Quality Assurance SOP: How to Structure One That Holds Up in an Audit

I once watched a quality manager fail an audit, and not because the company made bad product. She just couldn’t show the auditor how they knew it was good product. The parts were fine. The process was fine. Her people were good at their jobs. But the auditor asked “show me the procedure you follow to release a lot,” and she pulled up a document that was three years old, referenced a machine they no longer owned, and hadn’t been signed since 2023.

That gap, between what people actually do and what’s written down, is where quality assurance lives or dies. A quality assurance SOP is the document that closes it. Done right, it isn’t paperwork. It’s the thing that lets you prove, to a customer or an auditor or yourself, that quality wasn’t an accident. The stakes are real: for the average manufacturer, the cost of poor quality runs somewhere between 5 and 30 percent of gross sales, according to quality management research - and the biggest slice of that isn’t scrap, it’s the failures that slipped through because no one could prove the system worked.

I’m Yuval, CEO of Glitter AI. We build tooling that turns the way people actually work into clear, followable documentation, so I spend a lot of my time reading SOPs that work and even more reading ones that don’t. Here’s how to write a quality assurance SOP that holds up.

Turn quality know-how into audit-ready SOPs in minutes

Teach your co-workers or customers how to get stuff done – in seconds.

Start for Free

Replay video

0:00 / 0:00

What a quality assurance SOP actually is

Let’s get the terms straight first. People mix them up constantly, and it causes real problems in audits.

Quality control is the act of checking the product: inspecting parts, measuring tolerances, catching defects. If you want the procedural side of that, I wrote a full step-by-step guide to quality control procedures that covers inspection mechanics in detail, and a quality control SOP formalizes those checks into a controlled document.

Quality assurance is the system that makes quality control reliable and repeatable. It’s the layer sitting above inspection: who is trained to inspect, how often gauges are calibrated, how nonconformances get escalated, how a lot gets released or held. A quality assurance SOP documents that system.

So a QA SOP isn’t “how to inspect a widget.” It’s “how this organization makes sure widgets get inspected correctly, every time, by qualified people, with records that prove it happened.” It sits one level up from a standard procedure on the production floor and ties the individual procedures together into something defensible.

If you only remember one thing: a quality control procedure tells someone what to do. A quality assurance SOP tells an auditor why they can trust that it got done.

The structure that survives an audit

Auditors are pattern matchers. They’ve seen thousands of SOPs, and they’re looking for specific things in specific places. Give them the structure they expect and the audit gets shorter. Here’s the skeleton I recommend, in order.

1. Header and control block

Every QA SOP needs a control block at the top. This is the first thing an auditor checks and the first thing most homegrown SOPs get wrong.

• Document number and title
• Version number and effective date
• Author, reviewer, and approver (with signatures or e-signature records)
• Next scheduled review date
• A revision history table

The control block is what makes the document controlled rather than just a file someone saved somewhere. If your SOP can’t answer “is this the current version and who approved it,” nothing else in it matters.

2. Purpose

One short paragraph. Why does this procedure exist, and what quality risk does it manage? Auditors use this to judge whether the rest of the document actually delivers on what it claims. Keep it specific. “This SOP defines how finished goods lots are inspected and dispositioned prior to release” beats “This SOP ensures quality.”

3. Scope

What this SOP covers and, just as importantly, what it doesn’t. Name the products, lines, sites, or process stages it applies to. Scope creep is a top audit finding: a procedure that claims to cover everything but was clearly written for one line. Be honest about the boundaries.

4. Definitions and references

Define the terms a new inspector wouldn’t know, and list the standards, specs, and related procedures this SOP depends on (ISO 9001 clauses, customer specs, calibration SOPs). This section is where you cross-reference deviation management and your CAPA process so the SOP doesn’t pretend to live in isolation.

5. Responsibilities

Roles, not names. “QA Inspector,” “Quality Manager,” “Production Supervisor.” Spell out who performs each step, who reviews, and who has the authority to release or hold product. An auditor will walk up to one person on the floor, ask “who can put a lot on hold?”, and check the answer against this section. They should match.

Turn quality know-how into audit-ready SOPs in minutes

Teach your co-workers or customers how to get stuff done – in seconds.

Start for Free

Replay video

0:00 / 0:00

6. The procedure itself

The core. Numbered, sequential steps written in the imperative (“Verify the calibration sticker is current,” not “calibration should be verified”). For a QA SOP specifically, the procedure usually covers:

1. Receiving inspection - what gets checked when material arrives, sampling plan, acceptance criteria
2. In-process checks - which points in production get QA verification and at what frequency
3. Final inspection and disposition - the criteria and steps to release, rework, or reject a lot
4. Nonconformance handling - exactly what happens when something fails, including who gets notified and how the material is segregated
5. Records - what gets recorded, where, and how long it’s retained

Each step should name the record it produces. A step that generates no evidence is a step an auditor can’t verify, and to an auditor that means it might not be happening at all.

7. Records and retention

List every form, log, and record the procedure creates, where it’s stored, and the retention period. This is what turns “we inspect everything” into “here is the inspection record for lot 4471, signed, dated, retained per our seven-year policy.”

8. Revision history

A table at the end: version, date, description of change, who approved it. This proves the document is alive, not abandoned. An SOP with no revisions in four years tells an auditor nobody is reviewing it, which is itself a finding.

How the QA SOP connects to audits

A common mistake is treating the QA SOP and the audit as two separate worlds. They’re the same world. The audit is just someone checking whether the SOP is real.

Write the SOP so it can be audited against itself. Practically, that means:

• Every requirement is verifiable. If the SOP says “inspectors are trained,” there must be a training record the auditor can pull. Don’t write requirements you can’t evidence.
• Frequencies are explicit. “Periodically” is unauditable. “Every 4 hours of run time, recorded on Form QA-12” is auditable.
• The SOP references its own internal audit. Most quality systems require periodic internal audits of the procedure. Reference that schedule inside the SOP so the loop is closed and visible.

The internal audit itself usually deserves its own short SOP, but the QA SOP should at least point to it. When an external auditor sees that you audit your own QA procedure on a schedule and actually act on what you find, the conversation shifts from “prove you have quality” to “show me your last internal audit.” That’s a much shorter, friendlier audit.

Wiring in CAPA: the part most SOPs skip

Here’s where good QA SOPs pull away from great ones. Most procedures handle the happy path well enough: inspect, pass, release. Far fewer handle the unhappy path with the same rigor, and the unhappy path is exactly what auditors and customers care about most.

When inspection finds a problem, two things have to happen, and your QA SOP should route both explicitly:

1. Immediate disposition - segregate, hold, label the nonconforming material so it can’t ship. This is containment.
2. Root cause and prevention - open a corrective action (CAPA) so the same failure doesn’t recur. This is the systemic fix.

The QA SOP should not contain your entire CAPA process, that’s its own procedure, but it must define the trigger and the handoff. Something like: “Any nonconformance exceeding [threshold], any repeat defect, or any customer complaint shall be logged as a deviation and escalated to CAPA per QA-CAPA-001 within 24 hours.”

That one linking sentence is what makes the difference in an audit. It shows the auditor that your QA system doesn’t just catch defects, it learns from them. A QA SOP that detects problems but has no defined path to deviation management and corrective action is a smoke detector with no fire department attached.

I’ve watched companies pass audits with imperfect product because their CAPA linkage was airtight. I’ve also watched companies with great product fail because they couldn’t show what they did the last time something went wrong. Auditors don’t expect perfection. They expect a system that responds. Failure to investigate discrepancies - exactly the kind of gap a missing CAPA trigger creates - ranked among the top five most-cited FDA 483 observations in FY2024, appearing in inspections across domestic and foreign drug manufacturers alike.

Writing it so the floor actually follows it

A QA SOP that’s technically perfect but unreadable gets ignored, and an ignored SOP is worse than no SOP at all, because now there’s a documented gap between what you say and what you do. That gap is the single most damaging thing an auditor can find.

A few things that consistently work:

• Write at the level of the person doing the work. Your most junior qualified inspector should be able to follow it without asking questions.
• Show, don’t just tell. Screenshots of the actual system, a photo of a correctly labeled hold tag, an image of a passing part next to a failing one. Visual steps get followed far more reliably than walls of text. This is the core argument in my manufacturing SOP guide, and it applies double to QA.
• One procedure, one job. If your QA SOP is trying to cover receiving, in-process, final, and supplier audits all at once, split it. Auditors and operators both prefer focused documents.
• Keep it current. Set the review date and actually review it. The fastest way to fail an audit is an SOP describing equipment or steps that no longer exist.

The hardest part of all this isn’t knowing what good looks like. It’s the friction of capturing how people actually work and keeping it updated as the floor changes. That’s the specific problem we built Glitter to solve: you walk through the process once, and it produces a clean, step-by-step, visual SOP you can drop straight into your quality system. The point isn’t the tool, though. The point is that your QA SOP should reflect reality, because in an audit, reality is exactly what gets checked.

Turn quality know-how into audit-ready SOPs in minutes

Teach your co-workers or customers how to get stuff done – in seconds.

Start for Free

Replay video

0:00 / 0:00

A quick checklist before you call it done

Before a QA SOP goes into your quality system, run it against this:

• Does it have a complete control block with approver and review date?
• Is every requirement backed by a record an auditor could pull?
• Are all frequencies stated as specific numbers, not “periodically”?
• Does it define the explicit trigger and handoff to CAPA?
• Does it reference its own internal audit schedule?
• Could your most junior qualified person follow it unaided?
• Has it been reviewed within its stated review cycle?

If you can answer yes to all seven, your quality assurance SOP will do what it’s supposed to do: let you prove, on any given day, that quality wasn’t luck.