Skip to main content

Work Order QMS Module — Audit Readiness Guide

Classification: Internal — Compliance Operations
Date: 2026-02-13
Artifact: 75 of WO System Series
Status: Proposed
Audience: Compliance Officers, QA Managers, Audit Preparation Teams
Source Artifacts: 20-regulatory-compliance-matrix.md, 70-validation-protocol-templates.md, 74-capa-workflow.md, 64-security-architecture.md

1. Purpose

This guide prepares compliance officers and QA managers to demonstrate WO system compliance during regulatory inspections (FDA), certification audits (SOC 2 Type II), and internal quality audits. It maps common auditor questions to evidence extraction procedures, pre-audit checklists, and response strategies.

2. Pre-Audit Checklist

2.1 Standing Readiness (Maintain Continuously)

ItemFrequencyOwnerVerification
Audit trail chain integrity verifiedDaily (automated)SREcompliance.audit_trail_integrity_check event → all pass
E-signature key validity confirmedWeeklySecurity EngKey expiration monitoring, no revoked keys
CAPA backlog current (no overdue CRITICALs)WeeklyQA ManagerCAPA dashboard: 0 overdue CRITICAL, < 5 overdue HIGH
Access reviews completedQuarterlyAdminUser roster vs. permission matrix reconciliation
DR test results documentedQuarterlySREDR drill report per 66-operational-readiness.md §6.4
Validation evidence packages currentPer releaseQAIQ/OQ/PQ evidence per 70-validation-protocol-templates.md
SOD rules verifiedMonthlyCompliance EngAutomated SOD check report (22-rbac-permissions-matrix.md §5)
Training records currentMonthlyHR / QAAll users with system access have current training records

2.2 Pre-Audit Sprint (2 Weeks Before)

DayActivityResponsible
D-14Review previous audit findings; verify all CAPAs from prior audit are closedQA Manager
D-12Run full audit trail integrity check (all tenants)SRE
D-10Generate evidence packages for last 3 releasesQA
D-8Verify all e-signatures are valid and cryptographically boundSecurity Eng
D-7Conduct mock audit — internal team plays auditor roleQA Manager + Engineering
D-5Address any findings from mock auditEngineering
D-3Prepare auditor workspace (read-only access, evidence folders)Admin
D-1Final readiness check — all items greenCompliance Officer

3. FDA 21 CFR Part 11 Audit Guide

3.1 Common Auditor Questions & Evidence

Auditor QuestionWhat They're Looking ForEvidence LocationExtraction Command
"Show me your audit trail for this work order"Complete, immutable, time-stamped record of all changesWO Audit Trail APIGET /v1/work-orders/{id}/audit-trail?limit=100
"How do you prevent unauthorized changes?"RBAC enforcement, state machine guardsRBAC Matrix + Guard Tests22-rbac-permissions-matrix.md + guard test results
"Show me the electronic signature for this approval"Signer name, date/time, meaning, bound to recordE-Signature APIGET /v1/work-orders/{id}/approvals (includes signature details)
"How do you ensure signature uniqueness?"One signature per individual, verified identityAuthentication Architecture64-security-architecture.md §2 + re-auth flow logs
"What happens if someone modifies a signed record?"Cryptographic hash binding detects tamperingHash VerificationAudit trail chainHash field + verification report
"Show me your system validation documentation"IQ/OQ/PQ protocols and execution recordsValidation Evidence Package70-validation-protocol-templates.md + evidence exports
"How do you handle system access for terminated employees?"Deprovisioning procedure, access review logsAccess Review ReportsG15 deprovisioning procedure + quarterly review
"What is your CAPA process?"Documented CAPA procedure with evidence of executionCAPA RecordsGET /v1/capas?status=CLOSED&limit=10 + 74-capa-workflow.md
"Show me training records for system users"Current training for all users with system accessTraining RecordsG06 training integration records
"How do you control changes to the system?"Change control procedure, version historyRelease History72-deployment-architecture.md + release checklist records

3.2 Evidence Export Procedure

Step 1: Navigate to WO Audit Trail
  GET /v1/work-orders/{id}/audit-trail/export?format=pdf

Step 2: Package includes:
  - Chronological audit entries with chain hashes
  - E-signature records with verification status
  - Approval chain with decision timestamps
  - Risk assessment (if regulatory WO)
  - CAPA references (if any)
  - State transition history with guard evaluation results

Step 3: Verify chain integrity
  Response includes chainIntegrity.verified = true
  If false → STOP. Investigate before presenting to auditor.

Step 4: Present with cover sheet
  - Work Order ID, type, dates, personnel involved
  - Compliance framework(s) applicable
  - Cross-reference to validation protocol

3.3 Part 11 Compliance Demonstration Script

Walk the auditor through a live demonstration:

1. CREATE a test WO (show audit trail entry generated automatically)
2. ATTEMPT unauthorized transition (show guard rejection + audit entry)
3. APPROVE with e-signature (show re-authentication flow)
4. VERIFY signature binding (show hash matches record content)
5. ATTEMPT to modify signed record (show immutability enforcement)
6. EXPORT audit trail (show complete, time-ordered, chain-verified)
7. SHOW access control (demonstrate RBAC enforcement for different roles)

4. HIPAA Audit Guide

4.1 Technical Safeguard Evidence

HIPAA Requirement§ReferenceEvidenceLocation
Unique user identification§164.312(a)(2)(i)User registry with unique IDs per tenantPerson entity + RLS demonstration
Emergency access§164.312(a)(2)(ii)Break-glass procedure + audit trailG10 break-glass records
Automatic logoff§164.312(a)(2)(iii)Session timeout configuration + logsSession management config
Encryption (at rest)§164.312(a)(2)(iv)Cloud SQL TDE configurationGCP encryption documentation
Encryption (in transit)§164.312(e)(1)TLS 1.3 configurationNetwork security config
Audit controls§164.312(b)Immutable audit trailSame as FDA §11.10(e) evidence
Access controls§164.312(a)(1)RBAC + RLS22-rbac-permissions-matrix.md + RLS policy SQL
PHI handling§164.530(c)PHI scanner results, data classificationG09 PHI scanner logs, 63-data-architecture.md

4.2 HIPAA-Specific Evidence Extraction

PHI Access Audit:
  GET /v1/audit-trail?action=READ&dataClassification=L4&timeRange=last30d

  Shows: Who accessed L4 (regulated/PHI) data, when, from where, for what purpose.
  Export: PDF with redacted PHI, access patterns summarized.

Minimum Necessary Verification:
  Demonstrate RBAC filters — VENDOR role sees reduced WO fields
  Demonstrate RLS — tenant A cannot see tenant B data

5. SOC 2 Type II Audit Guide

5.1 Trust Service Criteria Evidence Map

TSCCategoryEvidence Source
CC1.1–1.5Control EnvironmentOrganizational policies, training records, role definitions
CC2.1–2.3Communication & InformationSystem documentation (this artifact corpus), notification architecture
CC3.1–3.4Risk AssessmentRisk assessments on WOs and CAPAs, 64-security-architecture.md §1
CC4.1–4.2MonitoringObservability stack, 66-operational-readiness.md §8
CC5.1–5.3Control ActivitiesRBAC enforcement, state machine guards, compliance engine
CC6.1–6.8Logical AccessAuthentication, authorization, deprovisioning, access reviews
CC7.1–7.5System OperationsDeployment pipeline, change management, incident response
CC8.1Change ManagementWO lifecycle as change control, release process
CC9.1–9.2Risk MitigationCAPA process, risk assessments, circuit breakers

5.2 Evidence Collection Schedule

SOC 2 Type II requires evidence of controls operating over a period (typically 12 months):

EvidenceCollection FrequencyRetentionFormat
Access reviewsQuarterly3 yearsPDF report + screenshots
Change management recordsPer release3 yearsRelease checklist + CI/CD logs
Incident response recordsPer incident3 yearsPIR reports
Vulnerability scan resultsMonthly3 yearsTrivy/Snyk reports
Penetration test resultsAnnually3 yearsExternal pentest report
CAPA recordsPer CAPA7 yearsCAPA export with audit trail
Training recordsPer onboarding + annual3 yearsTraining completion records
DR test resultsQuarterly3 yearsDR drill reports
Uptime/availabilityMonthly3 yearsSLA reports from monitoring

6. Audit Evidence Folder Structure

Prepare a read-only evidence repository for auditor access:

audit-evidence/
├── 01-system-overview/
│   ├── system-design-document.pdf              (from 12-sdd.md)
│   ├── c4-architecture.pdf                     (from 14-c4-architecture.md)
│   ├── data-flow-diagrams.pdf                  (from 15-mermaid-diagrams.md)
│   └── compliance-matrix.pdf                   (from 20-regulatory-compliance-matrix.md)
├── 02-validation/
│   ├── iq-protocol-and-results.pdf             (from 70 IQ)
│   ├── oq-protocol-and-results.pdf             (from 70 OQ)
│   ├── pq-protocol-and-results.pdf             (from 70 PQ)
│   ├── traceability-matrix.pdf                 (from 70 §5)
│   └── deviation-reports/                       (if any deviations during validation)
├── 03-access-control/
│   ├── rbac-model.pdf                          (from 21, 22)
│   ├── sod-rules.pdf                           (from 22 §5)
│   ├── access-review-Q1.pdf                    (quarterly review)
│   ├── access-review-Q2.pdf
│   ├── deprovisioning-logs.pdf                 (G15 records)
│   └── break-glass-audit.pdf                   (G10 records, if triggered)
├── 04-audit-trails/
│   ├── sample-wo-audit-trail.pdf               (representative WO with full trail)
│   ├── chain-integrity-reports/                (daily/weekly verification results)
│   └── e-signature-verification-report.pdf
├── 05-capa/
│   ├── capa-register.pdf                       (all CAPAs in period)
│   ├── sample-capa-complete.pdf                (one full CAPA lifecycle)
│   └── capa-metrics-dashboard.pdf              (from CAPA dashboard)
├── 06-change-management/
│   ├── release-notes/                           (per release)
│   ├── release-checklists/                      (completed checklists)
│   └── database-migration-logs/
├── 07-security/
│   ├── threat-model.pdf                        (from 64 §1)
│   ├── vulnerability-scan-results/              (monthly Trivy/Snyk)
│   ├── penetration-test-report.pdf             (annual)
│   └── sbom/                                    (per release)
├── 08-disaster-recovery/
│   ├── dr-plan.pdf                             (from 66 §6-7)
│   ├── dr-test-results/                         (quarterly)
│   └── backup-verification-logs/                (weekly)
├── 09-training/
│   ├── training-curriculum.pdf                  (G06)
│   └── completion-records/                      (per user)
└── 10-incident-response/
    ├── incident-response-plan.pdf              (from 66 §9.4)
    └── pir-reports/                             (per incident)

7. Auditor Access Protocol

7.1 Read-Only Access Provisioning

Role: AUDITOR (per 22-rbac-permissions-matrix.md)
Permissions:
  - Read all work orders (all statuses, all tenants if external auditor with NDA)
  - Read all audit trail entries
  - Read all approval records and e-signatures
  - Read all CAPA records
  - Read all risk assessments
  - Export audit trail and evidence packages
  - NO create, update, or delete permissions on any entity

Access provisioning:
  1. Create Person record with role AUDITOR
  2. Set time-limited access (audit window + 30 days for follow-up)
  3. Log auditor access as audit events (who audited what)
  4. Revoke access automatically after expiration

7.2 Demonstration Environment

For live demonstrations during audits, use a staging-like environment with synthetic data:

RequirementImplementation
Realistic data volumeSeed 500+ WOs across all statuses with full audit trails
Realistic user population20+ synthetic users across all RBAC roles
Complete CAPA lifecycle3+ CAPAs in various states including CLOSED
Full approval chainsRegulatory WOs with complete e-signature chains
PHI scanner demonstrationSynthetic PHI patterns that trigger detection
DR capabilityDemonstrate backup/restore in demo environment

Never demonstrate with production customer data unless the customer has explicitly consented and the auditor has signed appropriate NDAs.

8. Post-Audit Response

8.1 Finding Classification

Finding TypeResponse TimelineCAPA RequiredRegulatory Impact
FDA 483 ObservationWritten response within 15 business daysYes (CRITICAL priority)Warning Letter risk if unresolved
FDA Warning Letter itemWritten response + immediate corrective actionYes (CRITICAL, escalated)Consent Decree risk
SOC 2 ExceptionDocument remediation plan for next audit periodDepends on severityQualified opinion risk
Internal findingAddress per CAPA priorityDepends on risk scoreNone (improvement opportunity)

8.2 Finding-to-CAPA Workflow

Audit Finding received


Create CAPA record (source: AUDIT_FINDING)
    │ sourceAuditFindingId: [external finding reference]


Risk assessment (mandatory for audit findings)


Root cause analysis (deadline: finding type determines timeline)


Corrective actions → WOs generated → execute


Preventive actions → WOs generated → execute


Effectiveness verification (before next audit cycle)


CAPA closed → evidence packaged for next audit

9. Audit Frequency & Preparation Calendar

Audit TypeFrequencyLead TimePreparation Effort
FDA Inspection (PAI/GMP)Unannounced or 2-week notice0–2 weeksStanding readiness (§2.1)
SOC 2 Type IIAnnual4–6 weeksEvidence collection + auditor scheduling
HIPAA Security RuleRisk-based (HHS/OCR)30–60 days (if announced)Standing readiness + PHI audit
Customer audit (enterprise)Per contract (typically annual)4 weeksTenant-specific evidence
Internal quality auditQuarterly2 weeksMock audit + finding resolution

9.1 Annual Audit Calendar

Q1: SOC 2 evidence collection begins (12-month window start)
    Internal quality audit #1
Q2: Annual penetration test
    SOC 2 mid-period check
    Internal quality audit #2
Q3: DR annual tabletop exercise
    Access review (annual comprehensive)
    Internal quality audit #3
Q4: SOC 2 Type II audit (external)
    Internal quality audit #4
    Annual compliance review (all frameworks)

Standing: FDA inspection readiness maintained continuously

10. Cross-Reference

ConcernSpecification Source
Regulatory compliance matrix20-regulatory-compliance-matrix.md
RBAC and SOD rules22-rbac-permissions-matrix.md
Validation protocols (IQ/OQ/PQ)70-validation-protocol-templates.md
CAPA workflow74-capa-workflow.md
Security architecture (threat model)64-security-architecture.md
DR procedures66-operational-readiness.md §6–7
E-signature architecture17-e-signature-architecture.md
Gap closure (all G01–G28)58-gap-closure-prompts.md
API evidence extraction71-api-endpoint-specification.md
Deployment change management72-deployment-architecture.md §5

An FDA inspector can show up unannounced. A SOC 2 auditor will ask for 12 months of evidence. The only way to be ready is to always be ready. This guide turns the WO system's structural compliance into demonstrable, exportable, auditor-friendly evidence. The system was built for this moment — this guide ensures the people operating it know how to prove it.