Anyone working in GxP, QA, CSV, or IT knows there’s nothing random about FDA warning letters. The same themes appear year after year, because the fundamentals of good CSV and data integrity still aren’t being embedded into everyday practice.
And that’s exactly why these findings matter: they highlight where organisations lose control not through dramatic failures, but through the quiet, familiar gaps everyone intends to fix “when there’s time.”
This is one of the most common findings because so many organisations believe their validation is complete when it isn’t. The FDA expects a validated state and clear evidence that the system is fit for its intended use, which is reinforced in guidance such as Computerized Systems Used in Clinical Investigations. In practice, inspectors continue to see missing or superficial IQ/OQ/PQ activities, systems going live without a formal validation report, and no traceability connecting requirements, risks, and tests. When these foundational gaps exist, every other control becomes unstable, because you cannot demonstrate the system performs reliably in the environment where it is used.
Data integrity has become one of the most scrutinised areas in inspections, for one simple reason: if the data isn’t trustworthy, nothing downstream can be. FDA and global regulators expect ALCOA+ principles to be consistently applied to every electronic system, yet warning letters show how often basic controls are missing. Shared or generic accounts, uncontrolled data changes, and gaps in electronic record management make it almost impossible to reconstruct who did what and when. When the origin or accuracy of data is questionable, it signals a breakdown in the quality system itself, and inspectors treat it accordingly.
Audit trails are essentially the diary of your system. They reveal the truth, not the story you think is happening, but the one that actually is. However, many organisations still fail to enable audit trails for critical GMP actions, or they enable them but never review them. Annex 11 and modern interpretations of periodic review make it clear that audit trail capture and review are core lifecycle activities, not optional extras. When inspectors ask to see evidence of audit trail review and there is none, it immediately undermines confidence in the reliability of your records.
Change control is one of the subtle areas where systems quietly drift out of their validated state. A system might have been perfectly validated at go‑live, but if changes are introduced without impact assessments, without appropriate re‑testing, or without documentation, you can no longer assert that the system is still validated. Good practice guidance repeatedly connects change control and periodic review, because both ensure continuity of control. If an organisation cannot explain why a change was made, what it impacted, or how it was evaluated, inspectors see this as a major risk.
Backups and disaster recovery plans are often treated as technical housekeeping rather than compliance commitments. Yet the FDA views them as critical controls. A backup you have never attempted to restore is not a safeguard, it’s a hypothesis. Guidance on computerised system lifecycle management emphasises the need for defined, tested, and periodically reviewed backup, restoration, and archival processes. Being able to show when you last performed a test restoration, what the outcome was, and how issues were corrected sends a powerful message of competence and control.
Access control issues consistently show up in warning letters because they cut directly to accountability. If privileges are not restricted, monitored, or periodically reviewed, individual accountability disappears. Shared admin accounts, uncontrolled permission changes, and insufficient oversight of who can modify or delete GxP‑relevant data expose organisations to significant regulatory and operational risk. Modern GxP expectations emphasise least‑privilege access, individual credentials, and routine access review, all of which demonstrate proactive rather than reactive management of system security.
As more organisations adopt SaaS, cloud platforms, and outsourced services, vendor qualification has become a growing point of failure. FDA guidance clearly states that outsourcing does not transfer responsibility. Sponsors and regulated companies remain accountable for ensuring that systems are fit for purpose, even if they are hosted, maintained, or configured by external providers. Inspectors expect to see documented evidence that you understand your vendor’s validation practices, security controls, change management processes, and support arrangements. Without this, your reliance on them becomes a compliance exposure.
SOPs are the bridge between intention and action. When SOPs governing CSV, data integrity, access control, backup, and periodic review are missing or outdated, inspectors assume (and usually correctly) that practice is inconsistent as well. Outdated procedures often signal outdated behaviours. Good practice literature demonstrates that the most effective SOPs are short, role‑clarified, and reflect how systems operate today, not how they worked five years ago. When procedures are allowed to fall behind the reality of system usage, the entire governance structure begins to erode.
Traceability is the backbone of credible validation. Without a robust Requirements Traceability Matrix, you cannot convincingly demonstrate that all critical requirements were tested with appropriate depth and rigour. Best‑practice discussions consistently highlight that an RTM links user requirements, risk assessments, test cases, and final approval in a clear, defensible chain. Inspectors can immediately tell when traceability is superficial, incomplete, or reverse‑engineered. They expect traceability that helps them quickly understand how the system’s functionality was verified, not one that obscures the story.
Periodic review is one of the most frequently missing lifecycle activities. Many organisations validate their systems well initially but fail to reassess them over time. A robust periodic review covers technical status, incidents, deviations, change history, access, audit trails, backup testing, and overall fitness for intended use. It is the mechanism that ensures the system you validated is still the system you are using. Inspectors see the absence of periodic review as a sign that the organisation treats validation as a project rather than an ongoing commitment.
Taken together, these ten findings form a very clear message: the organisations that succeed during inspections treat CSV and data integrity as continuous responsibilities. They rely on recognised guidance, align their processes with Annex 11 and Part 11, and build pragmatic, risk‑based behaviours into their daily operations. They don’t wait for inspections to expose weaknesses. They create systems that are dependable because they are maintained with intention, oversight, and routine attention.
And that’s the shift regulators want to see.