What Our Auditors Are Finding Lately: 10 Trends Across GxP Audits

Over the second half of 2025, our auditors conducted a diverse portfolio of engagements spanning pharma manufacturing, clinical supply chains, medical device operations, biologics production, and lab services across three continents.

These were deep dives into quality systems at companies ranging from emerging biotechs preparing for their first FDA pre-approval inspection to established global CDMOs handling hundreds of client audits per year.

What struck us wasn’t the critical findings (there were virtually none). Rather, it was the consistency of the minor and major observations. The same themes appeared again and again: documentation gaps that made otherwise solid processes look questionable, timeline management that seemed reasonable in practice but failed on paper, and procedural ambiguities that left companies exposed to regulatory risk they hadn’t fully recognized.

This report synthesizes those findings into practical guidance. We’ve anonymized every example to protect our clients, but we’ve preserved enough operational context that you should be able to see yourself—or your suppliers, or your CMOs—in these scenarios.

Talk to us if you need auditing, mock inspection, remediation, or other RA/QA/Clinical support.

What’s in this dataset

This trends report uses only the audit reports in our project set from July to November 2025. The set includes audit engagements across a few distinct contexts:

• Mock Pre-Approval Inspections (PAI): Five-day mock PAIs at U.S.-based pharma sites preparing for ANDA submission, including DPI and SMI manufacturing.
• Routine GMP Vendor Audits (API and Finished Dosage): Audits of high-volume generic manufacturers in India producing oral solids for the U.S. market under USFDA and MHRA approvals.
• Supplier Qualification Audits: First-time and re-qualification audits at CDMOs in China providing API synthesis, drug product manufacturing, and ADC conjugation.
• GLP-to-GMP Gap Assessments: Gap assessments at R&D laboratories transitioning to GMP-compliant batch release testing, evaluated against 21 CFR Part 211 and ICH Q7 to support Phase 3 and commercial readiness.
• cGMP Packaging and Labeling Audits: Audits of clinical and commercial packaging and labeling operations supporting multinational trials.
• Medical Device and Primary Packaging Audits: Audits of ISO 13485-certified device and packaging component manufacturers, including combination products and primary packaging, assessed against ISO 13485, ISO 15378, and 21 CFR Part 820.
• Clinical Trial Sponsor Oversight (BIMO): Mock BIMO inspections for IDE studies evaluating sponsor oversight, monitoring, data integrity, and device accountability under 21 CFR Parts 812 and 820.
• Secondary Packaging and Distribution Audits: Monitoring audits of logistics providers handling temperature-controlled storage, packaging, and global distribution under EU GDP and 21 CFR Part 211, with emphasis on thermal mapping and deviation management.

Again, no company or site names are used in the trend descriptions below, and we haven’t added any facts beyond what those reports contain. Confidentiality is paramount to us.

Stats and trends at a glance

The dataset:

• 33 audits analyzed across August–November 2025
• 5 countries: United States, India, China, Ireland, Netherlands
• Audit types: GMP vendor qualification, mock PAI, gap assessments, ISO 13485 medical device, clinical packaging/GDP, mock BIMO, biologics/ADC CDMO
• Regulatory frameworks: 21 CFR 210/211, 21 CFR 820, 21 CFR 58, ISO 13485, ISO 15378, EU Annex 13, ICH Q7/Q9/Q10

Finding severity breakdown:

• Critical findings: 0 (0%)
• Major findings: ~12 (~15%)
• Minor findings: ~50 (~60%)
• Recommendations: ~25 (~25%)

Top finding categories (by % of audits affected):

• Documentation and change control — 70%
• Supplier/vendor oversight — 45%
• Investigation and CAPA timeliness — 40%
• Facility and equipment gaps — 35%
• Complaint handling backlogs — 25%
• Data integrity vulnerabilities — 25%
• APR/management review gaps — 20%
  
  

Repeat findings:

• 20% of audits had findings that recurred from prior years
• Recurring issues included: complaint backlogs, facility door gaps, PM backlogs, late QA approvals
• Root cause: CAPA effectiveness checks not performed or not defined

Geographic performance:

• China: Cleanest outcomes; 3 of 5 audits had zero major findings
• India: Consistent; 1–3 minor findings typical; administrative gaps (expired licenses/certificates)
• United States: Widest variance; startup facilities showed qualification debt
• Ireland: Middle of the pack; procedural alignment gaps between global and local SOPs
• Netherlands: Logistics scope only; no significant findings

Patterns to watch:

1. Supplier notification timelines missing from SOPs — quality agreements require it, procedures don’t address it
2. Retroactive change control extensions — deadlines missed, extensions approved 30+ days later with no justification
3. No transport validation — ~30% of facilities rely on logistics providers without product-specific validation
4. Startup qualification debt — HVAC, EM, media fills pending without consolidated project plans
5. CAPA effectiveness checks skipped — corrections completed, but no verification they actually worked

What’s working:

• Zero critical findings across the entire dataset
• Strong environmental monitoring at established CDMOs
• Mature document control at ISO-certified facilities
• Effective audit trail implementations in validated electronic systems
• Open, responsive engagement from audit hosts at closing meetings

Below, we expand on the themes we actually saw in the reports. For each, you'll find: what we observed, how often, representative examples (generalized to protect identity), and prescriptive actions you can take.

1. Documentation and change control remained the biggest gap

In roughly 70% of audits (the same as our prior analysis), we observed some form of documentation gap.

Documentation deficiencies appeared more than any other finding category—not because facilities lacked procedures, but because the procedures weren’t consistently followed or didn’t address common edge cases.

We see that FDA investigators routinely pull change control and investigation records and calculate cycle times. Overdue records without extensions suggest a facility that either lacks oversight or tolerates delays.

We see a lot of warning letters specifically cite "failure to thoroughly investigate unexplained discrepancies" and "failure to establish and follow written procedures"—exactly the kind of findings that emerge when documentation discipline breaks down.

A few recommendations:

• Build explicit “stop-the-clock” rules into your deviation, OOS, and change control SOPs. Define who may grant an extension, when (before the deadline, not after), what justification is required, and what the maximum allowable extension period is.
• Require real-time extension entries with documented scientific or operational rationale and a new committed due date.
• Audit your SOP-to-template alignment. Every SOP that references a template should reference a controlled template with a document number, and that template should be easily retrievable.
• Implement periodic “documentation hygiene” checks—monthly or quarterly reviews of open records approaching deadlines, with escalation to management for any records past 80% of their target timeframe.

2. Investigations and CAPAs were too slow (or missing entirely)

Observed in roughly 50% of our audits here, even when investigations were eventually completed correctly, the timing often created problems. And in some cases, situations that clearly warranted CAPA investigation never actually triggered one.

FDA's OOS guidance (May 2022) emphasizes the importance of timely investigation, specifically noting that delays can compromise the ability to meaningfully investigate.

Warning Letters frequently cite "failure to complete investigation within [X] days as required by your procedure"—a finding that's trivially easy for investigators to document by comparing record dates to SOP requirements.

A few recommendations:

• Make sure you’re tracking investigation and CAPA cycle times as a KPI reported to management review. You should also have clear escalation triggers (e.g., 80% of target timeline) that require management attention before deadlines are missed.
• Train analysts explicitly on real-time OOS recognition. Use visual aids in the laboratory showing what an OOS result looks like for common test methods. Require analysts to flag results before leaving for the day.
• Define CAPA triggers for QA oversight failures: any error in QA review that reaches downstream processes should automatically generate a CAPA evaluation.
• Review your deviation-to-CAPA ratio. A very low ratio may indicate that CAPAs are being avoided rather than appropriately applied. This is a great metric suprisingly few teams keep in their reporting.

3. Facility and equipment qualification gaps kept appearing

Observed in approximately 40% of these audits, these findings were most prominent at sites undergoing expansion, preparing for new product launches, or transitioning between development and commercial phases.

21 CFR 211.42(c) requires that buildings have “suitable size, construction and location to facilitate cleaning, maintenance, and proper operations.”

FDA investigators often look for evidence that equipment is appropriately qualified before use and that environmental conditions are controlled. A site with visible gaps in qualification (incomplete protocols, missing baselines, undated stickers) signals potential control problems throughout the operation.

A few recommendations:

• We suggest most teams consolidate all open qualification activities into a single Quality Plan with clear ownership, deadlines, and dependency mapping. Track this plan in your management reviews.
• Define precise verification methods for utilities and equipment calibration, and include those methods in SOPs. Don’t assume operators know how to verify calibration status—write it down!
• Implement a labeling standard that requires durable, printed labels with document numbers where appropriate. Eliminate handwritten labeling on equipment and storage areas used for GxP operations.
• Establish clear rules for what happens when qualification activities are delayed: who is notified, how is the delay documented, and what interim controls apply.

4. Supplier and vendor oversight was underdeveloped

The gaps here (present in 35% of these audits) weren’t about whether suppliers were qualified, but about whether the procedural infrastructure around supplier oversight was adequate to manage ongoing relationships and change notifications.

A few recommendations:

• Audit your SOPs against your quality agreements. Every requirement in a quality agreement should trace to a specific SOP with clear procedural steps for compliance.
• Define stage-specific notification requirements (development, clinical, commercial) so that clients at all stages receive appropriate change communication.
• Make sure your quality agreements specify applicable regulatory standards (GMP, GDP, ICH Q7, IPEC, etc.) so that both parties understand compliance expectations.
• Implement a mechanism to flag when suppliers rated as “under evaluation” or “provisional” are being used for production—this should trigger escalation and accelerated qualification.
• Validate transportation and distribution: conduct seasonal challenge studies, add logistics providers to your ASL, and ensure temperature excursions trigger documented deviation handling.

5. Annual product reviews and management reviews were late or incomplete

The pattern here was consistent in 30% of the firms we audited: companies understood the requirement for annual reviews but hadn’t implemented them with the rigor that regulatory expectations demand.

21 CFR 211.180(e) requires annual review of “quality standards of each drug product to determine the need for changes in drug product specifications or manufacturing or control procedures.”

APQR findings frequently appear in Warning Letters when reviewers can demonstrate that known quality issues weren’t addressed or that required elements were missing. Management review is the mechanism by which senior leadership demonstrates awareness of quality status—incomplete reviews suggest leadership isn’t engaged.

A few recommendations:

• Treat APQR deadlines as compliance-critical: track them in dashboards, assign clear ownership, and escalate approaching deadlines to management.
• Make sure your APQRs encompass a holistic review across all strengths and markets. Create templates that require cross-referencing between strengths.
• Align review periods: all data sources feeding into an APQR should cover the same time period.
• Hold at least one documented management review before any regulatory inspection using controlled templates that capture all required inputs and outputs.
• Include complaint aging metrics in management review and require action plans when aging trends deteriorate.

6. Data integrity and lab practices showed some vulnerabilities

In about 30% of these audits, lab findings were related to procedural gaps rather than actual data manipulation, but procedural gaps create the conditions where data integrity problems can go undetected.

We pretty frequently see the FDA cite around lab data integrity issues, including failure to review audit trails, inadequate investigation of anomalous results, and incomplete documentation of who performed testing.

The FDA’s 2018 guidance on this is extremely important reading.

A few recommendations:

• Make sure you have an SOP defining expectations for analytical method validation reports: required elements, acceptance criteria, report structure, and review/approval workflow.
• Sequence sampling activities correctly: no composite sampling until individual container identification testing is complete and approved.
• Implement signature logs or ensure that all laboratory analysts are identifiable from data worksheets—either through signature logs or by requiring full signatures on the first page of each worksheet.
• Make sure your data integrity assessments cover any equipment with user-specific access, passwords, and audit trails—regardless of how the equipment is classified!
• Enhance your labeling and sample management procedures to capture all required information, including storage location, storage conditions, and both unopened and opened expiry dates.

7. Complaint handling and QA oversight need to be tightened

We saw these problems in about 25% of our audits. Complaint handling procedures generally existed, but their execution revealed gaps in timeliness and completeness.

21 CFR 211.198 requires written procedures for handling written and oral complaints and requires that complaints be reviewed by the quality control unit. 21 CFR 820.198 (for devices) requires similar procedures.

We see FDA investigators often pull complaint logs and calculate aging, so a backlog of overdue complaints is one of the most visible indicators of a quality system under stress.

A few recommendations:

• Enforce intake timelines through system alerts and escalation. If complaints aren’t logged within one business day, someone should be notified.
• Lock complaint forms electronically so they cannot be closed without required sections being completed—or formally remove sections that are no longer required.
• Track complaint aging as a KPI reported to management review. Establish acceptable thresholds and escalation procedures when thresholds are exceeded.
• Treat QA oversight lapses—errors that QA should have caught but didn’t—as CAPA-worthy events requiring investigation and corrective action.

8. Batch record completeness issues persisted

Observed in approximately 25% of audits, these were often minor findings, but their persistence suggests that GDP training and batch record review need reinforcement.

21 CFR 211.186 requires that batch production and control records include “documentation that each significant step in the manufacture, processing, packing, or holding of the batch was accomplished.” Incomplete batch records—even for minor fields—create an overall impression of documentation weakness that can color an investigator’s assessment of the entire operation.

A few recommendations:

• Reinforce your GDP training with specific emphasis on “why” rather than just “what”—operators should understand that incomplete checkboxes create traceability gaps, not just procedure violations.
• Implement batch record review checklists that verify all required fields are completed before the record advances to the next review stage.
• Ensure material reconciliation procedures are followed and verified during QA review. Discrepancies should trigger investigation before batch release.
• Eliminate handwritten variable data on labels where possible; preprinted labels with verification checks are more reliable.

9. Sampling procedures required enhancement

This was an issue in about 20% of the audits. Sampling findings often related to misalignment between what suppliers provided and what regulatory requirements demanded.

Remember that 21 CFR 211.84(d)(1) requires that “representative samples of each shipment of each lot shall be collected for testing.” The regulation explicitly permits reduced testing schemes based on appropriate criteria, but those criteria must be documented.

Accepting supplier-selected samples without performing your own sampling creates a compliance gap that FDA investigators have specifically targeted.

A few recommendations:

• Make sure your sampling procedures follow regulatory requirements (21 CFR 211.84) for representative sampling from all containers.
• If reduced sampling is used, document the risk-based justification including statistical rationale, supplier history, and applicable regulatory provisions.
• Require identification testing on samples drawn from containers—not on samples pre-provided by suppliers.

10. Deviation and CAPA timeline management need better definition

This finding relates to the gap between internal timelines and external obligations—something we found in about 20% of these audits.

While the FDA doesn’t specify exact timeframes for deviation closure, the expectation is that investigations are “timely” relative to the nature of the deviation. More importantly, contractual obligations under quality agreements create legal exposure that extends beyond FDA enforcement.

A few recommendations:

• Define timeframes in SOPs for delivering final deviation investigation reports and CAPA plans to impacted clients—not just for internal closure.
• Align internal procedures with your quality agreement requirements. Conduct periodic audits to verify this alignment.
• Make sure you have escalation procedures for chronically delayed deviations, including management notification and resource assessment.

A quick recap (and what it means for you)

Across this dataset, the same problem areas surfaced repeatedly: documentation and change controls, investigation timeliness, equipment qualification, supplier oversight, annual product reviews, data integrity in laboratories, complaint handling, and batch record completeness. These aren’t new issues by any means. They’re the exact areas inspectors target first because they’re visible, auditable, and often indicative of broader quality system health.

The encouraging finding is that most facilities were generally in control. We recorded virtually no critical findings. The concerning finding is that the gaps we did observe were remarkably consistent across geographies, company sizes, and regulatory frameworks. Companies that think they’re different often aren’t.

If you can’t produce:

• Closed change controls with documented extensions (requested before deadlines)
• Complete training records linked to role-based curricula
• Timely investigations with real-time OOS recognition
• Qualified utilities and equipment with current calibration
• Current vendor files with signed quality agreements specifying applicable standards
• On-time APRs covering all strengths and markets
• Reliable laboratory data with clear audit trail practices
• Complaint records showing timely intake and complete QA follow-up
• Complete batch records with all checkboxes and timestamps

...then you’ve got vulnerabilities worth addressing now, before your next inspection.

A few questions to pressure-test your systems

Looking across these findings, here are 10 questions every firm should be able to answer with documentary evidence at hand. If the answer is “not right now,” you may have a vulnerability worth closing before your next inspection.

1. Can you show a closed change control package that includes objective evidence of implementation—not just a description—and can you demonstrate that any extensions were requested and approved before the original deadline?
2. If an investigation or change control goes past its due date, do you have a real-time extension approval with scientific or operational justification on file, or would you be left explaining a retroactive request?
3. Does your training curriculum map directly to each individual’s role, and can you show timely completion records for every employee, including annual GMP refreshers and job-specific qualifications?
4. For your last three OOS investigations, can you demonstrate that they were opened within one business day of the analyst recognizing the OOS result—not when the data was discovered during subsequent review?
5. When you check your utilities and equipment logs, can staff explain exactly how they verify calibration status—and is that method written into an SOP that anyone can follow?
6. Can you produce a controlled Approved Supplier List with current QA approvals, and can you show that every supplier in active use is covered by a signed quality agreement that specifies applicable regulatory standards (GMP, GDP, IPEC, etc.)?
7. Are your Annual Product Quality Reviews up to date, covering all strengths and markets for each product, and do your management review minutes explicitly cover complaint aging, CAPA effectiveness, and audit trends?
8. Do your laboratory procedures include an SOP for analytical method validation that defines report structure and acceptance criteria, and can you demonstrate that composite samples are only prepared after individual container identification testing is complete and approved?
9. If we pulled a random batch record today, would every required checkpoint—including BOF/MOF/EOF sample verifications, sample withdrawal times, and material reconciliation—be completed, initialed, and dated?
10. Can you demonstrate that every complaint in the past six months was logged within one business day, includes documented QA follow-up, and is reflected in your management review metrics?

Need an auditing, mock inspection, or remediation partner? Let’s talk.

If these findings sound uncomfortably familiar, you’re not alone. Even well-run organizations stumble on documentation, training, investigations, or oversight when the pressure of daily operations takes precedence. The difference between a clean inspection and a Form 483 often comes down to whether you’ve pressure-tested these systems before regulators do.

That’s where we come in. We connect you with former FDA investigators and seasoned industry experts who specialize in:

• Auditing — Supplier qualifications, internal audits, and global GxP audits tailored to your operations.
• Mock inspections — Pre-approval and surveillance-style inspections that reveal vulnerabilities before the agency does.
• Remediation support — Targeted consulting and staff augmentation to close gaps, draft SOPs, retrain teams, and strengthen your QMS.

Whether you need a single subject matter expert, a full audit team, or on-demand support to execute corrective actions, we can match you with the right expertise quickly.

Let’s talk about how we can help you identify and close compliance gaps—so your next inspection outcome is never left to chance. Drop us a line to start the conversation.