Audit Trail Checklist: 8 Questions to Ask When Configuring GMP QC Laboratory Audit Trails

Audit Trail ChecklistData integrity has become a major priority among regulatory investigators and audit trail deficiencies in particular have been cited in a growing number of enforcement actions.

While many firms understand the importance of configuring their systems to ensure audit trails are adequate and meet regulators expectations, many others still struggle to maintain electronic records with a complete and compliant audit trail.

Validated computer systems with enabled audit trails are necessary, but not sufficient, to meet global regulatory good documentation practice requirements for electronic records.

Electronic records must be supported by adequate audit trails and associated controls that ensure the ‘…ability to discern invalid or altered records.’

That means your quality unit must review electronic records and their associated audit trails to ensure that all data are considered in batch release decisions.

Free white paper: Ensuring Enterprise-Wide Data Integrity in FDA-Regulated Industries

We've highlighted eight key questions to ask when configuring audit trails for your laboratory instrument software to help ensure that the data generation and processing activities can be reconstructed and that all data are available for review.

While this not an exhaustive list, it should provide a helpful guide to protect you from making the kinds of errors that commonly show up in inspection reports.

1. Do you have policies and procedures that specify how staff are given access to computer systems?

The process for granting, changing, and removing access should be governed by a discrete procedure. Access to certain systems should be governed according to job function.

2. Are individual login and passwords required to access computer systems?

This is crucial for ensuring that the activity performed can be attributed to an individual. Never share any login credentials or passwords.

3. Does your software control actions through access privilege levels?

Activities within the system should be governed by job function and those who create records should have very limited or no ability to modify or delete them. Make sure to maintain and update lists showing who has particular access privileges for each system.

4. Are date and time featured secured so they cannot be changed by those who perform, supervise, or review records?

When individuals are able to change date and time stamps, it's not possible to ensure that activities were conducted at the date and times indicated – compromising the integrity of the data. These features should be controlled at the network level.

5. Is the identity of the person performing an activity captured by the audit trail?

This requires unique login credentials and ensures firms and regulatory investigators know who, in particular, performed an action. Logging in, acquiring data, processing data, modifying data, deleting data, reporting results or reviewing data are all activities that require audit trails capture individual performers.

6. Are your audit trails capable of documenting why an action was performed?

Selecting from a pre-written list of possible justifications can leave out important details needed when explaining why a particular action was taken. To ensure completeness and specificity, make this field a free text field for users to write their own justifications. Be sure all users are trained on how to provide a clear and complete justification.

7. Can data be obscured or deleted when certain operations are performed?

Sometimes this can happen and not be immediately apparent. When samples are retested, for example, the original results should always remain available to ensure everything can be reviewed and that your quality unit is considering all data when making lot disposition decisions. If data is overwritten, erased, or obscured, records associated with an activity cannot be fully reviewed.

8. Is the data being reviewed in the same format in which is was generated?

Most instrument data is reviewed in an electronic format and supplement by log books and other sources. GMP decisions should never be based on printouts of chromatograms or other documents that are used for convenience. When these documents are used, they should include the path to the original electronic data.


 Screen Shot 2017-04-30 at 1.59.49 PM.pngLearn how to ensure data integrity throughout your entire organization. Grab our free white paper, a 24-page guide filled with solutions to common compliance problems and a step-by-step process for integrating an effective control framework for data integrity.
Get The Guide

Topics: FDA Auditing, FDA Compliance, Data Integrity