It's not just covered by hiring compliance people. You need to have an actual quality management system, e.g. a Jira (or whatever) instance that links from bug reports to documentation to code commit to feature deployment. Instead of just having an email address and sometimes letting the engineers know, and the engineers sometimes make a code commit with a message that makes any kind of sense, and engineers sometimes reviewing code, and engineers sometimes forgetting a region to deploy the update to.
You might think these kinds of things are table stakes, and I would agree.
Agree; I make software as a medical device. My point is you often don't have to do that. You just have to fling a lot of paper at an auditor, which can be generated well (as you describe, and as I would do, and the good companies in my example would already do) or badly (which the bad companies in my example would do) where it's basically generated post hoc in a hurry.
You might think these kinds of things are table stakes, and I would agree.