An audit is a systematic, evidence-based assessment of whether a process, product, or system complies with defined requirements such as regulations, standards, or contractual obligations. Audit findings are the documented results of such assessments, confirming either conformity or deviation from the specified criteria.
Audit findings arise from various types of audits, including internal, mock, and external audits. Findings are commonly categorized by severity into critical, major, minor, observations, and repeat findings, with each category reflecting different levels of compliance impact and risk.
Frequent areas where findings occur include document control, training management, corrective and preventive action (CAPA) management, change control, supplier management, validation, environmental monitoring, and others.
The key standards guiding audit finding management are ISO 19011:2018 for auditing management systems and ISO/IEC 17021-1:2015 for bodies providing audit and certification of management systems.
Effective writing of audit findings demands clarity, objectivity, evidence linkage, categorization, and traceability. The use of the 5 C’s framework of criteria, condition, cause, consequence, and corrective action is often suggested. Managing findings follows a lifecycle from identification and documentation through CAPA implementation, verification, and ongoing monitoring.
Electronic quality management system (eQMS) software supports audit findings management by centralizing records, automating CAPA workflows, providing root cause analysis tools, generating reports, and linking evidence to findings.
SimplerQMS is a life science-focused eQMS, supporting compliance with FDA regulations for pharmaceuticals and medical devices, EU GMP, EU MDR, EU IVDR, ISO standards, and other industry requirements. SimplerQMS integrates audit management with centralized quality management, enabling organizations to efficiently address audit findings and strengthen their overall quality system.
What Are Audit Findings?
Audit findings are documented results collected through objective evidence during an audit. Audit findings confirm whether a process, product, or system conforms or deviates from defined criteria, such as regulatory requirements, internal procedures, or contractual obligations.
Audit findings play a central role in the audit process, highlighting strengths, weaknesses, and areas of risk. Audit observations identify nonconformities and improvement opportunities and promote accountability across departments.
Audit findings are essential for compliance and quality assurance. In regulated industries, such as life sciences, the audit process supports adherence to quality system requirements, and the findings lead to actionable results. Audit findings ensure regulatory expectations are met, establish a documented history of system performance, and guide quality improvements.
U.S. FDA inspectors issue Form 483 to document audit observations of potential GMP violations. In the EU, similar findings are reported in GMP inspection reports by competent authorities. ISO 9001:2015 and ISO 13485:2016 audits rely on documented findings to verify compliance with international quality management standards.
What Are the Types of Audits That Generate Findings?
Audit findings are generated through several types of quality audits, each serving a specific purpose in evaluating compliance and operational capabilities. The quality audits differ by scope and the auditor’s origin.
The key types of audits that generate findings are listed below.
- Internal Audits: Internal audits are evaluations conducted by impartial, qualified personnel within the organization who are not involved in the audited process, or by qualified external contractors. Internal audits help identify issues proactively and support continuous improvement.
- Mock Audits: Mock audits are a subtype of internal audits designed to simulate external inspections. Mock audits prepare teams for regulatory or certification audits by identifying weaknesses before actual assessments.
- External Audits: External audits are evaluations performed by independent parties outside the organization. External audits include regulatory, certification, customer, and supplier audits, each with unique objectives.
  - Regulatory Audits: Regulatory audits are external inspections performed by government agencies or authorized organizations such as the FDA, national competent authorities in the EU, or notified bodies. Regulatory inspections verify compliance with applicable laws, regulations, and industry guidelines.
  - Certification Audits: Certification audits are external assessments performed by certification bodies. Certification audits assess conformity to standards like ISO 9001 or ISO 13485 for issuing or renewing certifications.
  - Customer Audits: Customer audits are external evaluations initiated by clients to assess whether suppliers meet contractual, quality, and compliance requirements. Customer audits often focus on operational capability, compliance, and process controls.
  - Supplier Audits: Supplier audits are external evaluations conducted by organizations on their suppliers. Supplier and customer audits are similar in nature, but differ in perspective; one is conducted by the client, while the other is conducted by a company evaluating its own suppliers.
What Are the Categories of Audit Findings?
Audit findings are separated into categories based on their severity and impact on compliance. The exact categorization terminology varies depending on the applicable requirement, the company’s internal procedures, and the auditor.
Below are the most common types of audit findings used across quality and regulatory audits in the life science industry.
- Critical Findings: Indicate a serious breach that directly impacts patient safety. Critical findings often reflect a significant risk related to the quality system or may involve potential product quality issues or data fraud.
- Major Findings: Represent significant nonconformities that could impact product quality or lead to regulatory noncompliance if left unaddressed. Major findings often result from process failures or inadequate controls.
- Minor Findings: Highlight isolated issues that do not pose an immediate risk to product quality or patient safety but still represent a deviation from established procedures or requirements. Minor findings may indicate areas needing procedural reinforcement.
- Observations: Refer to comments or suggestions where no clear nonconformity exists, but where potential improvement or clarification is advised. While observations do not require formal corrective actions, they should be considered for continuous improvement.
- Repeat Findings: Occur when a previously identified nonconformity has not been resolved effectively. Repeat findings are considered higher risk as they show a lack of effective root cause analysis or CAPA system. Repeat findings often escalate the severity of audit observations.
Different regulatory frameworks and standards use varying terms for audit finding categorization. The terms used in life science–related regulatory frameworks and standards for different types of audit findings are outlined below.
- Food and Drug Administration (FDA): FDA uses Official Action Indicated (OAI), Voluntary Action Indicated (VAI), and No Action Indicated (NAI).
- European Good Manufacturing Practices (EU GMP): EU GMP refers to deficiencies that are classified as critical, major, and other.
- Pharmaceutical Inspection Convention and Pharmaceutical Inspection Co-operation Scheme (PIC/S) GMP Guide: PIC/S GMP mirrors EU GMP, using critical, major, and other deficiencies, and comments.
- International Organization for Standardization (ISO): ISO defines major non-conformity, minor non-conformity, Opportunities For Improvement (OFI), and conformity.
1. Critical Findings
A critical finding is a deficiency that has a significant impact on patient health and product safety. This classification applies when the deficiency poses a direct risk to consumers, such as the potential for a contaminated medicinal product reaching the market. Within the audit process, critical findings demand immediate attention due to their severity, regulatory implications, and the urgent need to protect public health. Critical findings indicate a systemic failure within the quality system or manufacturing operations.
Common critical findings include cross-contamination between products, misrepresentation or falsification of records, as well as the use of raw materials of unknown quality. Such findings often stem from improper facility design that compromises product safety, failure in data integrity, or lack of established specifications.
Critical findings carry the highest risk level and may lead to product recalls, suspension of GMP or manufacturing authorization for medicinal products, or issuance of an OAI letter for FDA-regulated industries. Such findings are not isolated but reflect broader, systemic weaknesses in the quality system that affect multiple processes or departments.
Resolution of critical findings requires immediate containment actions to minimize risk, followed by a structured and documented root cause analysis (RCA). The organization must implement and verify the effectiveness of corrective and preventive actions. Senior management involvement is essential at all stages of root cause analysis and implementation of corrective actions to ensure accountability, oversight, and resource allocation. Monitoring of the CAPA effectiveness is required to confirm that systemic gaps have been fully addressed.
2. Major Findings
A major finding is a significant deficiency that may impact product or service quality or regulatory compliance, but does not meet the threshold for a critical finding. According to ISO/IEC 17021-1:2015, a major non-conformity affects the capability of the management system to achieve its intended results. Major findings compromise the effectiveness of the quality management system.
Typical examples of major findings are inadequate training of key personnel, poor documentation practices such as missing records, or unauthorized deviations from approved instructions. Ineffective training management, lack of resources, and limited control over documented instructions are frequent root causes.
The impact of major findings usually relates to product or service quality, delays in operations, or decreased customer satisfaction and trust. While not always leading directly to regulatory actions, the presence of multiple major findings, their likelihood of recurrence, and the compliance history of the auditee are key factors considered by regulators when determining the need for action. Major findings can be either systemic or isolated, but in most cases, they reflect broader quality system failures that require structured remediation.
Resolution of major findings requires a detailed root cause analysis followed by a corrective and preventive action plan. Implementation of CAPAs must be properly documented, and the effectiveness of the corrective measures must be verified within a predefined timeframe. Senior management must be informed of major findings and engaged throughout the resolution process.
3. Minor Findings
A minor finding refers to a deviation from requirements that has a limited impact on product or service quality or the effectiveness of the management system. A minor finding is defined in PIC/S and EU GMP guidelines as “other deficiencies”, and in ISO standards as a “minor non-conformity”. Minor findings highlight areas of noncompliance that require correction but do not indicate a serious risk. While the urgency for resolution is lower compared to critical or major findings, timely and appropriate follow-up remains essential.
Common causes of minor findings include procedural inconsistencies, incomplete documentation, minor process deviations, or isolated errors that do not compromise product or service quality. Root causes of minor findings often involve temporary lapses in training or unclear work instructions.
The impact of minor findings is limited and generally does not lead to regulatory action, operational delays, or reputational damage unless they are repeated or ignored. In the FDA context, minor findings usually result in a VAI letter, signaling that correction is expected but no enforcement is planned. Minor findings are typically isolated and do not reflect systemic failure. However, accumulation of minor findings in the same process over time may signal systemic weaknesses.
Resolution of minor findings is handled within the organization’s CAPA system. Corrective actions are implemented to ensure the issue does not recur. While management involvement is not always required at the highest level, accountability for minor findings closure must still be clearly defined.
4. Observations
An observation is not a non-conformity but rather a remark made by the auditor to highlight a potential area where the system could be improved. An observation is referred to as a “comment” in PIC/S guidance and an “Opportunity for Improvement (OFI)” in ISO standards. Observations are relevant in audits as they support continuous improvement and encourage proactive quality enhancements.
Common causes of observations include small inefficiencies, inconsistencies in document formatting, or informal practices that are not completely covered by procedures. Root causes are often linked to minor gaps in standardization or documentation rather than failures in training or process execution.
The impact or risk level associated with observations is negligible. Observations do not lead to regulatory action, operational delays, or reputational harm. These findings are isolated and do not indicate systemic failure. Observations serve as guidance rather than a mandate.
Observations typically require no corrective action. However, preventive actions may be initiated if the organization chooses to act on the suggestion and improve the area identified. Addressing observations demonstrates quality maturity, regulatory readiness, and a commitment to continuous improvement.
5. Repeat Findings
A repeat finding is an audit observation identified in an earlier audit that remains unresolved or has recurred despite claimed corrective action. This type of finding signals a failure to address underlying issues and reflects poor CAPA effectiveness. Repeat findings undermine confidence in the quality system and the organization’s ability to implement sustainable improvements.
The most common causes of repeat findings include inadequate root cause analysis, ineffective or incomplete CAPA implementation, and insufficient or missing effectiveness checks. These failures often reflect gaps in the organization’s ability to analyze problems deeply and apply sustainable solutions.
The risk level associated with repeat findings is elevated. Repeat findings are considered risk multipliers and may trigger regulatory actions. Operational delays and reputational damage become more likely as regulators and clients interpret repeated issues as systemic weaknesses.
Resolution of repeat findings requires a deep and comprehensive root cause analysis, followed by robust corrective and preventive actions. CAPAs must be monitored closely, with clear accountability and documented evidence of effectiveness.
What Are the Common Areas Where Findings Occur?
Audit findings often occur in key quality processes and operational areas where compliance and process control are essential.
The common areas where audit findings occur are listed below.
- Document Control and Data Integrity: Issues such as outdated procedures, incomplete records, or failure to maintain data traceability and retrievability.
- Training and Competency: Gaps in training records, lack of evidence of competence, or staff performing tasks without current qualification.
- Quality Investigations and Root Cause Analysis: Incomplete investigations, superficial root cause analysis, or failure to address all contributing factors.
- Risk Management: Missing or inadequate risk assessments or failure to update the assessments after major process changes.
- Change Control: Unapproved changes, incomplete impact assessments, or a lack of follow-up to verify change effectiveness.
- CAPA: Weak corrective and preventive actions, delayed or incomplete CAPA execution, or lack of documented effectiveness checks.
- Supplier Management: Missing supplier qualification records, outdated or incomplete agreements, or gaps in ongoing supplier monitoring.
- Validation: Incomplete validation protocols, inadequate execution or documentation of validation activities, or missing evidence of ongoing process verification.
- Environmental Monitoring: Inadequate temperature mapping of high-risk equipment, such as stability chambers, or environmental alarms that have not been properly investigated.
- Calibration and Maintenance: Overdue calibration or maintenance activities, missing calibration records, or use of uncalibrated equipment.
- Cleaning Procedures: Lack of validated cleaning processes, incomplete cleaning logs, or inadequate verification of cleanliness.
- Internal Audits: Missed internal audit schedules, incomplete reports, or ineffective follow-up on previous findings.
What Are the Audit Management Requirements Related to Audit Findings?
Audit management requirements related to audit findings are outlined below.
- ISO 19011:2018: ISO 19011 is an international standard that provides guidance on auditing management systems. Clause 6.4.8 specifies that audit findings must be based on objective evidence and can indicate conformity, nonconformity, or opportunities for improvement. ISO 19011:2018 requires that each finding be documented, referenced to the audit criteria, and communicated to the auditee during the audit process.
- ISO/IEC 17021-1:2015: ISO/IEC 17021-1 specifies requirements for bodies that audit and certify management systems. Clause 9.4.5 mandates that audit findings be identified and recorded to enable an informed certification decision. Findings that indicate non-conformity must include clear references to a specific requirement and evidence observed. This clause also requires that findings be discussed with the auditee to ensure understanding before the audit is concluded.
- PIC/S Guidance on Classification of GMP Deficiencies: The Pharmaceutical Inspection Co-operation Scheme (PIC/S) is an international cooperative arrangement between regulatory authorities aimed at harmonizing GMP inspection requirements and procedures. PIC/S guidance defines the classification of GMP deficiencies, aiming to set a harmonized framework for assessing the severity and potential impact of audit findings within pharmaceutical inspections.
How to Write Effective Audit Findings?
To write effective audit findings, auditors must use objective evidence that is directly linked to the applicable requirement, as well as clear and concise language.
The main steps to document audit findings are the following.
- Use a Standardized Format: Structure audit findings consistently, typically including the requirement, evidence, and conclusion. A standardized format ensures uniformity and facilitates easier review, even when different auditors are involved.
- Be Clear and Concise: Present the audit finding in straightforward language without ambiguity, avoiding overly technical or vague statements.
- Stay Objective and Evidence-Based: Base conclusions solely on verifiable audit evidence, not opinions or assumptions.
- Link Each Finding to a Requirement: Reference the exact clause of regulation, standard, guideline, or internal procedure that was not met to justify the finding.
- Classify the Finding: Indicate the severity, such as critical, major, minor, or observation, according to the applicable categorization system. Note any repeated audit findings.
- Link to Corrective Actions: Connect the finding to required corrective or preventive actions, when provided by the auditee, to maintain effective audit oversight and CAPA follow-up.
- Use Professional, Neutral Tone: Maintain a factual and impartial tone, focusing on the issue rather than individuals or subjective impressions.
- Ensure Traceability: Record details so that the audit finding can be traced back to the audit evidence, location, date, and responsible process or department.
What Are the 5 C’s of Audit Findings?
The 5 C’s of audit findings provide a structured approach for documenting and communicating issues identified during an audit.
The 5 C’s of audit findings are listed below.
- Criteria: The standard, regulation, guideline, or internal requirement against which the audit is performed and all evidence is evaluated.
- Condition: The actual situation or evidence observed during the audit.
- Cause: The underlying reason why the condition occurred, often determined through root cause analysis.
- Consequence: The potential or actual impact of the condition on patient safety, product or service quality, compliance, or operations.
- Corrective Action: The specific action proposed or required to address the cause and prevent recurrence.
What Is the Lifecycle of an Audit Finding?
The lifecycle of an audit finding outlines the sequential steps from discovery to long-term monitoring, ensuring that issues are fully addressed and prevented from recurring. The steps of the audit finding lifecycle are described below.
- Identification: The auditor detects the deficiency/nonconformity, or opportunity for improvement, during the audit process.
- Documentation: The finding is recorded in detail by the auditor using documents such as an audit finding report template, including evidence and reference to the applicable requirement.
- Communication: The finding is formally presented to the auditee, ensuring understanding of the issue, its classification, and its potential impact.
- Response Planning: The auditee develops a plan to address the finding, outlining corrective and preventive actions, responsible personnel, and timelines.
- Implementation of CAPA: The corrective and preventive actions are implemented by the auditee, with evidence gathered to demonstrate completion and effectiveness.
- Verification and Closure: The auditor verifies that the actions taken effectively resolve the issue and meet compliance requirements, after which the finding can be formally closed. Auditors may use audit findings tracking templates to monitor closure.
- Monitoring for Recurrence: The auditee should monitor related processes to ensure the issue does not reappear. The auditor should check for recurring findings during the next audit.
How to Respond to Audit Findings?
To respond to audit findings, an auditee must follow a structured approach to ensure timely resolution and prevention of recurrence. The main stages of response to audit findings are the following.
- Acknowledge the Finding: Confirm receipt and understanding of the issue, avoiding disputes unless there is a factual error.
- Conduct Risk Assessment: Evaluate the severity, impact, and urgency of the finding in terms of patient safety, product or service quality, compliance, and company operations.
- Take Immediate Action (If Necessary): Implement short-term measures to contain or mitigate any immediate risks. In life sciences, immediate actions may be necessary in case of critical findings.
- Perform Root Cause Analysis: Identify the underlying reason for the finding using systematic investigation methods, like the 5 Whys or Fishbone diagram.
- Develop a Corrective and Preventive Action (CAPA) Plan: Define steps, responsibilities, and timelines to resolve the finding and address the root cause.
- Submit Response Within Required Timelines: Provide the completed action plan to the auditor or inspector before the deadline.
- Implement CAPA: Implement controls or process improvements to prevent recurrence.
- Provide Evidence or Supporting Documentation: Follow up on findings closure with the auditor. Submit records, logs, updated procedures, or training evidence that demonstrate completion of CAPAs.
- Monitor and Verify Effectiveness: Track the implemented measures over time to confirm their effectiveness.
How to Present Audit Findings to Management?
To present audit findings to management, follow the steps below.
- Summarize Key Findings Upfront: Provide a brief overview focusing on the most significant issues, their categorization, and relevance to compliance, product or service quality, or patient safety.
- Focus on Business Impact and Risk: Highlight how the findings affect regulatory status, market access, operational efficiency, product quality, and the company’s reputation.
- Align Findings with Strategic Objectives: Show how resolving the findings supports broader company goals, such as market expansion, customer satisfaction, or certification maintenance.
- Explain Root Causes Clearly: Present root causes of deficiencies in simple terms, highlighting any systemic issues. Avoid technical complexity that could obscure the message.
- Present Corrective Actions and Timelines: Outline planned or ongoing actions, responsible departments, and expected completion dates.
- Offer Recommendations or Support Needed: Specify any resources, cross-department collaboration, or management decisions required for resolution.
- Prepare for Questions: Anticipate possible challenges, clarifications, or concerns from management and have supporting evidence ready.
What Are the Common Challenges When Managing Audit Findings?
The most common challenges when managing audit findings are listed below.
- Incomplete or Vague Root Cause Analysis: Failure to identify the true underlying cause can lead to ineffective corrective actions and, subsequently, repeated findings.
- Poor Documentation and Evidence Handling: Missing, incomplete, or disorganized records make it difficult to track progress, demonstrate compliance, and achieve timely closure.
- Lack of Accountability and Ownership: Unclear assignment of responsibility for addressing findings results in delays and inconsistent follow-through.
- Overdue or Incomplete Corrective Actions: Actions are not completed within agreed timelines or are only partially implemented.
- Ineffective Follow-Up and Verification: Lack of proper verification to confirm that corrective measures are effective allows problems to persist.
- Inconsistent Categorization of Findings: Inconsistently categorizing the severity of findings can lead to disproportionate responses or missed priorities.
- Resource Constraints: Limited personnel, time, or budget hinder the timely and thorough resolution of findings.
How Does QMS Software Support Effective Audit Finding Management?
QMS software is a digital platform designed to manage quality processes and support compliance with regulatory and industry requirements. QMS software functions by centralizing quality processes and records, automating workflows, and ensuring traceability of actions across all stages of quality management.
Quality management software with audit management capabilities supports the effective and compliant handling and resolution of audit findings.
The main features and capabilities of an eQMS for audit findings management are outlined below.
- Centralized Audit Finding Repository: Within an eQMS, all findings are stored in a secure, searchable system with complete audit trails. A unified eQMS platform enhances traceability, simplifies retrieval during inspections, and ensures data integrity for regulatory compliance.
- Automated CAPA Workflow Management: In QMS software, audit findings can be linked directly to corrective and preventive actions with task tracking. Configurable workflows, alerts, due dates, and responsible owner assignments improve efficiency and accountability.
- Root Cause Analysis Tools: An eQMS can provide structured templates for root cause analysis methodologies such as 5 Whys or Fishbone diagrams. This promotes consistent, in-depth analysis and prevents superficial responses to audit findings.
- Dashboards and Reporting: Within QMS software, visual summaries of open, overdue, and resolved findings are available through customizable views and reports. This supports management reviews, continuous improvement, and readiness for regulatory inspections.
- Documentation and Evidence Linking: An eQMS enables direct linkage of SOPs, training records, and other compliance evidence to each finding.
- Audit Scheduling and Follow-Up Automation: An eQMS streamlines audit scheduling and automates follow-up by sending notifications and reminders. This strengthens oversight of findings closure and helps prevent recurrence.
SimplerQMS is a life science quality management software with broad and integrated QMS process support, including a built-in audit management module. SimplerQMS supports compliance with key life science requirements such as FDA 21 CFR Parts 210, 211, and 820, EU GMP, ICH Q10, EU MDR, EU IVDR, ISO 13485, and ISO 9001, among others.
SimplerQMS enables life science companies to manage audit findings efficiently, maintain regulatory readiness, and strengthen their quality system by combining centralized data, automation capabilities, and traceability of actions.
