Spec. 6A from the 19th to the 20th edition and shortly coming 21st edition), both a risk assessment and an MOC should be undertaken since changes to the quality management system will be needed.

4. Critical suppliers

a) Not identifying the scope or location of the critical supplier on the AVL.

b) Not paying attention to outsourced processes requiring validation (e.g., heat treating). In a few cases, outsourced processes requiring validation were treated as noncritical, and as a result, sufficient attention was not given to the Q1, 5.7.1.5 which states in part:

“Validation shall demonstrate the ability of these processes to achieve planned results. Where an organization chooses to outsource a process that requires validation, the organization shall require that the supplier conform to these requirements (see 5.6.1.6).”

This means the identification of controls related to:

  • “required equipment;
  • qualification of personnel;
  • use of specific methods, including identified operating parameters;
  • identification of acceptance criteria;
  • requirements for records (see 4.5); and
  • revalidation”

— Bud Weightman
President, Qualified Specialists, International

Share the Post:

Top Auditing Issues