A Few Lessons From Our Recent Audits
Five deeper problems we found across this year's audit dataset.
A few weeks back, we shared the insights from our Q1 audit reports across sterile pharma, biologics, contract labs, GLP oversight, medical devices, and computer systems assurance. Fifty findings, zero critical, and most of them were the routine stuff that fills any audit report.
We wanted to return to that dataset to extract some higher-level lessons applicable to every team out there. A few patterns we saw in that dataset stuck with us after the reports were signed because they pointed to something deeper than the findings themselves.
1. The system of record can be perfect, and you can still fail the audit
This was sort of the lesson of the quarter, and it showed up just about everywhere.
At a well-run biotech that brought us in, the validation lifecycle management platform was mature, with risk-based thinking very well baked into the computer systems assurance program. But the PDF reports it generated for system periodic reviews came out with the data tables cut off. The reports were built in portrait orientation, and the tables were in landscape orientation. Several reports in a row were all truncated. The data was complete in the system. But the documentation an investigator would actually read was not.
We saw versions of this at other sites, too:
Weighing slips without the balance ID, so the data couldn’t be traced to a calibrated instrument (even though the instrument was calibrated).
Raw spreadsheets were handed over as audit evidence with no review or approval.
An SOP was pointing analysts to a training system that had been replaced a year earlier.
None of these were data problems. They all sit in the gap between “our data is correct” and “our data is inspection-ready,” and that gap is wider than most facilities think. Internal users know the workarounds. They know which report to ignore, which export is the real one, which field is always blank for a reason. An external reviewer, of course, knows none of that, and the gap only becomes visible when someone outside the building asks for evidence. By then, it’s a finding.
Our one piece of advice here: print every report your validated systems can generate and look at the output, not the data behind it.
2. A finding you didn’t fix is often worse than the finding you first had
At a clinical packaging facility, complaint handling cycle time had crept past the 30-day procedural limit. On its own, that’s a minor finding. But the same issue had been flagged at the previous audit two years earlier, and it hadn’t been corrected. Cycle time had actually gotten slightly worse, from about 38 days to 40. So it got written up as a major.
The escalation wasn’t about cycle time. It was about what an unresolved repeat finding signals: that the CAPA from the last audit either wasn’t implemented or wasn’t checked for effectiveness. A repeat finding tells our auditors that root cause analysis stopped at the symptom, or that someone closed the CAPA on paper without verifying it worked, or that management review isn’t allocating resources when corrections slip.
This is worth thinking through because it changes how you should treat prior findings. A closed CAPA that didn’t actually fix the problem isn’t neutral. It’s a compounding liability, and the next auditor who finds the same issue shouldn’t grade it the way the first did.
3. Sometimes, nobody owns the supply chain gap until someone asks who does
The most serious single finding from last quarter came from a question that took about thirty seconds to ask.
At a sterile drug manufacturer, the primary packaging containers were sterilized by a contract sterilizer. We asked to see the sterilization assurance. The component supplier’s Certificate of Analysis didn’t mention sterility. The contract sterilizer’s documentation didn’t either, and the drug manufacturer had never audited the sterilizer.
There were three parties in that chain, each apparently assuming that sterility assurance was somebody else’s job. Under 21 CFR 211, the finished product manufacturer holds ultimate responsibility for the quality of its inputs, and under the FDA’s contract sterilization guidance, the manufacturer and sterilizer share responsibility for the sterilization itself. So the answer to “who owns this?” was “the manufacturer, and they hadn’t been doing it.”




