Audit Trail Review – A Data Integrity Issue

Data integrity demands a great amount of attention in the life science industry. This is now truer than ever with increased focus from the FDA, EU, and industry standards on data integrity issues and best practices. Audit trails for computerized systems are required for all FDA / EU regulated systems. It must capture the creation, modification, and deletion of regulated electronic records. Who created and when the record must be captured, as well as who, when and why the record was modified or deleted – as relevant. When a system is validated, an audit trail should be verified to ensure accuracy and that it meets all applicable regulatory and organizational requirements. Once the system is validated and in production, the audit trail should not be forgotten. A formal process to examine the audit trail to ensure data integrity is needed in the regulated environment. Let us consider audit trail review – how to approach it and a few items of interest.

Audit trail review refers to the process of periodically examining an audit trail based on a variety of factors. It is valuable to define audit trail review based on system risk. ISPE – as recommended by ISPE in the Records and Data Integrity Guide. Place a risk level on a system just as one would for any other computerized system risk assessment using criteria such as impacts to patient safety, drug/product efficacy, quality system, business risks, complexity/criticality etc. How often and to what degree the audit trail review occurs can then be assigned. Do include all system stakeholders in the criteria and assessment process including IT, QA, and business process owners.

It is important to develop procedures and processes for audit trail review or incorporate them into a Validation Master Plan and/or Quality Management System. The review itself might only be a spot check for a very low risk system or it could be a comprehensive analysis and tracing of data and metadata. Metadata is one aspect that should not be overlooked. The audit trail review cannot be adequate (in most cases) if information that makes the data meaningful (metadata) is not available. This is a time when putting on an investigator or QA “hat” is imperative. Audit trail review should (again, based on risk level) look with scrutiny at reruns and fails of data capture and modification. Procedurally and scientifically, it may be acceptable for rerunning and failing instrument runs, for example. However, does the audit trail capture these events? If so, how and is it complete? Again, risk is key, but these are questions and answers that are important. This is also an opportune time to review training records, access controls, and general system security – as applicable.

Audit trail review is an essential component to data integrity for any computerized system. There are guidelines and industry best practices out now which are very helpful in developing a process to manage the reviews. Yet it is important to understand the system’s risk and criticality so as to approach the assessment process efficiently. Use the audit trail review to put the pieces of data capture, modification, and deletion together – using metadata to give scale and meaning to the data and information. An audit trail review may be easy to overlook or curtail, but its contribution to overall data integrity and thus patient safety is very significant.