What do auditors want to see? | Audit-ready mapping

The core point: auditors assess rationale, not only performance

A temperature curve that stays within limits is important, but for an audit it is not enough. The auditor wants to trace why the measurement setup was logical, why the chosen acceptance criteria were appropriate and how the results were translated into storage and monitoring decisions.

Many findings do not arise because the area demonstrably failed, but because choices were not recorded well enough. Think of logger positions without rationale, missing calibration certificates, raw data that are not quickly retrievable or deviations that were observed but not formally investigated.

The practical audit question is simple: can you show and explain every choice? The number of measurement points, their placement, the study duration, the test conditions, the acceptance criteria and the permanent monitoring position must all be traceable to an approved protocol, a risk assessment and the mapping report.

The documents an auditor will ask for

Make sure the mapping dossier is not only complete, but also easy to navigate. An auditor usually does not want to search through separate files, but wants to see one coherent dossier in which protocol, execution, results and follow-up are connected.

Approved mapping protocol: prepared and signed before the measurement, with scope, method and acceptance criteria.
Mapping report: results assessed against the criteria, including conclusions and recommendations.
Calibration certificates: for all loggers used, linked to serial number, location and measurement period.
Raw data, spreadsheets and graphs: available per logger and traceable.
Site survey or floor plan: with all logger locations, heights and relevant risk zones.
Deviation reports and CAPA: including assessment, root cause, action and formal closure.
Monitoring placement matrix: the link between mapping results and permanent monitoring sensors.
Relevant SOPs: for example mapping, calibration, alarm handling, data management and deviations.

Need to make the document structure sharper? Also read temperature mapping: protocol versus report and what is included in a mapping dossier.

What auditors want to see for each part

Rationale for measurement points

The auditor wants to see that the number and position of the loggers follow from a risk assessment. Layout, HVAC, doors, air outlets, heat sources, height differences, product zones and loading should visibly be taken into account. A random grid without rationale is weaker than a measurement plan that explains which risk is covered by each position.

More detail is available on how many measurement points are needed for temperature mapping.

Pre-defined acceptance criteria

Acceptance criteria should be in the protocol before the measurement starts. This is not only about the temperature range, but also the allowed duration of a short excursion, the conditions during door tests, any humidity criteria and the way results will be assessed.

Calibration and traceability

Every logger must be traceable to a valid calibration certificate. The report should clearly show which logger was placed at which location, on which date the measurement was performed and which certificate belongs to that device. Traceability prevents discussion afterwards about data reliability.

Data integrity and audit trail

Data must remain original, complete, legible, timely and retrievable. Think of timestamps, access control, audit trail, secure storage and clear export files. If raw data are not available or graphs cannot be traced back to the original measurements, audit risk arises immediately.

Deviations and CAPA

A deviation is not only a temperature excursion. A failed logger, incorrect clock setting, changed logger position or changed test execution can also be a deviation. The auditor expects deviations to be recorded, assessed, investigated and, where needed, closed with CAPA.

Link from mapping to permanent monitoring sensors

A common question is why the permanent sensor is placed in a certain position. The answer should come from the mapping. The fixed sensor is preferably placed at or near a justified worst-case location, such as a hot spot or cold spot, not simply at the easiest position.

Also read hot spots and cold spots in temperature mapping.

Frequency and triggers for re-mapping

An auditor looks not only at the first mapping, but also at when mapping is repeated. Re-mapping is logical after significant changes, such as refurbishment, changed loading, new refrigeration equipment, altered airflow or recurring temperature deviations. Periodic requalification should also be justified.

Approval and roles

An audit-ready dossier states who was responsible for preparation, execution, analysis, review and approval. In GDP and GMP contexts, the role of QA or the Responsible Person is important. The report should be independently reviewed and formally released.

Common audit findings and how to prevent them

Finding	Prevent it with
Sensors are placed at convenient positions instead of mapped worst-case locations.	Derive fixed sensor positions from mapping results and the risk assessment.
The rationale for measurement points is missing.	Record per logger which risk or zone is covered.
Calibration certificates are expired or not quickly available.	Use a certificate index per device ID, location and measurement date.
Acceptance criteria were created only after the study.	Define criteria in the approved protocol before measurement.
Deviations were seen, but not investigated or closed.	Use a deviation and CAPA process with review and sign-off.
No clear link exists between mapping and monitoring.	Create a monitoring placement matrix with rationale per fixed sensor.
Gaps in continuous recording or unclear raw data.	Secure local buffering, data management, audit trail and retention.
No re-mapping after layout or HVAC change.	Link re-mapping to change control and periodic review.

Audit checklist: are you ready?

Approved protocol with roles, scope, methodology, measurement points and acceptance criteria.
Report with results, assessment against criteria, conclusions and recommendations.
Written rationale for the number and position of all measurement points.
Valid, traceable calibration certificates for all loggers used.
Raw data, graphs per logger and site survey with locations.
Deviations investigated, assessed, closed and linked to CAPA where needed.
Monitoring placement matrix from mapping results to fixed sensors.
Data integrity secured with audit trail, time synchronisation and retention.
Justified re-mapping frequency and link with change control.
Report independently reviewed and approved by QA or the Responsible Person.

Sources used

This page is based on practical principles from WHO TRS 992 Annex 5 Supplement 8, EU GMP Annex 15, EU GDP 2013/C 343/01 and the ISPE Good Practice Guide for Controlled Temperature Chamber Mapping and Monitoring. Practice points about common audit questions are used only as context; hard requirements are linked to the guidelines.

From a separate measurement to a defensible dossier

A strong audit dossier shows three things at once: plan, evidence and follow-up.

01

Plan

An approved protocol with scope, measurement strategy, acceptance criteria and rationale for the logger positions.

02

Evidence

Raw data, graphs, hot and cold spots, calibration certificates, conclusions and signed review.

03

Follow-up

Deviations, CAPA, monitoring placement matrix and re-mapping triggers through change control.

FAQ

Frequently asked questions about audits and temperature mapping

Short answers for QA, pharmacies, laboratories and GDP distributors.

Audit questions

What does an auditor want to see in a temperature mapping?

An auditor wants to see the protocol, report, calibration certificates, raw data, graphs, deviation and CAPA records and the rationale for every measurement and monitoring choice.

Why do audit findings arise even when the area remained within range?

Because findings often come from weak documentation. An area can perform well while logger placement, acceptance criteria, calibration, data integrity or deviation follow-up are insufficiently justified.

How do I justify sensor placement?

With mapping results and a risk assessment. Record per logger or fixed sensor which risk, zone or worst-case position is covered.

Which calibration do auditors expect?

Auditors expect valid, traceable calibration certificates for each logger used. The serial number in the data, the certificate and the logger location must be logically linked.

Data, deviations and approval

What does an auditor expect regarding data integrity?

Data must be complete, traceable, timestamped, protected against uncontrolled change and retrievable. Raw data, graphs and report conclusions must be traceable to each other.

How often should I re-map to remain audit-ready?

Map before first use, after significant changes and periodically based on risk. Consider changes in layout, loading, HVAC, refrigeration equipment or recurring temperature deviations.

What is a common audit finding?

Common findings include missing calibration certificates, unjustified sensor placement, criteria defined only afterwards and no clear link between mapping and monitoring.

Who should approve the mapping report?

The report should be independently reviewed and formally approved by the responsible party, for example QA or the Responsible Person in a GDP context.

Want to justify your mapping choices during an audit?

Start with a justified measurement setup or let us review the protocol, logger placement, reporting and monitoring position.

Create a 3D measurement-point proposal Request advice or a quote

What auditors want to see in a temperature mapping