The QMS Frankenstack: Why Quality Teams Are Running 8 Tools and Still Failing Audits

Most quality teams have quietly assembled a frankenstack of Excel, SharePoint, email, standalone LMS, and AI tools that don't talk to each other. Here's what's in it, why it breaks, and how a compliant spreadsheet collapses the whole thing.

Nobody planned to build a frankenstack. It happened one reasonable decision at a time.

First there was Excel — for the document master list, CAPA tracking, supplier evaluations, inspection logs. Then SharePoint, because the file server was getting messy and IT said it would fix version control. Then email for approvals, because nobody had time to implement a workflow tool. Then a standalone LMS when the auditor asked for training records and the spreadsheet wasn't convincing enough. Then ChatGPT started getting used for CAPA root cause drafting and someone asked if that was compliant. Then someone bought a module from an eQMS vendor for document control specifically, but it didn't integrate with the CAPA tracker, so the CAPA tracker stayed in Excel.

That's six tools. Most quality teams are running eight.

The result isn't a quality management system. It's a quality management archipelago — islands of data separated by manual handoffs, dependent on individual memory, and genuinely difficult to navigate when an auditor asks to trace a corrective action from the original nonconformance through to effectiveness verification.

This article is about what's actually in the typical quality frankenstack, why each piece was a reasonable choice that created unreasonable problems, and what it looks like to collapse it into something coherent without spending $100,000 a year.

The Eight-Tool Stack, Explained

Here's the stack that most ISO 9001-certified small to mid-size manufacturers are running, assembled piece by piece over years of reasonable individual decisions.

Tool 1: Excel — The Core

Excel is where everything started and where most of it still lives. The document master list. The CAPA log. The supplier evaluation matrix. The calibration schedule. The internal audit tracker. These are legitimate use cases that Excel handles adequately — until you need version history, approval records, or audit trail, at which point the adequacy stops.

Tool 2: SharePoint (or a Network Drive)

SharePoint gets added when someone realizes the Excel files on the shared drive don't have access control, version history, or a reliable way to prevent someone from opening a controlled document and editing it. SharePoint has better permissions management than a network drive. But as multiple QMS practitioners have noted, SharePoint isn't a QMS. It's a document repository. The document approval workflow — who reviewed it, who approved it, on what date, at what revision — still has to be managed manually or via email. SharePoint doesn't know what a "controlled document" is. It doesn't enforce approval before distribution. The compliance layer is still you.

Tool 3: Email — The Approval Workflow

Email became the approval workflow because it was the path of least resistance. Someone updates a procedure, sends the file to the manager, manager replies "approved," document gets published. This works until an auditor asks for the approval record for a revision from seven months ago and you're searching through email threads trying to reconstruct a chain that was never designed to be evidence.

The specific problem: email approval creates a record that proves intent to approve, not that the correct version was approved. Multiple drafts circulate, someone replies to an older thread, the approval lands on a version that differs from what got published. "By the time QA approves the final version," one compliance expert put it, "no one is entirely sure what was actually approved."

Tool 4: Standalone LMS

The training records problem gets solved with a Learning Management System when the Excel training log becomes unconvincing to auditors. A real LMS tracks completions, generates certificates, sends reminders. But it doesn't connect to the document control system. When a procedure gets revised, the LMS doesn't automatically know that the people who use that procedure need to be retrained. Someone has to manually create the training assignment in the LMS. If they forget, or misidentify the affected roles, the gap between document revision and training record goes untracked — until an auditor connects the dots.

Tool 5: A Nonconformance / CAPA Tool (That Doesn't Integrate)

At some point, the Excel CAPA tracker gets replaced with a dedicated CAPA tool — either a standalone product or a module purchased from an eQMS vendor. This is the right call in principle. The CAPA tool has structured workflows, root cause sections, effectiveness verification fields. The problem: it doesn't connect to the document control system (still in SharePoint/Excel), doesn't connect to the training records (still in the LMS), and doesn't connect to the supplier records (still in Excel). When an auditor wants to trace from a customer complaint through the CAPA to the updated procedure to the retraining — that trace requires jumping across four tools, reconciling data that was never designed to link.

Tool 6: AI Tools for QMS Tasks

ChatGPT and Copilot are now being used across quality teams for CAPA root cause drafts, procedure writing, internal audit report generation, and management review summaries. This is largely invisible to the QMS — the outputs get pasted into existing tools without any record of how they were generated, whether they were reviewed for accuracy, or whether the resulting document is compliant. It's a new layer of untracked input on top of an already fragmented system.

Tool 7: Paper

Despite everything else going electronic, paper persists. Incoming inspection forms on clipboards. Nonconformance tags on rejected parts. Sign-off sheets for training completion. These get scanned eventually, or manually transcribed into the relevant spreadsheet, or sometimes just filed in a binder. The data they contain never makes it into the connected system because there is no connected system.

Tool 8: Outlook / Teams

Not a QMS tool, but doing QMS work: approval decisions made in Teams chat, action items tracked in Outlook tasks, internal audit findings communicated in email threads. This is where institutional knowledge goes to disappear. When someone leaves, their Teams messages and Outlook tasks go with them. The decisions that were made, the context for why something was done a certain way — none of it is in the QMS record.

What This Stack Costs — In Money and Time

The hard costs of the enterprise-tier eQMS that most people assume is the alternative are substantial. MasterControl starts at $25,000 per year and commonly exceeds $100,000. Qualio is $12,000 for the platform plus $3,000 per user annually. These price points make sense for medical device companies with 21 CFR Part 11 requirements and the compliance budget to match. They don't make sense for a Tier 2 automotive supplier running a 10-person quality team on an ISO 9001 budget.

So the frankenstack persists — not because quality managers don't see the problems, but because the canonical fix costs more than they can justify.

The softer costs are harder to price but are real. A 2026 analysis found that quality teams using fragmented systems spend significant time on manual data reconciliation between tools — checking that what's in the CAPA tracker matches what's in the document master list matches what's in the LMS, because none of these things sync automatically. Every piece of that reconciliation is time that isn't going into actual quality work.

And then there's audit prep — the semi-annual or annual process of pulling the whole stack together, verifying it's current, and hoping the auditor doesn't ask a question that requires tracing across systems that don't connect.

What "Collapsing the Stack" Actually Means

Collapsing the frankenstack doesn't mean buying a $100,000 enterprise eQMS. It means asking a different question: what do all these tools actually need to do, and is there a simpler way to do it that meets the compliance requirements?

The compliance requirements for ISO 9001 Clause 7.5 are actually pretty clear:

• Documents must be controlled (identifiable, current version accessible, obsolete versions managed)
• Changes must be traceable (who changed what, when)
• Approvals must be documented
• The right people must have access to the right information

Most of the frankenstack exists because none of the individual tools does all of these things, so additional tools get bolted on to cover the gaps. SharePoint covers access control but not approval workflow. Email covers approval intent but not approval evidence. Excel covers tracking but not history. The LMS covers training completion but not the link to document revisions.

The alternative: a compliant spreadsheet that does all of these things natively. Not a workaround. Not a convention that depends on discipline. A spreadsheet where:

• Version history is architectural — every change is recorded with user identity and timestamp, automatically, tamper-evidently
• Approval workflows are built into the document lifecycle — the revision can't be published without completing the approval step, and the approval record lives in the document
• Access control is role-based and enforced — not a password-protect hack, actual user-level permissions
• Training linkage is traceable — when a document is revised, the impacted records can be connected to that revision

This isn't a description of an enterprise eQMS. It's a description of what compliance requires, stripped of everything else. For the 80% of quality processes that live in spreadsheets anyway, the right answer isn't a different software category — it's a spreadsheet that's built to be compliant.

The AI Layer: Where It Fits and Where It Doesn't

AI tools are now embedded in quality workflows whether quality managers intended them to be or not. The question isn't whether to use them — it's whether the outputs are going into a compliant record.

The legitimate uses are real: AI can accelerate CAPA root cause drafting, flag inconsistencies in procedure language, generate training assessment questions, and summarize management review inputs. These are real time savings.

The problem is that in the typical frankenstack, these outputs land in a Word document, get pasted into a SharePoint file, and get approved via email — with no record of the AI involvement, no review trail for the generated content, and no way for an auditor to determine how the document was produced.

In a compliant spreadsheet environment, AI-generated content that goes into a controlled document is subject to the same review and approval workflow as anything else. The audit trail captures the revision, the review, the approval — regardless of whether a human or an AI drafted the first version. The compliance question isn't about the generation; it's about the review and approval. If that process is documented, the tool used to draft doesn't matter.

This is actually an advantage of the compliant-spreadsheet approach over the enterprise eQMS: the flexibility to integrate new tools without rebuilding the compliance infrastructure. The compliance layer isn't in the tool that generates the content — it's in the system that controls, approves, and records the result.

What the Collapsed Stack Looks Like

For a manufacturer running ISO 9001 (or transitioning to IATF 16949), the collapsed stack looks like this:

Document control: Compliant spreadsheet with version locking, approval workflows, and tamper-evident history — replacing the Excel master list + SharePoint storage + email approvals combination.

CAPA tracking: Compliant spreadsheet with structured workflow fields, root cause linkage, and effectiveness verification records — replacing the standalone CAPA tool that doesn't integrate with anything.

Supplier evaluation: Compliant spreadsheet with audit trail — the supplier scoring and re-evaluation records that currently live in an uncontrolled Excel file, now version-controlled.

Training records: Completion logs in a compliant spreadsheet, linked to the document revision that triggered the training requirement — not a separate LMS that has to be updated manually when procedures change.

Internal audit findings: Structured in a compliant spreadsheet, with action items that trace to closure — not an email thread.

This isn't one software platform replacing eight. It's one compliance architecture applied to the spreadsheet-based workflows that already exist, removing the patchwork of workarounds built around tools that weren't designed for compliance.

SheetLckr was built for exactly this use case. The interface is a spreadsheet because that's what quality teams know. The compliance infrastructure — version history, approval workflows, access control, audit trail — is underneath it, running automatically. The goal isn't to replace the spreadsheet with something unfamiliar. It's to make the spreadsheet the compliant record it was always pretending to be.

The Real Question

The frankenstack persists because quality managers are making the right individual decisions with the wrong frame. Each new tool solves a real gap in the previous tool. The gap never closes because the frame is wrong.

The right frame isn't "which tool solves this specific compliance gap." It's "what does compliant data architecture look like, and how do I get there without a six-figure budget and a six-month implementation?"

The answer is a spreadsheet that was designed to be compliant — not patched to be compliant, not supplemented by four other tools to be compliant, but designed from the ground up with compliance as the architecture.

That's a different product category than enterprise eQMS. It's also a different product category than Excel. It's the thing that sits between them, which is where most quality teams actually are.