3 minute read
ISO 22716
By Robert Low, Lead Management System Specialist
Section 16 of ISO 22716 covers internal audits — the mechanism by which a manufacturer checks its own GMP system rather than waiting for an external certification body to find the gaps first. It is a short section, but it underpins the credibility of everything else the standard requires.
This post is part of a series working through ISO 22716 section by section. The series summary with links to every section is available at the end.
An internal audit is a tool designed to monitor the implementation and status of the company’s cosmetics GMP system, proposing corrective actions where necessary. The framing matters — an internal audit is not a compliance exercise performed to satisfy an external requirement; it is a genuine monitoring tool meant to catch problems before they become external findings.
Approach. Specially designated, competent personnel need to conduct internal audits independently and in detail, either on a regular schedule or on demand. Independence here means the auditor should not be auditing their own area of direct responsibility — someone reviewing their own work is not conducting an independent examination, regardless of how thorough they try to be.
Findings. All observations from an internal audit need evaluating and sharing with appropriate management. This requirement exists to prevent audit findings disappearing into a report that nobody with the authority to act on it ever actually reads.
Follow-up. Internal audit follow-up needs to confirm that corrective action has been satisfactorily completed or implemented — the audit cycle does not end with the findings report. It ends when the findings have actually been addressed and that resolution has been verified.
The most common gap is independence in name only. A documented procedure might specify that auditors must be independent of the area being audited, but in a small company, the practical reality is often that the same handful of people end up auditing each other’s areas in a way that does not provide genuine independent scrutiny. This is a real constraint for smaller manufacturers, and the honest answer is often supplementing internal audits with periodic independent external audits rather than pretending the independence requirement is fully met internally.
The second common gap is the follow-up step. Audits frequently identify findings and even generate corrective actions, but the loop back to confirm those actions were genuinely implemented and effective gets dropped — the audit report exists, the CAPA exists, but nobody closes the loop by checking the CAPA actually worked.
Internal audit findings should generate formal CAPA records just like any other source of nonconformance, rather than being tracked separately in a standalone audit report that disconnects from the main corrective action system. The audit programme itself, along with audit reports and evidence of follow-up, is also a controlled document requiring the same rigour described in the next post in this series — Documentation.
This post is part of the Cornerstone ISO 22716 series. See the full series summary with links to all 16 sections.