1. INTRODUCTION:

Life science industry growth in the past and beyond appears promising, but risk avoidance remains a concern for most companies. With the rapid evolution of technology, more complex data-centric products, and greater regulatory demands, companies are turning to automation, maintaining records, and submitting information electronically to achieve pitfalls like failed audits or recalls^1,2.

Getting to Audit Trail:

The audit trail is one element that has been running continuously with some advancement ever since the pharmaceutical, biotechnology, and medical device, regulatory agencies periodically inspected industries worldwide to verify compliance with a high standard of law.

One of the audit topics is recording raw data and ensuring the integrity of data throughout the entire data lifecycle. The health authorities or regulatory agencies issued many warning letters about audit trail deficiencies^3,4,5. In recent years, the concept of an audit trail has expanded because of the regulatory requirements and industrial guidance.

It captured all information about raw data within the metadata, which is an integral part of raw data⁶. The term "audit trail" refers to a type of metadata, or "data of the data," that stores information on actions and better approaches to the creation, update, alteration, or destruction of GxP (refers to the ‘good practice’) records. It provides a secure recording or a method to check whether the activities being performed inside the organization square measured and recorded within the compliance mode and traced to their origin up to the entire life cycle of a product, either paper or electronic.

It also provides information concerning the relevant chronology of “what is change (e.g., field, data identifiers), who made the changes (e.g., username, role, organization), when it changed (date/time stamp), and most important why the action taken (justification/reason for the change)” should documented⁷.

In a nutshell, audit trails are essential for a system's security because they verify the operations being carried out, record them in compliance mode, track data changes, and offer documentary proof of the series of actions that have influenced any operation, method, activity, or item. An incomplete or absent audit trail can impact data integrity or may raise the authenticity of the activity performed, which may impact the product quality.

The process that creates an audit trail needs to run in a restricted mode, so it can access and supervise all actions from all users; whether an admin, manager, employee, or end-user should not allow to change it. For the same reason, the audit trail function should not be accessible to users other than an ‘admin user’, and for any activity executed by the admin, software should automatically generate an entry into an audit log file (e.g., audit trail).

2. Benefits of an Audit Trail:

We can summarize the key benefits of audit trails as: -

· Accountability⁸: With audit trails, management can monitor changes remotely, encourage proper user conduct, and inspire a user to be trustworthy and responsible.

· Intrusion detection⁸: This allows administrators to identify suspicious behavior or actions.

· An airtight audit trail helps companies to improve internal controls, save time and enhance efficiency.

· Assure data integrity and security, verify and track records

· Stress-free audits⁹: Maintaining adequate documents can reduce the pressure of an audit, which aids in a worry-free audit.

· Reconstruct the history of events – If a system has a glitch, the incidents that led up to it can investigate and be recreated.

· Fraud Prevention⁹: Helps to prevent cyber security breaches and can reduce the likelihood of external fraud.

· Support in disaster recovery in an unanticipated crisis or calamity.

· Regulatory Compliance⁹: Accurate records are crucial to meet regulatory obligations, to comply that is what an audit trail can provide.

3. Types of Audit Trails⁹:

An audit trail can be broadly classified as:

System-level audit trails:

High-level audit trails exist at the system level. They keep track of information about log-on attempts, including recognition of user, date and time of each login/logout, the device being used, and the task worked. Additionally, you can access information about network performance and automatic system operations here.

Application-level audit trails:

Application-level audit trails record operations performed on files and transactions and allow auditors to check whether all procedure stages have adhered. Individual record operations such as time stamping, opening, closing, reading, editing, deleting, and printing/downloading are examples of logged activities.

User audit trails:

A user's activities get recorded in user audit trails. This comprises attempts to access specific data or functionality, visibility to see which commands were launched, and an aggregate of user metrics. A user audit trail will specifically aid in identifying suspicious activity.

4. Regulatory Statutory:

Federal agencies frequently released guidance documents to explain the intent behind current laws and regulations. Over time, guidance has evolved into a key tool that assists in implementing rules. Different regulatory agencies aim to guide the industry for audit trail requirements, which are narrated below.

Food and Drug Administration (FDA)¹¹:

As defined in ‘Data integrity and compliance with drug CGMP, FDA suggests reviewing audit trails that document the change to vital data together with each record before it officially approved the record. Based on the complexity of the system and the expected use, they also recommend regular audit trail checking.

European Commission¹²:

As stated in the draft guideline on computer systems and electronic data in clinical trials published by the European Medicines Agency in June 2021, a secure, computer-generated, time-stamped electronic record that permits the reconstruction of the sequence of events connected to the production, modification, or deletion of an electronic record termed as an audit trail (in computer systems).

21 Code of Federal Regulations (CFR) Part 11 Subpart B, Sec 11.10 regarding controls for closed systems¹³:

A secure, time-stamped audit trail should independently record the entries and actions that create, change, or delete an electronic record. The previously generated records shall not obscure original record changes. If required, such documentation data must be retained. Electronic records should be available for regulatory agencies to evaluate and copy.

Pharmaceutical Inspection Co-operation Scheme (PIC'S)⁷:

PIC/S has been actively involved in the establishment and promotion of harmonized GMP standards and guidance documents ever since it was established. As stated in ‘Good Practices for Data Management and Integrity in Regulated GMP/GDP environments’, the audit trail features should configure properly to capture both general system events and any activity connected to the acquisition, removal, and rewriting of any changes to data for audit.

Medical and Healthcare Products Regulatory Agency (MHRA)¹³:

According to MHRA regulatory requirements defined in ‘Practical application of data integrity and audit trail review’, the entries (such as creation, addition, deletion, and tempering) in a report, whether it be on paper or digitally, can safely record via an audit trail without obscuring or overwriting the original legitimate document. An audit trail facilitates the reconstruction of the history of such events regarding all records should include who, what, when, and why of an action, regardless of the medium used".

5. Components of an Audit Trail^13,14:

Audit trails provide critical information about the entire life cycle of a product. To have a complete audit trail entry, the following components are to be included, but not limited to:

Record link:

It refers to the unique ID of the corresponding record and ensures traceability.

User ID operating:

Each audit trail entry must contain a link to the record and be able to trace back to the person who did it, and this might be the user’s unique ID.

Original and change value:

The audit trail must contain all earlier/new values to a record over time to recreate a complete history.

Justification/Reasons for change:

A justifiable reason with a rationale for the change must be required sometimes and should be handled through a regulated change process.

Date and time stamp:

A transparent and accurate date and time stamp is one of the foremost important components for maintaining trustworthy and reliable electronic records.

6. Audit Trail System Features^13,14:

The audit trail's primary goal is to guarantee the authenticity of electronic records. Governing bodies provide important information on the features of audit trail systems. All audit trails must be:

Available:

Audit trail data should be readily available for review/copy to the regulatory personnel.

Automated:

The computer system must capture all electronic records like creation, modification, or deletion automatically.

Archived:

An audit trail must be kept until we store their corresponding digital statistics records.

Traceable:

Audit trail records intend to be in an intelligible form. If data records are upgraded, the reason for changing and the name of the person must log in along with the previous/new values.

Contemporaneous:

Each audit trail entry should be time-stamped using an appropriately controlled clock that can’t change.

Safe and Secure:

Data from the audit trail must be in a safe location and can’t change by any user for editing.

7. Audit Trail Review:

Many people consider an audit trail review just a review of the audit trail function of the computerized system. Regulators expect pharmaceutical firms to create relevant and efficient data integrity risk-management plans based on reliable data governance, collection technologies, and operating models¹⁶.

The goal of the audit trail review is to determine whether all the generated data complies with the ALCOA+ requirement (refer to section 8, table 1). Data that is attributable, legible, contemporaneous, original, and accurate refers to ALCOA; the + (plus) sign adds complete, consistent, enduring, and available.

During regulatory audits, data integrity has risen to the top of the priority list, and an increasing number of issues have pointed out weaknesses in the audit trail. To ensure transparency, trustworthiness, and reliability of records, reviewing of audit trails is an essential element of data integrity for any automated system.

While reviewing the audit trail, one should examine all the stages that were engaged in the procedure, including the audit trail of an instrument and operating software.

Simple systems, like pH meters, turbidity meters, etc., don’t always have the proper audit trails. In such circumstances, adequate controls, checks such as administrative procedures, and peer review ensure the accuracy of data¹⁵.

When a legacy system lacks the audit trail features, an alternate control or more verification steps can implement, such as specifying the process in a standard operating procedure (SOP), using logbooks, integrating with a validation master plan or quality management system, etc¹⁵. To overcome these issues, companies should try to acquire, upgrade, or replace software that offers audit trail capabilities, according to recent guideline materials⁷.

The data transfer procedure, such as moving data to a spreadsheet or other applications, must also have an audit trail. It's crucial to keep in mind that both the audit trail and the data should have backup and retrieval systems in place. As this requires multiple checks on a larger population of data, regular review of audit trails is more difficult, so a periodic review approach can be used. A thorough understanding of the product and process can substantially reduce the risk¹². It is advisable to identify/implement controls based on risk evaluation for periodic review procedures. Prioritized the audit trail review based on the associated level of risk to find whether the system is at high, medium, or low risk^17,18. These help in identifying the critical checks before the batch release of any product.

In case of any unusual or unexpected findings during the review process, they must examine, and proper corrective and preventive actions (CAPA) measures must be performed to eliminate and verify the impact on product19.

By using a risk-based method, the audit trail periodic review procedure can streamline, rather than a one-size-fits-all²⁰. An audit trail review is one strategy to identify errors in data collection and reporting.

8. Audit Trail Reviewer Qualification:

Another important aspect is to understand that the people responsible for implementing and reviewing the audit trail documents are suitably qualified to carry out the evaluations. One must have sufficient knowledge concerning ALCOA plus standards (presented below in table 1)²¹, data integrity, audit experience, working knowledge of the system, etc. and system access privilege is necessary to review raw data, audit trails, metadata, and other important records.

Table 1: Overview of ALCOA + requirements

Attributable	Keep a record of when and who did what.
Legible	Readable over the entire life span of the record.
Contemporaneous	Noted when the activity is ongoing.
Original	Maintained in their original form.
Accurate	Data with no alterations or errors.
+ Complete	Completeness of the data is required a complete set.
+ Consistent	Data should be internally consistent.
+ Enduring	Enduring throughout the entire data lifecycle.
+ Available	Available without delay throughout the life of the record for examination or inspection.

Apart from the above knowledge, there should be a well-defined procedure for the qualification of the reviewer, and this should be competency-based. A prior, proven track record of analyzing and reviewing some normal and abnormal incidents is an added advantage¹⁵.

9. Suggestions for Compliant Audit Trails²:

For global regulatory acceptance, most industries nowadays are accumulating and managing more data, and to achieve this, it is beneficial to have a validated computer system, procedures, and processes in place. To stay in compliance with laws, a secure, effective, and compliant audit trail log is required. The compliant audit trail includes:

· Electronic signatures – Make sure that signatures are unique to each signer and can’t be copied or transferred.

· User credentials – Appropriate system access should be controlled strictly, based on a person’s role and job responsibility.

· Audit trail reviews – The audit trail review requirements are outlined in Part 11 guidelines, including who must evaluate them and how often. Individuals conducting the review should have working/sufficient knowledge of the system to identify any gaps or improvements needed for the system to make sure that records are complete, without shortcomings or errors, and that the data presented to auditors corresponds to what is in the system.

· Escalation – Authorized personnel shall review and approve the records. If unavailable, the system needs to include the functionality and procedures to allow the escalation of document review and approval to other individuals.

· Security – An integrated quality management system (QMS) with security measures such as role-based authentication and access controls can effectively enhance data protection.

10. CONCLUSION:

The above review study concludes that the audit trail review has become an important tool that is growing continuously, and it is a widely used procedure in pharmaceutical industries. We can utilize it not only to mitigate the risk but also to make sure the integrity of the electronic records. Agency recommends a risk-based approach for the review of an audit trail, which ensures the potential effect on product quality, patient safety, and process. There should be a standard system that clearly defines which data should be subject to the audit trailed best practices.

In addition, regulations and supporting documents provide important information on the features of audit trail systems that must be necessary to maintain a state of compliance.

11. REFERENCES:

1. Mike R. GAMP5 compliance for risk-based computer validation. March 2020; Leveraging. Available on URL: https://www.mastercontrol.com/gxp-lifeline/leveraging-gamp-compliance-for-risk-based-computer-validation.

2. David Jensen. GxP Lifeline, Q and A: A risk-based approach to compliant audit trails. May 2021; Master control. Available on URL:https://www.mastercontrol.com/gxp-lifeline/q-a-a-risk-based-approach-to-compliant-audit-trails.

3. Toscano G. Data Integrity: A Closer Look. NSF International. 2018; White Paper. Available on URL: http://www.nsf.org/newsroom_pdf/pb_data_integrity_closer_look.pdf.

4. Food and Drug Administration (FDA). Warning letters. November 2018; Available on URL: https://www.fda.gov/iceci/enforcementactions/warningletters/default.htm

5. Mrak, E. PDA/FDA Inspection Trends - Parental Drug Association. November 2015; Available on URL: https://www.pda.org/docs/default-source/website-document-library/chapters/presentations/new-england/pda-fda-inspection-trends.pdf

6. Aleksandra C. Data Integrity in Quality Control Laboratory - How to ensure it? 2022; Selvita, Blog. Available on URL:https://selvita.com/blog/data-integrity-in-quality-control-laboratory-how-to-ensure-it.

7. Pharmaceutical Inspection Co-operation Scheme (PIC/S). Good Practices for Data Management and Integrity in Regulated GMP/GDP environments. July 2021.

8. Andy M. Audit trails: Managing the Who, What and When of Business Transactions. August 2017 (updated 4 December 2021); Smartsheet. Available on URL:https://www.smartsheet.com/audit-trails-and-logs

9. Reciprocity. What is an audit trail and what purpose does it serve? Blog. January 2022; Available on URL: https://reciprocity.com/blog/what-is-an-audit-trail-and-what-purpose-does-it-serve.

10. Nuala C and James D. Data Integrity beyond the Lab. ISPE Quality Manufacturing Conference. June 2018; Available on URL:https://ispe.org/pharmaceutical-engineering/january-february-2019/data-integrity-beyond-lab

11. Food and Drug Administration (FDA). Data integrity and compliance with drug CGMP, Question, and Answers, Guidance for industry. December 2018.

12. European Medicines Agency (EMA). Draft Guideline on computer systems and electronic data in clinical trials. June 2021.

13. Robert L. Practical application of data integrity and audit trail review. Lonza informatics. June 2019; Available on URL:https://www.pda.org/docs/default-source/website-document-library/chapters/presentations/pacific-northwest/practical-applications-of-data-integrity-and-audit-trail.pdf

14. Audit trail requirements in electronic GxP systems: A quick guide. The FDA group, Blog. July 2017; Available on https://www.thefdagroup.com/blog/audit-trail-requirements-in-electronic-gxp-systems-a-quick-guide.

15. Shrivastava, R. what is Audit Trail | Audit Trail Review in Pharma Industries | Requirements. LyfnStyle. October 2021; Available on URL:https://www.lyfnstyle.com/what-is-audit-trail-audit-trail-review-in-pharma-industries-requirements.

16. Audit Trail Review: A key Tool to Ensure Data Integrity, eClinical Forum and the Society for Clinical Data Management, October 2020; Available on URL:https://scdm.org/wp-content/uploads/2020/10/eCF_SCDM-ATR-Industry-Position-paper-Final-Editorial-Edits.pdf

17. Chandrasekar P. Audit Trails Review for Data Integrity, Pharmaceutical Updates. October 2021; Available on URL:https://pharmaceuticalupdates.com/2021/10/28/audit-trails-reviews-for-data-integrity.

18. Jeanne M, Audit Forum - Audit Trails - IVT Network Institute of validation technology. November 2021; Available on URL:https://www.ivtnetwork.com/article/audit-forum-audit-trails

19. Chandrasekar P. Requirement of Audit Trails in Pharmaceuticals. Pharmaceutical Updates. May 2020; Available on URL:https://pharmaceuticalupdates.com/2020/05/06/requirement-of-audit-trail-in-pharmaceuticals-and-in-other-industries.

20. Ivan S. Audit Trail and Data Integrity in Pharmaceuticals and Life Sciences, GXP. May 2020; Available on URL:https://www.ivntnetwork.com.

21. What is Data Integrity and ALCOA Plus, Pharma Awareness. January 2019; Available on URL:https://www.pharmawareness.com/what-is-data-integrity-and-alcoa-plus/

Received on 28.06.2022 Modified on 18.07.2022

Asian J. Pharm. Res. 2022; 12(4):359-363.

DOI: 10.52711/2231-5691.2022.00056