deviations not reported or poorly documented

✅ Missing source documentation or unverified data

✅ Delays in SAE reporting

✅ Gaps in IP accountability logs or temperature records

✅ CVs or GCP training certificates expired or absent

Let’s explore a few of these in detail with corresponding root causes.

Case Study 1: Outdated Informed Consent Forms

Finding: Subject 1102 was consented using version 1.2 of the ICF, while version 1.3 had already been approved by the IEC two weeks prior.

Risk: This constitutes a GCP violation and may compromise subject rights and regulatory acceptability.

Root Causes:

• ✅ Lack of ICF version control procedure at site
• ✅ No centralized ICF version tracker in the ISF
• ✅ Training not updated after protocol amendment

Recommended CAPA: Implement a controlled ICF issuance log, revise SOPs to include version management, and train all staff within 48 hours of any ICF revision notification.

Case Study 2: Protocol Deviations Unreported

Finding: Multiple subjects missed their Day 28 follow-up visits due to holidays, but these were not logged as protocol deviations.

Risk: Impacts data consistency and breaches the predefined visit window.

Root Causes:

• ✅ Site staff unclear on what constitutes a deviation
• ✅ Absence of protocol deviation tracking log
• ✅ Infrequent CRA visits or data verification

Recommended CAPA: Develop deviation definitions guide, use a deviation capture template, and conduct refresher training on protocol timelines.

Case Study 3: Missing Signatures on Delegation Logs

Finding: The sub-investigator was delegated IP management duties but had not signed the delegation log.

Risk: Violates GCP accountability standards and invalidates related entries in the IP logbook.

Root Causes:

• ✅ Delegation logs not updated in real time
• ✅ PI oversight lacking in supervision of staff additions
• ✅ Poor handover documentation during staff transitions

Recommended CAPA: Enforce mandatory weekly PI reviews, digitize delegation logs with access restrictions, and create SOPs for onboarding documentation.

Case Study 4: IP Temperature Excursions Not Reported

Finding: The temperature logs showed excursions beyond +8°C for 4 hours, but no deviation or impact assessment was documented.

Risk: May compromise drug integrity and violate sponsor storage conditions.

Root Causes:

• ✅ Site staff unaware of excursion thresholds
• ✅ Lack of 24/7 temperature monitoring alerts
• ✅ No predefined excursion response plan

Recommended CAPA: Upgrade to digital data loggers with alarms, introduce a temperature deviation SOP, and conduct IP handling training for all new staff.

Data Trending and Heatmap Tools for Audit Findings

To gain insights into repeat findings, QA teams should trend audit data across multiple sites or studies. Use tools like:

• ✅ Heatmaps – to visualize high-risk categories (e.g., Consent vs Safety)
• ✅ Pareto Charts – to identify top 20% findings causing 80% issues
• ✅ RCA Dashboards – linking root causes to SOPs and functions

Below is an example heatmap from 10 recent audits:

Audit Category	Finding Frequency	Risk Severity
Informed Consent	8/10 audits	High
IP Accountability	5/10 audits	Medium
SAE Reporting	6/10 audits	High
CVs & GCP Certificates	7/10 audits	Low

Data-driven decision-making ensures that limited QA resources are directed to the most impactful areas.

Conclusion

Understanding common internal audit findings and digging into their root causes enables QA teams to go beyond checklists and drive meaningful compliance improvements. By trending issues, standardizing CAPA, and integrating lessons into SOP revisions and training, clinical organizations can elevate their inspection readiness and quality culture. Remember, each finding is an opportunity for system strengthening—not just correction.

References:

• ICH E6(R2) GCP Guideline
• FDA Compliance Program Guidance Manual
• EMA GCP Compliance Resources