Maintaining an audit trail is a regulatory compliance requirement, but what makes a good audit trail that is effective and complies with regulations?

This article will explain what and audit trail is, what the applicable regulations are and the main aspects to consider when implementing an audit trail to contribute to safeguard clinical data integrity.

Acceptance of data from clinical trials for decision-making purposes depends on the Regulatory Authorities’ ability to verify the quality and integrity of the data.

Data integrity has become a major priority during regulatory inspections and audit trail deficiencies in particular have been cited in a growing number of observations.

EU GMP Annex 11, 21 CFR Part 11 and related guidance documents outline the current regulatory requirements for audit trails.

ICH GCP defines audit trail as “Documentation that allows reconstruction of the course of events”1.

The basic definition of an audit trail is a log that contains metadata concerning when and by whom data has been originally entered, changed, or deleted2,3.

The MHRA guidance on GXP Data Integrity published in March 2018 also covers the Audit Trail topic:

“The audit trail is a form of metadata containing information associated with actions that relate to the creation, modification or deletion of GXP records. An audit trail provides for secure recording of life-cycle details such as creation, additions, deletions or alterations of information in a record, either paper or electronic, without obscuring or overwriting the original record. An audit trail facilitates the reconstruction of the history of such events relating to the record regardless of its medium, including the “who, what, when and why” of the action”4.

The decision whether to apply audit trails for electronic records should be based on a combination of GXP regulatory requirements and assessment of risk to the trustworthiness and reliability of records, including the risk of unauthorized or undetectable changes to records5, and the determination of the potential effect on product quality, safety and record integrity6.

“The need for and the type of audit trails should be based on a documented and justified risk assessment”7

While many regulated companies understand the importance of configuring their computer systems to ensure audit trails are adequate and meet regulatory requirements, many others still struggle to maintain electronic records with a complete and compliant audit trail.

There are many things that should be taken into consideration when setting up audit trails. Many of the controls will be technical in nature and will form part of the functionality of a purchased system; however, a combination of technical and procedural controls may be needed for an adequate level of protection7.

Whether companies are using a solution that is custom made or they acquire off-the-shelf software from a supplier, they need to consider the following topics:

• Audit only what is necessary: the MHRA GXP Data Integrity Guidance and Definitions states that “The relevance of data retained in audit trails should be considered by the organisation to permit robust data review/verification. It is not necessary for audit trail review to include every system activity (e.g. user log on/off, keystrokes etc.)” 4. Only audit trailed those events/data that are critical.

  The Process Owner and Data Owner (they may be the same person) need to be involved when setting up the audit trail functionality to consider what information they need to review based on its criticality, which should have been defined by the regulated company within a Data Governance framework.

• Audit Trail content. The items included in the audit trail should be those of relevance to permit reconstruction of the process or activity. They will help to reconstruct significant details about study conduct and source data collection necessary to verify the quality and integrity of data8 and ensure compliance with the applicable regulation.
  Including unnecessary information should be avoided since it can increase compliance risk4.

  Audit Trail information should include the following4,7:

• • Identity of the person performing the action (this identification must be unique).

  • The detail of the change or deletion, and a record of the original entry (original information should not be obscured).

  • The reason for any GXP change or deletion (to explain why the action was necessary).

  • The Date and Time when the action was performed (changes should be dated and time stamped. They should be implemented with a clear understanding of the time zone referenced and ensuring that the system clocks used for the time stamp are accurate and secure).

• Logical and Procedural Controls. Validated computer systems with enabled audit trails are necessary, but not enough, to meet global regulatory good documentation practice requirements for electronic records. Additional logical and procedural controls need to be implemented. For example:

  • Audit trails should be switched on. Users should not be able to amend or switch off the audit trail. Where a system administrator amends or switches off the audit trail a record of that action should be retained4.

  • Periodic checks to verify that audit trails remain enable and effective.

  • Establishment of effective procedures for system use, administration and change management7.

• Audit Trails should be part of the system validation. The accuracy and reliability of the audit trail should be verified during validation testing5. Validation documentation should demonstrate that audit trails are functional, and that all activities, changes and other transactions within the systems are recorded, together with all metadata in a useable form2.

• Report and Review. What is the value of an audit trail solution if the regulated company never review it? By following the steps in the paragraphs above, companies will know they are getting the information they are looking for, but they need to ensure to continually review, follow up, and document the audit trail review process regularly. For this purpose, every GXP organization should implement procedures that outline their policy and processes for review of audit trails in accordance with risk management principles2,9.

  Reviews should be performed of audit trail content that has direct impact on reported values that will be used for product or patient decisions7.

  ICH E6(R2), Section 5.18.1(b) specifies that one of the purposes of trial monitoring is to verify that “the reported trial data are accurate, complete, and verifiable from source documents”. In-process audit trail review is a way of doing this and should be established as part of the monitoring activities of the clinical trial.

  ICH E6(R2), Section 5.18.3 also reinforces the relevance of centralized monitoring as a useful process conducted by appropriately qualified and trained persons (e.g., data managers, biostatisticians) to help distinguish between reliable data and potentially unreliable data. Audit trail reviews conducted by these trained staff can help to identify potential issues that may result in loss of data integrity. Issues may include: erroneous data entry, modifications by unauthorized persons data not entered contemporaneously, falsification of data1,7.

  To comply with the above requirements, it is necessary that audit trails are designed so that the audit trail information relevant to data being reviewed or used is visible on screen or easily obtainable10.

  Audit trails need to be available and convertible to a generally intelligible form9 and they also need to be viewable/accessible to end-users.

  For enhanced usability, if available, systems should be configured to allow the search, sorting, and filtering of audit trail data7.

• Readily available for inspection: All GXP records held by the GXP organization are subject to inspection by the responsible Competent Authorities. This includes original electronic data and metadata, such as audit trails maintained in computerized systems.

  Management of both contract givers and contract acceptors should ensure that adequate resources are available and that procedures for computerized systems are available for inspection. System administrator personnel should be available to readily retrieve requested records and facilitate inspections11.

  It is a good practice to discuss the above topic before acquiring a computer system that will be used in a clinical trial setting.

  Inspectors tend to request copies of full audit trail reports for the critical systems used in the selected clinical trial(s) e.g. eTMF, eCRF, ePRO.

  There is no regulatory requirement dictating the format of those reports; however, the typical format requested is an excel file (with any headers explained). The content and format of these reports should be discussed with the suppliers of such systems and be formally validated to comply with the inspectors´ expectations. Companies should not wait until the very moment they receive the inspection request to handle this topic but before deploying the software.

• Data Retention. Audit trails should be considered part of records and they need to be stored and maintained. All audit trails must be kept as long as their corresponding electronic records are required to be stored as mandated by applicable regulations.

  Regulated companies should develop retention policies that include audit trail data.

  Data migration activities should also retain audit trail information. A record of the changes to an electronic record prior to conversion of its format should be preserved, if possible7.

Conclusion

The computer systems used in a clinical trial setting may technically provide the minimum audit trail components, but it may be difficult to support in-process or periodic review of audit trail information.

Regulated companies should deal with suppliers to develop useful audit trail functionality and provide effective data analysis tools7.

The topics explained throughout this article should be considered when establishing and defining data integrity requirements (URS) for GXP systems and implementing the related logical and technical procedures.

The reliability of data is at risk if its integrity is compromised at any stage during the clinical research process. Regulated companies and investigator sites should assess their processes to ensure they comply with data integrity expectations.

For the Health Authorities to accept the data from clinical trials and grant positive opinion on whether a medicine should be authorized, data quality and data integrity need to be maintained.

Regulated companies and clinical investigators must protect the subjects´ rights, safety and welfare. These three fundamental pillars are not only jeopardized when subjects in clinical investigations are exposed to unnecessary risks and hardships but also when a new medicine that may have been effective does not obtain a marketing authorization due to problems with the quality and integrity of the data.

References

1. International Council for Harmonization (ICH): ICH Harmonized Guideline, Integrated Addendum to ICH E6(R1): Guideline for Good Clinical Practice E6(R2). Step 4, version 9 November 2016.

1. PIC/S Guidance: PI 011-3, Good Practices for Computerised Systems in regulated “GXP” Environments, 25 September 2007, Pharmaceutical Inspection Co-operation Scheme (PIC/S).

1. 21 CFR Part 11 Electronic Records; Electronic Signatures, Code of Federal Regulations, 1997, US Food and Drug Administration (FDA).

1. MHRA: GXP Data Integrity Guidance and Definitions, Revision 1, March 2018, Medicines and Healthcare products Regulatory Agency (MHRA).

1. ISPE GAMP® Good Practice Guide: A Risk-Based Approach to Compliant Electronic Records and Signatures, 2005, International Society for Pharmaceutical Engineering (ISPE).

1. FDA guidance for Industry: Part 11, Electronic Records; Electronic Signatures – Scope and Application, August 2003, US Food and Drug Administration (FDA).

1. ISPE GAMP® Guide: Records and Data Integrity, 2017, International Society for Pharmaceutical Engineering (ISPE).

1. FDA Guidance for Industry: Computerized Systems Used in Clinical Investigations, May 2007, US Food and Drug Administration (FDA).

1. EudraLex Volume 4: Guidelines for Good Manufacturing Practice for Medicinal Products for Human and Veterinary Use, Annex 11, Computerised Systems, 2011.

1. ISPE GAMP® Good Practice Guide: Validation and Compliance of Computerized GCP Systems and Data, 2017, International Society for Pharmaceutical Engineering (ISPE).

1. WHO Expert Committee on Specifications for Pharmaceutical Preparations: Guidance on Good Data and Record Management Practices, June 2016, Technical Report Series, No 996, Annex 5, World Health Organization (WHO).

Author: Dr Leire Zúñiga, Director and Principal GCP Consultant

PHARMITY, 27th of August 2018

www.pharmity.com