Standard operating procedure

Title: Audit programmes and internal audits conducted by the Audit Advisory Function
Status: Public
Document no.: SOP/EMA/0025
Effective date: 22/07/2020
Review date: 22/07/2022
Supersedes: SOP/EMEA/0025 (16-OCT-17)
TrackWise record no.: 5530

Lead author
Name: Edit Weidlich
Signature: On file
20/07/2020

Approver
Name: Guido Rasi
Signature: On file
20/07/2020

Official address: Domenico Scarlattilaan 6, 1083 HS Amsterdam, The Netherlands
+31 (0)88 781 6000
An agency of the European Union
European Medicines Agency, 2020. Reproduction is authorised provided the source is acknowledged.

1. Purpose

The purpose of this SOP is:
- to describe the procedure for the internal audit engagement process (including planning, conduct, communication, contradictory procedure, quality assessment, final report, action plan and any follow-up actions) conducted in line with:
  - Financial Regulation applicable to the Budget of the European Medicines Agency, as adopted by the Management Board;
  - Relevant legislation in the fields of human and veterinary medicines;
  - The International Standards for the Professional Practice of Internal Auditing of the Institute of Internal Auditors;
  - AF-AUD’s Code of Ethics;
  - The Internal Audit Charter of the European Medicines Agency approved by the Management Board;
  - European Medicines Agency Audit Manual;
- to outline the procedure for establishing the auditors’ risk assessment and assurance map;
- to outline the procedure for establishing the audit strategy and annual audit programme for year N+1 for internal audit activities within the European Medicines Agency;
- to ensure that the rolling programme for years N+2 and N+3 is maintained;
- to ensure that Trackwise procedure for the annual audit programme is used consistently and correctly;

- to outline the procedure for establishing the Annual Audit Report;

It applies to all internal audits conducted at the European Medicines Agency, including audits conducted with outsourced resources under the direct lead of a member of the Audit Function (e.g. IT audits, EC framework contract) and follow-up audits respectively.

This SOP is not applicable to audits conducted by the Internal Audit Service of the European Commission and by the Court of Auditors.

2. Scope

This SOP applies to all the Agency, and especially the Audit Function, auditee management and auditees.

3. Responsibilities

It is the responsibility of the Head of Audit to ensure adherence to this procedure, in particular to complete all work with due professional care, objectivity and according to the relevant professional standards.

It is the responsibility of the Executive Director and auditee management to ensure adherence to this procedure, in particular that:
- the objective of the engagement all information and documents relevant for the scope and objective of the audit are provided in time;
- all contradictory procedures are performed within the established deadlines;
- management’s improvement action plan is prepared and effectively implemented or that senior management has accepted the risk of not taking action and that this is properly communicated in writing;
- appropriate attention is given to addressing any recommendations raised by the auditors.

All staff audited in line with this SOP must follow the rules defined herein and help ensure the smooth running of an audit.

The Management Board will be informed on the audit findings and recommendations and on the status of implementation of improvement actions for issued recommendations in line with the relevant provisions.

4.
Changes since last revision

The SOP has been updated to formalize processes which are taken into consideration during the audit process, especially the requirements of the new Data Protection legislation applicable to EMA (EU DPR), effective as of 11 December 2018.

There have been other changes in the AF-AUD audit charter and the Code of Ethics; however, these changes have not affected this SOP.

5. Documents needed for this SOP

All the below documents/templates can be found on

Standard operating procedure - PUBLIC, SOP/EMA/0025, 22-JUL-20, Page 2/14

- Audit Plan template
- Audit Report template
- Guideline to complete internal audit reports
- Audit Feedback questionnaire
- Contradictory Procedure template
- Annual Audit Report template
- Checklist for Reviewing Audit Reports for validators
- SOP/EMA/0121 - How to conduct a procurement procedure: available on the public EMA webpage.

6. Related documents

- Regulation (EC) No 726/2004, as amended.
- Financial Regulation applicable to the budget of the European Medicines Agency, applicable from 1 July 2019, adopted by the MB on 13 June 2019.
- Financial Regulation applicable to the General EU Budget Art 118, 9.
- The International Standards for the Professional Practice of Internal Auditing of the Institute of Internal Auditors.
- The Code of Ethics.
- EMA Risk Register.
- The Internal Audit Charter of the European Medicines Agency, as adopted by the Management Board.
- European Medicines Agency Internal Audit Manual.
- User manual for tracking internal audits, recommendations and actions in Trackwise.
- Memo on grading of findings.

7. Definitions

Day: working day, excluding weekends, Agency’s holidays, business disasters
IIA: Institute of Internal Auditors
IQMCo: Integrated Quality Management Coordinator
ED: Executive Director
DED: Deputy Executive Director
EXB: Executive Board
Head of AF-AUD: Head of Advisory Function – Audit
HoDiv: Head of Division
HoDep: Head of Department
HoTF: Head of Task Force

IAP(s): improvement action plan(s)
MB: Management Board
TW: TrackWise (The Agency’s electronic audit tracking management system)

For the main definitions refer to Glossary as per the Internal Audit Manual

8. Process map(s)/flow chart(s)

[Flow chart, SOP 25 (Page 1): Preparation of Audit Strategy and Annual Audit Plan. Lanes: AF-AUD, Head of Divisions, Head of Department, IQM Coordinators, EXB, MB. Covers steps 1a to 12, then continues at step 13.]

[Flow chart, SOP 25 (Page 2): Planning of Audit. Lanes: AF-AUD (Admin support), AF-AUD (Lead Auditor), AF-AUD (Head of Audit), Management and IQMCo, Timeline. Covers steps 13 to 22, from 60 days before to 1 day before the opening meeting, then continues at step 23.]

[Flow chart, SOP 25 (Page 3): Planning and conduct of audit. Lanes: AF-AUD (Admin support), Management/IQM Coordinators, AF-AUD (Lead Auditor), AF-AUD (Head of Audit), Timeline. Covers steps 23 to 37, then continues at step 38 or step 41.]

[Flow chart, SOP 25 (Page 4): Conduct of audit and drafting of report. Lanes: ED, AF-AUD (Head of Audit), Management and IQMCo, AF-AUD (Lead Auditor), Timeline. Covers steps 38 to 48, then End.]

9. Procedure

Preparation of Audit Strategy and audit programmes

Step 1
a) Responsibility: AF-AUD
   Action: Each year in August, review the auditors’ risk assessment and assurance maps. The audit strategy (which includes the audit programme for year N+1 and rolling programme of audits for year N+2 and N+3) should begin being drafted.
b) Responsibility: HoDiv and DED
   Action: Provide information on the audit requirements in all operational and support areas.

Step 2
Responsibility: AF-AUD
Action: Determine which activities and/or projects require audit.

Step 3
Responsibility: AF-AUD
Action: Assess the Audit Team and determine if the team possesses adequate skills, knowledge and experience to lead the audit activities.

Step 4
Responsibility: AF-AUD
Action: Draft the audit strategy, annual audit programme for N+1 and rolling audit programme for year N+2 and N+3.

Step 5
Responsibility: EXB, HoDep and IQMCo
Action: The Executive Board, HoDiv, HoDep and IQMCo provide input to the draft Audit Strategy, annual audit programme for N+1 and rolling audit programme for year N+2 and N+3.

Step 6
a) Responsibility: AF-AUD
   Action: Complete draft audit strategy and annual programme based on input provided.
b) Responsibility: AF-AUD
   Action: Midyear review drafted based on previous consultations and input provided by stakeholders.

Step 7
Responsibility: EXB
Action: The Executive Board discusses and endorses the updated draft audit strategy, audit programme for year N+1 and rolling programme for year N+2 and N+3. Comments are provided on the audit strategy and annual programme.

Step 8
Responsibility: MB
Action: MB approves the annual audit programme for year N+1.
If not approved go to step 9.
If approved go to step 10.

Step 9
Responsibility: AF-AUD
Action: Review audit plan based on previous recommendations from MB then repeat step 8.

Step 10
Responsibility: MB
Action: Finalise audit strategy, annual audit programme for N+1 and rolling audit programme for year N+2 and N+3.

Step 11
Responsibility: AF-AUD
Action: Communicate the agreed audit strategy, annual audit programme for N+1 and rolling audit programme for year N+2 and N+3. Notify year N+1 to Heads of Division, Heads of Department and IQMCo. Publish it on the Internal Audit website.

Step 12
Responsibility: AF-AUD
Action: Identify lead auditor for each audit carried out in year N+1.

Planning of Audit

Step 13
Responsibility: Head of AF-AUD
Action: Decide whether, for an audit, expertise needs to be insourced (Framework contract).
If yes, and the framework contract needs to be used go to step 14.
If the audit is conducted by EMA auditors go to step 15.

Step 14
Responsibility: AF-AUD (Admin Support)
Action: Opening meeting -60 days
Follow SOP/EMA/0121 to insource auditors (framework contract).

Step 15
Responsibility: AF-AUD Lead Auditor
Action: Opening meeting -30 days
Request information and/or documents from the auditee management and IQMCo.

Step 16
Responsibility: AF-AUD Lead Auditor
Action: Opening meeting -25 days
Send draft audit plan, checklists, surveys and/or questionnaires and assessment of private data risk to Head of Audit and backup on electronic document management system.

Step 17
Responsibility: Head of AF-AUD
Action: Review and decide whether to approve draft audit plan and risk assessment.
If not approved repeat step 16.
If approved go to step 18.

Step 18
Responsibility: AF-AUD Lead Auditor
Action: Opening meeting -20 days
Send draft audit plan to auditee management and auditee IQMCo for input.

Step 19
Responsibility: Management and IQMCo
Action: Opening meeting -15 days
Provide input in order to finalise audit plan on the basis of that scope, objective and samples of engagement.

Step 20
Responsibility: AF-AUD Lead Auditor
Action: Opening meeting -10 days
Consider the comments/input from auditee management and auditee IQMCo. Update draft audit plan.

Step 21
Responsibility: Head of AF-AUD
Action: Opening meeting -10 days
Approve draft audit plan.

Step 22
Responsibility: AF-AUD Lead Auditor
Action: Opening meeting -1 day
Send final audit plan, including privacy notice (and) record of personal data processing to auditee management and auditee IQMCo.

Planning and conduct of audit

Step 23
Responsibility: Head of AF-AUD, AF-AUD Lead Auditor, Management/IQMCo
Action: Opening Meeting

Step 24
Responsibility: AF-AUD Lead Auditor
Action: Consider auditee input from opening meeting. Finalise audit plan.

Step 25
Responsibility: AF-AUD Lead Auditor
Action: Fieldwork (5 days or 10 days from opening meeting)
- Follow the checklists and questionnaires developed and ensure all steps described are covered.
- Complete and record all working documents/questionnaires.
- Discuss potential issues through appropriate channels; including those detected which may fall outside the original scope of the audit. If necessary, inform ED/auditee management and auditee IQMCo of any major issues as and when they are detected.
- Collect evidence to document all findings detected.
- Finalise audit working papers and cross-referencing of audit evidence.
- Finalise the Checklist for Reviewing Audit Observation Worksheets and Supporting Evidence and the Checklist for Reviewing Working Papers.
- For any documentation received in paper, copies are filed in audit master file; electronic documents are filed in the Agency’s electronic document management system in the relevant audit folder.

Step 26
Responsibility: AF-AUD Lead Auditor
Action: End of fieldwork + 20 days
Prepare preliminary Draft Audit Report
- Prepare a preliminary Draft Audit Report ensuring that recommendations are properly graded.
- Report should be saved in the appropriate folder in the electronic document management system.
- Circulate it for review/input among audit team members.
- Use guideline to complete internal audit reports.

- Send preliminary Draft Audit Report to validator and Head of AF-AUD for review and approval.

Step 27
Responsibility: Head of AF-AUD
Action: Closing meeting - 1
Agreement on findings and report
- Receive, validate and approve the preliminary draft audit report.
- Use the Checklist for Reviewing Audit Reports for validators.
- Send the preliminary draft report to auditee management.
If agreement is not reached repeat step 26.
If agreement continue to step 28.

Step 28
Responsibility: Head of AF-AUD, AF-AUD Lead Auditor, Management/IQMCo
Action: Closing Meeting day 1

Step 29
Responsibility: AF-AUD Lead Auditor
Action: Closing meeting + 4 days:
Finalise audit report taking into consideration input from auditees raised during closing meeting.

Step 30
Responsibility: AF-AUD Lead Auditor
Action: Closing meeting + 5 days:
Start contradictory procedure by sending Management and IQMCo template.

Step 31
Responsibility: Management/IQMCo
Action: Closing meeting + 15 days:
Add comments to the report following the contradictory procedure template
- Review the draft audit report.
- Complete and return Contradictory Procedure form.

Step 32
Responsibility: Head of AF-AUD
Action: Closing meeting + 24 days:
Approve final report
- Validates the audit report and completes the Checklist for Quality Assurance Review.
- Approval of audit report by Head of AF-AUD: final audit report.
If not approved repeat step 31.
If approved go to step 33.

Step 33
Responsibility: AF-AUD Lead Auditor
Action: Closing meeting + 25 days:
a) Initiate IAP Process
- Draft IAP(s), with indication of start and end date of completion, person responsible.

- Use Improvement Action Plan (IAPs) template.
If recommendations are not accepted management should state reasons, suggest alternatives and accept the risk.
Extensions might be granted on written request only. No extension shall be granted for critical recommendations but for cases when a reasonable justification is provided and following a consensus of Head of AF-AUD and ED.
b) Respond to the comments that have not been accepted during the contradictory explaining why

Step 34
Responsibility: Management/IQMCo
Action: Date of IAPs process initiated + 15 days:
Prepare IAP and send to lead auditor for review.

Step 35
Responsibility: AF-AUD Lead Auditor
Action: Date of IAPs process initiated + 20 days:
Review IAP(s) submitted by auditee management and IQMCo and discuss with Head of Audit.

Step 36
Responsibility: Head of AF-AUD
Action: Date of IAPs process initiated + 20 days:
Agree with IAP
- If IAP(s) is (are) found acceptable, go to step 38.
- If IAP(s) is (are) not found acceptable, state reason(s), suggest alternative(s), if possible, and return IAP(s) to auditee management for action. Continue with step 37.

Step 37
Responsibility: AF-AUD Lead Auditor
Action: Date of IAPs process initiated + 21 days
Send comments to auditee management
- Revise non-acceptable IAP(s) and define new actions and deadline(s);
- Send the reviewed IAP(s) to audit team.

Step 38
Responsibility: Management and IQMCo
Action: Management agree with AF-AUD suggestions.
If no agreement go to step 39.
If agreement go to step 41.

Step 39
Responsibility: Head of AF-AUD
Action: Date of IAPs process initiated + 23 days:
Discuss differences with management on the action plan with the ED.

Step 40
Responsibility: ED
Action: Agree on the final IAP(s) to address recommendations.

Step 41
Responsibility: AF-AUD Lead Auditor
Action: Date of IAPs process initiated + 25 days:
a) Release the final audit report with b) accepted IAP(s) and the completed Contradictory Procedure form to ED, DED, Heads of Division and Department, all IQMCo.

Step 42
Action: Date of IAPs process initiated + 25 days:
42a) Responsibility: Head of AF-AUD
     Release audit feedback questionnaire
42b) Responsibility: Management and IQMCo
     Enter improvement actions into TrackWise

Step 43
Responsibility: Head of AF-AUD
Action: Date of finalising IAP(s) + 15 days:
Evaluate feedback obtained from questionnaire and communicate results with lead auditor.

Step 44
Responsibility: Management and IQMCo
Action: Auditee management implements the actions within deadline(s) indicated in IAP and provides evidence to close action.

Step 45
Responsibility: Head of AF-AUD
Action: Review the action(s) taken.
Decide whether the action(s) address or not the recommendations.
If yes, go to step 46.
If not, repeat step 44.

Step 46
Responsibility: IQMCo
Action: Close action in TW.

Step 47
Responsibility: AF-AUD Lead Auditor
Action: Once all actions are closed, the recommendation should be closed within TW.

Step 48
Responsibility: Head of AF-AUD
Action: Prepare the Annual Audit report to the Management Board, as requested by art. 80.1 of the Agency’s Financial Regulation, on the basis of the audits conducted during the given year, including all IAPs during that period and send it to the MB for information. This report should be sent at the time that the Annual Activity Report is submitted to the Management Board.

10. Records

Audit reports and all audit related records (audit plans, checklists, questionnaires, working papers, handwritten notes, documents sent by auditee management, etc.) are to be kept in the Agency’s electronic document management system in the relevant folder: Cabinet/06 Corporate Governance/06.6 Audit/Internal Audit/Annual Audit Programme/YYYY.

Based on Financial Regulation applicable to the General EU Budget Art 118, 9 “The reports and findings of the internal auditor, as well as the report of the institution, shall be accessible to the public only after validation by the internal auditor of the action taken for their implementation”. All other working papers should be considered confidential and for internal use of auditees and AF-AUD only.
