Grading, Categorisation and Reporting of Internal Audit Findings

Step-by-Step Guide to Grading Internal Audit Findings in Pharma

Internal audits are a cornerstone of Good Manufacturing Practice (GMP) compliance, playing a pivotal role in maintaining product quality, regulatory adherence, and continuous improvement within pharmaceutical manufacturing environments. A systematic approach to grading internal audit findings pharma professionals is essential to ensure clear communication, appropriate corrective action prioritization, and effective quality risk management.

This tutorial provides a comprehensive, stepwise approach to grading, categorising, and reporting internal audit findings, focusing on critical, major, minor, and observation levels, aligned with regulatory expectations from FDA, EMA, MHRA, PIC/S, and WHO guidelines.

Step 1: Preparing for the Audit and Defining Grading Criteria

Before conducting internal audits, it is imperative to establish a robust grading system for audit findings. This system must be aligned with international GMP expectations, such as those described in EU GMP Guide, Volume 4 and FDA’s 21 CFR Parts 210 and 211. The grading system serves as a decision matrix to evaluate findings based on their potential impact on product quality, patient safety, and regulatory compliance.

Define Grading Categories

Critical Finding: Represents a significant deviation that indicates a direct or probable impact on patient safety or product sterility and efficacy. These findings are often linked to regulatory compliance failures that could lead to product recalls or regulatory sanctions.
Major Finding: A deviation from established procedures or regulations that could adversely affect product quality or system integrity but does not immediately threaten patient safety.
Minor Finding: A non-compliance or lapse that does not currently affect product quality or patient safety but indicates a weakness in the quality system that could escalate if left unaddressed.
Observation: A good practice or slight deviation noted with no immediate impact on product quality or compliance, intended for awareness and continuous improvement.

Also Read: Periodic Stock Verification Procedure in GMP Warehouses

It is important to ensure the audit team is trained to apply these definitions consistently. Many organizations use detailed guidance documents or checklists that include examples of findings for each grading category. This consistency mitigates subjective interpretations and supports impartial reporting.

Establish Criteria Based on GMP Regulations and Quality Risk Management

Audit grading should be closely tied to risk assessment principles detailed in ICH Q9 and applicable GMP regulatory references. For example, a failure in aseptic processing controls that could lead to microbial contamination is a typical critical finding. In contrast, incomplete documentation not related to product quality may be classified as minor. The audit preparation phase should also clarify boundaries and examples to aid auditors.

Step 2: Conducting the Audit and Identifying Findings

During the audit execution phase, the auditor’s focus must be on objective evidence collection. This evidence can include documents, records, interviews, and observations made on the manufacturing or quality system operations.

Systematic Observation and Note Taking

Follow the predefined audit plan and checklist systematically.
Document deviations or non-conformances clearly, noting the exact reference, such as SOP clauses, work instructions, or regulatory requirements.
Record facts rather than opinions, ensuring transparency and traceability.
Where appropriate, photograph or scan records, or collect objective evidence to support findings.

Care must be taken to separate objective facts from subjective interpretations. Auditor neutrality is key to maintaining credibility of the grading process.

Initial Grading of Findings

Based on the evidence collected, the auditor categorizes each finding according to the grading criteria set forth in Step 1. This initial grading usually guides the urgency of follow-up actions and communication with management.

Critical examples: Product contamination risks, failure in sterility assurance, falsification of documents.
Major examples: Incomplete validation documentation, deviations not investigated properly, inadequate training records affecting critical operations.
Minor examples: Minor labeling inconsistencies, non-critical procedural lapses.
Observations: Opportunities for improvement with no non-compliance but worth noting (e.g., suboptimal housekeeping in non-product areas).

Step 3: Formalising and Reporting Audit Findings

Once findings are identified and graded, the next crucial step is compiling a clear, comprehensive internal audit report that supports decision-making by management and quality teams. Effective reporting facilitates prioritised corrective actions and regulatory readiness.

Also Read: Closing Internal Audit Actions: CAPA, Follow-Up and Effectiveness Checks

Structuring the Internal Audit Report

The report should include the following elements:

Executive Summary: Overview of the audit scope, objectives, and general outcome.
Audit Scope and Methodology: Clear definition of the areas audited, audit dates, and checklist or standards applied.
Findings Summary Table: A tabulated overview showing number and type of findings categorized as critical, major, minor, and observations.
Detailed Findings Section: Each finding described in detail, including reference to applicable standards, evidence, grading rationale, and potential impact.
Conclusions and Recommendations: Summary of overall compliance status and suggestions for corrective/preventive actions.

The internal audit report must adhere to data integrity principles and be formally approved by the audit lead or QA management before distribution. Confidentiality and controlled access to the report are also important to maintain compliance with internal policies and regulatory expectations.

Communicating Findings Effectively

During exit meetings, auditors must present findings clearly and professionally, justifying the grading of each finding with factual information and regulatory reference points. This prevents misunderstandings and helps management prioritize responses.

The report should be distributed to relevant stakeholders in the manufacturing, quality, regulatory, and validation departments. Where critical or major findings exist, timely notification to senior management and possibly regulatory affairs is essential to mitigate risks rapidly.

Step 4: Follow-up and Monitoring Based on Grading

The grading of internal audit findings directly influences the corrective and preventive action (CAPA) process. The management review and quality system must ensure that findings are resolved within timelines appropriate to their severity and regulatory expectations.

Developing Corrective and Preventive Actions (CAPA)

Critical Findings: Immediate and robust CAPA plans with full root cause analysis, risk mitigation strategies, and management oversight. Often require expedited timelines and regulatory notifications.
Major Findings: CAPA with defined timelines, verification of effectiveness, and documented follow-up. May include retraining, procedural revision, or equipment maintenance.
Minor Findings: CAPA usually with longer timelines, focusing on system improvements to prevent escalation.
Observations: Typically addressed through continuous improvement initiatives without formal CAPA but documented for transparency.

Also Read: Risk Assessment of Extended Storage of Intermediates in Warehouse

Verification of Effectiveness and Closure

Once CAPA plans are implemented, verification or re-audit is necessary to confirm that the corrective measures adequately address the root cause and prevent recurrence. The closure of audit findings should be documented and approved by QA management to ensure compliance and readiness for regulatory inspections.

The process should be integrated into the overall Quality Management System, facilitating trending and continuous risk assessment as part of the ongoing quality improvement process.

Step 5: Leveraging Audit Findings for Quality Improvement and Regulatory Compliance

Beyond immediate corrective actions, grading internal audit findings pharma teams should focus on using audit results for strategic quality improvements aligned with ICH Q10 pharmaceutical quality systems.

Trend Analysis and Risk-Based Improvements

Regular analysis of audit findings by category enables identification of systemic issues versus isolated incidents. Critical and major findings are signals for potential vulnerabilities requiring systemic change, while minor findings and observations identify opportunities for refinement.

This approach supports continuous improvement initiatives and risk-based decision making, key themes in regulatory frameworks such as PIC/S and WHO GMP guidelines.

Preparation for Regulatory Inspections

Accurate grading and transparent reporting of internal audit findings demonstrate a mature quality system to inspectors. Documentation showing timely and effective CAPA responses to findings close to regulatory criticality helps establish compliance confidence during FDA, EMA, or MHRA audits.

Referencing industry standards and guidance, such as the FDA’s guidance on quality system regulation, can enhance internal audit toolkits with regulatory best practices.

Training and Competency Development

Use audit findings and grading outcomes as valuable training material to enhance personnel awareness and competency. This supports a quality culture and proactive risk mitigation across pharmaceutical manufacturing, QA, QC, validation, and regulatory functions.

In summary, a methodical approach to grading, categorising, and reporting internal audit findings is essential in pharmaceutical environments to maintain GMP compliance, ensure product integrity, and uphold patient safety. Following this step-by-step tutorial aligns with regulatory expectations and supports robust quality management systems.