The FDA Group's Insider Newsletter

5 GMP Audit Questions That Keep Catching Pharma Teams Off Guard

A few recent field notes from our auditors and mock inspectors.

The FDA Group
Jun 26, 2025
FDA investigators rarely cite a facility for the questions everyone expects. They more often cite the gaps no one thought to probe. Over the past ~12 months, we’ve run hundreds of audits for drug manufacturers and thought it would be worthwhile to look back on the trends that emerged from those reports.

We picked out five areas, each tied to a specific investigator question, that repeatedly turned out to be a gap or failure point. Each of them also shows up frequently in Form 483 observations and warning letters.

We’ve distilled those five questions, explained exactly why the FDA cares, and highlighted the specific weaknesses we keep uncovering, even in otherwise well-run QMSs.

Use the observations that follow as a pressure test: if you can’t answer these questions with documentary evidence in under five minutes, you have a vulnerability worth fixing now, before the next investigator walks through the door. Talk to us to schedule an audit or mock inspection.

1. “Show us how the Quality Unit reviews every audit-trail event tied to critical CGMP data.”

FDA’s data-integrity Q&A guidance spells out pretty explicitly that metadata (timestamps, user IDs, status flags) form part of the record, so they must be checked with the same rigor as the primary result.

Many companies still rely on paper printouts (initialed and archived) while ignoring the underlying electronic data. Even when audit trails are enabled, they’re often only reviewed reactively, after a deviation or investigation.

We regularly find shared admin accounts, infrequent password changes, and no routine, independent review process. In some cases, the audit trail is being generated but no one knows how to access it.

As one of our senior GMP drug auditors recalled:

“At one site, we asked to see the audit trail for a critical HPLC system used to release commercial batches. The QC manager gave us a signed chromatogram printout, but when we asked for the electronic audit trail, they realized no one had reviewed it in over six months. It showed deleted injections and post-run reprocessing events that weren’t documented anywhere else. Quality had assumed IT was ‘monitoring’ it, but there was no ownership or procedure in place.”

A defensible program hinges on a written scope that names the specific events to inspect, assigns an independent reviewer, and makes sure exceptions flow straight into CAPA trending (instead of disappearing into email threads).

  • Define a clear SOP that identifies what constitutes GMP-critical data and which systems generate relevant audit trails.

  • Assign independent reviewers (not the original user or system owner) responsible for reviewing both the data and its audit trail before batch disposition.

  • Train reviewers to identify key events (e.g., logins, deletions, edits) and confirm that no unexpected actions occurred.

  • Build audit-trail review into routine batch release, and make sure findings feed into deviation and CAPA systems.

Test yourself: Can you pull an audit trail from a critical system and show who reviewed it and when, before the batch was released?
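The four bullets above describe a review procedure; the script below is an added example (not part of the newsletter, and not any vendor's tooling) that runs that procedure over a constructed audit-trail export modelled on the HPLC anecdote. The CSV layout, the event names (DELETE, REPROCESS, EDIT), the shared-account names, the user IDs and the batch dates are all assumptions for illustration.

```python
"""Independent audit-trail review over a constructed CDS export.

Added example, not the newsletter's own material: the export format,
event names, account names and batch dates are assumptions modelled on
the HPLC scenario in the text, not any real vendor's schema.
"""
import csv
import io
from datetime import datetime

# Constructed audit-trail export (assumed format: timestamp,user,event,object,detail).
AUDIT_TRAIL = """\
timestamp,user,event,object,detail
2025-03-03T08:02:11,jsmith,LOGIN,system,workstation HPLC-07
2025-03-03T08:15:40,jsmith,ACQUIRE,seq_2025-0311,injections 1-6 acquired
2025-03-03T10:41:02,admin,LOGIN,system,workstation HPLC-07
2025-03-03T10:43:17,admin,DELETE,seq_2025-0311/inj_3,injection removed from sequence
2025-03-03T10:50:55,jsmith,REPROCESS,seq_2025-0311,integration parameters changed after run
2025-03-03T11:05:00,jsmith,EDIT,seq_2025-0311/inj_5,sample name changed
2025-03-03T11:30:12,jsmith,REPORT,seq_2025-0311,chromatogram report printed
"""

# Events the SOP names as requiring documented justification before disposition.
FLAGGED_EVENTS = {"DELETE", "REPROCESS", "EDIT"}
# Generic logins that hide who actually acted (assumed names).
SHARED_ACCOUNTS = {"admin", "administrator", "service", "lab"}


def parse_trail(text):
    """Parse the CSV export into dicts, adding a datetime per row."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = datetime.fromisoformat(row["timestamp"])
    return rows


def find_exceptions(rows):
    """Return the flagged events, each with a one-line description."""
    return [
        {"ts": r["timestamp"], "user": r["user"], "event": r["event"],
         "what": f"{r['event']} on {r['object']}: {r['detail']}"}
        for r in rows if r["event"] in FLAGGED_EVENTS
    ]


def review(rows, reviewer, reviewed_at, released_at, justifications):
    """Apply the checks from the text and return a list of findings.

    rows           parsed audit trail
    reviewer       user ID of the person who reviewed the trail
    reviewed_at    when the review was signed
    released_at    when the batch was dispositioned
    justifications mapping of event timestamp -> deviation/CAPA reference
    An empty list means the review is defensible.
    """
    findings = []
    actors = {r["user"] for r in rows}
    if reviewer in actors:
        findings.append(f"reviewer '{reviewer}' also acted on the data; review is not independent")
    if reviewed_at >= released_at:
        findings.append("audit trail was reviewed after the batch was released")
    for acct in sorted(actors & SHARED_ACCOUNTS):
        findings.append(f"shared account '{acct}' acted on critical data; actions cannot be attributed")
    for exc in find_exceptions(rows):
        if exc["ts"] not in justifications:
            findings.append(f"{exc['ts']} {exc['what']} (by {exc['user']}): no deviation record")
    return findings


def demo():
    """Run the anecdote's situation and a corrected program side by side."""
    rows = parse_trail(AUDIT_TRAIL)
    # As found at the site: the analyst signs the printout, nobody reads the
    # trail until months after release, and the deletions are undocumented.
    as_found = review(rows, reviewer="jsmith",
                      reviewed_at=datetime(2025, 9, 10),
                      released_at=datetime(2025, 3, 5),
                      justifications={})
    # Corrected: independent QA reviewer, review before release, and each
    # flagged event tied to a deviation that QA can trend.
    corrected = review(rows, reviewer="qa_reviewer",
                       reviewed_at=datetime(2025, 3, 4, 9, 0),
                       released_at=datetime(2025, 3, 5),
                       justifications={
                           "2025-03-03T10:43:17": "DEV-25-041",
                           "2025-03-03T10:50:55": "DEV-25-041",
                           "2025-03-03T11:05:00": "DEV-25-042",
                       })
    return as_found, corrected


if __name__ == "__main__":
    for label, findings in zip(("as found", "corrected"), demo()):
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Note that the corrected run still returns one finding: tying the deletion to a deviation explains the event, but it does not fix the shared admin login, which remains a control gap because the action cannot be attributed to a person.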

2. “Walk us through how you qualify—and continually monitor—each SaaS or cloud platform that holds CGMP data.”

The FDA’s CSA guidance confirms that outsourcing infrastructure does not outsource responsibility; vendor systems must still meet Part 11 and data integrity expectations. If these systems store, transmit, or process GMP-relevant data, they fall squarely within the scope of Part 11. The burden of qualification, monitoring, and data integrity still rests with you—even if someone else hosts the system.

Yet we routinely find life-science companies treating cloud LIMS or eQMS providers like stationery suppliers. Risk assessments are missing, vendor audits rely on glossy brochures, quality agreements languish unsigned, and nobody can produce the last penetration-test summary. Worse, there's rarely any process for requalification or monitoring of performance and security controls post-implementation.

During a recent vendor qualification review, for instance, we asked for evidence that a cloud-based LIMS had been formally qualified. The client had implemented it over two years earlier. They had a PowerPoint from the vendor and an email confirming the system “met 21 CFR Part 11,” but no risk assessment, audit, or quality agreement. When we asked how they monitored the vendor’s performance, they admitted they hadn’t looked at any uptime reports or security updates since go-live. IT managed the system and QA wasn’t involved at all.

Here’s what firms should be doing:

  • Identify every system that stores or processes GMP data, even if it’s hosted externally or accessed via browser.

  • Conduct formal risk assessments and classify GMP-critical SaaS providers accordingly.

  • Qualify each system during onboarding via document reviews, remote audits, penetration test summaries, and/or SOC 2 Type II reports.

  • Establish a signed quality agreement detailing roles, responsibilities, data ownership, backup protocols, and change-control notification processes.

  • Review SLAs quarterly and establish a cadence of vendor requalification, especially when system functionality or regulatory expectations change.

Test yourself: Can you produce a signed quality agreement, initial qualification documentation, and the last SLA performance review for each of your cloud-based GMP systems?

3. “Which molecule did you declare worst-case for cleaning validation, and how did you defend that choice?”

The FDA expects manufacturers to take a risk-based, scientifically justifiable approach to cleaning validation, especially in multiproduct facilities. That means selecting a worst-case product based not just on potency, but on toxicity, solubility, and cleanability. A blanket “strongest product” rule is no longer acceptable.

We find that far too many companies fall back on outdated rules of thumb (like “1/1000 of the lowest therapeutic dose”) without linking limits to actual toxicological assessments. Others assume the most potent product is automatically the hardest to clean, which isn’t always true. Recovery studies are often performed only once (if at all), and rarely revalidated when equipment, products, or cleaning agents change.

A notable anecdote from one of our auditors:

“I was auditing a multi-product facility and asked how they selected their worst-case product for cleaning validation. The response: ‘It’s the one with the lowest dose.’ When I dug deeper, I found that the selected API was highly soluble and cleaned easily with water, while another compound with poor solubility and no validated clean-in-place process had never been included in validation studies. The toxicology report for that API was also outdated and unsigned. Their rationale hadn’t been revisited in over five years despite several portfolio changes!”

If this sounds like your validation program:

  • Use HBELs (health-based exposure limits), such as ADE (Acceptable Daily Exposure) values, to determine toxicological risk. These should be developed or verified by a qualified toxicologist.

  • Evaluate each product’s solubility, dose, and manufacturing frequency to determine which poses the highest risk of cross-contamination.

  • Document and defend your worst-case selection in your cleaning validation protocol.

  • Perform surface-specific recovery studies for all equipment types and materials of construction.

  • Reassess your worst-case compound selection any time your product portfolio changes or new risks are identified.

Test yourself: Can you show toxicological justification, swab recovery studies, and rationale for how your worst-case compound was selected, and when that rationale was last revisited?
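To make the selection logic in the bullets above concrete, here is an added worked example (not from the newsletter) that ranks a constructed three-product portfolio three ways: by the HBEL-based carry-over limit, by the 1/1000-of-dose rule of thumb, and by solubility as a cleanability proxy. The carry-over formulas are the conventional ones from the EMA health-based exposure limit guideline and ISPE Risk-MaPP rather than anything the text spells out; the products, their doses, PDE values, batch sizes, solubilities and the shared surface area are all made up for illustration.

```python
"""Worst-case product selection for cleaning validation (added example).

Not from the newsletter. Carry-over limits use the conventional formulas:
    MACO_HBEL = PDE_prev * MBS_next / MDD_next
    MACO_dose = (MinTD_prev / 1000) * MBS_next / MDD_next
PDE (permitted daily exposure) is the EMA name for the ADE/HBEL value the
text refers to. All product data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Product:
    name: str
    min_td_mg: float         # lowest therapeutic daily dose, mg/day
    pde_mg: float            # health-based limit (PDE/ADE), mg/day
    mdd_mg: float            # maximum daily dose, mg/day
    mbs_mg: float            # minimum batch size, mg
    solubility_mg_ml: float  # water solubility, mg/mL (cleanability proxy)


# Constructed portfolio sharing one equipment train.
PORTFOLIO = [
    Product("A (low-dose, freely soluble)",    1.0, 0.05,    5.0, 2.0e7, 50.0),
    Product("B (reprotoxic, poorly soluble)", 100.0, 0.01,  400.0, 5.0e7,  0.01),
    Product("C (high-dose, benign)",          500.0, 5.0,  2000.0, 1.0e8, 10.0),
]


def maco_hbel(prev, nxt):
    """Maximum allowable carry-over of prev into nxt, toxicology-based."""
    return prev.pde_mg * nxt.mbs_mg / nxt.mdd_mg


def maco_dose_rule(prev, nxt, safety_factor=1000):
    """The 1/1000-of-minimum-dose rule of thumb the text warns about."""
    return (prev.min_td_mg / safety_factor) * nxt.mbs_mg / nxt.mdd_mg


def tightest_limit(prev, products, maco_fn):
    """Lowest limit prev must meet over every product that could follow it."""
    return min(maco_fn(prev, nxt) for nxt in products if nxt is not prev)


def worst_case(products, maco_fn):
    """Product whose residue is constrained most tightly under maco_fn."""
    return min(products, key=lambda p: tightest_limit(p, products, maco_fn))


def hardest_to_clean(products):
    """Cleanability worst case: lowest solubility in the cleaning solvent."""
    return min(products, key=lambda p: p.solubility_mg_ml)


def swab_limit_ug_per_cm2(maco_mg, shared_surface_cm2):
    """Spread a MACO over the shared product-contact surface."""
    return maco_mg * 1000.0 / shared_surface_cm2


def select(products, shared_surface_cm2=50_000.0):
    """Return the selections a protocol should document and defend."""
    tox = worst_case(products, maco_hbel)
    dose = worst_case(products, maco_dose_rule)
    clean = hardest_to_clean(products)
    hbel_limit = tightest_limit(tox, products, maco_hbel)
    return {
        "worst_case_by_hbel": tox.name,
        "worst_case_by_dose_rule": dose.name,
        "hardest_to_clean": clean.name,
        "limit_hbel_mg": hbel_limit,
        "limit_dose_rule_mg": tightest_limit(dose, products, maco_dose_rule),
        "swab_limit_hbel_ug_cm2": swab_limit_ug_per_cm2(hbel_limit, shared_surface_cm2),
        # Every product that is worst case on any axis belongs in the study.
        "products_to_validate": sorted({tox.name, dose.name, clean.name}),
    }


if __name__ == "__main__":
    for key, value in select(PORTFOLIO).items():
        print(f"{key}: {value}")
```

On this constructed portfolio the dose rule points at product A, exactly as in the anecdote, while both the toxicological limit and the solubility ranking point at product B, which the rule of thumb would never have put in the study. Whichever method a site uses, the output of this ranking is what the protocol has to record along with the date it was last rerun against the current portfolio.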

4. “Show the documented effectiveness checks for your three most recent GMP changes.”

This post is for paid subscribers.

© 2025 The FDA Group, LLC