Internal Audit Reports: Best Practices for Shielding Findings from FDA Eyes

Q: My company has an SOP that defines which documents are considered Non-Disclosure Information. The SOP includes findings in our internal audit reports.

Does FDA have the right to see these confidential documents anyway?

A: We get this question frequently, and the answer is not entirely black or white.
First of all, you must remember that FDA is a law enforcement agency, so in principle the Agency has the right to see just about any information it deems necessary to protect public health.
In terms of actual day-to-day operations, FDA’s policy varies according to your product. During routine inspections of medical device manufacturers, FDA has been quite clear it will not ask for or look at your internal audit reports. However, FDA can (and most likely will) want to look at the corrective and preventive actions that come from your audit findings.
So you need to make sure you document in your CAPA or non-conformance reporting system all findings from your internal audit reports that prompt a corrective or preventive action. In addition, for each audit report, you should prepare for the inspector’s review a cover page that states:

  • What was audited
  • Who conducted the audit
  • When the audit occurred

Then you can keep the audit report itself under non-disclosure.

Getting back to my initial point about FDA being a law enforcement agency: if in the interest of public health protection FDA feels it must see an audit report, a management review report or meeting minutes, or a supplier audit report, the Agency can issue a written request for them. Then you would want to heed that request or risk FDA finding your product adulterated under the law.
For inspections of drug-makers and other non-medical device manufacturers, by policy FDA does not look at internal audit reports. But because this policy applies to non-device inspections, the investigator may ask for your internal audit reports and — if you provide them — the investigator may indeed look at them. In non-medical device facilities, you may refuse to provide your internal audit reports if requested and insist on written justification for the review from senior FDA management.
The FDA investigator may take the position that your refusal to provide the reports is a partial refusal to permit inspection. But that position may not be shared by the Agency’s management, so that’s why it’s worth requesting the written justification. If this situation were to occur at your facility, make sure you contact your company’s attorneys and follow their advice.
[pullquote align=”right” cite=”” link=”” color=”” class=”” size=””]I personally believe you should not provide access to audit reports without a written request from senior FDA management.[/pullquote]

As someone with 18 years’ experience as an FDA field investigator, I personally believe you should NOT provide access to audit reports without a written request from senior FDA management.

I also believe that any corrective or preventive actions stemming from your internal audits should go into your CAPA or non-conformance reporting system. By doing so, you demonstrate to FDA that you are willing and able to detect, investigate, and implement corrective and preventive actions that ensure your quality system is appropriate and effective.

Answered by Denise Dion, Vice President of Regulatory and Quality Services for EduQuest, who served 18 years at the U.S. FDA as an expert field investigator and was the co-editor of the FDA Investigations Operations Manual (IOM), the field guide for FDA inspectors. Denise also is the developer and lead instructor of EduQuest’s 1.5-day training class called The CAPA Clinic: FDA Rules for Effective CAPA Systems, Failure Investigations and Complaint Management.


Leave a Reply

Your email address will not be published. Required fields are marked *