Work Order QMS Module — Audit Readiness Guide

Classification: Internal — Compliance Operations
Date: 2026-02-13
Artifact: 75 of WO System Series
Status: Proposed
Audience: Compliance Officers, QA Managers, Audit Preparation Teams
Source Artifacts: 20-regulatory-compliance-matrix.md, 70-validation-protocol-templates.md, 74-capa-workflow.md, 64-security-architecture.md

1. Purpose

This guide prepares compliance officers and QA managers to demonstrate WO system compliance during regulatory inspections (FDA), certification audits (SOC 2 Type II), and internal quality audits. It maps common auditor questions to evidence extraction procedures, pre-audit checklists, and response strategies.

2. Pre-Audit Checklist

2.1 Standing Readiness (Maintain Continuously)

Item	Frequency	Owner	Verification
Audit trail chain integrity verified	Daily (automated)	SRE	`compliance.audit_trail_integrity_check` event → all pass
E-signature key validity confirmed	Weekly	Security Eng	Key expiration monitoring, no revoked keys
CAPA backlog current (no overdue CRITICALs)	Weekly	QA Manager	CAPA dashboard: 0 overdue CRITICAL, < 5 overdue HIGH
Access reviews completed	Quarterly	Admin	User roster vs. permission matrix reconciliation
DR test results documented	Quarterly	SRE	DR drill report per 66-operational-readiness.md §6.4
Validation evidence packages current	Per release	QA	IQ/OQ/PQ evidence per 70-validation-protocol-templates.md
SOD rules verified	Monthly	Compliance Eng	Automated SOD check report (22-rbac-permissions-matrix.md §5)
Training records current	Monthly	HR / QA	All users with system access have current training records

2.2 Pre-Audit Sprint (2 Weeks Before)

Day	Activity	Responsible
D-14	Review previous audit findings; verify all CAPAs from prior audit are closed	QA Manager
D-12	Run full audit trail integrity check (all tenants)	SRE
D-10	Generate evidence packages for last 3 releases	QA
D-8	Verify all e-signatures are valid and cryptographically bound	Security Eng
D-7	Conduct mock audit — internal team plays auditor role	QA Manager + Engineering
D-5	Address any findings from mock audit	Engineering
D-3	Prepare auditor workspace (read-only access, evidence folders)	Admin
D-1	Final readiness check — all items green	Compliance Officer

3. FDA 21 CFR Part 11 Audit Guide

3.1 Common Auditor Questions & Evidence

Auditor Question	What They're Looking For	Evidence Location	Extraction Command
"Show me your audit trail for this work order"	Complete, immutable, time-stamped record of all changes	WO Audit Trail API	`GET /v1/work-orders/{id}/audit-trail?limit=100`
"How do you prevent unauthorized changes?"	RBAC enforcement, state machine guards	RBAC Matrix + Guard Tests	22-rbac-permissions-matrix.md + guard test results
"Show me the electronic signature for this approval"	Signer name, date/time, meaning, bound to record	E-Signature API	`GET /v1/work-orders/{id}/approvals` (includes signature details)
"How do you ensure signature uniqueness?"	One signature per individual, verified identity	Authentication Architecture	64-security-architecture.md §2 + re-auth flow logs
"What happens if someone modifies a signed record?"	Cryptographic hash binding detects tampering	Hash Verification	Audit trail `chainHash` field + verification report
"Show me your system validation documentation"	IQ/OQ/PQ protocols and execution records	Validation Evidence Package	70-validation-protocol-templates.md + evidence exports
"How do you handle system access for terminated employees?"	Deprovisioning procedure, access review logs	Access Review Reports	G15 deprovisioning procedure + quarterly review
"What is your CAPA process?"	Documented CAPA procedure with evidence of execution	CAPA Records	`GET /v1/capas?status=CLOSED&limit=10` + 74-capa-workflow.md
"Show me training records for system users"	Current training for all users with system access	Training Records	G06 training integration records
"How do you control changes to the system?"	Change control procedure, version history	Release History	72-deployment-architecture.md + release checklist records

3.2 Evidence Export Procedure

Step 1: Navigate to WO Audit Trail
  GET /v1/work-orders/{id}/audit-trail/export?format=pdf

Step 2: Package includes:
  - Chronological audit entries with chain hashes
  - E-signature records with verification status
  - Approval chain with decision timestamps
  - Risk assessment (if regulatory WO)
  - CAPA references (if any)
  - State transition history with guard evaluation results

Step 3: Verify chain integrity
  Response includes chainIntegrity.verified = true
  If false → STOP. Investigate before presenting to auditor.

Step 4: Present with cover sheet
  - Work Order ID, type, dates, personnel involved
  - Compliance framework(s) applicable
  - Cross-reference to validation protocol

3.3 Part 11 Compliance Demonstration Script

Walk the auditor through a live demonstration:

CREATE a test WO (show audit trail entry generated automatically)
ATTEMPT unauthorized transition (show guard rejection + audit entry)
APPROVE with e-signature (show re-authentication flow)
VERIFY signature binding (show hash matches record content)
ATTEMPT to modify signed record (show immutability enforcement)
EXPORT audit trail (show complete, time-ordered, chain-verified)
SHOW access control (demonstrate RBAC enforcement for different roles)

4. HIPAA Audit Guide

4.1 Technical Safeguard Evidence

HIPAA Requirement	§Reference	Evidence	Location
Unique user identification	§164.312(a)(2)(i)	User registry with unique IDs per tenant	Person entity + RLS demonstration
Emergency access	§164.312(a)(2)(ii)	Break-glass procedure + audit trail	G10 break-glass records
Automatic logoff	§164.312(a)(2)(iii)	Session timeout configuration + logs	Session management config
Encryption (at rest)	§164.312(a)(2)(iv)	Cloud SQL TDE configuration	GCP encryption documentation
Encryption (in transit)	§164.312(e)(1)	TLS 1.3 configuration	Network security config
Audit controls	§164.312(b)	Immutable audit trail	Same as FDA §11.10(e) evidence
Access controls	§164.312(a)(1)	RBAC + RLS	22-rbac-permissions-matrix.md + RLS policy SQL
PHI handling	§164.530(c)	PHI scanner results, data classification	G09 PHI scanner logs, 63-data-architecture.md

4.2 HIPAA-Specific Evidence Extraction

PHI Access Audit:
  GET /v1/audit-trail?action=READ&dataClassification=L4&timeRange=last30d

  Shows: Who accessed L4 (regulated/PHI) data, when, from where, for what purpose.
  Export: PDF with redacted PHI, access patterns summarized.

Minimum Necessary Verification:
  Demonstrate RBAC filters — VENDOR role sees reduced WO fields
  Demonstrate RLS — tenant A cannot see tenant B data

5. SOC 2 Type II Audit Guide

5.1 Trust Service Criteria Evidence Map

TSC	Category	Evidence Source
CC1.1–1.5	Control Environment	Organizational policies, training records, role definitions
CC2.1–2.3	Communication & Information	System documentation (this artifact corpus), notification architecture
CC3.1–3.4	Risk Assessment	Risk assessments on WOs and CAPAs, 64-security-architecture.md §1
CC4.1–4.2	Monitoring	Observability stack, 66-operational-readiness.md §8
CC5.1–5.3	Control Activities	RBAC enforcement, state machine guards, compliance engine
CC6.1–6.8	Logical Access	Authentication, authorization, deprovisioning, access reviews
CC7.1–7.5	System Operations	Deployment pipeline, change management, incident response
CC8.1	Change Management	WO lifecycle as change control, release process
CC9.1–9.2	Risk Mitigation	CAPA process, risk assessments, circuit breakers

5.2 Evidence Collection Schedule

SOC 2 Type II requires evidence of controls operating over a period (typically 12 months):

Evidence	Collection Frequency	Retention	Format
Access reviews	Quarterly	3 years	PDF report + screenshots
Change management records	Per release	3 years	Release checklist + CI/CD logs
Incident response records	Per incident	3 years	PIR reports
Vulnerability scan results	Monthly	3 years	Trivy/Snyk reports
Penetration test results	Annually	3 years	External pentest report
CAPA records	Per CAPA	7 years	CAPA export with audit trail
Training records	Per onboarding + annual	3 years	Training completion records
DR test results	Quarterly	3 years	DR drill reports
Uptime/availability	Monthly	3 years	SLA reports from monitoring

6. Audit Evidence Folder Structure

Prepare a read-only evidence repository for auditor access:

audit-evidence/
├── 01-system-overview/
│   ├── system-design-document.pdf              (from 12-sdd.md)
│   ├── c4-architecture.pdf                     (from 14-c4-architecture.md)
│   ├── data-flow-diagrams.pdf                  (from 15-mermaid-diagrams.md)
│   └── compliance-matrix.pdf                   (from 20-regulatory-compliance-matrix.md)
├── 02-validation/
│   ├── iq-protocol-and-results.pdf             (from 70 IQ)
│   ├── oq-protocol-and-results.pdf             (from 70 OQ)
│   ├── pq-protocol-and-results.pdf             (from 70 PQ)
│   ├── traceability-matrix.pdf                 (from 70 §5)
│   └── deviation-reports/                       (if any deviations during validation)
├── 03-access-control/
│   ├── rbac-model.pdf                          (from 21, 22)
│   ├── sod-rules.pdf                           (from 22 §5)
│   ├── access-review-Q1.pdf                    (quarterly review)
│   ├── access-review-Q2.pdf
│   ├── deprovisioning-logs.pdf                 (G15 records)
│   └── break-glass-audit.pdf                   (G10 records, if triggered)
├── 04-audit-trails/
│   ├── sample-wo-audit-trail.pdf               (representative WO with full trail)
│   ├── chain-integrity-reports/                (daily/weekly verification results)
│   └── e-signature-verification-report.pdf
├── 05-capa/
│   ├── capa-register.pdf                       (all CAPAs in period)
│   ├── sample-capa-complete.pdf                (one full CAPA lifecycle)
│   └── capa-metrics-dashboard.pdf              (from CAPA dashboard)
├── 06-change-management/
│   ├── release-notes/                           (per release)
│   ├── release-checklists/                      (completed checklists)
│   └── database-migration-logs/
├── 07-security/
│   ├── threat-model.pdf                        (from 64 §1)
│   ├── vulnerability-scan-results/              (monthly Trivy/Snyk)
│   ├── penetration-test-report.pdf             (annual)
│   └── sbom/                                    (per release)
├── 08-disaster-recovery/
│   ├── dr-plan.pdf                             (from 66 §6-7)
│   ├── dr-test-results/                         (quarterly)
│   └── backup-verification-logs/                (weekly)
├── 09-training/
│   ├── training-curriculum.pdf                  (G06)
│   └── completion-records/                      (per user)
└── 10-incident-response/
    ├── incident-response-plan.pdf              (from 66 §9.4)
    └── pir-reports/                             (per incident)

7. Auditor Access Protocol

7.1 Read-Only Access Provisioning

Role: AUDITOR (per 22-rbac-permissions-matrix.md)
Permissions:
  - Read all work orders (all statuses, all tenants if external auditor with NDA)
  - Read all audit trail entries
  - Read all approval records and e-signatures
  - Read all CAPA records
  - Read all risk assessments
  - Export audit trail and evidence packages
  - NO create, update, or delete permissions on any entity

Access provisioning:
  1. Create Person record with role AUDITOR
  2. Set time-limited access (audit window + 30 days for follow-up)
  3. Log auditor access as audit events (who audited what)
  4. Revoke access automatically after expiration

7.2 Demonstration Environment

For live demonstrations during audits, use a staging-like environment with synthetic data:

Requirement	Implementation
Realistic data volume	Seed 500+ WOs across all statuses with full audit trails
Realistic user population	20+ synthetic users across all RBAC roles
Complete CAPA lifecycle	3+ CAPAs in various states including CLOSED
Full approval chains	Regulatory WOs with complete e-signature chains
PHI scanner demonstration	Synthetic PHI patterns that trigger detection
DR capability	Demonstrate backup/restore in demo environment

Never demonstrate with production customer data unless the customer has explicitly consented and the auditor has signed appropriate NDAs.

8. Post-Audit Response

8.1 Finding Classification

Finding Type	Response Timeline	CAPA Required	Regulatory Impact
FDA 483 Observation	Written response within 15 business days	Yes (CRITICAL priority)	Warning Letter risk if unresolved
FDA Warning Letter item	Written response + immediate corrective action	Yes (CRITICAL, escalated)	Consent Decree risk
SOC 2 Exception	Document remediation plan for next audit period	Depends on severity	Qualified opinion risk
Internal finding	Address per CAPA priority	Depends on risk score	None (improvement opportunity)

8.2 Finding-to-CAPA Workflow

Audit Finding received
    │
    ▼
Create CAPA record (source: AUDIT_FINDING)
    │ sourceAuditFindingId: [external finding reference]
    │
    ▼
Risk assessment (mandatory for audit findings)
    │
    ▼
Root cause analysis (deadline: finding type determines timeline)
    │
    ▼
Corrective actions → WOs generated → execute
    │
    ▼
Preventive actions → WOs generated → execute
    │
    ▼
Effectiveness verification (before next audit cycle)
    │
    ▼
CAPA closed → evidence packaged for next audit

9. Audit Frequency & Preparation Calendar

Audit Type	Frequency	Lead Time	Preparation Effort
FDA Inspection (PAI/GMP)	Unannounced or 2-week notice	0–2 weeks	Standing readiness (§2.1)
SOC 2 Type II	Annual	4–6 weeks	Evidence collection + auditor scheduling
HIPAA Security Rule	Risk-based (HHS/OCR)	30–60 days (if announced)	Standing readiness + PHI audit
Customer audit (enterprise)	Per contract (typically annual)	4 weeks	Tenant-specific evidence
Internal quality audit	Quarterly	2 weeks	Mock audit + finding resolution

9.1 Annual Audit Calendar

Q1: SOC 2 evidence collection begins (12-month window start)
    Internal quality audit #1
Q2: Annual penetration test
    SOC 2 mid-period check
    Internal quality audit #2
Q3: DR annual tabletop exercise
    Access review (annual comprehensive)
    Internal quality audit #3
Q4: SOC 2 Type II audit (external)
    Internal quality audit #4
    Annual compliance review (all frameworks)

Standing: FDA inspection readiness maintained continuously

10. Cross-Reference

Concern	Specification Source
Regulatory compliance matrix	20-regulatory-compliance-matrix.md
RBAC and SOD rules	22-rbac-permissions-matrix.md
Validation protocols (IQ/OQ/PQ)	70-validation-protocol-templates.md
CAPA workflow	74-capa-workflow.md
Security architecture (threat model)	64-security-architecture.md
DR procedures	66-operational-readiness.md §6–7
E-signature architecture	17-e-signature-architecture.md
Gap closure (all G01–G28)	58-gap-closure-prompts.md
API evidence extraction	71-api-endpoint-specification.md
Deployment change management	72-deployment-architecture.md §5

An FDA inspector can show up unannounced. A SOC 2 auditor will ask for 12 months of evidence. The only way to be ready is to always be ready. This guide turns the WO system's structural compliance into demonstrable, exportable, auditor-friendly evidence. The system was built for this moment — this guide ensures the people operating it know how to prove it.

1. Purpose​

2. Pre-Audit Checklist​

2.1 Standing Readiness (Maintain Continuously)​

2.2 Pre-Audit Sprint (2 Weeks Before)​

3. FDA 21 CFR Part 11 Audit Guide​

3.1 Common Auditor Questions & Evidence​

3.2 Evidence Export Procedure​

3.3 Part 11 Compliance Demonstration Script​

4. HIPAA Audit Guide​

4.1 Technical Safeguard Evidence​

4.2 HIPAA-Specific Evidence Extraction​

5. SOC 2 Type II Audit Guide​

5.1 Trust Service Criteria Evidence Map​

5.2 Evidence Collection Schedule​

6. Audit Evidence Folder Structure​

7. Auditor Access Protocol​

7.1 Read-Only Access Provisioning​

7.2 Demonstration Environment​

8. Post-Audit Response​

8.1 Finding Classification​

8.2 Finding-to-CAPA Workflow​

9. Audit Frequency & Preparation Calendar​

9.1 Annual Audit Calendar​

10. Cross-Reference​