January 12, 2023

In FDA and ISO environments, quality audits are a process of examination and substantiation that procedures, records, and activities are effectively aligned with desired objectives.

The FDA and other regulatory bodies throughout the world require audits for product quality and safety. Companies that comply with 21 CFR Part 211 (pharmaceuticals), 21 CFR Part 606 (blood products), and 21 CFR Part 820 (medical devices) are among those required to perform quality audits.

Likewise, international quality standards such as ISO 9001, ISO 14001, and ISO 13485 require audits of the quality system for certification.

Furthermore, the abovementioned regulations and standards extend the audit requirement to a company’s suppliers. By doing so, suppliers are held equally accountable for the products and services they provide.

Why do External Quality Audits Fail?

External quality audits fail because an auditor has not been satisfied that proper demonstration of controls exist. The more effectively proof of controls is provided, the more favorable the audit. Without proof, auditors assume that a process is not operating consistently.

Compliance is the desired outcome of a quality audit, which can often obscure the true purpose of quality practices. A mature quality system that manages risk and facilitates improvement through evidence-based decisions is more likely to demonstrate compliance by design. In other words, compliance is the result of the system’s functionality, not just a point-in-time goal.

While all regulated companies need quality audits, not all audits are successful. Here are some of the most common reasons why they fail.

#1: Poor Documentation

In regulated environments, if something is not documented, it didn’t happen. Compliance entails proper documentation, review, and approval of procedures and any changes in those procedures. Therefore, a solid document management solution is an essential foundation of any QMS because it impacts all other quality processes.

In addition, new or revised audit standards continue to place more emphasis on documentation.

In fact, a majority of audit findings stem from documentation issues.

Lack of accuracy or completeness of documentation is glaringly visible to an auditor. Therefore, the most common audit observations are in companies with manual and spreadsheet-based systems. It’s inherently harder to review unstructured data in paper documents for accuracy.

Improving document management within the quality system can eliminate a significant audit bottleneck by closing gaps. Furthermore, automating all document-based tasks, including routing, review, revision, and approvals demonstrates a controlled environment of repeatable processes. An enterprise QMS (EQMS) provides a centralized, secure repository for easy search, editing, check-in/check-out, and approvals.

#2: Inadequate CAPA and Nonconformance Processes

Since it’s impossible to expect perfect quality, regulators require a clear corrective action and preventive action (CAPA) process to control nonconformances. CAPA and nonconformance processes are separate yet inextricably related. A nonconforming product doesn’t follow its specified and approved requirements.

For example, FDA 21 CFR Part 820 requires a process for handling device nonconformances, including identification, documentation, evaluation, and disposition. While all nonconformances may not require CAPA, there must be a process in place to determine the type of nonconformance to properly investigate and correct it.

Deficiencies related to CAPA and nonconformances are common reasons for FDA Form 483 observations and warning letters. These issues are common in companies that rely on paper forms and spreadsheets for the collection of CAPA and nonconformance data. As a result of the spreadsheet method, it is easy for manual errors to occur. Furthermore, a non-systematic approach to descriptions and classifications can leave classification up to the judgment of the user.

An EQMS automates all CAPA-related tasks through standardized workflows and data collection. In addition, it is easy to launch CAPAs from within another process, for example, audit findings or nonconformances.

#3: Ineffective Internal Quality Audit Process

An effective internal audit process is key to successful external audits by a regulatory or certification body, or a customer or supplier. Often, it’s human nature to confirm where things work well. Unfortunately, the result is often missing gaps that are the result of human error.

Furthermore, poor auditor selection or a poor audit practice is cited in many 483 observations. Common violations include a lack of written audit procedures, inadequate procedures, or procedures not being followed.

As an example, auditing CAPAs in a spreadsheet prepared by a quality manager may show that CAPAs are being closed in a timely manner. While the key performance indicator is being achieved, a deeper dive may reveal that the proper reviews and signatures are not being obtained, or cannot be located. Suddenly, the CAPA process is out of compliance.

To improve internal audits, develop a repeatable internal audit program that uses recommended best practices. An EQMS can greatly improve the process by automating all phases, from planning and scheduling through execution, verification, and completion. The platform provides a secure workspace for the audit team to gather and manage all information related to every audit. It also gives the auditor visibility into the entire QMS in real-time.

#4: Poor Training Management Practices

Training records are among the first things that auditors look at. Training, like audits, is not a one-time event. The ongoing nature of training management makes it difficult to sustain accurate and timely records within a manual system. Training coordinators spend most of their time on basic tasks, including routing, follow-up, verification, and tracking of training completion.

Furthermore, the objective is not just to achieve 100% training completion. New standards and regulation demand an iterative approach to training. A citation of “poor training” in a Form 483 usually refers to not training people based on their roles, not training them on the right content, and not testing them effectively. All of these are hard to do manually.

An EQMS automates training tasks. It facilitates the training, testing, and re-training of hundreds or thousands of users regardless of geographic location. Testing, test verification, grading, and documentation of each user’s training history are also automated. If an auditor opens a random training record, the system will readily show the user’s training and proof of competency.

#5: Lack of a Risk Assessment

Quality management best practices require a risk-based approach. Without a good risk assessment, organizations may direct controls towards lower risks, which can result in audit findings and unnecessary exposure. If lack of risk controls are obvious to an auditor, it’s clear that there are deficiencies in the quality system. Furthermore, it’s indicative that a reactive approach to risk is at play as opposed to an ongoing organizational commitment to proactively identify and reduce risk.

An EQMS can prioritize controls to focus on the highest risks. While there is no definitive criteria for which risk assessment works best, a risk management solution helps an organization review scenarios to determine where the highest risks are present. After the risk assessment, companies should mitigate and prevent identified risks through controls.

#6: Unconnected Quality Processes

An audit requires input from other quality processes (document management, training, supplier management, nonconformance, etc.). Audit findings may lead to quality activities such as CAPA and training. This is why audits should digitally integrate with other quality processes. A manual system lacks such connectivity. Manual processes also perpetuate departmental silos and fragmented information.

Integrating audit management with CAPA, training, and other quality processes in an EQMS creates connected, digital master records. Users, stakeholders, and auditors will be able to find all the documents they need in one place.


Auditors across the board want to see that your quality processes are in a state of control, and as a result, in compliance with the criteria they are auditing for. The more efficiently you can provide clear and repeatable evidence, the better your audits will go. Automating and digitizing written policies, training procedures, and processes for incident investigations creates a highly auditable paper trail of the performance of controls.

Today, an EQMS is a prerequisite for maintaining audit readiness. It’s the key to demonstrating to auditors that your processes are reliable and safe. It’s also the single most important tool for risk management and mitigation and continuous improvement.

About the Author

Stephanie Ojeda is Director of Product Management for the Life Sciences industry at AssurX. Stephanie brings more than 15 years of leading quality assurance functions in a variety of industries, including pharmaceutical, biotech, medical device, food & beverage, and manufacturing.


AssurX White Paper: GMP Audits