Document Control Is Broken: The 5 Mistakes That Fail Every External Audit
Document control is boring until it's not.
Most quality managers know their document control system has issues. That "archived" folder everyone still accesses. Those training records that don't quite match the current SOP version. The supplier specification that's been sitting in someone's email for six months without proper review.
Here's the thing: document control violations are rarely about not having a procedure. Every company has a document control SOP. The failures happen in the implementation. The auditor doesn't care what your procedure says. They care what actually happens when someone needs to revise a form, train an operator, or retrieve a specification.
With the FDA's new Quality Management System Regulation (QMSR) taking effect February 2, 2026[3], document control requirements just got stricter. The QMSR harmonizes 21 CFR Part 820 with ISO 13485:2016, which means your document control system needs to meet both FDA expectations AND international standards.
Let's talk about the five mistakes that fail every audit (and how to fix them before your auditor arrives).
Mistake #1: Obsolete Documents Are Still Accessible
The Problem
You retired the old version of your CAPA procedure. You marked it "OBSOLETE" in your document management system. You even moved it to an "Archive" folder.
But it's still on the shared drive. And operators can still open it.
This is the most common document control failure. ISO 13485:2016 Clause 4.2.4(f) requires organizations to "ensure that obsolete documents are promptly removed from all points of issue or use."[4] The regulation doesn't say "mark as obsolete." It says removed.
What Auditors Look For
- Check if obsolete documents are physically accessible (on shared drives, in paper binders, on manufacturing floors)
- Open random folders on shared drives looking for duplicate versions
- Ask operators which procedure they follow and where they access it
- Verify that only current versions are available at points of use
Real Example
A recent FDA warning letter cited a medical device manufacturer for failing to maintain Device Master Records (DMRs) as required by 21 CFR 820.181.[5] The issue? Multiple versions of manufacturing instructions were found on the production floor. Operators were using a mix of current and obsolete procedures. The company couldn't demonstrate which version had been used for specific device lots.
The Fix
- Physical removal: Delete obsolete files from shared drives. Don't rely on folder names like "Archive" or "OLD."
- Controlled archive: Store obsolete documents in a separate system with read-only access and restricted permissions.
- Version control at point-of-use: Use QMS software with automatic version control. When Version 2 is approved, Version 1 automatically becomes inaccessible.
- Regular audits: Monthly spot checks of shared drives and manufacturing areas for duplicate documents.
Mistake #2: No Evidence of Actual Document Review
The Problem
Your document control procedure requires that changes be "reviewed and approved" before use. You have a form with signature blocks. The form has signatures.
But did anyone actually review it?
Auditors increasingly distinguish between approval (signing off) and review (actually reading and evaluating). 21 CFR 820.40(a) states: "Documents shall be reviewed and approved for adequacy by an individual(s) in the same or equivalent function."[6]
The key word: adequacy. You can't determine if a document is adequate without actually reviewing it.
What Auditors Look For
- Review comments: Is there evidence that reviewers provided feedback? Or are all approvals just signatures with no commentary?
- Review timing: If a 47-page SOP was "reviewed" in 15 minutes, that's a red flag.
- Subject matter expertise: Were the reviewers actually qualified to assess the document's technical content?
- Response to feedback: If reviewers raised concerns, is there documentation showing how those concerns were addressed?
The Scenario Auditors Ask About
Auditor: "Tell me about the last revision to your Corrective Action procedure."
You: "We revised it three months ago. Here's the approval form with signatures."
Auditor: "Great. What changes were made?"
You: (flipping through the document) "Um, let me find that..."
Auditor: "What feedback did the reviewers provide during the review cycle?"
You: "The form shows it was approved."
Auditor: (writes observation)
The Fix
- Review meetings: For significant changes, hold a review meeting. Document attendees, discussion points, and decisions.
- Redline tracking: Require all changes to be tracked (redline/strikethrough). Include a summary of changes in the revision history.
- Reviewer comments: Use a review checklist or comment log. Reviewers must document what they checked and any concerns.
- Adequate review time: Build in realistic review periods. A complex design control procedure needs more than 24 hours for meaningful review.
Mistake #3: Training Records Don't Match Document Versions
The Problem
You revised your sterilization procedure in March. You trained the operators in April. But the training records don't specify which version they were trained on.
Six months later, the auditor asks: "Are operators trained on the current procedure?" You check. The current version is Rev 4, approved in September. Your training records from April are for... which revision? You're not sure.
This gap appears in FDA citations regularly. One warning letter noted: "Training procedures require employees to be trained 'to perform the assigned responsibilities'... however no records were provided to demonstrate that employees who performed design control activities had been trained to the design control procedure."[7]
What Auditors Look For
- Version-specific training: Do training records explicitly state which document version was used?
- Training after changes: Is there a process to identify affected employees and retrain them when documents change?
- Current training status: Can you quickly prove that all current operators are trained on the current version?
- Effectiveness checks: Is there evidence that training was effective (not just attendance records)?
Document version confusion is also one of the most common drivers of ineffective CAPA investigations — when operators follow different procedure versions, root cause analyses become impossible.
The Fix
- Version in training records: Training records MUST include document number, title, AND revision/version.
- Change impact assessment: When a document changes, identify who needs retraining. Document the assessment even if the answer is "no retraining required."
- Training matrix with versions: Maintain a matrix showing employee name, document, version trained on, date, and current version. Flag mismatches immediately.
- Retraining triggers: Define clear triggers for when retraining is required (new employees, significant changes, performance gaps, annual refreshers).
Mistake #4: External Documents Without Control
The Problem
You have excellent control over your internal SOPs, work instructions, and forms. But what about:
- ISO standards and regulatory guidance
- Supplier specifications and quality agreements
- Industry standards (AAMI, ASTM, etc.)
- Software user manuals and validation protocols from vendors
These are external documents, and ISO 13485:2016 explicitly requires that you control them.
Clause 4.2.4(h) states: "The organization shall ensure that documents of external origin determined by the organization to be necessary for the planning and operation of the quality management system are identified and their distribution controlled."[4]
What Auditors Look For
- List of external documents: Do you have a controlled list of which external documents you rely on?
- Version control: Are you using the current version of ISO 13485? Or did you print a copy in 2016 and never update it?
- Supplier documents: Do you have a process to review and approve supplier specifications before use?
- Change notifications: When a standard or regulatory guidance changes, how do you know?
Real Example
A medical device company used ISO 10993 (biocompatibility standards) for material selection. During an audit, the auditor asked which version they were using. The quality manager pulled up the document: ISO 10993-1:2009.
The problem? The current version was ISO 10993-1:2018, with significant changes to evaluation pathways. The company had been using an outdated standard for three years without realizing it.
The Fix
- External document register: Maintain a controlled list of all external documents your QMS relies on. Include document title, number, version, date, and where it's used.
- Subscription services: Use a standards subscription service (ISO, ASTM, etc.) that notifies you of updates.
- Annual review: Once per year, verify that all external documents in your register are still current.
- Supplier specs as controlled documents: Treat supplier specifications like internal documents. Assign a document number, track revisions, control distribution.
Mistake #5: Change Control That Doesn't Track Impact
The Problem
You have a change control process. Every document change goes through review and approval. But here's what doesn't happen:
- Impact assessment across the QMS
- Identification of related documents that need updating
- Verification that changes were implemented correctly
- Communication to affected personnel
21 CFR 820.40(b) requires that all document changes be reviewed and approved.[6] But beyond approval, ISO 13485:2016 Clause 4.2.4(b) requires that "changes are identified."[4] This means tracking what changed, why it changed, and what else is affected.
Real Example
A company revised its incoming inspection procedure to add a new test requirement. The procedure was approved and released. Six months later, during an audit, the auditor asked to see incoming inspection records for recent material lots.
The records didn't show the new test. Why? Because the related work instruction and inspection form were never updated. The operators were still using the old process. The procedure said one thing; reality was another.
The Fix
- Change impact checklist: When any document changes, complete a checklist: What training is needed? What other documents reference this one? What records will change?
- Related documents field: In your document management system, link related documents (cross-references). When one changes, the system flags related documents for review.
- Implementation verification: After approval, verify implementation. For SOPs, this might mean observing the process. For forms, check that the new form is in use.
- Communication plan: Document how the change will be communicated. Email isn't enough. Hold meetings, update training, post notices.
The 15-Minute Document Control Health Check
You don't need a full audit to identify document control gaps. Here's a quick health check you can run today:
Document Control Self-Assessment
1. Obsolete Document Test (5 minutes)
- Open your shared drive or document server
- Search for folders named: "Archive," "OLD," "Backup," "Previous Versions"
- Open 3 random documents from these folders
- Red Flag: If operators have access to these folders and could use these documents, you have a control failure
2. Training Version Test (5 minutes)
- Pull up your last 10 training records
- Check if each record includes the specific document version/revision
- Check if the trained version matches the current version
- Red Flag: If you can't tell which version someone was trained on, you have a gap
3. External Document Test (3 minutes)
- Open the folder where you keep ISO standards, regulatory guidance, or supplier specs
- Check the version/date on 3 random documents
- Go online and verify if that's the current version
- Red Flag: If you're using an outdated standard, you have a compliance risk
4. Change Control Test (2 minutes)
- Pull up your last 3 document change requests
- Check if there's documented evidence of impact assessment
- Check if related documents were identified and updated
- Red Flag: If change requests are just approval signatures without impact analysis, your change control is incomplete
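A scripted form of the Obsolete Document Test (step 1) and of the monthly shared-drive spot check from Mistake #1, given here as an added example that is not part of the original article. It also goes one step further and lists documents present in more than one revision. It assumes a POSIX-mounted share where file mode bits reflect access and a hypothetical naming convention ending in `Rev N` or `vN`; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import stat
import tempfile
from collections import defaultdict

# Folder names taken from the health check above.
ARCHIVE_NAMES = {"archive", "old", "backup", "previous versions"}
# Assumed naming convention: revision suffix such as "Rev 3", "_v2", "Version 4".
REV_SUFFIX = re.compile(r"[ _-]+(?:version|rev|v)[ _.-]*\d+$", re.IGNORECASE)
OTHERS_READ = stat.S_IRGRP | stat.S_IROTH

def scan_share(root):
    """Return (exposed, duplicates) for a mounted share.

    exposed: files under archive-style folders whose mode bits let group/other read.
    duplicates: document base name -> paths, where more than one revision exists.
    Only file mode bits are checked; directory permissions and ACLs are not.
    """
    exposed, by_doc = [], defaultdict(list)
    for dirpath, _dirs, filenames in os.walk(root):
        parts = os.path.relpath(dirpath, root).split(os.sep)
        in_archive = any(p.lower() in ARCHIVE_NAMES for p in parts)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if in_archive and os.stat(path).st_mode & OTHERS_READ:
                exposed.append(path)
            stem, ext = os.path.splitext(name)
            by_doc[REV_SUFFIX.sub("", stem).lower() + ext.lower()].append(path)
    duplicates = {d: sorted(p) for d, p in by_doc.items() if len(p) > 1}
    return sorted(exposed), duplicates

def build_demo_share(root):
    """Constructed sample tree: (relative path, mode)."""
    sample = [
        ("Production/SOP-012 CAPA Rev 4.pdf", 0o644),
        ("Archive/SOP-012 CAPA Rev 3.pdf", 0o644),   # obsolete and still readable
        ("OLD/FRM-007_v1.docx", 0o600),              # obsolete but owner-only
    ]
    for rel, mode in sample:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as share:
        build_demo_share(share)
        exposed, duplicates = scan_share(share)
        print("Obsolete but readable:", exposed)
        print("Multiple revisions present:", duplicates)
```

On a Windows file server the mode-bit test does not apply; the same walk would need to read the share's ACLs instead.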
Key Takeaways
- Document control failures happen in implementation, not procedures
- Obsolete documents must be removed, not just marked
- Approval signatures alone don't prove review happened
- Training records must specify document versions
- External documents need the same control as internal ones
- Change control must track impact and verify implementation
References
1. U.S. Food and Drug Administration. 21 CFR 820.40 - Document Controls
2. Compliance Insight. FDA 483 Observations 2024: Key Regulatory Issues
3. Theoris. QMSR Final Rule 2024: ISO 13485 Transition & Compliance Guide
4. ISO 13485:2016, Medical devices - Quality management systems - Requirements for regulatory purposes, Section 4.2.4
5. The FDA Group. FDA Warning Letter Breakdown: Four Letters Reveal Cascading Control Failures
6. U.S. Food and Drug Administration. Medical Devices; Quality System Regulation - 21 CFR Part 820
7. GXP Training. FDA Warning Letters Reveal Training Gaps in Life Sciences