Audit Findings and Classification in Pharmacovigilance

Introduction

Audit findings are the primary outputs of pharmacovigilance audits.

They provide evidence regarding:

• Process weaknesses
• Control failures
• Compliance concerns
• Governance gaps
• Improvement opportunities

However, identifying findings is only the first step.

Organisations must also determine:

• Significance
• Risk
• Escalation requirements
• Remediation priorities

Finding classification provides this structure.

Without consistent classification, resources may be directed toward the wrong issues and significant risks may remain inadequately addressed.

What Is an Audit Finding?

An audit finding is a documented observation indicating that:

• A requirement has not been met
• A control is ineffective
• A process is not functioning as intended
• A risk requires attention

Findings should be:

• Objective
• Evidence-based
• Reproducible
• Clearly documented

Opinions are not findings.

Evidence is.

The Purpose of Finding Classification

Classification helps organisations determine:

• Urgency
• Management visibility
• Escalation requirements
• CAPA priorities
• Follow-up activities

A useful principle is:

Classification should reflect risk rather than auditor preference.

The goal is consistency.

Risk-Based Classification

Finding significance should generally reflect:

Patient Safety Impact

Could patients be harmed?

Regulatory Impact

Could non-compliance occur?

Data Integrity Impact

Could critical data become inaccurate or unavailable?

Systemic Impact

Is the issue isolated or widespread?

Detectability

Would the organisation identify the problem quickly?

These factors help determine severity.

Critical Findings

Critical findings represent the highest level of concern.

Typical characteristics include:

• Significant patient safety risk
• Significant regulatory risk
• Major control failure
• Absence of essential processes

Examples may include:

• Failure to submit serious adverse event reports
• Absence of critical pharmacovigilance controls
• Significant data integrity failures
• Major governance breakdowns

Critical findings typically require immediate management attention.

Major Findings

Major findings indicate significant weaknesses that require remediation.

Examples may include:

• Systemic procedural non-compliance
• Repeated reporting delays
• Significant vendor oversight failures
• Ineffective governance processes

Major findings may not represent immediate critical risk but still warrant prompt corrective action.

Minor Findings

Minor findings generally involve limited weaknesses.

Examples include:

• Isolated documentation errors
• Limited procedural deviations
• Localised process inconsistencies

Minor findings should not be ignored.

Multiple minor findings may indicate broader weaknesses.

Observations

Some organisations use observations rather than formal findings.

Observations may identify:

• Improvement opportunities
• Emerging risks
• Potential future weaknesses

Observations help organisations improve before deficiencies become formal findings.

Finding Statements

Strong findings are clear and structured.

A useful format includes:

Requirement

What was expected?

Condition

What was observed?

Risk

Why does the issue matter?

Example:

Requirement:

Vendor audits should be conducted according to the approved audit programme.

Condition:

No vendor audit had been conducted during the previous three years.

Risk:

Significant vendor compliance deficiencies may remain unidentified.

This structure improves consistency.

Root Cause Considerations

Findings describe what happened.

Root cause analysis explains why it happened.

Examples include:

Process Design Failures

Controls are inadequate.

Training Deficiencies

Personnel do not understand requirements.

Resource Constraints

Insufficient personnel are available.

Governance Weaknesses

Oversight mechanisms are ineffective.

Technology Limitations

Systems fail to support compliance.

Strong remediation depends upon understanding root causes.

Systemic Versus Isolated Findings

A critical consideration is whether a finding is:

Isolated

Affects a single activity.

Systemic

Affects multiple activities.

Systemic findings often require greater management attention because their impact may extend beyond the audited area.

Repeat Findings

Repeat findings deserve particular scrutiny.

A repeat finding may indicate:

• Ineffective CAPAs
• Weak governance
• Poor oversight
• Inadequate root cause analysis

Inspectors frequently pay close attention to recurring issues.

Repeated deficiencies often suggest organisational learning failures.

Escalation Requirements

Classification frequently determines escalation.

Example:

The exact model varies by organisation.

The principle remains the same.

Findings and CAPAs

Findings should lead to action.

CAPAs provide the mechanism for:

• Correcting deficiencies
• Reducing recurrence
• Improving controls

A useful principle is:

Findings identify problems. CAPAs create improvement.

For additional discussion see:

[[audit-capas]]

Findings and Metrics

Finding trends can provide valuable governance information.

Examples include:

Number of Findings

Overall audit output.

Critical Findings

Highest-risk deficiencies.

Repeat Findings

Recurring weaknesses.

Closure Timeliness

Responsiveness of remediation activities.

Finding Trends

Changes over time.

These metrics support management visibility.

The QPPV Perspective

Audit findings provide important assurance information.

Particularly relevant areas include:

• Significant compliance risks
• Critical vendors
• Major CAPAs
• Repeat deficiencies
• Governance failures

The QPPV should generally have visibility regarding significant findings affecting the pharmacovigilance system.

Inspection Perspective

Inspectors frequently review:

• Finding classifications
• Escalation activities
• CAPA effectiveness
• Repeat findings

Common questions include:

• Was the issue classified appropriately?
• Were actions timely?
• Did remediation work?

The quality of finding management often influences inspection outcomes.

Common Classification Mistakes

Several weaknesses occur repeatedly.

Severity Inflation

Everything becomes major.

Severity Deflation

Significant issues are minimised.

Inconsistent Classification

Similar findings receive different classifications.

Poor Risk Assessment

Impact is not evaluated appropriately.

Weak Documentation

Rationale is unclear.

These weaknesses reduce confidence in the audit programme.

Characteristics of Mature Finding Management

High-performing organisations generally demonstrate:

Consistent Classification

Standards are applied uniformly.

Risk-Based Assessment

Impact drives severity.

Effective Escalation

Important issues receive visibility.

Strong Root Cause Analysis

Causes are understood.

Sustainable Remediation

CAPAs prevent recurrence.

Continuous Learning

Findings improve the system.

These characteristics support stronger governance.

Key Takeaways

• Audit findings identify weaknesses, risks and improvement opportunities.
• Classification should be risk-based and consistent.
• Critical, major and minor findings represent different levels of risk.
• Root cause analysis is essential for effective remediation.
• Repeat findings often indicate governance weaknesses.
• Findings should drive CAPAs and improvement.
• Inspectors frequently evaluate classification quality and follow-up effectiveness.
• Mature organisations use findings as tools for organisational learning.

References

1. EMA Good Pharmacovigilance Practices (GVP) Module IV – Pharmacovigilance Audits.
2. EMA Good Pharmacovigilance Practices (GVP) Module I – Pharmacovigilance Systems and Their Quality Systems.
3. EMA Good Pharmacovigilance Practices (GVP) Module III – Pharmacovigilance Inspections.
4. Regulation (EC) No 726/2004.
5. Directive 2001/83/EC.
6. Commission Implementing Regulation (EU) No 520/2012.
7. ICH Q9 Quality Risk Management.
8. ICH E2E Pharmacovigilance Planning.