Common Data Integrity Points of Failure: Neglecting Audit Trails and Their Review

When acquiring and deploying computerized systems in GxP regulated environments, it’s important that companies opt for software that incorporates suitable electronic audit trail functionality.

The audit trail functionality serves as a pivotal component and extension of technical controls, granting companies the ability to oversee and validate alterations or activities occurring within the system. Consequently, this establishes a transparent record of system events.

But can companies avoid regulatory scrutiny regarding audit trail compliance?

In industries like pharmaceuticals where data integrity and accountability are critical, regulatory agencies have become increasingly stringent in their expectations for audit trail implementation. For instance, the FDA has recently issued Form 483 in August 2022 to a company, highlighting concerns over absence or inadequate audit trail functionalities within critical equipment used in QC labs and production settings.[1]

Furthermore, there have been instances of implementing inappropriate technical controls within audit trails, leading to non-compliance. In certain cases, data changes fail to trigger necessary events in the audit trail, particularly when saved using the “save” button. This deficiency raises concerns about accurate real-time documentation, essential for accountability and transparency.[2]

The effectiveness of an audit trail is compromised without proper review

Recurring instances of inadequate audit trail review and the absence of periodic reviews have been reported.[3] Notably, certain companies restrict their audit trail review to physical printouts, disregarding the regulatory mandate that audit trails, being electronic in nature, must be reviewed electronically.[4] The audit trail review should not be seen as a “stand-alone” task but should be thought of and defined in-line with the data review in general. This must be a risk-based definition actively addressing risks and accepting them if reasonable, following ICH Q9.[5]

Moreover, an absence of established procedures governing the review of audit trails has been observed in some companies, encompassing both production and laboratory equipment. In August 2022, The FDA reported applying very general audit trail review procedures to software used for different equipment. Nonetheless, these procedures lack the specific identification of elements unique to the software. This raises concerns about the ability  of a reviewer to understand the different entries in the audit trail and their implications[6],[7] despite the FDA’s recommendation to establish distinct Audit Trail Review Plans for individual systems.

Incorporating Audit Trail Requirements During System Design: FDA, EMA

Audit trail functionality should be verified during validation of the system to ensure that all changes and potential deletions of critical data are recorded and meet ALCOA+ principles.[8]  It should imperatively include the following parameters:

– User Details: The identity of the user who undertook the action.

– Action Tracking: A comprehensive record of actions and changes including old and new values.

– Timestamp Precision: Precise timing of each action, including date and time.

– Reason Clarity: The rationale behind each action, providing justification for any modifications including the identity of the individual authorizing it.

Furthermore, ensuring that audit trail functionalities are enabled and always locked against deactivation or deletion is crucial. If there’s a breach even by administrative users, it must occur in the audit trail, preserving its integrity. Accurate recording of audit trail entries in real-time, reflecting the exact timing of activities, is also essential.

The need for well-defined data policies stands out, especially for determining which data is required in audit trails, and they should follow risk management principles. These trails need to be checked regularly, and any discrepancies must be investigated. Regular checks for discrepancies and a thorough review, aided by useful filters, search capabilities, and clear presentation, contribute to a comprehensive audit trail.

What about systems with no audit trail or an incomplete audit trail? What’s the work-around for such systems?

This situation is particularly relevant for older systems that are still employed in regulated laboratories and manufacturing, effectively fulfilling their designated tasks. Navigating this scenario involves implementing procedural controls, which may encompass the use of handwritten records. However, the recent concept paper on the Annex 11 revision clearly points out that this scenario is no longer acceptable:[9]

“Controlling processes or capturing, holding or transferring electronic data in such systems without audit trail functionality is not acceptable; any grace period within this area has long expired.”

In a nutshell: You must update these systems and implement adequate technical controls to fulfill current GMP requirements.


In summary, audit trails are critical for data integrity and accountability. They provide a transparent record of actions, aiding in error detection and compliance. GxP-CC offers specialized consulting services to support you with our data integrity knowledge including the appropriate design of technical and procedural controls including audit trails and their review. Get in touch and ensure excellence in regulatory adherence and data reliability.














You Might Also Like:
Join Our Team
Reach your full potential while making a powerful impact.
Learn More
Contact Us
Let’s find the best solution for your compliance needs.
Learn More