7 Reporting the Results of an Audit

The auditor should provide written audit results (i.e. an audit report) for the sponsor to make the auditee recognize audit findings and take the opportunity to make improvements. It will be useful to provide an opportunity for the auditor to give an explanation about audit results to the sponsor at the time of submitting the audit report. To preserve the independence of auditing, the auditor must not be directly involved in the corrective and preventive action (CAPA) process.
7.1 Preparation of an Audit Report
The auditor should prepare an audit report based on the results of the evaluation. When an auditing department manager has been appointed, the audit report should be prepared by the auditor and if necessary reviewed or approved by the manager.
The contents of an audit report will be as follows:
• Information that identifies the trial, such as the chemical name or identification code of the investigational drug, the trial title, and the protocol number.
• The person to whom the audit report will be submitted.
• The date of issuing the audit report.
• The subject of the audit.
• The site of the audit.
• The scope of the audit.
• The name(s), title and address of the auditor (s)(and the auditing department manager).
• The name and address of the auditee.
• The date/period of the audit.
• The results of the audit, including audit findings (grading of the findings may be included).
• A list of all persons receiving a copy of the audit report.
The following information may be contained in an audit report depending on the objective(s) of the audit:
• Suggestions for improvement and advice for CAPA.
• Responses to the audit findings.
• The results of the auditor’s confirmation of the auditee’s response.
7.2 Persons to whom Audit Reports are submitted
The auditor should submit an audit report to the sponsor. The auditor may give a copy of the audit report to the sponsor’s auditee. In such a case, the auditor should pay special attention to ensuring the confidentiality of the contents of the report and should handle the report with due caution. Concerning audit reports, ICH GCP 5.19.3 (d) states the following:
‘To preserve the independence and value of the audit function, the regulatory authority(ies) should not routinely request the audit reports. Regulatory authority(ies) may seek access to an audit report on a case-by-case basis when evidence of serious GCP non-compliance exists, or in the course of legal proceedings.’