Jaime Pauline

What an FDA auditor actually sees when they look at your security controls

What FDA auditors look for in security controls during pharma inspections — three control areas that get scrutinized, common findings, and the audit-day playbook.


When the auditor opens the change-control log, they’re not looking for what you did. They’re looking for what you didn’t document. The patches you applied without a ticket. The emergency access granted on a Friday afternoon and never reviewed. The configuration change that made the system “work better” but bypassed the validation envelope.

This isn’t paranoia. It’s pattern recognition. After a few hundred 21 CFR Part 11 inspections, an auditor knows where the gaps live, and they walk the hall asking the questions designed to surface them.

Three control areas FDA scrutinizes most

Change control on validated systems. Section 11.10(e) of 21 CFR Part 11 doesn’t just ask whether you can change the system — it asks whether the change is captured, attributed, and reversible. The most common finding here isn’t “you made an unauthorized change.” It’s “you made an authorized change with a control-owner who didn’t sign off, on a record that was never closed in the QMS.” The auditor will want to walk a specific change end-to-end. Pick one before they do.

Access control and periodic access review. Privileged accounts, shared service accounts, terminated-employee access — these are the perennial gaps. The auditor isn’t impressed that your IAM tool can produce a report; they want to see the quarterly access review with a control-owner signature on it, dated within the review window. If your last review was nine months ago and you have a quarterly SOP, you have a finding.

Audit trail completeness. This is the one that surprises companies. Auditors will pull a record and follow the audit trail backwards through the system — every edit, every login, every export. Gaps in the trail (system reboots that weren’t logged, log retention that aged out before the audit window, integrations that wrote to the record without going through the trail) become the inspection’s centerpiece. The standard isn’t “comprehensive logging.” It’s “no gaps in the trail for any record under inspection.”
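As an added illustration (not code from the original post), here is the walk-backwards check in miniature: it replays one constructed record's trail and flags the two gap types named above, a retention window that aged out before the inspection window opened, and an edit whose "before" value does not match the trail's last known state, which is what an integration writing around the trail looks like. The entry format, field names, and sample dates are assumptions.

```python
"""Audit-trail completeness check for one record (hypothetical format)."""
from datetime import datetime, timedelta


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def check_trail(entries, window_start, window_end, retention_days, now):
    """Return human-readable findings for one record's audit trail."""
    findings = []
    # (a) Retention that aged out inside the inspection window: anything
    # older than the retention horizon is gone, so the window's start is blind.
    oldest_kept = now - timedelta(days=retention_days)
    if window_start < oldest_kept:
        findings.append(
            f"retention gap: window opens {window_start:%Y-%m-%d} but entries "
            f"before {oldest_kept:%Y-%m-%d} have aged out"
        )
    # (b) Replay edits per field in time order. An edit whose recorded 'old'
    # value differs from the previous edit's 'new' value means something
    # changed the record without writing to the trail.
    last_seen = {}
    in_window = [e for e in entries if window_start <= parse(e["ts"]) <= window_end]
    for e in sorted(in_window, key=lambda e: parse(e["ts"])):
        if e["action"] != "edit":
            continue  # logins and exports carry no before/after values
        prev = last_seen.get(e["field"])
        if prev is not None and e["old"] != prev:
            findings.append(
                f"untracked write on {e['field']}: trail ends at '{prev}', "
                f"next edit at {e['ts']} starts from '{e['old']}'"
            )
        last_seen[e["field"]] = e["new"]
    return findings


# Constructed trail for one hypothetical batch record; not real data.
SAMPLE_ENTRIES = [
    {"ts": "2024-03-10 09:15", "actor": "jsmith", "action": "login"},
    {"ts": "2024-03-10 09:20", "actor": "jsmith", "action": "edit",
     "field": "status", "old": "draft", "new": "in_review"},
    {"ts": "2024-03-20 14:02", "actor": "qa_integration", "action": "edit",
     "field": "status", "old": "approved", "new": "released"},
    {"ts": "2024-03-21 08:00", "actor": "jsmith", "action": "export"},
]


def run_sample():
    return check_trail(SAMPLE_ENTRIES, parse("2024-01-01 00:00"),
                       parse("2024-03-31 23:59"), 90, parse("2024-06-01 00:00"))


if __name__ == "__main__":
    for finding in run_sample():
        print("FINDING:", finding)
```

Run against the sample, it reports both gaps: the 90-day retention horizon (3 March) falls after the 1 January window start, and the status field jumps from "in_review" to an edit that begins at "approved" with nothing in the trail between them.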

"The auditor's question isn't 'do you log everything?' It's 'walk me through this change.'"

Common findings, and what they actually mean

A finding doesn’t always mean what it says. “Inadequate change control documentation” usually means one of three things, and the right response depends on which:

  • Missing control-owner sign-off. The fix is process, not technology. Add the sign-off to the change ticket template; backfill recent changes within reason.
  • Gap in the periodic access review cycle. The fix is the review cadence, not the IAM tool. Document the SOP, perform the review, sign it.
  • Undocumented emergency change. The fix is the after-action: the change happened, that’s reality. The evidence trail captures it, the review approves it retroactively, the SOP gets updated to reflect that emergency changes need documentation within 24 hours of resolution.

None of these require new technology. All of them require process discipline that holds up over time, not just at audit time.

The audit-day playbook

By the morning of the inspection, the work is mostly done. What’s left is execution:

  • Have the right people in the room. The control owner for any system the auditor names should be available within fifteen minutes. Not “I’ll get you her email.” Available.
  • Don’t volunteer information. Answer the question asked. If the auditor asks about change control, talk about change control. They have a list of questions; they’re not interested in your tour of the SIEM.
  • When the trail has a gap, name it. “There’s a gap in the audit trail between January 12 and January 14 due to a system migration. We have the migration runbook and the post-migration validation. Want to see them?” Naming a gap is much stronger than letting the auditor find it.

The companies that handle inspections well aren’t the ones with perfect controls. They’re the ones with documented controls, owned controls, and honest controls.

If your next FDA inspection is sooner than you’d like and your security control evidence isn’t where you want it, let’s talk.
