Audit Readiness Checklist for Business Central in Regulated Industries

audit · compliance · gxpMarch 26, 2026

Being compliant and being audit-ready are not the same. A compliant system is one that meets regulatory requirements. An audit-ready system is one where the evidence of compliance can be retrieved, presented, and explained clearly and without delay during an inspection. In practice, systems that are compliant but not audit-ready generate findings during inspections — not because the requirements are not met, but because the evidence cannot be produced.

This article describes what inspectors look for when they review a Business Central implementation in a regulated environment, and provides a 20-item self-assessment checklist for audit preparation.

What inspectors look for

Inspectors reviewing an ERP system in a GxP environment are typically looking for evidence of four things: that the system was validated; that data integrity requirements are met; that access control is appropriate; and that changes to the system are managed and documented.

A validated system has a documented validation package — URS, test protocols, executed test records, deviation log, and validation summary report — that demonstrates the system was tested against requirements before being placed in service. An inspector who asks for the validation documentation and receives a dense folder of test scripts without a clear summary report, without traceability to requirements, or with unanswered deviations will raise a finding.

The 20-item audit readiness checklist

Validation documentation

  1. Validation Summary Report (VSR) exists, is approved, and is current
  2. URS is available and approved by QA
  3. IQ/OQ/PQ protocols and executed records are available and complete
  4. All deviations from validation testing are documented, assessed, and closed
  5. The validation package has been reviewed and confirmed as current within the last 12 months (periodic review)

Access control

  1. Every active BC user has an individual account — no shared logins
  2. User accounts are assigned to permission sets that reflect the user's job role
  3. A current role matrix exists, linking each job function to its BC permission set
  4. Terminated users have been deactivated promptly — an access control review has been conducted in the last 6 months
  5. System administrator access is restricted and logged

Audit trail

  1. The Change Log is configured for all GxP-relevant tables
  2. The Change Log configuration is documented and included in the validation package
  3. Change Log entries cannot be deleted or modified by any user, including administrators
  4. The audit trail has been tested and the test evidence is available

Lot and batch traceability

  1. All GxP-relevant items have mandatory lot tracking enabled
  2. A complete forward and backward traceability demonstration can be produced for any lot within 30 minutes
  3. Expiry date management is configured and validated

Change control

  1. A documented change control procedure is in place and has been in use since the system went live
  2. All post-validation changes to BC configuration have change control records
  3. The change control records include an impact assessment on validated status

How to prepare the evidence package

The evidence package for a BC inspection should be a structured document set that can be navigated by someone unfamiliar with the system. It should open with the VSR and a system description, followed by the access control documentation, followed by the Change Log configuration evidence, followed by the traceability demonstration procedure. Supporting documents — test protocols, deviation reports, change records — are referenced and retrievable on request.

The person responsible for presenting the evidence package during an inspection should have practiced the presentation. This sounds obvious but is frequently neglected. The ability to navigate from the VSR to a specific test record, or from a lot number to its complete history, within a few minutes, is a demonstration of system mastery that builds inspector confidence.

Common findings in BC audits

Change Log not configured for all relevant tables: this is the most common finding. The Change Log is configured for some tables but not all. Finding this requires comparing the Change Log configuration against the list of GxP-relevant tables in the URS.

Shared logins or inactive accounts: user management reviews are not performed regularly. Accounts exist for departed employees, or multiple people share credentials for a service account.

No change control for BC updates: the organisation did not assess BC's automatic SaaS updates for impact on validated functionality. Major wave updates were applied without review.

Validation package out of date: the system has changed since the original validation, but the validation documentation has not been updated. The VSR does not reflect the current configuration.

No periodic review: the original validation is more than 12 months old and no periodic review has been conducted.

The difference between compliant and audit-ready

A compliant system meets regulatory requirements. An audit-ready system meets them and can demonstrate it. The gap between these two states is documentation quality, retrieval speed, and presentation clarity. Closing that gap requires scheduled preparation — an annual audit readiness review using a checklist like this one, followed by remediation of any gaps found.

Download the full audit readiness checklist for Business Central as a PDF using the link below.