Header Navigation

  • May 21, 2026
  • A few minutes

Your Compliance Audit Is in 30 Days. Here's What to Actually Do.

FAA, FDA, OSHA, and FINRA audit prep in 30 days: documentation triage, completion rate red flags, and what auditors actually ask for in the first hour.

Rob Walz headshot.

Rob Walz

Content Marketing Director

Worker in a safety vest using a tablet on a modern automated manufacturing factory floor with a robotic arm in the background.

The notification landed in your inbox this morning. The auditor will be on site in 30 days.

If you run training operations for a regulated industry, you know what comes next: a month of late nights, spreadsheet archaeology, and a slow-rising dread about whether the records you have will actually hold up.

Take a breath. Thirty days is enough. But only if you spend it on the right things.

What auditors actually do.

Most teams spend their prep month re-running training. That is the wrong instinct.

Auditors care about three things, regardless of which agency sent them:

  1. Did the required training happen?
  2. Can you prove it with documentation that holds up?
  3. If a record was wrong or missing, what did you do about it?

That last one trips people up. Auditors expect to find gaps. What they do not forgive is gaps you should have caught yourself.

Week 4 (30 to 23 days out): Confirm your scope.

You cannot prepare for an audit you have not defined so the first 48 hours are scope work.

Get the audit notice in front of you and answer these in writing: which population is being audited (everyone, a single site, a specific role), which regulations apply (be specific to the CFR section or FINRA rule), and what the audit window covers (the past year, the past three years, since the last audit). If the notice is vague, call the lead auditor's office and ask. They will tell you.

Then pull your training matrix. If you do not have one, build a fast version in a spreadsheet: rows are roles or job codes, columns are required courses, cells show frequency and retention requirements. This is the document the auditor will mentally use whether you produce it or not. You need to see what they will see.

If you have a training management system (like Administrate), this data is already collated for you.

By the end of week 4, you should have three artifacts on your desk:

  • A one-page scope summary you can hand to your team.
  • A current training matrix mapped to the regulation in scope.
  • A list of every system that holds training records. The LMS, the HR system, the spreadsheet on someone's desktop, the paper sign-in sheets in a binder somewhere.

That last one is the one most teams underestimate. Records living outside your LMS are the records that will sink the audit.

Week 3 (22 to 15 days out): Documentation triage.

Now you find the gaps.

Pull a complete training record for a random sample of employees in scope. Ten is fine for a small audit. Thirty for a larger one. Pick names you would not pre-screen. The point is to see what the auditor will see.

For each person, verify:

  • Every required course for their role is completed and current.
  • The completion date falls within the required interval (annual, biennial, before assignment, whatever the regulation says).
  • The record names a verifiable instructor or system, includes a date, and is signed or electronically attested.
  • The course version completed is the current approved version, not a deprecated one.
  • For roles with effectiveness requirements, a test score or competency check is on file.

You will find gaps. Group the gaps into three buckets:

Bucket one: training that did not happen and needs to. Schedule it this week.

Bucket two: training that happened but the record is missing or weak. Reconstruct the record. Sign-in sheets, calendar invites, email confirmations, and instructor attestations all help.

Bucket three: training that happened, has a record, but the record is wrong (wrong version, wrong date, missing field). Correct it through your normal record-correction process and document the correction.

Document your gap analysis itself. When the auditor asks what you found in your self-review, you want to hand them a list with disposition status, not a blank stare.

Week 2 (14 to 8 days out): Completion rates and red flags.

Pull completion rate reports for every required course in scope, broken out by role and location. Look for the patterns auditors look for.

Anything below 95 percent completion on required training is a red flag.

Anything below 90 percent will draw a finding.

If you see numbers in the 80s, you have a problem to fix this week, not explain away next month.

Pay attention to the patterns auditors weight more heavily than the overall rate:

  • Repeated late completions for the same individual. Suggests the person is not actually being trained on time and someone is back-dating.
  • Bunching of completion dates. If 200 people completed a course on the same date and you do not run a class that size, the auditor will assume the records are fabricated.
  • Site-by-site or manager-by-manager variation. If one location runs at 99 percent and another at 78 percent, the auditor will spend their time at the 78 percent location.
  • Records older than the retention requirement. OSHA generally wants three years for most training records. The FAA wants longer for crewmember training. The FDA expects records for the life of the product plus retention. Know your number.

For every red flag, prepare a one-paragraph written explanation and a corrective action you have already started. "We identified this in our pre-audit review and have implemented X" is the answer auditors want to hear.

Week 1 (7 days out to the day before): Dry run and team prep.

The last week is rehearsal.

Pick a colleague who has never seen the records, hand them the scope summary, and ask them to produce a complete training history for five named employees in 30 minutes. Time them. If they cannot do it, the auditor cannot either, and that itself is a finding.

Walk your team through what audit day will look like. Identify who answers what. Train your people to do three things:

  1. Answer the question that was asked, not a question that sounds related.
  2. Say "I will get that for you" when they do not know, then actually get it.
  3. Never speculate about why something is missing. Speculation becomes a finding.

On the documentation side, stage your records. Auditors typically request a long list of items in the first hour. If you can produce the first ten requests cleanly, the audit changes character. You stop being a problem to investigate and start being a partner who has their house in order.

What auditors actually ask for.

The specific requests vary by agency, but the patterns are consistent. Be ready to produce, within an hour of a request:

A complete training history for any named employee in scope. Course title, completion date, instructor or delivery method, version of the curriculum, and any effectiveness check.

Your training matrix. Which roles are required to complete which courses at what frequency, with the regulatory citation that drives each requirement.

Curriculum documentation for any course in scope. Learning objectives, content outline, approval date, current version number, and the change history if the curriculum has been updated.

Instructor qualification records for anyone delivering instructor-led training. Credentials, currency, and the records of any required instructor recurrent training.

Records of corrective action for any training failure. A test that was failed and retaken, a recurrent that was missed and made up, a curriculum that was updated after an incident.

The agency-specific pieces sit on top of that common core.

For FDA work under 21 CFR Part 11, expect specific questions about your electronic record system: who has access, how signatures are bound to records, how records are protected from alteration, and how you would recover them if your system went down. Under Part 210/211, expect to demonstrate that production staff were trained to the current SOP version before they did the work.

For FAA Part 142 or 121 training centers, expect a deep dive on instructor authorizations and curriculum approvals, with the auditor cross-referencing your training center certificate. Recurrent intervals will be checked to the day.

For OSHA, expect site-specific questions tied to the hazards present at the site. Hazard communication, lockout/tagout, respiratory protection, bloodborne pathogens, and fall protection are the perennial focus areas. Annual refresher cycles will be checked across the population, not just sampled.

For FINRA, expect questions about Firm Element completion rates, Regulatory Element through CRD, your Annual Compliance Meeting documentation, and how your supervisors are trained on their supervisory responsibilities.

Administrate makes audits run on autopilot.

You will get through this audit. But will the next one will be easier or harder than this one?

The teams that spend the month after an audit panicking about the next one are running training operations on systems that were not built for the job. A general-purpose LMS is built to deliver content. A Training Management System is built to schedule training, track it, report on it, and prove it happened in the format an auditor expects. The difference shows up the next time an auditor asks for records and you have 30 days to find them.

If the version of your next audit you want involves pulling a complete record in 30 seconds instead of 30 days, that change starts now, not on day one of the next 30-day countdown.

Learn more about Administrate for compliance and audits.

About the author

Rob Walz

Rob Walz Content Marketing Director

Robert Walz serves as Content Marketing Director at Administrate, bringing 6 years of dedicated experience in the Learning and Development industry.

Tags: Compliance

Ready to get started?

Schedule a call with a member of our team.

Book a demo

Subscribe

Focused professionals working at laptops and desktop monitors in a modern office, analyzing code or technical data.