Maintaining an audit trail is a regulatory compliance requirement, but what makes an audit trail beneficial for maintaining effectiveness and complying with regulations? This blog will explain what an audit trail is and the main aspects to consider when implementing an audit trail to safeguard data integrity.
Acceptance of data for decision-making purposes depends on the ability of regulatory authorities and inspection agencies to verify the quality and integrity of the data. Data integrity has become a major priority during regulatory inspections and audit trail shortcomings, in particular, have been mentioned in a growing number of observations.
ICH GCP defines audit trail as "Documentation that allows reconstruction of the course of events". The basic definition of an audit trail is a log that contains metadata concerning when and by whom data has been originally entered, changed, or deleted. The MHRA guidance on GxP Data Integrity published in March 2018 also covers the Audit Trail topic: “The audit trail is a form of metadata containing information associated with actions that relate to the creation, modification or deletion of GxP records. An audit trail provides for secure recording of life-cycle details such as creation, additions, deletions or alterations of information in a record, either paper or electronic, without obscuring or overwriting the original record. An audit trail facilitates the reconstruction of the history of such events relating to the record regardless of its medium, including the “who, what, when and why” of the action”.
The decision whether to apply audit trails for electronic records should be based on a combination of GxP regulatory requirements and assessment of risks to the trustworthiness and reliability of records. This includes the risk of unauthorized or undetectable changes to records and the determination of the potential effect on product quality, safety, and record integrity.
While many regulated companies understand the importance of configuring their computer systems to ensure audit trails are adequate and meet regulatory requirements, many others still struggle to maintain electronic records with a complete and compliant audit trail.
There are several things that should be taken into consideration when setting up audit trails. Many of the controls will be technical in nature and will form part of the functionality of a purchased system; however, a combination of technical and procedural controls may be needed for an adequate level of protection. Whether companies need a solution that is custom made or require off-the-shelf software from a supplier, is dependent on several factors.
You need to consider the following topics:
The computer systems used in a GxP environment may technically provide the minimum audit trail components, but it may be difficult to support in-process or periodic review of audit trail information. Regulated companies should work with suppliers to develop useful audit trail functionality and provide effective data analysis tools.
The topics explained throughout this blog should be considered when establishing and defining data integrity requirements (URS) for GxP systems and implementing the related logical and technical procedures. Regulated companies and investigator sites should assess their processes to ensure they comply with data integrity expectations. Regulated companies and investigators must protect the subjects’ rights, safety, and welfare.