Audit Trail Compliance And What To Look For In Mitigation Software
By Sakthivel Thangaiyan

An audit trail is a chronological log of the “who, what, when, and why” of a record, generated in either electronic or paper format. Electronic audit trails are secure, computer-generated, time-stamped electronic records that allow for reconstruction of the course of events relating to the creation, modification, or deletion of data, such as processing and results, and that track actions at the record or system level.[1-5] Paper-based audit trails are typically embedded within the recording of original data as part of the data review. Audit trail functionalities for electronic-based systems must be configured properly to capture general system events and activities relating to the acquisition, deletion, and changes to data for audit purposes. The audit trail is important for accountability, data integrity, repeatability to re-create an event for investigation, re-creation of a study during disaster recovery, and regulatory compliance in the medical device and pharmaceutical industries.
It is acknowledged that some systems lack appropriate audit trails; however, in those cases alternative arrangements to verify the veracity of data must be implemented.
Requirements Of An Audit Trail
- Security: The system must not allow the user to either disable or modify the audit trail events. All system users except the administrator of the software must have access to view/review and approve the audit trail per 21 CFR 11.10(e).[1-4] The administrator of the software must have access to enable/disable the audit trail and restrict access to the audit trail by other users per 21 CFR 11.10(d).
- Time-Stamped: The software should automatically capture the date and time of actions/events, including creation, modification, deletion, document approval, and retirement events per 21 CFR 11.10(e).[1-4]
- Attributable: Capturing the user’s identity for actions performed within the system is vital, aligning with 21 CFR 11.10(g).[1-4] Authority checks must be in place to ensure that only authorized individuals can utilize the system.
- Available: Audit trails must be available for review and copying and available for inspection in a human-readable format.[1-4]
- Change History: The audit trail must capture and record all the events and changes made to electronic records per 21 CFR 11.10(e). The audit trail must not obscure previously recorded information, ensuring a complete and unaltered record of events with version histories for all changes made.[1-4]
- Audit Trail Retention: The audit trail must be attached to each piece of data generated by the system, and the data retention period will remain the same as for the corresponding audit trail.[1-4]
- Audit Trail Review: A detailed audit trail review procedure must be available. An audit trail must be submitted for any data review, including but not limited to original data, processed data, and relevant metadata for accuracy, technical validity, and compliance with procedural requirements. Audit trail review is part of the data review process.[1-5]
All the above requirements will be verified at the time of computer system validation, and if the system is unable to adequately meet these audit trail requirements, it must be remediated to achieve compliance through a software upgrade.
Challenges When Built-In Audit Trails Are Unavailable
- Integration Complexity: Implementing an audit log often requires seamless integration with existing application software. The complexity of integrating with diverse platforms, databases, and applications within an organization can pose a significant challenge.
- Minor Event Logging: Setting up the audit log to capture the right level of detail without overwhelming the system with excessive data can be challenging. Configuring granular logging to track specific user activities, access control changes, and system events without compromising performance requires careful planning and expertise.
- Retention and Storage Costs: Maintaining an extended data retention period comes with increased storage costs. Balancing the need for historical log data with the associated storage expenses poses a financial challenge. Organizations need to find a cost-effective solution that meets both compliance requirements and budget constraints.
- Ensuring Scalability: As the organization grows, the audit logging solution must scale up accordingly. Ensuring that the chosen platform can handle the increasing volume of log data efficiently is crucial for maintaining optimal performance and responsiveness.
- High-Frequency Data Generation: In the event of high-frequency data generation, audit logs may rapidly become flooded with an overwhelming amount of data. Effectively managing, storing, and analyzing this extensive data log can pose a substantial challenge, often necessitating considerable resources.
- Performance: The act of recording each event can have repercussions on system performance. This may manifest as latency or bottlenecks, particularly problematic in real-time systems or environments with stringent performance requirements. Unauthorized access or tampering poses a risk to the reliability of the logs.
- Review Complexity: Conducting a comprehensive review of audit logs can be intricate due to the sheer volume of data. Identifying momentous events amidst numerous routine activities may prove to be a time-consuming endeavor.
- Event Correlation: Effectively analyzing logs often involves correlating events from diverse sources to discern patterns or security threats. This task can be intricate, especially when dealing with a variety of systems and applications.
Some systems lack appropriate audit trails; however, in those cases, alternative arrangements to verify the veracity of data can be implemented, e.g., alternative compliance software, administrative procedures, secondary checks, and controls.
Requirements Of Audit Trail Mitigation Software
For the medical and pharmaceutical industries, there are many software programs available to provide the audit trail functionality for systems that do not have built-in audit trail functionality. Features that you will want to look for when selecting mitigation software include:
- The mitigation software must capture and save various audit trail data, such as who made changes, when the changes were made, and versions of changed files, with an option to capture the reason for the changes. Also, it must provide an option to capture electronic signatures, unauthorized access attempts, and other system events.
- If an event notification requires a sign-off signature, the mitigation software must prompt the user for their username, domain, and password to authenticate the user’s electronic signature. This combination will be considered an electronic signature manifestation.
- The mitigation software must provide reports that identify audit trails for critical data. It must provide an option to retrieve, display, export, and print for inspection and the report must be in a human readable format. The mitigation software must also have a user-friendly option to set criteria like the start date and end date for which the audit trail report is required. It must also provide an option to compare the audit trail with another file.
- It must provide real-time compliance monitoring for identifying and recording events such as creation, modification, and deletion occurring to file(s) and be configured to monitor these in a folder to ensure data integrity and 21 CFR Part 11 compliance.
- It must have a content management platform, which makes it easier for GxP-regulated companies to analyze data integrity, manage the quality of their studies, and stay compliant with 21 CFR Part 11 requirements.
- It must have a comprehensive quality risk management system that predicts compliance risks, automates quality control checks in both manual and automated environments, captures data from all key business systems, and monitors user activity to ensure data integrity.
- It must connect to the network and monitor defined data sources.
- It must also monitor and retrieve data from multiple sources, including files on workstations and file servers.
- It must detect changes by monitoring defined and configured file directories. When a file is created, modified, or deleted in a monitored directory, it automatically captures information related to the change, such as username, file name, time, date, etc., for a complete audit trail.
- The mitigation software must be capable of monitoring minimally the following types of files:
  - Configuration files
  - Excel spreadsheet
  - Word documents
  - Text files
  - PDFs
  - Graphics files
  - All Microsoft files
  - Recipe files
  - Data files
  - PLC programs
  - Access database
  - SAS data set
  - Database
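The directory-monitoring requirement above, as an added example (not code from the article or from any mitigation product): two snapshots of a monitored folder are compared to produce created/modified/deleted events, and each event is appended as a who/what/when/why record linked to the previous one by hash, so an edit to an earlier record is detectable on review. The hash chain, the field names and the caller-supplied `user` are assumptions of this example; comparing snapshots cannot by itself tell who changed a file.

```python
import hashlib, json, os
from datetime import datetime, timezone
GENESIS = "0" * 64  # constructed start value for the record chain

def snapshot(directory):
    """Map each file under `directory` to the SHA-256 of its content."""
    state = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(path, directory)] = digest
    return state

def diff_events(before, after):
    """Return (action, file, old_hash, new_hash) per change between snapshots."""
    events = []
    for path in sorted(set(before) | set(after)):
        old, new = before.get(path), after.get(path)
        if old is None:
            events.append(("created", path, None, new))
        elif new is None:
            events.append(("deleted", path, old, None))
        elif old != new:
            events.append(("modified", path, old, new))
    return events

def _digest(record):  # hash of every field except the digest itself
    body = {k: v for k, v in record.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_records(trail, events, user, reason=""):
    """Append one record per event; `user` is supplied by the caller (assumption)."""
    for action, path, old, new in events:
        record = {"when": datetime.now(timezone.utc).isoformat(), "who": user,
                  "what": action, "file": path, "why": reason,
                  "old_sha256": old, "new_sha256": new,
                  "prev": trail[-1]["digest"] if trail else GENESIS}
        record["digest"] = _digest(record)
        trail.append(record)  # append-only: earlier records are never rewritten
    return trail

def verify(trail):
    """True only if every record is unmodified and still linked to its predecessor."""
    prev = GENESIS
    for record in trail:
        if record["prev"] != prev or record["digest"] != _digest(record):
            return False
        prev = record["digest"]
    return True
```

Removing records from the end of the trail is not caught by `verify` alone; storing the latest digest somewhere the monitored users cannot write closes that gap.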
In cases of failure to meet the audit trail requirements through a built-in audit trail or compliance software, procedural control must be established by defining the process in a standard operating procedure and using log sheets to capture all the system events/responses. The audit trail review must be completed for the data generated by the systems with manual audit logs.
References
1. Part 11, Electronic Records; Electronic Signatures - Scope and Application | FDA
2. https://www.fda.gov/media/119267/download
3. https://www.fda.gov/media/75414/download
4. eCFR: 21 CFR Part 11 -- Electronic Records; Electronic Signatures
5. https://assets.publishing.service.gov.uk/media/5aa2b9ede5274a3e391e37f3/MHRA_GxP_data_integrity_guide_March_edited_Final.pdf
About The Author:
Sakthivel Thangaiyan is a senior technical manager who currently works at a medical device OEM in the U.S. He has 18+ years of experience in validation of analytical instruments, computerized systems, test methods, processes, and multi-use spreadsheets in both the medical and pharmaceutical industries. He holds a bachelor’s degree in engineering from Anna University, Chennai, India.