What Auditors Ask When They Don’t Agree With You
- Team Hoodin

- 4 days ago
There is a particular kind of audit conversation that rarely begins dramatically.
No one has found a missing certificate. No procedure has collapsed. No one has discovered that the company ignored a regulation it should have known about. The discussion begins with something much smaller, and usually more polite.
The auditor reads a conclusion, looks up from the file and asks why the organisation reached it.
The answer is given. The regulatory team explains the decision, refers to the relevant requirement and describes how the conclusion was reached. For a moment, the room remains calm. Then the auditor asks another question, not because the first answer was necessarily wrong, but because another interpretation is possible.
That is the moment many organisations are less prepared for than they realise.
Regulatory teams spend a great deal of effort documenting what they concluded. They document that a regulation applies, that a requirement does not apply, that a product falls within a particular classification, that a guidance update does not require action, or that a local market requirement is already covered by an existing process. These conclusions may be entirely reasonable. They may even be correct.
But an audit does not only test whether a conclusion exists. It tests whether the conclusion can survive disagreement.
That is a different standard.
A regulatory conclusion is easy to document when everyone in the room already agrees with it. The difficulty appears when someone competent, informed and professionally sceptical reads the same material and sees another possible answer. In Regulatory Affairs, that situation is not exceptional. It is ordinary. Many important decisions sit in areas where regulations, guidance documents and authority expectations require judgement rather than mechanical application.
The uncomfortable question is therefore not whether the organisation has a rationale.
The question is whether the rationale shows why this answer was chosen over other plausible answers.

That is where many files become thinner than they first appear.
A product classification may explain why the final class was selected, but not why the next higher class was rejected. A non-applicability decision may state that a requirement does not apply, but not which trigger conditions were examined and why they were not met. An impact assessment may conclude that a regulatory update requires no action, but not explain which product assumptions, markets or planned changes were considered. A local market assessment may state that a national requirement is covered by the main regulatory framework, but not show whether the local obligation was independently reviewed or merely assumed away.
From inside the organisation, these gaps can be difficult to see. The conclusion feels familiar. The people who made the decision may remember the discussion. The answer may have been accepted in previous reviews. Over time, the organisation begins to trust the conclusion because it has become part of the regulatory landscape.
An auditor does not inherit that familiarity.
The auditor enters the file from the outside. They do not know which conversations took place, which alternatives were rejected, which assumptions were obvious at the time or which interpretation was considered and dismissed. They see the record. If the record only contains the final answer, they are left to decide whether the organisation made a controlled regulatory judgement or simply documented the end of an internal discussion that is no longer visible.
That distinction matters because disagreement is not the same as non-compliance.
A notified body reviewer may disagree with a classification without immediately concluding that the manufacturer is wrong. An auditor may question a non-applicability rationale without asserting that the requirement definitely applies. A competent authority may challenge an interpretation because the reasoning is not sufficiently visible, not because the final conclusion is impossible.
The problem, in those situations, is not that the organisation lacks an answer.
The problem is that the answer has not been stress-tested in the documentation.
A defensible regulatory position is not merely a conclusion with a citation attached. It is a conclusion that shows how the organisation handled the possibility of being wrong. It demonstrates that the relevant regulatory text was considered, that product and market context were used, that alternative interpretations were visible, and that the chosen position was not the accidental result of habit, convenience or inherited assumptions.
This is especially important in areas where reasonable disagreement is predictable. Software classification under MDR Rule 11 is one example. Determining whether a software function informs, drives or directly influences clinical management can involve judgement. Borderline product classification, national implementation differences, local market obligations, cybersecurity expectations, AI-related functionality and “no impact” conclusions for regulatory updates all create similar situations. The issue is not that every possible interpretation must be analysed endlessly. The issue is that the organisation should be able to show why the reasonable alternatives did not prevail.
That is often what auditors are really probing when they continue asking questions.
They are not always trying to force agreement. They are trying to understand the quality of the disagreement the organisation is able to withstand.
If the answer becomes weaker with each follow-up, the concern grows. If the rationale depends on one person’s memory, the concern grows. If the file shows the conclusion but not the route to it, the concern grows. If the organisation cannot explain why a plausible alternative was rejected, the issue becomes less about the regulation and more about control over regulatory reasoning.
This is why some audit conversations become uncomfortable even when the original decision remains defensible. The organisation may have reached a good conclusion but preserved it badly. It may know what it believes, yet be unable to show how that belief was tested. It may have a regulatory position, but not a position that can withstand informed challenge.
The practical implication is significant.
Regulatory teams should not only ask whether their conclusions are documented. They should ask whether their conclusions still make sense when read by someone who does not already agree with them.
That shift changes the purpose of rationale. Rationale is not a note explaining why the organisation thinks it is right. It is evidence that the organisation understood the decision space. It shows which facts mattered, which sources were relied upon, which assumptions were used and why alternative conclusions were not adopted. Done well, it allows someone outside the original discussion to reconstruct the judgement without needing to trust the people who made it.
That is the level of traceability many organisations assume they have until a difficult audit proves otherwise.
The most revealing audit question is therefore not always “why did you conclude this?”
It is often the next question.
“Why did you not conclude something else?”
Organisations that can answer that question calmly usually have more than documentation. They have control over their regulatory reasoning. Organisations that cannot answer it may discover that their regulatory position is weaker than it appeared, not because the conclusion was wrong, but because the disagreement was never properly governed.
That is the real test of defensibility.
Not whether everyone agrees with your regulatory conclusion.
Whether the conclusion remains standing when someone competent does not.

