Featured

Is Your QMS Ready for an Audit? A Practical 2026 Health Check for APAC Pharma & Biotech

May 28, 2026


If youre reading this with an inspection notice already on your desk, heres the uncomfortable truth: by the time the regulator arrives, your QMS is whatever it has been for the past two years. You cant paper over that gap in three weeks.

But if youre reading this before the notice arrives, you have something most companies dont — time. And the difference between a QMS that quietly fails its first inspection and one that holds up under questioning isnt size, sophistication, or budget. Its whether the system you wrote down actually matches the system your team uses every day.

At Valina Services, weve walked many APAC pharma, biotech, and medical device companies through exactly that gap. The pattern is almost always the same. The SOPs are written. The QMS software is installed. The training matrix exists somewhere. And then, on inspection day, the inspector asks one specific question, and three different people in the room give three different answers.

This guide is the QMS health check we run for our own clients. No fluff, no jargon — just the practical signs that tell us whether a Quality Management System is built for daily use or built for the shelf.

Why QMS Failures Are Different from Process Failures

A process failure is usually obvious. A batch fails. A deviation gets raised. Someone notices and acts.

A QMS failure is quieter. It looks like:

  • An SOP that says one thing while the team does another
  • A change control log with three months of "pending review" entries
  • A CAPA from last years audit that everyone agrees was closed, but nobody can produce the closure evidence
  • A training matrix that hasnt been updated since two people left and one joined

None of these will stop a batch tomorrow. All of them will surface in your next inspection. And regulators in APAC,  particularly HSA, NPRA, TGA, PMDA and CDSCO, are increasingly looking for evidence that your QMS is alive, not just installed.

The frameworks themselves havent changed (ISO 9001, ISO 13485, ICH Q10, GxP, 21 CFR Part 820, EU GMP Chapter 1). Whats changed is how inspectors test them: through traceability, through people interviews, and through cross-referencing what the SOP says with what your records show.

The Six Places a QMS Quietly Fails

We see the same six failure points across companies regardless of size. Walk through these honestly. Every "Im not sure" or "we usually..." is a finding waiting to happen.

1. Document Control

The single highest-impact area, and the one that most companies underestimate.

Ask yourself:

  • Is every controlled document version-numbered, dated, approved, and signed by the right roles?
  • Can you produce the complete revision history of any SOP in under five minutes?
  • Are obsolete documents removed from active circulation — not just marked obsolete in the system, but physically inaccessible to staff?
  • When an SOP is revised, is there documented evidence that affected staff were re-trained before the new version went live?

If you have controlled documents living in shared drives, email attachments, or personal folders alongside the official QMS, thats not a document control system. Thats an inspection finding with extra steps.

2. SOP Lifecycle

SOPs arent a one-time deliverable. They are working instructions that should reflect how the work is genuinely done.

  • Has every SOP been reviewed within its defined periodic review cycle (usually two years, sometimes shorter)?
  • Do your SOPs reference the actual systems, vendors, and tools your team uses today, or last years stack?
  • Is there a clear, documented process for raising a deviation when an SOP genuinely cant be followed as written?

A useful test: pick any SOP at random and walk it down to the bench, lab, or system it describes. If whats happening doesnt match whats written, you have a gap.

3. Change Control

Change control is the discipline most likely to break under operational pressure.

  • Is there a single, documented change control workflow that applies to processes, systems, suppliers, and documentation — not three separate workflows that nobody fully follows?
  • Are change requests linked to a risk assessment, with documented impact analysis?
  • Are change closures linked to evidence of execution: revised SOPs, re-validated systems, re-trained staff?
  • How long do changes sit in "pending" status before theyre closed or withdrawn?

If your change control log has a long tail of stale items, thats not a backlog. Thats an inspectors first question.

4. Deviation and CAPA

CAPA is where good QMS programs become great ones, and where weak QMS programs quietly come apart.

  • Are deviations classified consistently (minor, major, critical) using a documented risk methodology — not the mood of the day?
  • Does every CAPA have a named owner, due date, and evidence of closure — and is the evidence actually attached to the record?
  • Are CAPAs trended over time, with periodic management review, to spot repeat issues?
  • For CAPAs from past audits: is there documented evidence that the corrective action resolved the root cause, not just the symptom?

The trap most companies fall into is closing CAPAs administratively (the form is signed) without closing them substantively (the underlying issue is fixed). Inspectors check the second one.

5. Training Records

Training is where the QMS most visibly disconnects from the people doing the work.

  • Is your training matrix current as of this week, reflecting every joiner, leaver, and role change?
  • Is there documented evidence of competency for every GxP-relevant role — not just attendance records, but actual assessment outcomes?
  • When an SOP is revised, is re-training tracked separately from initial training, with a documented effective date?
  • Can you produce, on request, the complete training history for any individual member of staff?

If you cant, you have an inspection finding that costs you nothing to fix today.

6. Internal Audit and Management Review

A QMS that doesnt audit itself is a QMS waiting for someone else to audit it.

  • Is there a documented internal audit plan covering all critical QMS processes on a defined cycle?
  • Are internal audit findings logged, actioned, and closed with the same rigour as external audit findings?
  • Does management review actually happen on schedule, with documented inputs, outputs, and decisions?
  • Are quality metrics (deviation rates, CAPA closure times, training compliance, complaint trends) reviewed at the management level — not just reported?

A well-run management review is, frankly, the single best evidence of QMS maturity an inspector can ask for. If yours hasnt happened in eighteen months, thats the gap to close first.

The Right-Sizing Problem (Especially in APAC)

Heres what nobody tells small APAC pharma and biotech companies: most QMS templates available online are built for large, multi-site multinationals. Import one of those wholesale and youll end up with a QMS thats bigger than your operation, slower than your team can sustain, and impossible to follow consistently.

The opposite failure is just as common. A startup runs everything in spreadsheets and email threads, calls it "lean," and then cant pass an investor due diligence audit, let alone an HSA inspection.

A right-sized QMS for a 20-person APAC biotech looks fundamentally different from a right-sized QMS for a 200-person manufacturing site. The frameworks are the same. The documentation depth, review cadence, and tooling are not.

When we design or remediate QMS programs at Valina, the first question we ask is never "what does the standard say?" Its "what is the smallest, simplest version of this that will pass an audit, scale with your business, and be honestly maintainable by your team?"

Thats the version that survives.

The Failure Patterns We See Most Often

After years of running QMS assessments and remediations across APAC, the same handful of patterns account for most negative findings:

  • A QMS is designed once, then frozen. No periodic review, no continuous improvement, no evidence the system has adapted to how the business has changed.
  • Strong on paper, weak on traceability. Controlled documents exist, but you cant trace a deviation through to its CAPA, training update, and SOP revision in one continuous chain.
  • The quality team owns everything; line teams own nothing. Quality is treated as a department, not a discipline. Inspectors notice immediately.
  • Validation packages disconnected from QMS records. GxP systems were validated, but the validation lives in folders nobody updates when changes happen.
  • Training compliance is reported, not measured. The dashboard says 100%. The records say something else.
  • A QMS imported from a template, never adapted. SOPs reference processes the company doesnt run, vendors it doesnt use, and roles it doesnt have.

None of these is fatal. All of them are fixable. The companies that struggle are the ones that wait for an inspector to point them out.

How Valina Helps Companies Get QMS-Ready

This is the work we do every week. We help APAC pharma, biotech, and medical device companies in four ways:

  1. QMS Health Check & Gap Assessment. We assess your existing QMS against applicable standards (ISO 9001, ISO 13485, ICH Q10, GxP, 21 CFR Part 11 / EU Annex 11) and the real way regulators inspect in APAC. You get a prioritised gap list, not a 200-page report.
  2. QMS Design & Implementation, Right-Sized. Whether youre starting from scratch or rebuilding, we design a QMS sized to your company, your GxP IT systems, and your regulatory exposure. Built to last, not just to pass.
  3. Audit Readiness & Remediation. From 21 CFR Part 11 as-is assessments to inspection prep and validation-package overhauls after periodic reviews or change management, we map the roadmap, close the findings, and keep you audit-ready.
  4. Digital QMS Implementation & Validation. If youre moving to or upgrading an eQMS, we make sure the system itself is validated to 21 CFR Part 11 and EU Annex 11, and that the migration doesnt break your historical traceability.

Weve been doing this for years, and well tell you honestly when something isnt worth fixing — and when its the only thing worth fixing first.

Final Thoughts

A QMS is, in the end, an answer to one question: can you prove, on demand, that you do what you said you do?

If the answer is yes, an audit is on Tuesday with extra meetings. If the answer is "mostly," youll have findings, manageable ones, usually. If the answer is "well figure it out when they get here," thats when QMS programs fail, careers stall, and product approvals slip.

The companies that pass inspections without drama arent the ones with the biggest QMS. Theyre the ones whose QMS quietly works every day of the year.

If youd like a clear, honest read on where your QMS stands today, before a regulator gives you one, thats exactly the conversation we like having. Get in touch with us, and well help you out.

This blog provides general information and should not be considered regulatory advice. Always consult qualified professionals and refer to the latest applicable guidance regarding your specific compliance requirements.

Posted by Dr Suhanya Parthasarathy, PhD | Valina Services Pte Ltd