20 Questions Your Quality Team Should Be Asking Right Now (Part 1/2)
A follow-up to our recent H2 audit trends report that operationalizes that data into practical questions for self-assessment.
Last week, we published a report surfacing the trends we found after analyzing over 30 GxP audits we conducted in the second half of 2025. Read it here if you missed it:
Clear patterns emerged. While firms have largely mastered the basics of GMP documentation, the findings reveal something more concerning: systemic blind spots that cut across organizations of all sizes.
As a companion piece to that (very popular) trends piece, we wanted to make that data even more practical. So, we’ve distilled them into 20 specific questions your quality team should be asking today.
We’re starting with the first 10 below. Talk to us if you can’t answer—or don’t like your answers—to any of these questions.
1. Are your investigations actually closing within your stated timelines, or are they closing late without documented extensions?
Timeline management emerged as the single most prevalent issue category in H2 2025 audits. The pattern isn’t simply “investigations take too long”—it’s more nuanced and more troubling.
At one site, eight separate NCRs were closed after the 30-day target without any extension request on file. One investigation opened in September 2024 wasn't closed until June 2025—nine months later—with no documented justification for the delay.
SOPs that establish timelines create regulatory expectations. When you routinely miss those timelines without documented extensions, you're demonstrating and signalling that your procedures aren't followed.
What to do: Pull your deviation and NCR logs. Calculate the percentage closed within your stated timelines. If it's below ~80%, you have a systemic problem that requires CAPA, not just individual extensions!
2. When extensions are requested, are they approved before the original due date or retroactively?
During one audit, an OOS investigation that had been open for two months received its extension approval in real-time while the auditor was reviewing the record. The original due date had passed over 30 days earlier.
Retroactive extensions aren’t extensions—they’re documentation of failures. An extension approved after the deadline provides no management oversight during the actual investigation period. Auditors (and investigators) view this as evidence that your timeline controls are ineffective.
What to do: Review your extension approval dates against original due dates. Any extension approved after the due date should trigger a separate deviation for the procedural failure.
3. Do your change control procedures actually define extension requirements, or is this left ambiguous?
A change control initiated in February with a 10-day target wasn't closed until April—nearly two months late—with no extension. When our auditors reviewed the governing procedure, they found it didn't address extension requirements at all. If your SOP doesn't define how to request, approve, and document extensions, you haven't actually established the full procedure. Ambiguity in SOPs creates ambiguity in compliance expectations. They invite problems.
What to do: Review your change control, deviation, CAPA, and investigation SOPs. Each should explicitly define: extension request timing, required justification, approval authority, maximum extension periods, and documentation requirements.
4. Do your SOPs specify the notification timelines required by your quality agreements with clients?
Quality agreements define notification requirements. SOPs should operationalize them. In H2 2025 audits, this connection frequently broke down.
In one case, quality agreements with clients required a 5-business-day notification of supplier changes affecting their products. The site's supplier change notification SOP didn't mention client notification timelines at all, let alone align with specific quality agreement requirements.
Remember that quality agreements are contracts. When your internal procedures don't reflect contractual obligations, you're creating conditions for systematic non-compliance. This finding appeared across 45% of the CDMOs we audited!
What to do: Map each client quality agreement notification requirement to a specific SOP section. If the SOP doesn't exist or doesn't match, you have a gap to close.
5. When your suppliers notify you of changes, do you have a defined process to flow that information to affected clients within contractual timelines?
One quality agreement required supplier change notifications to be passed to the client within 5 business days of receipt. The site's SOP addressed initial impact identification within 2 weeks but didn't address client notification at all for products in clinical development stages.
