European Medicines Agency

Standard Operating Procedure

Title: Conducting Internal Audits, Reporting Results and Follow-up

Public Document no.: SOP/EMEA/0025

Lead Author Approver Effective Date: 08 MAR 06
Name: Elisabeth Braun Name: Thomas Lönngren Review Date: 07 MAR 08
Signature: on file Signature: on file Supersedes:
SOP/EMEA/005 (partially)
Date: 03 MAR 06 Date: 03 MAR 06

1. Purpose
The purpose of this SOP is to give guidance on the preparation of an audit plan, audit report and any
follow-up actions. Please refer to the European Medicines Agency’s integrated quality management
system (IQM) as endorsed by the Management Board on 29 September 2005 and the Guidelines for
Quality and/or Environmental Management Systems Auditing (ISO19011:2002).

2. Scope
This SOP applies to internal audits conducted at the EMEA (1st party audits) and to audits of EMEA’s
contractors (2nd party audits).

3. Responsibilities
It is the responsibility of the IQM advisor and the lead auditor to ensure that this procedure is adhered
to when preparing the audit plans and reports. It is the responsibility of the Executive Director, the
Heads of Unit and Heads of Sector to ensure that opportunities for improvement reported by the audit
team are prioritised on the basis of a risk analysis and that improvement action plans are developed,
adopted and implemented.

4. Changes since last revision

Main changes:
In case of CXMP audits: audit plans must be released 30 days before the start of the audit to allow the
committee members to comment on the proposed audit plan.
Supplementary information and comments may be provided to the findings of the audit report by
auditee management withing 10 days after the release of the report.
Versioning of OFI(s), OFI(s) with IAP, OFI(s) with accepted IAP, closed OFI(s).
Copy of the audit report incl. OFI(s) with accepted IAP(s) to be sent to the Court of Auditors.

5. Documents needed for this SOP (available as templates in Word)

Audit plan form
Audit report form
Opportunity for improvement form (OFI-form)
Audit closure form

6. Related documents
Annual audit programmes
SOP/EMEA/0024: Establishment of audit programme
ISO 19011:2002 Guideline for Quality and/or Environmental Management Systems Auditing
SOP/EMEA/0032: SOP for addressing cross-agency OFIs

Page 1/7
7. Definitions
ACL: access control list (i.e. document permissions set in Documentum)
Audit plan: description of the activities and arrangements for an audit.
Audit programme: set of one or more audits planned for a specific time frame and directed towards a
specific purpose.
Audit team: one or more auditors, of which one is the lead auditor, conducting an audit, supported if
needed by experts with specialised background. The team may include external auditors.
Auditee: organisation to be audited.
Auditee management: staff supervising the organisation whose processes and systems are subject to
audit.
CXMP: CHMP, COMP, CVMP, HMPC.
Day: number of days indicated should be taken as referring to working days.
Findings: the finding resulting from the audit can be:
• Positive findings. These are reported to reinforce good systems and stimulate further
improvements by the auditee or in other areas where they can serve as example
(benchmarking).
• Minor issues, requiring attention or issues where improvement action is ongoing. These will
require improvement action by the auditee but do not need written improvement action plans.
• Major issues, requiring auditee management to adopt written improvement action plans. These
should be forwarded to the audit team who should be kept updated on the implementation of
the planned improvement actions. Major issues are reported as opportunities for improvement
(OFI).
IAP: improvement action plan.
Lead auditor: auditor designated to manage the audit.
OFI: opportunity for improvement

Public Page 2/7

SOP/EMEA/0025, 08 MAR 06
8. Process Map(s)/ Flow Chart(s)

10. Start drafting audit

reports on basis of
19. Enter scores from
START findings & OFIs
feedback
questionnaire in table
11. Closing meeting:
1. Identifiy next audit
present all findings
in the current
and set deadlines for
programme 20. Auditee completes
IAPs.
IAP

12.Finalise & send

2. Start drafting and audit report, OFIs &
preparing of audit feedback 21. Audit team
plan&audit questionnaire to completes audit
auditee closure form

3. Prepare request for

documents, names, 13.
references Supplementary
information 21. Follow-up to
and comments provided within audit needed
10 days by
4. Forward draft audit auditee? yes
plan and info request
to auditee
yes 22. Make note for
no preparation of audit no
programme
14.Audit team to
5. Incorporate any
address & evaluate
comments/input from
comments & to inform
auditee
auditee on outcome
23. Archive report,
OFIs and all audit
documents
15. Auditee elaborates
6. Finalise preparation
IAPs & returns
of audit
completed OFIs with
IAP&feedback
END
questionnaire
7. Review audit
preparation&prepare
opening meeting
16. IAP ok?
yes
no
8. Conduct opening
meeting
17. Auditee reviews,
revises & resubmits
IAP (only once)
9.Perform audit:
collect evidence&list
findings 18. Re-release final
audit report&OFIs
with accepted
IAPs/non-accepted
IAPs with audit team’s
comments

Public Page 3/7

SOP/EMEA/0025, 08 MAR 06
9. Procedure
Step Action Responsibility
1 Identify the audit to be conducted from the current audit programme. Lead auditor

2 Day N-20 (N-40 in case of CXMP audits): Lead auditor &

• Start preparation of the audit plan in time for release 10 days audit team
before the start date of audit.
• In case of CXMP audits, the audit plan must be released 30
days before the start of the audit to allow the committee
members to comment on the proposed audit plan.
• Define which processes (including horizontal processes)
should be subjected to audit, considering information from
previous audits (external and internal), the audit programme,
the risk register, and IQM/Audit risk assessment.
• In case of a horizontal process, indicate if the audit is limited
to a part of it, which interfaces will be included etc.
• Decide on methodology: computer based, interviews,
sample-size, questionnaire(s) etc.
• Start the preparation of checklists.
• Confirm audit team composition. Check confirmation from
appropriate supervisor of volunteer auditors’ and back-ups’
availability.
• Book meeting rooms for opening, interim closing, and
closing meetings in MMS. Indicate room numbers in audit
plan.
3 Day N-15 (N-35 in case of CXMP audits): Lead auditor
• Prepare request to auditee management/IQM co-ordination
team for relevant documents, references and name(s) of
contact person(s).
4 Day N-10 (N-30 in case of CXMP audits): Lead auditor
• Forward draft audit plan, request for information and audit
team composition to auditee management and to IQM co-
ordination team.
• In case of CXMP audits provide questionnaire(s), if
applicable.
• Update audit-tracking sheet.
• Send out meeting requests for opening/interim
closing/closing meetings via Outlook to all participants.
5 Day N-5: Auditee
• Provide IQM advisor/lead auditor with comments/input on management&IQM
the draft audit plan at the latest 1week prior to the start of the co-ordination team
audit.
6 Day N-1: Lead auditor &
• Finalise preparation of audit (e.g. assign responsibility to audit team
each team member, finalise draft audit plan, checklists,
distribute documents etc.) using documents received, quality
manual and IQM documentation.
7 Day N: audit team briefing: Lead auditor &
• Review audit preparation (e.g. finishing touches to audit team
checklists).
• Finalise audit approach prior to the start of the audit.
• Prepare opening meeting.
8 Day N: opening meeting: Lead auditor
• Review the final draft audit plan and explain the audit
methodology, process, and practicalities as laid down in this

Public Page 4/7

SOP/EMEA/0025, 08 MAR 06
 Step Action Responsibility
SOP to auditee management.
• Record the names of the participants and make notes of
information given in addition to documentation already
provided.
• Give auditee management the choice of receiving verbal
reports on findings in interim meetings.
• Agree on date for closing meeting.
9 Day N and subsequent days: perform audit: Lead auditor &
• Collect evidence (e.g. from interviews, documents etc.) to audit team
back up findings.
• List findings (positive and negative, minor and major) in
order of priority to establish OFIs. Identify horizontal (cross-
agency) and vertical (sector/unit specific) OFIs clearly in the
report.
• Convene interim closing meeting(s) if required by any
participant(s).
10 Day N and subsequent days: Lead auditor &
• Start drafting the audit report on the basis of the OFIs and audit team
other findings as well as records resulting from the audit
work using the audit report template.
11 Last day of audit or day agreed upon during opening meeting: Hold Lead auditor
closing meeting:
• Present all findings, highlighting which ones will be covered
by OFIs and thus require written improvement action plans.
• Outline the process to be followed and deadlines to be
respected.
• In case of CXMP audits: set deadlines for the submission of
IAP(s) taking into account the timing of the committee
meetings.
• Indicate the need to request derogation from deadlines in
writing.
• Record the names of the participants.
12 Date of end of audit + 10 days: Lead auditor &
• Finalise audit report and complete OFIs. audit team
• ACL of OFIs to be changed to EMEA_doc_draft_staffonly –
version 1.0.
• ACL of audit report to be changed to:
EMEA_doc_draft_staffonly.
• Make a PDF rendition of the report (ACL: EMEA_doc_
draft_staffonly).
• Send the audit report and OFIs to EMEA management and
the IQM co-ordination team.
• For horizontal/cross-agency OFIs follow the procedure as
laid down in SOP/EMEA/0032.
• Send audit feedback questionnaire to be completed within 20
days.
• Update audit tracking sheet.
13 Date of receipt of audit report and OFIs + 10 days: Auditee
• Supplementary information and comments may be provided management& IQM
to the findings of the report by auditee management within co-ordination team
10 days after the release of the report.
14 Date of receipt of comments + 2 days: Lead auditor &
• Address and evaluate comments raised by auditee audit team
management and inform auditee management of outcome.

Public Page 5/7

SOP/EMEA/0025, 08 MAR 06
 Step Action Responsibility
15 Date of receipt of audit report and OFIs + 20 days: Auditee
• Elaborate improvement action plan(s), with indication of start management& IQM
date and estimated date of completion. co-ordination team
• Complete, sign, and return OFIs to audit team within 20 days
(or in case of CXMP audits within the set deadline);
extensions might be granted on written request only.
• Save the electronic version of the OFI(s) with IAP in the
appropriate Documentum folder as version 2.0.
• Return completed audit feedback questionnaire within 20
days.
• Update audit tracking sheet.
16 Date of receipt of completed OFIs with IAPs + 5 days: Lead auditor &
• If IAP(s) are found acceptable in order to reduce the audit team
risk/eliminate the finding, complete the OFI sheet
accordingly.
• Save the OFI(s) in the appropriate Documentum folder as
version 3.0
• If not acceptable, state reason(s), suggest alternatives(s) – if
possible – and return OFI to auditee management for action.
• If IAP(s) are repeatedly found to be unacceptable (more than
once), go to step 18.
17 Date of return of OFI(s) with non-acceptable improvement action Auditee
plans + 10 days: management&
• Auditee management reviews and revises non-acceptable IQM co-ordination
improvement action plan(s) and sets new deadline(s), go to team
step 16.
18 Date of receipt of last OFI with accepted/non acceptable IAP + 5 Lead auditor &
days: audit team
• Re-release of the final audit report and OFI(s) with accepted
IAP(s)/non-acceptable IAP(s) with audit team’s comments to
all EMEA management and IQM co-ordination team for
information.
• Send a copy of the audit report incl. OFI(s) with
accepted/non-acceptable IAP(s) to the Court of Auditors.
• Update audit-tracking sheet.
19 • Enter scores and comments from feedback questionnaire in Lead auditor
Excel spreadsheet (documentum/docbases/EDMS/IQM/
IQM/Audit/internal audit/audit performance)
20 • Auditee management completes the improvement action Auditee
plan(s) within deadline(s) indicated on OFI(s) with IAP and management/IQM
informs IQM/Audit of completion. co-ordination team
21 • IQM/Audit completes the form ‘audit closure form’ and Lead auditor &
decides about appropriate follow-up measures (e.g. follow-up audit team
audit)
• Save OFI(s) as version 4.0.
• Update audit-tracking sheet.
22 • In case of follow-up audit, make a note for the preparation of Lead auditor &
the rolling audit programme (cf. SOP-EMEA-0024 audit team
Establishment of the Annual Audit Programme).
23 • Archive audit report, OFIs and related documentation in the Lead auditor
appropriate electronic and paper folders.
• Ensure that the tracking sheet is fully updated.

Public Page 6/7

SOP/EMEA/0025, 08 MAR 06
10. Records
Throughout the audit process and prior to the audit closure the audit related hard copies are kept by the
lead auditor and filed on an ongoing basis in the audit file. The electronic audit report and electronic
audit related documents are kept in the internal audit report folder. After the audit closure, hard copies
are stored or archived according to EMEA-SOP-T-1000 and EMEA-SOP-T-1050.

Public Page 7/7

SOP/EMEA/0025, 08 MAR 06