Standard operating procedure

Title: Audit programmes and internal audits conducted by the Audit Advisory Function

Status: Public Document no.: SOP/EMA/0025

Lead author Approver Effective date: 16/10/2017
Name: Edit Weidlich Name: Guido Rasi Review date: 16/10/2019
Signature: Signature: Supersedes:
[Signature on File] [Signature on File] SOP/EMEA/0025 (29-JULY-14)
Date: 09/10/2017 Date: 11/10/2017 TrackWise record no.: 5354

1. Purpose
The purpose of this SOP is:

 to describe the procedure for the internal audit engagement process (including planning, conduct,
communication, contradictory procedure, quality assessment, final report, action plan and any
follow-up actions) conducted in line with:

 Financial Regulation applicable to the Budget of the European Medicines Agency, as adopted by
the Management Board, and its Implementing Rules;

 Relevant regulations in the fields of human and veterinary medicines;

 The International Standards for the Professional Practice of Internal Auditing of the Institute of
Internal Auditors;

 The Code of Ethics;

 The Internal Audit Charter of the European Medicines Agency approved by the Management
Board;

 European Medicines Agency Audit Manual;

 to outline the procedure for establishing the auditors’ risk assessment and assurance map;

 to outline the procedure for establishing the audit strategy and annual audit programme for year
N+1 for internal audit activities within the European Medicines Agency;

 to ensure that the rolling programme for years N+2 and N+3 is maintained;

 to ensure that Trackwise procedure for the annual audit programme is used consistently and
correctly;

30 Churchill Place ● Canary Wharf ● London E14 5EU ● United Kingdom

Telephone +44 (0)20 3660 6000 Facsimile +44 (0)20 3660 5555
Send a question via our website www.ema.europa.eu/contact An agency of the European Union

© European Medicines Agency, 2017. Reproduction is authorised provided the source is acknowledged.
 to outline the procedure for establishing the Annual Audit Report;

It applies to all internal audits conducted at the European Medicines Agency, including audits
conducted with outsourced resources under the direct lead of a member of the Audit Function (e.g. IT
audits, EC framework contract) and follow-up audits respectively.

This SOP is not applicable to audits conducted by the Internal Audit Service of the European
Commission and by the Court of Auditors.

2. Scope
This SOP applies to all the Agency, and especially the Audit Function, auditee management and
auditees.

3. Responsibilities
It is the responsibility of the Head of Audit to ensure adherence to this procedure in particular to
complete all work with due professional care, objectivity and according to the relevant professional
standards.

It is the responsibility of the Executive Director and auditee management to ensure adherence to this
procedure, in particular that:

 the objective of the engagement all information and documents relevant for the scope and
objective of the audit are provided in time;

 all contradictory procedures are performed within the established deadlines;

 management’s improvement action plan is prepared and effectively implemented or that senior
management has accepted the risk of not taking action and that this is properly communicated in
writing;

 appropriate attention is given to addressing any recommendations raised by the auditors.

All staff audited in line with this SOP must follow the rules defined herein and help ensure the smooth
running of an audit.

The Management Board will be informed on the audit findings and recommendations and on the status
of implementation of improvement actions for issued recommendations in line with the relevant
provisions.

4. Changes since last revision

The SOP has been updated to formalize processes which are taken into consideration during the audit
process.

 assessing the audit team and determine if the team possesses’ adequate skills, knowledge and
experience to lead the audit activities.

 identifying lead auditor for each audit carried out in year N+1 formalised

 midyear review process

 deadlines between steps in the process have been updated.

Standard operating procedure

EMA/466177/2017 Page 2/14
There have been other changes in the IIA audit standards, the AF-AUD audit charter and the Code of
Ethics however these changes have not affected this SOP.

5. Documents needed for this SOP

All the below documents/templates can be found on the:

x-drive:\Auditpractices\Checklistsandtemplates

 Audit Plan template

 Audit Report template

 Guideline to complete internal audit reports

 Audit Feedback questionnaire

 Contradictory Procedure template

 Annual Audit Report template

 Checklist for Reviewing Audit Reports for validators

SOP/EMA/0121 - How to conduct a procurement procedure: available on the public EMA webpage.

6. Related documents
 Regulation (EC) No 726/2004, as amended.

 Financial Regulation applicable to the budget of the European Medicines Agency as adopted by the
Management Board, as adopted by the Management Board on 15 January 2014.

 Regulation of the European Medicines Agency laying down detailed rules for the implementation of
certain provisions of the Financial Regulation for the Agency as adopted by the Management Board
on 20 March 2014.

 The International Standards for the Professional Practice of Internal Auditing of the Institute of
Internal Auditors.

 The Code of Ethics.

 EMA Risk Register

 The Internal Audit Charter of the European Medicines Agency, as adopted by the Management
Board on 15 June 2017.

 European Medicines Agency Internal Audit Manual.

 User manual for tracking internal audits, recommendations and actions in Trackwise.

 Memo on grading of findings.

7. Definitions
Day: working day, excluding weekends, Agency’s holidays, business disasters

IIA: Institute of Internal Auditors

Standard operating procedure

EMA/466177/2017 Page 3/14
IQMCo: Integrated Quality Management Coordinator

ED: Executive Director

DED: Deputy Executive Director

EEB: Executive Board

Head of AF-AUD: Head of Advisory Function – Audit

HoDiv – Head of Division

HoDep – Head of Department

IAP(s): improvement action plan(s)

MB – Management Board

TW: TrackWise (The Agency’s electronic audit tracking management system)

For the main definitions refer to Glossary as per the Internal Audit Manual

Standard operating procedure

EMA/466177/2017 Page 4/14
8. Process ma p(s)/ flow chart(s)
SOP 25 (Page 1)

Head of Head of IQM

AF-AUD EXB MB
Divisions Department Cordinators

START

1a) Revise risk 1b) Provide

assessment and suggestions on Audit
assurance map areas

2) Determine which
areas require an audit

3) Assess Audit Team

Skills and experience

4) Draft Audit Strategy

and annual
programme

5) Provide input on the draft Audit Strategy and annual audit programme

6a) Finalise Draft

Audit Strategy and
annual programme

Yes

7) Provide
Comments

8) Approval of
No
plan

9) Review Draft
strategy and audit
plan
Yes

10) Final audit

Strategy and plan
6b) Midyear review

11) Communicate
Audit Strategy and
Annual plan

12) Identify Lead

Auditor
Preparation of Audit Strategy and Annual Audit Plan

Go to
13

Standard operating procedure

EMA/466177/2017 Page 5/14
 SOP 25 (Page 2)

AF-AUD AF-AUD (Lead Auditor) Management and

AF-AUD (Head of Audit) Timeline
(Admin support) IQMCo

From
12

13) Does the expertise

Yes need to be insourced?

No - 60 days opening
14) Follow SOP 0121 meeting

15) Request - 30 days opening

Documents from meeting
Auditees

16) Draft Audit plan and Risk - 25 days opening

Assessment (Checklist, meeting
questionnaires, surveys,

17) Approves audit plan

No
and risk assessment

Yes

18) Send draft audit plan to - 20 days opening

Auditee Management and meeting
IQM Co

- 15 days opening
19) Provide Input to
meeting
draft audit plan

- 10 days opening
20) Update Draft meeting

21) Approves audit

plan
- 10 days opening
meeting

- 1 day opening
22) Send final draft audit meeting
plan to auditees

Go to
23
Planning of Audit

Standard operating procedure

EMA/466177/2017 Page 6/14
 SOP 25 (Page 3)

AF-AUD Management/ IQM

AF-AUD (Head of Audit) AF-AUD (Lead Auditor) Timeline
(Admin support) Coordinators

From
22

23) Opening meeting Day 0

24) Finalise audit

plan

25) Fieldwork

26) End of field work 20 days from

No Prepare Draft Audit opening meeting
report

27) Agreement
on findings
and report

Yes

28) Closing meeting Day 1

29) Finalise audit

report after exit Day 4
meeting commenst

30) Start Day 5

contradictory
Procedure

31) Add comments

to the report Day 15
No following the
contradictory
procedure template

32) Approve Day 24

Final Report

Yes

33b) Respond to the

comments that
have not been Day 25
accepted explaining
why 33a) Initiate IAP
Process

Step 33a + 15 days

34) Prepare IAP

35) Review IAP and

Step 33a + 20 days
discuss with Head of
Audit
36) Agree with
IAP
Planning and conduct of audit

No
Yes
37) Send comments to Go to
Management 38 Step 33a + 21 days

Go to 41

Standard operating procedure

EMA/466177/2017 Page 7/14
 SOP 25 (Page 4)

Management and
ED AF-AUD (Head of Audit) AF-AUD (Lead Auditor) Timeline
IQMCo
From
37

No

38) Management
agrees with AF-AUD
suggestions

No

39) Discuss
Step 33a + 23 days
differences on the
action plan with ED

40) Agree on the

Yes
final IAP

41a) Release Final

41b) Release IAP
Report

Step 33a + 25 days

42a) Release the

Audit Feedback 42b) Add Actions to
Questionnaire trackwise

43) Evaluate
feedback and Step 40 + 15 days
communicate with
Lead Auditor

44) Provide
evidence to close an
action

No

45) Agree with

evidence

Yes

46) Close action in

trackwise

47) Close
Recommendation

48) Prepare Annual

Report for the
Conduct of audit and drafting of report

management Board

End

Standard operating procedure

EMA/466177/2017 Page 8/14
9. Procedure
Step Action Responsibility

Preparation of Audit Strategy and audit programmes

1 a) Each Year in August, review the auditors’ risk assessment and AF-AUD
assurance maps. The audit strategy (which includes the audit
programme for year N+1 and rolling programme of audits for year
N+2 and N+3) should begin being drafted.

b) Provide information on the audit requirements in all operational HoDiv and DED
and support areas

2 Determine which activities and/or projects require audit. AF-AUD

3 Assess the Audit Team and determine if the team possesses’ AF-AUD
adequate skills, knowledge and experience to lead the audit
activities.

4 Draft the audit strategy, annual audit programme for N+1 and AF-AUD
rolling audit programme for year N+2 and N+3.

5 The Executive Group, HoDiv, HoDep and IQMCo provide input to EXB HoDep and
the draft Audit Strategy, annual audit programme for N+1 and IQMCo
rolling audit programme for year N+2 and N+3.

6 a) Complete draft audit strategy and annual programme based on AF-AUD

input provided.

b) Midyear review drafted based on previous consultations and

AF-AUD
input provided by stakeholders.

7 The Executive Group discusses and agrees on the updated draft EXB
audit strategy, audit programme for year N+1 and rolling
programme for year N+2 and N+3. Comments are then provided
on audit strategy and annual programme.

8 MB approves the annual audit programme for year N+1 MB

If not approved go to step 9.

If approved go to step 10

9 Review audit plan based on previous recommendations from MB AF-AUD

then repeat step 8.

10 Finalize audit strategy, annual audit programme for N+1 and MB

rolling audit programme for year N+2 and N+3

11 Communicate the agreed audit strategy, annual audit programme AF-AUD

for N+1 and rolling audit programme for year N+2 and N+3. Notify
year N+1 to Heads of Division, Heads of Department and IQMCo.
Publish it on the Internal Audit website.

Standard operating procedure

EMA/466177/2017 Page 9/14
 Step Action Responsibility

12 Identify lead auditor for each audit carried out in year N+1. AF-AUD

Planning of Audit

13 Decide if for an audit, expertise needed to be insourced Head of AF-AUD

(Framework contract) .

If yes, and the framework contract needs to be used go to

step 14.

If the audit is conducted by EMA auditors go to step 15.

14 Opening Meeting -60 days AF-AUD (Admin

Support)
Follow SOP/EMA/0121 to insource auditors (framework contract).

15 Opening meeting -30 days AF-AUD Lead

Auditor
Request information and/or documents from the auditee
management and IQMCo.

16 Opening meeting -25 days AF-AUD Lead

Auditor
Draft audit plan, checklists, surveys and/or questionnaires and
send to Head of Audit and backup on electronic document
management system.

17 Review and decide if to approve draft audit plan and risk Head of AF-AUD
assessment

If not approved repeat step 16.

If approved go to step 18.

18 Opening meeting -20 days AF-AUD Lead

Auditor
Send draft audit plan to auditee management and auditee IQMCo
for input.

19 Opening meeting -15 days Management and

IQMCo
Provide input in order to finalise audit plan on the basis of that
scope, objective and samples of engagement.

20 Opening meeting -10 days AF-AUD Lead

Auditor
Consider the comments/input from auditee management and
auditee IQMCo. Update draft audit plan.

21 Opening meeting -10 days Head of AF-AUD

Approve audit plan

Standard operating procedure

EMA/466177/2017 Page 10/14
 22 Opening meeting -1 day AF-AUD Lead
Auditor
Send final audit plan to auditee management and auditee IQMCo.

Planning and conduct of audit

23 Opening Meeting Head of AF-AUD,

AF-AUD Lead
Auditor,
Management/
IQMCo

24 Consider auditee input from opening meeting. Finalise audit plan. AF-AUD Lead
Auditor

25 Fieldwork (5 days or 10 days from opening meeting) AF-AUD Lead

Auditor
 Follow the checklists and questionnaires developed and ensure
all steps described are covered.

 Complete and record all working documents/ questionnaires.

 Discuss potential issues through appropriate channels;

including those detected which may fall outside the original
scope of the audit. If necessary, inform ED/auditee
management and auditee IQMCo of any major issues as and
when they are detected.

 Collect evidence to document all findings detected.

 Finalise audit working papers and cross-referencing of audit

evidence.

 Finalise the Checklist for Reviewing Audit Observation

Worksheets and Supporting Evidence and the Checklist for
Reviewing Working Papers.

 For any documentation received in paper, copies are filed in

audit master file; electronic documents are filed in the Agency’s
electronic document management system in the relevant audit
folder.

26 End of fieldwork + 20 days AF-AUD Lead

Auditor
Prepare Draft Audit Report

 Prepare a preliminary draft audit report ensuring that

recommendations are properly graded.

 Report should be saved in the appropriate folder in the

electronic document management system.

 Circulate it for review/input among audit team members.

 Use guideline to complete internal audit reports.

 Send preliminary draft audit report to validator and Head of AF-

Standard operating procedure

EMA/466177/2017 Page 11/14
 AUD for review and approval.

27 Closing meeting - 1 Head of AF-AUD

Agreement on findings and report

 Receive, validate and approve the preliminary draft audit

report.

 Use the Checklist for Reviewing Audit Reports for validators.

 Send the preliminary draft report to auditee management.

If agreement is not reached repeat step 26.

If agreement continue to step 28

28 Closing Meeting day 1 Head of AF-AUD,

AF-AUD Lead
Auditor,
Management/
IQMCo
29 Closing meeting +4 days: AF-AUD Lead
Auditor
Finalise audit report taking into consideration input from auditees
raised during closing meeting.

30 Closing meeting +5 days: AF-AUD Lead

Auditor
Start contradictory procedure by sending Management and IQMCo
template.

31 Closing meeting +15 days: Management/

IQMCo
Add comments to the report following the contradictory procedure
template

 Review the draft audit report.

 Complete and return Contradictory Procedure form.

32 Closing meeting + 24 days: Head of AF-AUD

Approve final report

 Validates the draft audit report and completes the Checklist for
Quality Assurance Review.

 Approval of draft audit report by Head of AF-AUD: final audit

report.

If not approved repeat step 31

If approved go to step 33.

33 Closing meeting : +25 days AF-AUD Lead

Auditor
a) Initiate IAP Process

 Draft IAP(s), with indication of start and end date of

Standard operating procedure

EMA/466177/2017 Page 12/14
 completion, person responsible.

 Use Improvement Action Plan (IAPs) template.

If recommendations are not accepted management should state

reasons, suggest alternatives and accept the risk.

Extensions might be granted on written request only. No extension

shall be granted for critical recommendations but for cases when a
reasonable justification is provided and following a consensus of
Head of AF-AUD and ED.

b) Respond to the comments that have not been accepted during

the contradictory explaining why

34 Date of IAPs process initiated +15 days: Management/

IQMCo
Prepare IAP and send to lead auditor for review

35 Date of IAPs process initiated +20 days: AF-AUD Lead

Auditor
Review IAP(s) submitted by auditee management and IQMCo and
discuss with Head of Audit

36 Date of IAPs process initiated +20 days: Head of AF-AUD

Agree with IAP

 If IAP(s) is (are) found acceptable, go to step 38.

 If IAP(s) is (are) not found acceptable, state reason(s), suggest

alternatives(s), if possible, and return IAP(s) to auditee
management for action. Continue with step 37.

37 Date of IAPs process initiated +21 days AF-AUD Lead

Auditor
Send comments to auditee management

 Revise non-acceptable IAP(s) and define new actions and

deadline(s);

 Send the reviewed IAP(s) to audit team.

38 Management agree with AF-AUD suggestions Management and

IQMCo
If no agreement go to step 39.

If agreement go to step 41.

39 Date of IAPs process initiated +23 days: Head of AF-AUD

Discuss differences with management of the action plan with the

ED

40 Agree on the final IAP(s) to address recommendations. ED

41 Date of IAPs process initiated +25 days: AF-AUD Lead

Auditor
a) Release the final audit report with b) accepted IAP(s) and the

Standard operating procedure

EMA/466177/2017 Page 13/14
 completed Contradictory Procedure form to ED, DED, Heads of
Division and Department, all IQMCo.

42 Date of IAPs process initiated +25 days:

42a) Release audit feedback questionnaire Head of AF-AUD

Management and
42b) Enter improvement actions into TrackWise
IQMCo

43 Date of finalising IAP(s) +15 days: Head of AF-AUD

Evaluate feedback obtained from questionnaire and communicate

results with lead auditor

44 Auditee management implements the actions within deadline(s) Management and

indicated in IAP and provides evidence to close action. IQMCo

45 Review the action(s) taken. Head of AF-AUD

Decide whether the action(s) address or not the recommendations

If yes, go to step 46

If not, repeat step 44

46 Close action in TW IQMCo

47 Once all actions are closed, the recommendation should be closed AF-AUD Lead
within TW Auditor

48 Prepare the Annual Audit report to the Management Board, as Head of AF-AUD
requested by art. 84.1 of the Agency’s Financial Regulation, on the
basis of the audits conducted during the given year, including all
IAPs during that period and send it to the MB for information.

This report should be sent at the time that the Annual Activity
Report is submitted to the Management Board.

10. Records
Audit reports and all audit related records (audit plans, checklists, questionnaires, working papers,
handwritten notes, documents sent by auditee management, etc.) are to be kept in the Agency’s
electronic document management system in the relevant folder: Cabinet/06 Corporate
Governance/06.6 Audit/Internal Audit/Annual Audit Programme/YYYY.

Based on Financial Regulation Art 99, 6 “The reports and findings of the internal auditor, as well as the
report of the institution, shall be accessible to the public only after validation by the internal auditor of
the action taken for their implementation”. All other working papers should be considered confidential
and for internal use of auditees and AF-AUD only.

Standard operating procedure

EMA/466177/2017 Page 14/14