A quality management system audit isn’t just a pre-inspection exercise. It’s the diagnostic tool for understanding whether your quality system is actually managing quality, or just producing documentation that looks like it does. The difference matters enormously when your system is under pressure: when batches are failing, when an OOS won’t resolve, when an FDA inspector is in the building.

This checklist covers the core elements of a pharmaceutical QMS aligned with ICH Q10 and FDA/EMA expectations. Work through each section methodically. The questions are designed to probe whether the system works, not just whether documentation exists.

Section 1: Document Control

Document control is foundational. If your document system doesn’t work, if people don’t know which version is current, if documents take 6 months to get approved, if training records don’t match the current document versions, nothing downstream is reliable.

Document Hierarchy and Classification

  • Is there a documented hierarchy of GxP documents (policies, SOPs, work instructions, forms, records)?
  • Is it clear which document types require GxP controls and which don’t?
  • Are all GxP documents given unique identifiers, version numbers, and effective dates?
  • Is there a system (EDMS or controlled physical system) that prevents use of obsolete document versions?

Document Lifecycle Controls

  • Does the document creation and revision process require QA review and approval before a document becomes effective?
  • Is there a defined review cycle (e.g., biennial or triennial review) for all SOPs?
  • Are documents past their scheduled review date identified and tracked?
  • When a document is revised, are all previous versions archived (not deleted) and marked as obsolete?
  • Is there a process to ensure that old document versions are removed from working areas when new versions are issued?

A specific check: Pick 5 SOPs at random. Check whether the training records for the staff performing those procedures show training on the current version, not a previous version. This single check reveals whether your document control and training systems are synchronized.

Forms Management

  • Are blank forms controlled and version-identified?
  • Is there a process to prevent use of obsolete form versions?
  • Are completed GxP forms retained as records?
  • For paper-based recording: are forms pre-printed to prevent post-hoc reconstruction?

Section 2: Deviation Management

Deviations are the primary signal of how well your processes are actually working. A deviation system that finds and closes deviations quickly is good. A deviation system that finds nothing, or finds the same things repeatedly, or closes deviations with superficial corrective actions, is a problem.

Deviation Identification and Reporting

  • Is there a clear procedure for when to open a deviation (and who is responsible)?
  • Are deviations opened at the time they occur, not days later?
  • Is there a classification system (Critical/Major/Minor) with defined criteria for each?
  • Do all areas generating GxP data (manufacturing, QC lab, clinical, warehouse) use the same deviation system?
  • Are “near misses” (events that almost caused a problem but didn’t) captured and trended?

The documentation timing problem: Pull 10 deviation records from the past quarter. Check the date the event occurred vs. the date the deviation was opened. Events that were opened more than 48 hours after they occurred suggest either that staff don’t know the reporting requirement, feel uncomfortable reporting, or are making judgments about what “needs” to be documented. All three are problems.

Investigation Quality

  • Do investigations identify root cause, not just describe what happened?
  • For deviations affecting product quality: is there a documented impact assessment on the affected batch(es)?
  • Are corrective actions proposed in response to the root cause, not just the symptom?
  • Are deviations involving GxP systems linked to the change control or CAPA system as appropriate?
  • Is investigation quality reviewed by QA, not just the conclusion?

Root cause quality check: Pull 5 recent deviation closure records. For each, ask: could the proposed corrective action have prevented the event described as the root cause? If the root cause is “analyst transcription error” and the corrective action is “retrain analyst,” would retraining actually prevent this from happening again, or is there a process design issue (confusing forms, unclear instructions) that made the transcription error likely? Weak root causes lead to recurrences.

  • Is there a periodic review of deviation frequency, type, and location?
  • Are repeat deviations of the same type identified and escalated?
  • Are trending reviews documented and reviewed at quality review meetings?
  • Is the deviation trend data used to identify systemic issues, or does it sit in a report that nobody acts on?

Section 3: CAPA Management

CAPA is the corrective and preventive action system, the mechanism by which quality problems are systematically resolved and prevented from recurring. A CAPA system that generates action items without verifying they worked isn’t a quality system. It’s an action item tracker.

CAPA Triggers and Opening

  • Is it clear when a CAPA should be opened vs. a deviation corrective action?
  • Are CAPAs opened for: repeat deviations, significant audit findings, OOS trends, complaint trends, and data integrity events?
  • Are CAPA timelines defined at opening and tracked?
  • Who reviews and approves CAPA plans before implementation begins?

CAPA Quality

  • Does the CAPA identify the root cause independently from the symptom?
  • Does the corrective action address the root cause directly?
  • Does the preventive action address related situations that haven’t yet caused a problem?
  • Is the scope of the CAPA assessed, does the problem exist in other areas, products, or sites beyond where it was identified?

Scope assessment is the most commonly skipped step. An OOS that was found to be caused by an HPLC audit trail gap shouldn’t trigger a CAPA only for that HPLC. The CAPA should assess whether the same gap exists in other CDS instruments in the same lab, in other labs, in other facilities. The scope of the CAPA should match the scope of the problem, not just the scope of where it was found.

Effectiveness Checks

  • Is there a documented effectiveness check plan for every CAPA?
  • Does the effectiveness check criteria define what “success” means, a specific metric, not just “no recurrence”?
  • Are effectiveness checks actually performed at the planned timeframe?
  • When an effectiveness check shows the CAPA didn’t work, is a new CAPA opened?
  • Are overdue CAPAs and overdue effectiveness checks tracked as a compliance metric?

Check what the data shows: Pull the past 12 months of CAPAs that should have had effectiveness checks completed. How many were completed on time? What percentage showed recurrence? An effectiveness check completion rate below 80% or a recurrence rate above 20% are signals that something is wrong with the CAPA discipline.

Section 4: Change Control

Change control governs modifications to processes, procedures, equipment, facilities, and computer systems that are under GxP control. Without good change control, you don’t know whether your current validated/qualified state reflects what was assessed and approved, or what someone changed six months ago.

Change Control Scope

  • Is there a documented scope for what requires change control?
  • Does change control cover: manufacturing processes, cleaning processes, analytical methods, equipment and facilities, computer systems, SOPs affecting GxP activities, raw material specifications?
  • Are staff aware of the change control requirement, or do some changes get made informally without documentation?

The “informal” change: The most common gap is not that the change control SOP is wrong, it’s that some changes happen outside the system. A manufacturing supervisor who modifies a manufacturing step “temporarily” to solve a production problem. An IT administrator who applies a patch without going through change control because “it was urgent.” An analyst who changes an HPLC method parameter to get a better result without a method change control record. Auditing this requires talking to people, not just reading documentation.

Impact Assessment Quality

  • Does the change control form require an impact assessment that is specific to the change?
  • Does the assessment specifically address: validated state of systems/equipment, regulatory filings, quality risk, need for revalidation or requalification?
  • Are impact assessments reviewed by someone with technical knowledge of what’s being changed?
  • Is QA required to review and approve the impact assessment before the change is implemented?

Post-Implementation Verification

  • Is there a step to verify the change was implemented as planned?
  • For changes requiring testing: is there documented evidence that testing was performed and passed before the change is considered complete?
  • Are changes linked to their supporting documentation (updated SOPs, new training records, updated validation documentation)?

Section 5: Training Program

Training is the mechanism by which procedural knowledge becomes actual practice. A training program that produces completion records without producing competent, compliant practice is documentation overhead, not quality infrastructure.

Training Curriculum and Matrix

  • Is there a training matrix that defines what training each role requires?
  • Does the training curriculum cover GxP fundamentals, role-specific procedures, and site-specific practices?
  • Is the training matrix updated when procedures change?
  • Are new hires prevented from performing GxP activities before completing required initial training?

Training Record Currency

  • Do training records for each employee show training on the current version of every SOP they are required to use?
  • When a document is revised, is re-training assigned and tracked to completion?
  • Are there any gaps where employees are performing GxP activities against outdated training records?

The specific check: Pick 5 employees who regularly perform GxP activities. Cross-reference their training records against the current version of the SOPs governing their activities. Is every SOP they need current in their training record? This check takes about 20 minutes and reveals the state of your training/document control integration immediately.

Effectiveness Assessment

  • Is there a mechanism to verify training was effective, that people actually understood and can apply what they were trained on?
  • For critical GxP tasks: is there practical demonstration or OJT verification, not just read-and-sign?
  • When a training failure is identified (an employee performing a task incorrectly), is it investigated as a training system failure, not just a human failure?

Section 6: Supplier and Vendor Qualification

Your quality system extends to your suppliers. Materials, services, and software that aren’t qualified can compromise product quality and GxP record integrity regardless of how well your internal systems are managed.

Approved Vendor List (AVL) Management

  • Is there a current Approved Vendor List for all critical materials and services?
  • Does the AVL reflect current supplier qualification status?
  • Is there a process to remove suppliers from the AVL when qualification lapses?
  • Are new materials only purchased from AVL-approved suppliers for GxP use?

Supplier Qualification and Monitoring

  • Is there a documented supplier qualification process that assigns qualification tiers based on risk?
  • For high-risk suppliers (API manufacturers, contract labs, software vendors for validated systems): is there documentation of audits, questionnaires, or other qualification activities?
  • Are qualification activities performed at the required frequency?
  • Is there a change notification requirement from suppliers, must they notify you before making changes that could affect your materials or services?
  • Are supplier deviations (complaints, COA failures, service failures) tracked and used in qualification decisions?

The software vendor gap: Many sites have strong supplier qualification for material suppliers but gaps for software vendors. The vendor of your LIMS is a supplier. If your LIMS vendor makes a software change that affects how audit trails work and doesn’t notify you, that’s a qualification failure, but only if your supplier qualification covers software vendors and includes change notification requirements.

Section 7: Internal Audit Program

Internal audits are your primary mechanism for identifying QMS gaps before external inspectors do. An internal audit program that only confirms compliance is missing the point. The goal is to find real problems.

Audit Program Design

  • Is there a documented annual internal audit schedule?
  • Does the schedule cover all GxP areas on a risk-based frequency?
  • Are auditors independent of the areas being audited?
  • Are auditors trained in audit techniques and GxP requirements?
  • Does the audit scope include follow-up on previous audit findings?

Audit Execution

  • Are audits planned with opening meetings, inspection activities, and closing meetings?
  • Do auditors verify compliance, not just review documentation?
  • Are audit findings classified by severity?
  • Are audit reports completed within a defined timeframe after the audit?

Audit Follow-Through

  • Are all audit findings responded to with root cause analysis and corrective actions?
  • Are CAPAs opened for significant audit findings?
  • Is effectiveness of audit corrective actions verified?
  • Do the same findings recur across multiple audit cycles? (If yes, the corrective actions aren’t working.)

Section 8: Quality Metrics and Management Review

Quality metrics are the dashboard for the QMS. Management review is the governance mechanism that ensures the QMS is actually managed.

Quality Metrics

What metrics are you tracking? At a minimum, a functional QMS should be monitoring:

  • Deviation rate, types, and trend
  • CAPA on-time completion rate
  • CAPA effectiveness check completion rate
  • OOS rate and invalidation rate (%)
  • Document overdue review rate
  • Training completion and overdue rate
  • Supplier complaint/rejection rate
  • Change control cycle time
  • Batch failure and rejection rate
  • Audit finding closure rate

Are the metrics being acted on? Pull the last three management review presentations. For each metric that showed a negative trend, is there documented management response, an action item, a CAPA, a resource decision? Metrics that are reviewed and filed without action are not QMS management. They’re compliance theater.

Management Review

  • Is there a documented periodic management review (at minimum annual)?
  • Does the review cover all key quality metrics?
  • Does the review identify areas requiring improvement and assign ownership?
  • Are action items from management review tracked to completion?
  • Does senior management actively participate, or is it a QA-run meeting with management present but not engaged?

Section 9: Product Quality Reviews

Annual Product Reviews (APRs) or Product Quality Reviews (PQRs) are the formal annual assessment of product quality trends. They are a regulatory requirement (21 CFR 211.180(e); EU GMP Chapter 1 §1.10) and a genuine quality tool if done well.

  • Is there an APR/PQR for every commercial product on a defined annual schedule?
  • Does the review cover: batch yield and rejection trends, specification failures, OOS events, complaints, stability data, process capability indices where applicable, CAPA status, regulatory commitments?
  • Are trends analyzed, not just data presented?
  • Are improvement opportunities identified and actioned?
  • Is the APR/PQR reviewed and approved by QA?

The signal in APR/PQR data: A product where yield has been declining for 3 years, OOS rate is 8%, and the same batch failure root cause keeps recurring, that’s a process that needs intervention. If your APR/PQR trend data consistently shows these signals and there are no corresponding improvement actions, that’s a quality governance failure.

Scoring and Next Steps

As you work through this checklist, prioritize findings by:

What affects patient safety or product quality: Any gap that means product of uncertain quality may have been released, or that could lead to a safety issue, is the highest priority regardless of other considerations.

What FDA or EMA would cite: Based on current warning letter patterns and inspection expectations, the highest-cited QMS weaknesses are: CAPA effectiveness (insufficient root cause, no effectiveness check), deviation management (delayed reporting, weak investigation), and training system gaps (outdated training records, no effectiveness assessment).

What’s systemic vs. isolated: An isolated minor gap corrected in one procedure is a small finding. The same gap across 20 procedures means the document review process is broken.

Regulatory Reference Points

QMS ElementKey Regulatory Reference
Document control21 CFR 211.68, 211.186, 211.194; EU GMP Chapter 4
Deviations21 CFR 211.192; EU GMP Chapter 1 §1.12
CAPA21 CFR 211.192; ICH Q10 §3.2
Change control21 CFR 211.100(a); EU GMP Chapter 1 §1.13; ICH Q10 §3.2
Training21 CFR 211.68, 211.192; EU GMP Chapter 2
Supplier qualification21 CFR 211.80-82; EU GMP Chapter 7
Internal audits21 CFR 211.192; EU GMP Chapter 9; ICH Q10 §3.4
Product quality reviews21 CFR 211.180(e); EU GMP Chapter 1 §1.10
Management reviewICH Q10 §3.4