FDA inspectors don't announce exactly what they'll look at. But after watching companies go through dozens of inspections, certain IT gaps come up again and again. Most of them are entirely avoidable — if you find them before the inspector does.
Here are the five warning signs your IT environment is not ready for a 21 CFR Part 11 or GxP inspection.
1. Shared login accounts in your electronic systems
Part 11 requires that electronic signatures and audit trails be attributable to the specific individual who performed the action. That's impossible if three scientists share a single "lab" login in your ELN or LIMS.
This is one of the most common 483 observations in life sciences IT audits. It's also one of the easiest to prevent — individual accounts cost nothing extra and take an afternoon to set up properly.
2. No documented validation for your electronic systems
Under 21 CFR Part 11 and related GxP regulations, any electronic system used to create, modify, maintain, archive, retrieve, or transmit records that are required by FDA regulations must be validated. Validation means documented evidence that the system does what it's supposed to do consistently.
"We use [Name Brand ELN] and they're compliant" is not validation. Vendor compliance doesn't eliminate your obligation to validate the system in your specific environment, with your specific data and workflows.
A validation package typically includes: Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ) documentation, plus a system validation plan and risk assessment.
3. Audit trails that can be disabled or modified
Part 11 requires audit trails to be computer-generated and to capture who changed what and when and, in systems where the original value was changed, what the prior value was. Critically, the audit trail must be protected from modification, including by administrators.
If your IT administrator can edit or delete audit trail entries, you don't have a compliant audit trail. If your audit trail can be turned off from within the application, that's a finding waiting to happen.
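One way to make edits and deletions in an audit trail detectable is to hash-chain the entries and keep the latest hash outside the system. The sketch below is an added example, not code from this article or from any vendor, and Part 11 does not prescribe this mechanism; the function names, field names, and the externally anchored head hash are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed starting value for the chain


def _digest(fields: dict) -> str:
    # Canonical JSON so the same fields always hash to the same value.
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


def append_entry(trail: list, user: str, record: str, field: str,
                 old, new, timestamp: str) -> dict:
    """Append one who/what/when/prior-value entry, linked to the previous one."""
    entry = {
        "seq": len(trail),
        "timestamp": timestamp,   # when
        "user": user,             # who (an individual account, not a shared login)
        "record": record,         # what
        "field": field,
        "old_value": old,         # prior value
        "new_value": new,
        "prev_hash": trail[-1]["hash"] if trail else GENESIS,
    }
    entry["hash"] = _digest(entry)
    trail.append(entry)
    return entry


def verify_trail(trail: list, anchored_head: str) -> list:
    """Return a list of problems; an empty list means the trail is intact."""
    problems, prev = [], GENESIS
    for pos, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("seq") != pos:
            problems.append(f"position {pos}: sequence gap (entry removed or reordered)")
        if entry.get("prev_hash") != prev:
            problems.append(f"position {pos}: chain link broken")
        if _digest(body) != entry.get("hash"):
            problems.append(f"position {pos}: entry content altered")
        prev = entry.get("hash")
    # Assumption: the head hash is also kept outside the system (write-once storage
    # or a signed periodic report), so a rebuilt or truncated chain still fails here.
    if prev != anchored_head:
        problems.append("head hash does not match the externally anchored value")
    return problems
```

The chain alone only detects tampering by someone who cannot recompute it; the externally held head hash is what catches an administrator who rewrites the whole trail.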
4. No documented procedures for system access and user management
GxP inspectors will ask for your SOPs (Standard Operating Procedures) covering how user accounts are created, modified, and terminated. They'll ask how you handle it when someone leaves the company. They'll ask how you review user access lists.
If the honest answer is "we figure it out as we go," you're not ready. User management SOPs are not complex documents — a single-page SOP covering account provisioning, access review frequency, and offboarding is sufficient for most early-stage companies. But it has to exist, be followed, and have evidence of being followed (training records, sign-offs).
5. Data stored in non-validated environments
Regulated data — study results, batch records, spectral data, raw instrument output — needs to live in a validated, controlled environment. That means proper backups, version control, access logging, and if applicable, electronic signature capability.
A shared network drive with no access controls, no audit trail, and no backup verification is not a validated environment. A personal Dropbox is not a validated environment. An Excel file emailed between scientists is not a validated record in a controlled environment.
What to do if you recognized yourself in this list
The goal isn't perfection before your first inspection — it's documented progress and a clear remediation plan. Inspectors distinguish between companies that have identified their gaps and are actively closing them versus companies that don't know what they don't know.
A gap assessment against 21 CFR Part 11 requirements typically takes 2-3 weeks and produces a prioritized remediation roadmap. Most early-stage companies can reach audit-ready status within 60-90 days of starting that work.
The question isn't whether an inspector will notice these gaps. They will. The question is whether you find them first.