Top 10 Recurring Audit Observations at Life Sciences Companies

USDM auditors share the 10 recurring audit observations they see most often at pharma, biotech, and medical device companies — from environmental monitoring gaps to supplier qualification and cleaning validation — and how to close them before an inspector does.

USDM subject matter experts share the Top 10 observations they see when conducting audits in the United States and abroad.

No matter what the audit platform, there are significant recurring themes that continue to plague life sciences companies.

Quick Summary

Across pharmaceutical, biotech, and medical device audits in the U.S. and abroad, the same gaps surface again and again. They cluster in five areas: environmental monitoring, supplier and process qualification, computer system validation, recall and backup processes, and cleaning validation. The good news — every one of these is preventable with disciplined, documented, risk-based programs and a periodic review cadence that proves your validated state is actually maintained.

The Top 10 Recurring Audit Observations

  1. There is no annual review of environmental monitoring data, nor is there an assessment of the appropriateness of the actions and alert limits that are in place.
  2. Environmental monitoring programs do not have established investigations or actions for alert limit excursions that occur during a discrete time period.
  3. Supplier qualification processes are based on annual procurement cost rather than GxP requirements for safety, quality, identity, purity, or potency.
  4. Supplier qualification processes allow too long a time period between initial qualification audits and subsequent re-qualification audits.
  5. Supplier qualification processes do not take into account supplier performance history and the corresponding adjustments to audit frequency.
  6. Critical quality attribute ranges used in process qualification are not justified based upon design of experiments (DOE) or other science-based rationale.
  7. Computer system validation to support quality or production systems does not include a periodic review process to evaluate the collective impact of change controls and validated state of control maintenance.
  8. Recall procedures do not provide for a mock recall to verify lot genealogy/traceability.
  9. IT backup processes that use automated tools and utilities do not include a manual review of backup logs to verify that there were no failures or skipped files. Also, there is no process to investigate or escalate these failures to IT managers.
  10. Cleaning validation processes do not consider limit of detection, limit of quantification, various materials of construction, and risk parameters (for example, worst-case model compound, solubility, number of difficult-to-clean areas, and total product contact area).

The common thread: most of these observations are not about missing documents — they are about missing review. Limits are set but never reassessed, validations are completed but never periodically re-evaluated, backups run but are never manually verified. Audit-readiness is a maintenance discipline, not a one-time event.

How to Read These Observations

Group the ten into the themes auditors actually probe, and the remediation path becomes clearer:

Five Themes Behind the Top 10

  • Environmental monitoring (1-2): review your data annually, justify your alert and action limits, and define what happens — investigation and action — when an excursion occurs.
  • Supplier qualification (3-5): qualify on GxP risk to safety, quality, identity, purity, and potency — not procurement cost. Set re-qualification intervals and flex audit frequency to performance history.
  • Process & computer system validation (6-7): justify critical quality attribute ranges with DOE or science-based rationale, and add a computer software assurance periodic review that evaluates the collective impact of change controls on the validated state.
  • Recall & backup integrity (8-9): run mock recalls to prove lot genealogy and traceability, and manually review backup logs with a defined escalation path for failures and skipped files.
  • Cleaning validation (10): account for limit of detection, limit of quantification, materials of construction, and risk parameters such as worst-case model compound, solubility, and total product contact area.

Limits that are never reassessed and validations that are never re-evaluated are the two most reliable findings in any GxP audit.

Building a Sustainable Audit-Ready State

The most durable fix for periodic-review findings is to make the review continuous rather than annual. Treating validation as an ongoing program — not a project that ends at go-live — keeps systems in a demonstrable state of control between inspections. USDM's Cloud Assurance approach and a disciplined validation lifecycle management practice both turn one-time validation into a maintained, evidence-backed state of control. For computerized systems specifically, a modern 21 CFR Part 11 and CSA-aligned approach focuses effort on the highest-risk functions while keeping records and audit trails defensible.

Supplier and recall observations come down to traceable, trustworthy data — without it, lot genealogy, backup verification, and environmental monitoring trends cannot stand up to scrutiny.

Why Trust USDM?

USDM Life Sciences has over 100 years of combined experience in regulatory compliance, quality assurance, quality systems, and auditing. USDM’s Global Audits Practice Team performs audits for pharmaceutical, biotech, and medical device companies in the United States and abroad.

Additional Resources

On-demand webinar: Virtual Audits and Inspections
White paper: Best Practices for Virtual Audits and Regulatory Inspections
Checklist: Virtual Audits Checklist
Blog: On-site and Remote Audit Best Practices

FAQ: Recurring Audit Observations in Life Sciences

What are the most common audit observations at life sciences companies?

The recurring themes USDM auditors see most often fall into five areas: environmental monitoring (missing annual data review and excursion handling), supplier qualification (cost-driven rather than GxP risk-driven), process and computer system validation (unjustified ranges and no periodic review), recall and backup integrity (no mock recalls or manual log review), and cleaning validation (incomplete consideration of detection limits and risk parameters).

Why do environmental monitoring programs repeatedly fail audits?

Two reasons dominate: there is no annual review confirming that alert and action limits are still appropriate, and there are no defined investigations or actions for alert limit excursions during a discrete time period. Setting the limits is not enough — auditors look for evidence that the data is reviewed and that excursions trigger a documented response.

How should supplier qualification be structured to pass an audit?

Base qualification on GxP requirements for safety, quality, identity, purity, and potency rather than annual procurement cost. Define appropriate intervals between initial and re-qualification audits, and adjust audit frequency based on each supplier's performance history.

What does a periodic review for computer system validation need to cover?

It should evaluate the collective impact of change controls and confirm that the validated state of control is being maintained over time — not just that the system passed its initial validation. Pairing this with a risk-based computer software assurance approach keeps the effort focused on high-impact functions.

What's frequently missing from cleaning validation programs?

Common gaps include not considering limit of detection, limit of quantification, the various materials of construction, and risk parameters such as worst-case model compound, solubility, number of difficult-to-clean areas, and total product contact area.

Ready to close these gaps before an inspector finds them? USDM's Global Audits Practice Team can assess your quality systems, validation programs, and supplier and environmental monitoring controls against the observations above. Contact us to discuss an audit-readiness assessment.
