
Audit Exposure: Why Your Applicable List Is a Governance Risk (And How to Fix It)

  • Writer: Team Hoodin
  • Feb 26
  • 3 min read

Most regulatory teams believe they have control over their Applicable List. It exists. It gets updated now and then. It has worked so far.


But audit exposure rarely arises from obvious omissions—a forgotten regulation, an overlooked standard. It emerges more subtly. It begins when confidence in the list's reliability gradually erodes, without anyone really noticing.


As regulatory scope expands—across markets, product variations, and new domains such as cybersecurity and AI—manual structures like spreadsheets and shared documents carry a growing, often invisible, risk. What once functioned as a documentation exercise slowly becomes a governance risk.


Several pressure points tend to drive that shift.



When Rationales Become Impossible to Explain

An Applicable List may clearly state whether a requirement applies. The real exposure emerges when the reasoning behind that decision can no longer be demonstrated with the same clarity.


Consider this: During a review, a notified body asked to see the rationale for why a particular clinical guidance document had been assessed as not applicable for a Class IIb device. The company could show the decision—it said "Not applicable." But they could not show why. The person who made the assessment had left. Notes existed in a forgotten folder. The rationales lived on in institutional memory, not in the structure.


The review continued. But confidence in the entire applicability structure was damaged—and with it, the overall regulatory credibility.


As portfolios expand and interpretations evolve over time, rationales often become abbreviated, inherited, or context-dependent. Under audit, conclusions are not enough. Auditors look for structured reasoning: assumptions, cross-references, historical context.


When rationales are dispersed across spreadsheets, meeting notes, or institutional memory rather than embedded within the applicability structure itself, the focus shifts from traceability to explanation. Over time, confidence erodes—both internally and under scrutiny.


Market Expansion Without Structural Recalibration

Entering new markets increases regulatory obligations. Frequently, these obligations are added to existing structures rather than being structurally integrated.


The Applicable List grows broader, but not necessarily stronger. Separate market interpretations, layered assessments, and parallel documentation create a scope that is technically complete yet difficult to defend as a unified system.


Under notified body scrutiny, fragmented applicability structures become visible. Expansion without recalibration increases exposure.


Time-Bound Interpretations That Disappear

Regulatory transitions involve phased implementation, overlapping frameworks, and interpretations that evolve over time. These decisions are often handled carefully when they are made.


The risk emerges later, when it becomes difficult to demonstrate how those interpretations were anchored within the Applicable List. If time-bound reasoning is not structurally embedded, organisations are forced to rely on retrospective explanation rather than direct reference.


Audit pressure turns historical assumptions into active questions.


Static Procedures in an Expanding Regulatory Landscape

Applicability procedures are typically designed around periodic reviews. Regulatory landscapes do not evolve periodically—they evolve continuously.


Guidance updates, harmonised standards, cybersecurity expectations, AI oversight, and environmental requirements expand the scope incrementally. Manual structures absorb this complexity without necessarily reorganising it.


The procedure may remain compliant.

The defensibility of the Applicable List may quietly degrade.


From Documentation Task to Governance Risk

Under sustained audit pressure, the nature of applicability management changes. It is no longer primarily about identifying relevant regulations. It becomes about demonstrating structural integrity across markets, timelines, and interpretations.


Where manual systems rely on spreadsheets, distributed documentation, and contextual expertise, defending regulatory scope grows increasingly complex as organisations expand.


For manufacturers facing growing scrutiny, the question is no longer whether applicability is documented—but whether it can be defended systematically.


How to Avoid This

Moving from a documentation exercise to a governance discipline requires a shift in mindset. Here are four concrete actions based on the patterns above:


| Problem | Action |
| --- | --- |
| Rationales are hidden or untraceable | Embed justifications directly within the Applicable List structure, not in separate documents. Every decision should be traceable to a person, a date, and a source. |
| Market expansion without recalibration | Conduct a structural review with every major market addition, not just an add-on. Ask: does the structure still hold? |
| Time-bound interpretations disappear | Ensure every interpretation carries a "decision date" and a reference to the guidance that applied at the time. Make history visible. |
| Static procedures in a dynamic landscape | Move from periodic to continuous applicability updates. Integrate horizon scanning into the ongoing process. |

Early Access

We are inviting a limited number of regulatory teams to evaluate a structured approach to maintaining and defending the Applicable List ahead of public release.


If you recognise the challenge of defending your applicability decisions under increasing scrutiny, and would like to explore a more structured approach, you are welcome to join the early access programme below.



 
 

WHEN SCOPE EXPANDS GOVERNANCE MUST FOLLOW

Compliance Studio is being developed as a structured operating layer for maintaining defensible Applicable Lists over time.
