Maintaining an audit trail is a regulatory compliance requirement, but what makes an audit trail beneficial for maintaining effectiveness and complying with regulations? This blog will explain what an audit trail is and the main aspects to consider when implementing an audit trail to safeguard data integrity.
Acceptance of data for decision-making purposes depends on the ability of regulatory authorities and inspection agencies to verify the quality and integrity of the data. Data integrity has become a major priority during regulatory inspections and audit trail shortcomings, in particular, have been mentioned in a growing number of observations.
ICH GCP defines audit trail as "Documentation that allows reconstruction of the course of events". The basic definition of an audit trail is a log that contains metadata concerning when and by whom data has been originally entered, changed, or deleted. The MHRA guidance on GxP Data Integrity published in March 2018 also covers the Audit Trail topic: “The audit trail is a form of metadata containing information associated with actions that relate to the creation, modification or deletion of GxP records. An audit trail provides for secure recording of life-cycle details such as creation, additions, deletions or alterations of information in a record, either paper or electronic, without obscuring or overwriting the original record. An audit trail facilitates the reconstruction of the history of such events relating to the record regardless of its medium, including the “who, what, when and why” of the action”.
The decision whether to apply audit trails for electronic records should be based on a combination of GxP regulatory requirements and assessment of risks to the trustworthiness and reliability of records. This includes the risk of unauthorized or undetectable changes to records and the determination of the potential effect on product quality, safety, and record integrity.
While many regulated companies understand the importance of configuring their computer systems to ensure audit trails are adequate and meet regulatory requirements, many others still struggle to maintain electronic records with a complete and compliant audit trail.
There are several things that should be taken into consideration when setting up audit trails. Many of the controls will be technical in nature and will form part of the functionality of a purchased system; however, a combination of technical and procedural controls may be needed for an adequate level of protection. Whether companies need a solution that is custom made or require off-the-shelf software from a supplier, is dependent on several factors.
You need to consider the following topics:
- Audit only what is necessary. Only audit trail those events/data that are critical.
- Audit trail content. The items included in the audit trail should be those of relevance to permit reconstruction of the process or activity.
- Logical and procedural controls.Validated computer systems with enabled audit trails are necessary, but not enough, to meet global regulatory good documentation practice requirements for electronic records. Additional logical and procedural controls need to be implemented. For example:
- Audit trails should be switched on. Users should not be able to amend or switch off the audit trail. Where a system administrator amends or switches off the audit trail a record of that action should be retained.
- Periodic checks to verify that audit trails remain enable and effective.
- Establishment of effective procedures for system use, administration and change management.
- Audit trails should be part of the system validation. The accuracy and reliability of the audit trail should be verified during validation testing.
- Report and review. What is the value of an audit trail solution if the regulated company never reviews it? The company must continually review.
- Readily available for inspection. All GxP records held by the GxP organization are subject to inspection by the responsible Competent Authorities.
- Data retention.Audit trails should be considered part of records and they need to be stored and maintained. All audit trails must be kept as long as their corresponding electronic records are required to be stored as mandated by applicable regulations. Regulated companies should develop retention policies that include audit trail data.
How to Implement an Effective Audit Trail: Next Steps
The computer systems used in a GxP environment may technically provide the minimum audit trail components, but it may be difficult to support in-process or periodic review of audit trail information. Regulated companies should work with suppliers to develop useful audit trail functionality and provide effective data analysis tools.
The topics explained throughout this blog should be considered when establishing and defining data integrity requirements (URS) for GxP systems and implementing the related logical and technical procedures. Regulated companies and investigator sites should assess their processes to ensure they comply with data integrity expectations. Regulated companies and investigators must protect the subjects’ rights, safety, and welfare.
