Why compliance spreadsheets fail at audit time
Spreadsheets are the world's most-used compliance tool and the single most-cited root cause of quality-system findings. They feel like control — rows, columns, formulas, a named owner — but at audit time they reveal themselves as fragile snapshots of decisions nobody can reconstruct.
The ERP–QMS gap is where spreadsheets multiply
Most manufacturers run production in an ERP (SAP, NetSuite, Epicor, Plex) and quality in a separate QMS — or worse, in Excel. The bridge is typically a spreadsheet someone exports weekly. By day three, the spreadsheet and the ERP disagree on BOM revision, supplier status, or lot disposition. Auditors find the disagreement in minutes.
Version drift and the FINAL_v7_reviewed_RM.xlsx problem
ISO 13485 Clause 4.2.4 and the QMSR equivalents require documented controls over document approval, revision, and obsolescence. Local copies on desktops, SharePoint, and email attachments cannot demonstrate single-source-of-truth control. AS9100D 7.5.3 raises the bar further with configuration-linked document control.
Orphaned records and broken traceability
A CAPA references a nonconformance number that references a work order that no longer exists in the current ERP extract. FSMA 204 will require this same kind of lot-level linkage across trading partners on a 24-hour clock — spreadsheets cannot meet that latency when lot codes mutate through transformation events.
Audit-trail gaps: 21 CFR Part 11 and EU Annex 11
Part 11 §11.10(e) requires secure, computer-generated, time-stamped audit trails for creation, modification, and deletion of electronic records. EU GMP Annex 11 §9 has parallel requirements. Excel's change tracking is user-toggleable, not tamper-evident, and cell-level history is not preserved across saves. FDA's 2018 data-integrity guidance is explicit: spreadsheets require the same Part 11 controls as any other electronic record.
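To make "tamper-evident" concrete, here is an added example (not from the original article, and not by itself a Part 11 validated system) of a hash-chained audit trail for create, modify and delete events. The class name, field names and the sample lot and user values are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value used by the first entry

def _digest(body: dict) -> str:
    # Canonical JSON so the same entry always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    """Append-only trail; each entry commits to the hash of the one before it."""

    def __init__(self):
        self.entries = []

    def record(self, action, record_id, user, reason, new_value=None, ts=None):
        if action not in ("create", "modify", "delete"):
            raise ValueError(f"unsupported action: {action}")
        body = {
            "seq": len(self.entries),
            # Timestamp is system-generated unless a test injects a fixed one.
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "action": action, "record_id": record_id, "user": user,
            "reason": reason, "new_value": new_value,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        self.entries.append({**body, "hash": _digest(body)})

    def verify(self):
        """Return the index of the first inconsistent entry, or None if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev"] != prev or _digest(body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None

def demo():
    # Constructed sample data: the lot number and user names are made up.
    trail = AuditTrail()
    trail.record("create", "LOT-0001", "qa.alice", "initial disposition", "hold")
    trail.record("modify", "LOT-0001", "qa.bob", "retest passed", "released")
    trail.record("delete", "LOT-0001", "qa.alice", "duplicate entry")
    intact = trail.verify()
    # Simulate the in-place overwrite that a spreadsheet cell allows.
    trail.entries[1]["user"] = "qa.alice"
    return intact, trail.verify()
```

The chain only detects edits if the latest hash is also kept somewhere the editor cannot rewrite; without that external anchor, someone with write access can recompute every hash or truncate the tail.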
Manual re-keying errors scale linearly with audit scope
A widely cited University of Hawaii study (Panko, 2008) found about 88% of spreadsheets contain errors; enterprise studies put material-error rates at 1–5% of cells. At audit scale — thousands of supplier records, CAPAs, training records — that is a guaranteed finding. Every manual transcription from ERP to QMS spreadsheet is a fresh injection point.
Electronic signatures that aren't
Part 11 §11.50 and §11.70 require signed records to contain the signer's printed name, date and time, and meaning of signature, linked so they cannot be excised and transferred. A typed name in column G is not a compliant e-signature. FDA warning letters in pharma and devices repeatedly cite spreadsheet-based batch and quality records as non-compliant on this point.
What auditors actually do
They ask for the record, then ask for the record behind the record — who changed it, when, why, and against what approved procedure. Spreadsheets can usually produce the first layer; almost never the second.
