Auditing is often perceived as a technical exercise built around checklists and findings. In reality, it is far more nuanced and human, shaped by preparation, communication, judgment, and an ability to understand how systems operate in practice, not just on paper.

This month, as part of our 25 Years of Tower Mains series, we are sharing 25 things we have learned from 25 years of GxP audits. Some are practical, some philosophical… and some were learned the hard way!

  1. Preparation is key. In all aspects, not just audit conduct. Travel, accommodation, and transfers all matter. A relaxed auditor is a good auditor.
  2. If it isn’t documented, it didn’t happen. And if it is documented badly, it might as well not have happened.
  3. “We’ve always done it this way” is not a control.
    It’s an early warning signal.
  4. The audit starts the moment you enter reception.
    Culture, organisation, and preparedness are visible before the first question is asked.
  5. Clear documentation shows where you’ve been; a robust quality system shows where you’re going.
  6. The CAPA that fixes the system is worth more than 10 that fix individual errors.
  7. If a process depends on one “super-user,” it’s already out of compliance.
  8. The real data integrity risk is rarely the system; it’s the workaround.
  9. Training records tell you who attended. They don’t prove competence.
  10. The phrase “that’s handled by another department” usually means “no one owns it.”
  11. Vendors don’t reduce oversight; they redistribute it.
    Sponsor responsibility is never outsourced.
  12. The longer the SOP, the less likely anyone is to follow it.
  13. If deviations are rare, they’re probably underreported.
  14. Root cause is almost never “human error.”
    That’s a symptom, not a cause.
  15. Metrics without context create false confidence.
  16. The most valuable audit evidence is often found in conversation, not binders.
  17. Inspection readiness is not a project. It’s an operational state.
  18. People remember how you made them feel long after they forget the observation wording.
    Auditing is as much psychology as it is compliance.
  19. Silence is a powerful audit tool.
    Ask a question and wait; the second answer is usually the real one.
  20. Good QA builds bridges. Bad QA builds fear. Only one improves compliance.
  21. If it says a system is “fully validated,” ask for the change control history.
  22. You can assess a quality culture by how comfortable junior staff are speaking up.
  23. Inefficiency is not non-compliance. Just because something appears overly complicated or it’s not how we (the auditor) would do it, doesn’t mean it’s wrong. Be open-minded!
  24. Airport sushi isn’t your friend as an auditor. Keep an eye out for quick food on the go… some quick bites can bite back.

And finally, after 25 years, the biggest lesson learnt…

Audits are not about finding faults. They’re about protecting patients, data integrity, and the credibility of the science.