Internal Audits for Cannabis and GMP Facilities: A Complete Guide

Every licensed cannabis producer, pharmaceutical manufacturer and natural health product company in Canada shares one quiet truth: the day a Health Canada inspector arrives is not the day to discover a compliance gap. By then the finding is already on paper. A well run internal audit programme is how disciplined organizations find and fix those gaps first, on their own terms, long before a regulator does.

This guide explains what an internal audit is, why it matters for cannabis and other regulated facilities, how it connects to Health Canada Good Production Practices, and how to build a programme that holds up under inspection. It is written for CEOs, founders, Quality Assurance Persons (QAPs), and quality and regulatory managers who carry the weight of compliance every day. At MF License and Regulatory Consultants (MFLRC), we have spent more than twenty years building and auditing quality systems across cannabis, pharmaceuticals, natural health products and food, and the patterns that separate inspection-ready sites from troubled ones are remarkably consistent.

Executive Summary

An internal audit is a planned, independent and documented check of whether your quality system actually works the way your procedures say it should. It is one of the most cost-effective tools a regulated business has, because it converts hidden risk into a managed corrective action before that risk becomes a recall, a critical observation, or a licence suspension.

Key takeaways:

Internal audits are a quality system expectation, not an optional extra. Health Canada Good Production Practices, EU-GMP and ISO management system standards all rely on the principle of regular self-inspection.
They protect your licence. Internal audits surface problems with records, training, sanitation and recall readiness while you can still fix them quietly.
Independence and competence are everything. An audit by someone who cannot objectively assess the area, or who does not understand the regulations, offers false comfort.
Findings are only useful when closed. A finding without a root cause analysis and a verified corrective and preventive action (CAPA) is just a note.
2025 brought more QAP flexibility. Health Canada streamlining amendments that came into force on March 12, 2025 let processing licence holders name more than two alternate QAPs and let the QAP delegate activities while keeping overall accountability.

What Is an Internal Audit?

In short: an internal audit is an independent, objective and systematic review, performed by or on behalf of an organization, that checks whether its own processes, records and controls meet regulatory requirements and internal procedures, and that recommends improvements.

The Institute of Internal Auditors describes the role of internal audit as providing independent assurance that an organization's risk management, governance and internal control processes are operating effectively. In a regulated manufacturing setting, that translates into a practical question asked again and again: does what we actually do on the floor match what our SOPs, our licence and the regulations require?

Internal audits differ from day-to-day quality checks. A line operator confirming a batch record is complete is doing in-process verification. An internal audit steps back and asks whether the whole batch record system is designed, followed and documented well enough to withstand scrutiny. The 2024 Global Internal Audit Standards from the Institute of Internal Auditors, which became effective on January 9, 2025, organize this work around clear principles of objectivity, competence and evidence-based conclusions.

Why Internal Audits Matter for Cannabis and Regulated Facilities

Why it matters: in regulated industries, the cost of a problem rises sharply the later it is found. An issue caught in an internal audit might cost a few hours of corrective work. The same issue caught in a Health Canada inspection can trigger a critical observation, a recall, holds on product release, or action against your licence.

Cannabis entrepreneurs face many risks, but few loom as large as compliance failures. Producers operate under the Cannabis Act and the Cannabis Regulations, and many also carry obligations under the Safe Food for Canadians Regulations for edibles, plus provincial rules for retail and distribution. An internal audit programme is how a company keeps all of these moving parts aligned at once.

There is also a commercial case. Buyers, investors and international partners increasingly ask to see audit history and CAPA records during due diligence. A producer pursuing export to the European Union, for example, will be expected to demonstrate a mature self-inspection programme as part of its path toward EU-GMP. A strong internal audit record signals operational maturity to everyone who matters.

Internal Audits and Health Canada Good Production Practices

What to do: map your internal audit scope directly to the Good Production Practices requirements under Part 5 of the Cannabis Regulations, so that every GPP element is examined on a defined schedule.

Good Production Practices are the controls that ensure cannabis is produced consistently and is safe for consumers. The Good Production Practices Guide for Cannabis published by Health Canada sets out expectations for sanitation, premises and equipment, standard operating procedures, recordkeeping, testing, and the role of the Quality Assurance Person. Internal audits are the practical mechanism that confirms these controls are working between inspections.

The QAP sits at the centre of this system. The QAP is responsible for the quality of the cannabis produced and for investigating complaints. The QAP and any alternate QAP must hold a valid security clearance when they begin the role. Following the streamlining amendments that came into force on March 12, 2025, processing licence holders may now name more than two alternate QAPs, and the QAP may delegate activities such as lot or batch approval to qualified individuals while retaining overall accountability. You can review the official summary of changes following the streamlining of regulations on Canada.ca.

Typical GPP areas an internal audit should cover:

GPP area	What the audit checks	Common evidence reviewed
Sanitation program	Cleaning is scheduled, performed and verified	Cleaning logs, sanitation SOPs, swab results
Premises and equipment	Design supports contamination control and maintenance	Calibration records, preventive maintenance logs
Standard operating procedures	SOPs are current, approved and followed	Version control, training records, floor practice
Recordkeeping	Records are complete, legible, attributable and retained	Batch records, distribution records, retention logs
Quality assurance	The QAP function operates and lots are approved correctly	Lot release records, QAP delegation records
Recall readiness	The recall procedure is current and has been tested	Recall SOP, mock recall reports, traceability data

Internal Audit Versus External and Regulatory Audits

Why it matters: each type of audit answers a different question and carries a different level of risk. Understanding the difference helps you prepare correctly and decide where to spend effort.

Audit type	Who performs it	Primary purpose	Stakes
Internal (self) audit	Your own staff or a consultant	Find and fix gaps before anyone else does	Low, fully within your control
Supplier audit	You audit a vendor	Confirm suppliers meet your standards	Moderate, protects your inputs
Certification audit	An accredited body (for example EU-GMP, ISO)	Grant or maintain certification	High, affects market access
Regulatory inspection	Health Canada or another regulator	Verify legal compliance	Very high, can affect your licence

A mature programme uses internal and third-party audits together. Self-audits give you frequent, low-cost insight into your own operations. Independent third-party audits, including the support of an external consultant, add fresh eyes and specialist regulatory knowledge that internal teams sometimes lack. For complex or high-stakes preparation, many producers engage professional audit services to run mock inspections that mirror exactly how a regulator would assess the site.

The Internal Audit Process, Step by Step

What to do: formalize the audit cycle so that every audit follows the same disciplined path from planning to closure. A documented, repeatable process is what makes results reliable and defensible.

Plan and define scope. Decide what will be audited, against which requirements, and over what period. Build a risk-based annual audit schedule so higher-risk areas are audited more often.
Prepare the audit. Develop a checklist tied to GPP, your SOPs and applicable regulations. Notify the area, gather background records, and confirm the audit team is independent of the area being reviewed.
Conduct the opening meeting. Confirm scope, schedule and ground rules with the area's management so there are no surprises.
Gather objective evidence. Review records, observe practices on the floor, and interview staff. Interviews are conversations, not interrogations, aimed at understanding how work really happens.
Record findings against criteria. Classify each finding by severity, for example critical, major or minor, and link it to the specific requirement it relates to.
Hold a closing meeting. Present findings clearly, agree on what was observed, and set expectations for corrective action timelines.
Drive root cause analysis and CAPA. For each finding, identify the true root cause, implement corrective and preventive actions, and verify they worked before closing the finding.
Report and trend. Issue a written report, track findings to closure, and analyze trends across audits to target systemic weaknesses.

Audits should run throughout the year at regular intervals rather than waiting for an end-of-year review. Continuous coverage is what gives leadership an accurate, current picture of risk exposure across the whole operation. Where findings point to a recurring process failure, our guidance on avoiding common root cause analysis mistakes can help your team get to the real cause rather than a convenient one.

Building a Risk-Based Internal Audit Programme

Why it matters: a single audit is a snapshot. A programme is a system. International good practice for designing that system is captured in ISO 19011.

ISO 19011, Guidelines for auditing management systems, is the international reference for planning and managing audit programmes. The current edition, ISO 19011:2026, builds on the risk-based approach to auditing introduced in the 2018 edition, with expanded guidance on areas such as organizational context, leadership, virtual audits and compliance. Although ISO 19011 is guidance rather than a certifiable standard, its principles map cleanly onto a cannabis or pharmaceutical self-inspection programme.

A practical programme defines audit frequency by risk, names competent and independent auditors, standardizes checklists and reports, and feeds every finding into a single CAPA system. Documenting the programme in a quality manual and supporting SOPs means the approach survives staff turnover and stands up as evidence during inspection. If you are building this from scratch, structured SOP development and quality system support shortens the path considerably.

Auditor Competence and Objectivity

What to do: choose auditors who combine genuine independence from the area under review with real knowledge of the regulations and the production processes. Without both, an audit gives false assurance.

Competence and objectivity are the two pillars of a credible audit. An auditor who reports to the manager being audited cannot be fully objective. An auditor who does not understand GPP or GMP requirements cannot reliably spot the problems that matter. Six practical signs of a strong cannabis auditor are worth watching for:

They understand GPP and GMP requirements and take time to learn your specific business model before starting.
They respond promptly to questions and concerns from clients, regulators and staff.
They understand production methods, so they can judge issues such as pest control, mould prevention and contamination control in context.
They know the regulatory environment, including Health Canada requirements, security obligations and relevant provincial rules.
They communicate clearly with both management and floor staff, in plain language.
They have relevant experience with comparable regulated facilities and the challenges licensed producers actually face.

What Inspectors Commonly Find, and How Internal Audits Catch It First

Across the sites we have supported, the same categories of finding appear again and again. Documentation gaps lead the list: batch records missing signatures, SOPs in use that do not match the approved version, or training records that do not cover the task being performed. Sanitation and contamination control issues are next, often where cleaning was done but not verified or documented. Recall readiness is a frequent weak point, because many producers write a recall SOP and never test it with a mock recall.

A well designed internal audit catches every one of these before a regulator does. As a concrete example, a processing licence holder we worked with discovered during an internal audit that lot release records did not clearly show who had performed delegated checks on behalf of the QAP. That gap, left unaddressed, could have become a serious inspection finding. Instead, the company implemented a simple delegation log and a short SOP revision, closed the CAPA, and verified the fix in the next audit. The inspector later saw a clean, documented control rather than a problem.

Internal Audit Compliance Checklist

Use this checklist as a starting point for a cannabis or GMP internal audit. Tailor it to your licence type and product classes.

Audit schedule: a risk-based annual schedule covers all GPP areas and is approved by management.
Auditor independence: auditors do not audit their own work or report to the area being audited.
Checklists: current checklists tie each question to a specific regulation or SOP.
SOP control: SOPs are current, approved, version-controlled and match floor practice.
Training records: staff are trained on the procedures relevant to their tasks, with records to prove it.
Batch and distribution records: records are complete, legible, attributable, dated and retained for the required period.
QAP and delegation: the QAP function operates correctly and any delegated activities are documented.
Sanitation: cleaning is scheduled, performed and verified, with supporting records.
Recall readiness: the recall procedure is current and a mock recall has been performed within the last year.
CAPA: findings are linked to root cause analysis, corrective actions are verified, and trends are reviewed.

Common Internal Audit Mistakes to Avoid

Treating the audit as a formality. Checklists ticked without real evidence review give a false sense of safety.
Auditing only before an inspection. A single rushed audit cannot replace continuous, scheduled coverage.
Letting people audit their own work. Lack of independence undermines every conclusion.
Recording findings but not closing them. Open findings with no verified CAPA are themselves an inspection risk.
Ignoring trends. The same minor finding appearing in three audits is a systemic problem, not three small ones.
Poor documentation. If the audit was not written down, for practical purposes it did not happen.

Frequently Asked Questions

Are internal audits legally required for cannabis licence holders in Canada?

Health Canada does not prescribe a single fixed audit frequency in the regulations, but Good Production Practices under Part 5 of the Cannabis Regulations require controls, recordkeeping and a functioning quality assurance system that, in practice, can only be assured through regular self-inspection. Internal audits are the accepted mechanism for demonstrating that these controls work, and inspectors expect to see them.

How often should we conduct internal audits?

Frequency should be risk-based. Higher-risk areas such as sanitation, lot release and recall readiness may warrant quarterly review, while lower-risk areas may be audited annually. The key is a documented, approved schedule that covers every Good Production Practices area over a defined cycle and runs continuously rather than only before an inspection.

What is the difference between an internal audit and a Health Canada inspection?

An internal audit is performed by your own team or a consultant to find and fix gaps on your own terms, with low stakes and full control. A Health Canada inspection is a regulatory verification of legal compliance, with high stakes that can affect your licence. The purpose of internal audits is to make sure that when the inspection comes, there are no surprises.

Who can perform an internal audit?

Anyone with the right competence and independence. The auditor must understand the applicable regulations and production processes and must be independent of the area being audited. In smaller operations this often means using an external consultant, since internal staff may not be independent of the work they would need to assess.

How do internal audits connect to CAPA?

Every audit finding should trigger a root cause analysis followed by a corrective and preventive action. The finding is only closed once the action is implemented and verified as effective. This link between audit and CAPA is what turns an audit from a list of problems into genuine, durable improvement.

Did the 2025 cannabis regulation changes affect the QAP role?

Yes. Streamlining amendments that came into force on March 12, 2025 allow processing licence holders to name more than two alternate QAPs and permit the QAP to delegate activities, such as approving lots before sale, while retaining overall accountability. Internal audits should confirm that any delegation is properly documented.

Can a consultant run our internal audits for us?

Yes, and many producers do exactly that to gain independence and specialist regulatory knowledge. An experienced consultant can run mock inspections, write or refine audit SOPs and checklists, train your staff, and help close findings, while your QAP retains overall accountability for quality.

How MFLRC Can Help

MFLRC is a Canadian regulatory consulting firm with more than twenty years of experience in quality assurance, quality control and regulatory affairs across cannabis, pharmaceuticals, natural health products, food and medical devices. We help regulated businesses turn internal audits from a paperwork exercise into a real defence against compliance risk.

Our internal audit and compliance support includes:

Internal and mock audits that mirror how Health Canada and certification bodies actually assess a site.
Gap assessments that benchmark your operation against GPP, GMP and EU-GMP expectations.
Audit checklists and SOPs tailored to your licence type and product classes.
QAP support and guidance on delegation, lot release and quality system structure.
Validation services and CAPA support to close findings and verify that fixes hold.
Licensing, import and export support for producers expanding into new markets.

Whether you run a cannabis or hemp facility, a pharmaceutical site or a natural health product operation, a strong internal audit programme is one of the best investments you can make in protecting your licence and your reputation.

Need help building or strengthening your internal audit programme? Contact MFLRC for expert guidance tailored to your business.

Book a Consultation

Conclusion

Internal audits are not bureaucracy for its own sake. They are the discipline that lets a regulated business see itself clearly, fix problems quietly, and walk into any inspection with confidence. The organizations that treat self-inspection as a continuous, independent and well documented programme are the ones that protect their licences, satisfy their partners, and grow without nasty surprises.

Start with a risk-based schedule, competent and independent auditors, and a CAPA system that actually closes findings. Build from there, and let the audit log become the clearest evidence you have that your quality system works. When you are ready for an outside perspective, MFLRC is here to help.