Most people will have some involvement with being audited. In general audits are classified into one of three different types; namely first party, second party and third party.
First party audits are often called internal audits or self-inspections. Here you are audited by others from your own site. Second party audits are either you auditing a supplier or a customer (of which you are a supplier) auditing you. This leaves third party audits whereby you are audited by a Regulatory Authority or external body. This also leave the notion of corporate audits; audits by people from within the same organisation but from another site. There is a case for classifying these as either 1st, 2nd or 3rd party audits – a discussion we will save for another day!
As a pharmaceutical trainer, auditor and consultant I meet a lot of auditors and look at audit mechanisms a great deal. The following appears to be the case in most pharmaceutical manufacturing sites.
First party audits:
We do these because we have to! Often seen as a regulatory necessity! Areas are often only audited once a year (if that) with limited time given to perform the audits. These audits are often moved “when something more important comes up”, are poorly planned and prepared for, the audit programme is often not adhered to, reports are completed late and non-conformities/ corrective actions highlighted during the audit are rarely completed. Evidence to support that true corrective actions have been taken (that proves that the problem has been sorted for good) are rarely seen.
Second party audits:
These are generally done OK. We like doing these. If it involves us performing supplier audits then it gets us out of the office, involves travel and allows us to meet new people. If it’s us being audited by a customer it gives us an opportunity to show them what we can do and how good we are. This article is not really about this type of audit – we will re-visit these another day.
Third party audits:
These are dealt with completely differently from first party audits. As soon as a site knows that the Regulatory Authority is coming all holidays are cancelled. Teams of people will meet every week to plan the audit, all documentation and records will be re-reviewed and put in a (war) room with an armed guard at the door! There will be none of that “we’ll deal with any non-conformities in due course” with these audits – people are re-trained, procedures are re-issued and facilities repaired whilst the audit is still going on!
Now, I am generalising here, and I am trying to bring an element of fun and humour into this article, so please don’t be offended by this. However – here is the general lesson. We generally pay a bit of lip-service to the first party (internal) audit and take the third party (regulatory) audit much more seriously. And here is where the focus is wrong. Surely if we gave the first party audits much more focus and priority (after all it’s the prime way of evaluating your system) then wouldn’t second and third party audits be much easier to prepare for and be more successful?
I know that having a bad third party audit is a disaster for any site, so they do need to be well prepared for and managed. However giving more focus and effort to our own first party audits pays dividends. This can be summed up with my final thought. Aren’t non-conformities raised at third party audits telling you something about your first party audits? Surely the first party audits should be picking up findings ourselves before the Regulatory Authority finds them!
Of course what I say above involves a lot of generalisation, it does however appear to be generally agreed by people who I meet. If this is not the case in your own organisation then this is great news, and I would be delighted to hear from you in a comment below.
Please feel free to comment. For details of our courses in this area select this link: QMS Courses
THIS ARTICLE WAS FIRST PUBLISHED IN 2012 AND MOST RECENTLY UPDATED IN SEPTEMBER 2022.
Find out about our course ranges