SBS - The Best Value in QMS software

Requirement to save original, handwritten internal audit notes?

W

Watchwait

#1
Reality Check: Is anyone aware of a written requirement, or if not an FDA/ISO expectation that original, handwritten internal audit notes be maintained (Read: physically or electronically retained) once the detailed audit report is completed? As a healthy practice, we destroy such notes, but I'm wondering if others have an opinion or experience with this specific issue?
:thanx:
 
Elsmar Forum Sponsor
#2
Re: Save Internal Audit Notes?

Reality Check: Is anyone aware of a written requirement, or if not an FDA/ISO expectation that original, handwritten internal audit notes be maintained (Read: physically or electronically retained) once the detailed audit report is completed? As a healthy practice, we destroy such notes, but I'm wondering if others have an opinion or experience with this specific issue?
:thanx:
No requirement that I'm aware of. However, I've always believed that (depending on the actual notes) they're a credible record of an audit being done. In most cases, the report which is generated doesn't include much of the detail of what the auditor actually did - all the objective evidence, if you like - and what they observed regardless of non-compliance etc.

I can't conceive of a typed report which would contain such detail and still be readable by management and I'd question why that would be included anyway.

The 'quick and dirty' notes of an auditor are very useful, however, in preparing for subsequent audits - either as part of evaluating corrective actions or in planning the 'next' audit of a process etc.

No, I wouldn't be getting rid of them, I'd keep them for posterity!
 
Last edited:

GStough

Staff member
Super Moderator
#4
Re: Save Internal Audit Notes?

Reality Check: Is anyone aware of a written requirement, or if not an FDA/ISO expectation that original, handwritten internal audit notes be maintained (Read: physically or electronically retained) once the detailed audit report is completed? As a healthy practice, we destroy such notes, but I'm wondering if others have an opinion or experience with this specific issue?
:thanx:
I'm not aware of any requirement right off-hand, but we keep our internal audit notes as part of our audit files, but they do not necessarily go into the audit reports. One reason we keep them is for audit trails when auditing related processes. However, when asked for an audit report by our 3rd party auditors, I always make sure that they only see the final report and none of the auditors' notes.

Hope this helps....:bigwave:
 
W

Watchwait

#5
Re: Save Internal Audit Notes?

As an FDA regulated company, my experience has been that as long as requirements are met, "less is more". A formal audit report needs to contain adequate detail to describe the requirement, the observation and any evidence of non-compliance. Raw audit notes (IMHO) are analogous to yellow sticky notes. Don't use them in the 1st place - or if you must - get rid of them once their purpose is served. As a matter of practice, we prepare two documents for every internal audit:

1) An "Audit Record", containing information essential to and required by FDA, e.g., description of areas/functions audited, attendees, date/place of audit, etc., and a blanket statement reading: "...required corrective actions, if any, were noted & an action plan for their implementation was developed, as required..."

2) An audit report detailing the requirement, the finding, evidence of non-conformance, etc.

During a facility inspection, FDA only has access to the "Audit Record" - hence our approach to separate the two documents. But again, as to retaining the raw audit notes - assuming the Audit Report is adequately comprehensive, they serve little purpose other than to create yet another trail in the event of (gulp!) "discovery"...:2cents:
 
C

Craig H.

#6
Re: Save Internal Audit Notes?

As an FDA regulated company, my experience has been that as long as requirements are met, "less is more". A formal audit report needs to contain adequate detail to describe the requirement, the observation and any evidence of non-compliance. Raw audit notes (IMHO) are analogous to yellow sticky notes. Don't use them in the 1st place - or if you must - get rid of them once their purpose is served. As a matter of practice, we prepare two documents for every internal audit:

1) An "Audit Record", containing information essential to and required by FDA, e.g., description of areas/functions audited, attendees, date/place of audit, etc., and a blanket statement reading: "...required corrective actions, if any, were noted & an action plan for their implementation was developed, as required..."

2) An audit report detailing the requirement, the finding, evidence of non-conformance, etc.

During a facility inspection, FDA only has access to the "Audit Record" - hence our approach to separate the two documents. But again, as to retaining the raw audit notes - assuming the Audit Report is adequately comprehensive, they serve little purpose other than to create yet another trail in the event of (gulp!) "discovery"...:2cents:
I can understand your reluctance to keep these notes, but I make it point to keep mine. Of course they wouldn't do anyone else much good. I have been accused of writing in Chinese because of my distinctive handwriting.

Seriously, it helps me to go back to my original notes when I go to audit an area again a year later.
 
R

Roland Cooke

#7
Re: Save Internal Audit Notes?

I was party to a mini-fight between one of our clients and our auditor. Without getting into too much detail, I thought that both sides were in the wrong! :D

The auditor was insisting the client needed to keep the notes. He/she was wrong, because - as the client insisted - it doesn't say that anywhere.

But the client's other audit documentation just indicated that an audit had taken place and that these were the X non-conformities that were detected. That's not good enough in my opinion.

FDA typically wants evidence that internal audits have taken place.

On an ISO13485 audit I want to see evidence of Internal Audit planning (both strategic and 'tactical'), coverage, effectiveness etc etc. If you can do that without keeping the audit notes, I'm good with that.
In the case above, the client clearly couldn't.


(Some clients create a final report that includes a full description of the audit process, depending on the content (of course!) that can be acceptable.)


Edit: And of course, even though FDA can't insist on seeing your behind-the-scenes process, you may end up wanting to demonstrate to FDA that your Internal Audit process is robust, in exactly the same way.
 
#8
Re: Save Internal Audit Notes?

I was party to a mini-fight between one of our clients and our auditor. Without getting into too much detail, I thought that both sides were in the wrong! :D

The auditor was insisting the client needed to keep the notes. He/she was wrong, because - as the client insisted - it doesn't say that anywhere.

But the client's other audit documentation just indicated that an audit had taken place and that these were the X non-conformities that were detected. That's not good enough in my opinion.

FDA typically wants evidence that internal audits have taken place.

On an ISO13485 audit I want to see evidence of Internal Audit planning (both strategic and 'tactical'), coverage, effectiveness etc etc. If you can do that without keeping the audit notes, I'm good with that.
In the case above, the client clearly couldn't.


(Some clients create a final report that includes a full description of the audit process, depending on the content (of course!) that can be acceptable.)


Edit: And of course, even though FDA can't insist on seeing your behind-the-scenes process, you may end up wanting to demonstrate to FDA that your Internal Audit process is robust, in exactly the same way.
Roland - how can you say that the client was right in regard to 'where does it say that?" It's generally accepted under 'records which give evidence of the effective implementation etc. etc.' yada yada......

Auditor's notes, as the FDA person said are what really shows what was done......didn't you let your client know that's what they should do anyways.....???:notme:
 
R

Roland Cooke

#9
Re: Save Internal Audit Notes?

Roland - how can you say that the client was right in regard to 'where does it say that?" It's generally accepted under 'records which give evidence of the effective implementation etc. etc.' yada yada......

Auditor's notes, as the FDA person said are what really shows what was done......didn't you let your client know that's what they should do anyways.....???:notme:
You're not wrong! :D

My memory is hazy, especially after New Year :eek:, I think my issue was with the auditor's presentation of the finding (but now I'm as guilty as he is :D).


My point is that (from painful experience!) there are notes...and notes. I see all sorts. :rolleyes:
Whatever system you have, however the evidence is recorded and presented, it needs to meet the criteria you correctly highlighted.
 

Al Rosen

Staff member
Super Moderator
#10
The FDA is not entitled to view your audit results, only evidence that you have done them. Actually, a signed statement from top management that the audits were done would be sufficient. For those not familiar with this, I refer you to 21cfr820.180(c)
(c)Exceptions. This section does not apply to the reports required by 820.20(c) Management review, 820.22 Quality audits, and supplier audit reports used to meet the requirements of 820.50(a) Evaluation of suppliers, contractors, and consultants, but does apply to procedures established under these provisions. Upon request of a designated employee of FDA, an employee in management with executive responsibility shall certify in writing that the management reviews and quality audits required under this part, and supplier audits where applicable, have been performed and documented, the dates on which they were performed, and that any required corrective action has been undertaken.
Isn't this the FDA Forum?
 
Thread starter Similar threads Forum Replies Date
B Put on escalation by customer? is there a requirement to notify registrar? IATF 16949 - Automotive Quality Systems Standard 6
E Translation requirement labels EU Medical Device Regulations 4
Ed Panek Does this FDA Requirement Apply to international (not USA) distributors for USA based manufacturing companies? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 0
A MDR requirement where unit of use packaging is too small for UDI carrier EU Medical Device Regulations 1
C Requirement for Revision of Standard in all Documentation ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
K ROHs compliance requirement REACH and RoHS Conversations 1
E Language requirement DoC EU Medical Device Regulations 3
I QMS monitoring, measurement, analysis and evaluation requirement - Template ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 9
J Requirement for Signature on Document Document Control Systems, Procedures, Forms and Templates 11
C Non-sterile reusable surgical instruments - FDA sterilization requirement Other Medical Device Related Standards 2
L Water requirement for Non-sterile topical OTCs Pharmaceuticals (21 CFR Part 210, 21 CFR Part 211 and related Regulations) 0
C Requirement to link Quality Manual to ISO 9001 clause numbers? ISO 13485:2016 - Medical Device Quality Management Systems 13
B FDA requirement for CAPA Signoff ISO 13485:2016 - Medical Device Quality Management Systems 6
W Pfmea function requirement and failure mode FMEA and Control Plans 6
Y 510k requirement for bringing in gloves Medical Device and FDA Regulations and Standards News 0
S PSUR - MDR First Submission Requirement? EU Medical Device Regulations 2
J When PPAPs are not a contractual requirement APQP and PPAP 9
I Overwhelmed with attribute MSA requirement for visual inspection IATF 16949 - Automotive Quality Systems Standard 8
Brizilla Employee Data Privacy Policy - ISO 9001:2015 requirement(s)? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 6
P Clinical Trial Requirement - No equivalent devices in the market CE Marking (Conformité Européene) / CB Scheme 3
J Requirement for Retention of Records of Withdrawn Documents of External Origin Document Control Systems, Procedures, Forms and Templates 3
T ISO 17025: Lockout/Tagout Requirement ISO 17025 related Discussions 1
A The requirement of the PMS plan--suitable indicators and threshold values EU Medical Device Regulations 0
S Battery powered device - electrical protection requirement IEC 60601 - Medical Electrical Equipment Safety Standards Series 18
K Regulatory requirement of SaMD with machine learning component IEC 62304 - Medical Device Software Life Cycle Processes 3
A ASL requirement when the supplier is certified for ISO 13485 ISO 13485:2016 - Medical Device Quality Management Systems 6
P Regulatory or registration requirement for disinfectant in ASEAN Registrars and Notified Bodies 1
P IATF 16949 requirement - error-proofing in control plan IATF 16949 - Automotive Quality Systems Standard 3
C ISO/ IEC 17021 Resource requirement (need help) Document Control Systems, Procedures, Forms and Templates 5
D ISO 14971:2019 vs MDR Annex 1, Requirement #4 - "Manufacturers shall inform users of any residual risks" ISO 14971 - Medical Device Risk Management 5
B IATF16949 audit requirement - Auditor request UCL and LCL must be show Xbar-R, IATF 16949 - Automotive Quality Systems Standard 7
J 21 CFR 821 Medical Device Tracking Requirement 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 2
J Is Device Tracking Card an actual requirement under FDA regulation? Other US Medical Device Regulations 0
W Misinterpretation of requirement acceptable as root cause? Problem Solving, Root Cause Fault and Failure Analysis 19
S ECG Cable Banana to Snap or Tab electrode Adapters -- ISO 10993 Requirement Other Medical Device Related Standards 0
D IATF 16949 Requirement for CMMI in a Global Company Elsmar Cove Forum Suggestions, Complaints, Problems and Bug Reports 0
W Regarding Requirement for Hi pot & Leakage Current test Station Set-up IEC 60601 - Medical Electrical Equipment Safety Standards Series 6
L Stage 2 audit - Requirement for 3 months of records ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
M Requirement to manufacture under a quality management system EU Medical Device Regulations 4
A Risk Number for each software requirement IEC 62304 - Medical Device Software Life Cycle Processes 7
T ISO 17025:2017 requirement 5.7.b. about maintenance the integrity of the management system ISO 17025 related Discussions 1
I Laboratory Fridge / Freezer Inventory - Requirement(s) ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 6
A Several sections of traditional 510(K) have the same or similar requirement of content. US Food and Drug Administration (FDA) 4
S Requirement to Conduct New Shelf-life Testing? (re-do testing for design change) EU Medical Device Regulations 3
C Compliance with ISO 17025 requirement 8.4.2 - Controls - Records recovery ISO 17025 related Discussions 4
Q User Requirement Specification for HR (Human Resource Management System) Manufacturing and Related Processes 1
P Obstruction alarm requirement ISO 80601-2-12 Other Medical Device Related Standards 2
P Electrosurgical Device User Need: Cord Flexibility -> Requirement Other Medical Device and Orthopedic Related Topics 4
C Industrial scales and MSA (IATF 16949 requirement 7.1.5.1.1) IATF 16949 - Automotive Quality Systems Standard 30
C ISO 13485 Requirement in Australia/NZ for class 1? ISO 13485:2016 - Medical Device Quality Management Systems 1

Similar threads

Top Bottom