Audit Trail: Risk-Based Approach to Compliance

With the rapid evolution of technology, more and more companies in regulated industries have transitioned to an electronic medical device audit trail. This was the impetus for the U.S. Food and Drug Administration’s (FDA) 21 CFR Part 11 regulation, which states that electronic records and signatures are equivalent to paper records and handwritten signatures.


Compliance with the regulation requires that a digital signature be assigned to a specific individual, include a signature type (i.e., review, approval, author), and be traceable from the document back to the signer.



To ensure the transparency, trustworthiness, and reliability of records, regulatory oversight of a company’s data and records management includes examining timestamped audit trails. GxP Lifeline recently met with Seyed Khorashahi, executive vice president of medical devices and CTO at Regulatory Compliance Associates (RCA) — a worldwide consulting firm that assists pharmaceutical, biologic, sterile compounding, biotechnology, and medical device companies with resolving compliance and regulatory challenges. Khorashahi shares some valuable insight on the anatomy of a medical device audit and advises companies on how to comply with this critical component of Part 11.


Medical Device Audit


Bottom line, an audit trail is the who, what, when, and why of a company’s data. It’s a log of metadata that essentially allows you to reconstruct all user actions and events, so the record shows who made a change, what was changed, when it was changed and, more importantly, why.


Part 11 includes the predicate rules, which apply to record retention throughout the product’s life cycle — from cradle to grave. An audit trail ensures the ongoing completeness, accuracy, integrity, and security of data and records. It’s also necessary to provide transparency of the actions people take with the data. This all needs to be available to auditors during an inspection.


Audit Tracking


Manufacturing regulated products calls for keeping a close eye on tracking product data — especially when it can impact patient safety. This can be tricky in the day-to-day gathering, storage, tracking, usage, etc. of data.


Good Documentation Practices (GDP) mandate that you document everything in regulated product development. This helps provide supporting evidence during audit tracking that employees are following procedures. An important component in a medical device audit is that data needs to be timestamped. Therefore, data needs to be in electronic form. Companies still using paper records need to digitize documents in order to file and track them electronically.


Document Scanning


When scanning materials, clarity is critical to field audit tracking. Text-only documents can be simple enough, but images are more difficult. You need the ability to capture everything to ensure it’s a true copy that is acceptable under GxP regulations.


Beyond that, scanning stacks of documents is prone to its own set of challenges. Not only is it extremely time-consuming, but all scanned documents also need to be reviewed. This ensures there are no errors or missing pages at the end of the medical device audit. Then the same Part 11 signature guidelines need to apply.


Another challenge is that the audit trail software companies use for managing quality processes and data is configurable. This means it might not be set up to limit access to specific users or to revise access permissions. Above all, leadership should put controls in place against the inadvertent deletion of data, which directly puts data integrity at risk.


Medical Device Cybersecurity


Also, if they’re using an open system (connected to the network), it becomes a cybersecurity concern because open systems have a wider cyberattack surface. Hackers continuously employ various human and computer-generated measures to gain access to a company’s data. Once data is breached, it’s no longer compliant with data integrity requirements.


There are also situations where employees undermine medical device audit trails by sharing login credentials. This has actually been noted in both warning letters and the audit trail report. Community system access may be a common workaround to keep production going when key personnel are away.


However, going back to the who, what, when, and why concept, when an entire department uses the same username and password, there is no way to accurately trace actions to specific individuals or verify electronic signatures.


Audit Trail Compliance


As I mentioned earlier, at the end of the day, data stewardship is all about keeping track of who, what, when, and why. Companies are collecting and handling more data these days. This means there is a lot more information to keep an eye on. Data has a certain life cycle based on the type of product.

You need to make sure you have a validated system and processes in place to ensure it remains intact, secure, and readily accessible for audits.


I recommend using a risk-based approach with audit trails. Your quality management system (QMS) and processes can identify and resolve the risks to data integrity. Here are a few items to consider when doing a risk assessment and being compliant with Part 11:


  • Electronic signatures – Are electronic signatures unique to the individual? Ensure that signatures cannot be copied or transferred.
  • User credentials – Is user access tightly controlled based on each person’s role and job responsibility? For example, people who access and modify data should not be able to turn off or modify the audit trail. Having too many users with read and write access to data increases the risk of intentional or inadvertent data changes or loss.
  • Audit trail reviews – Are audit trails getting reviewed often enough and by the right people? Part 11 guidelines specify the audit trail review requirements regarding who and how frequently they need to be reviewed. This is necessary to ensure records are accurate, free of gaps and errors, and that the information provided to auditors matches what is in the system.
  • Escalation – Are only authorized personnel reviewing and approving records? There are occasions when an approver is unavailable. There should always be another person who is authorized to approve and sign records. The system needs to include the functionality and procedures to allow the escalation of document reviews and approvals to other authorized individuals. These situations also need to be logged and documented.
  • Security – Are there system vulnerabilities that could lead to a security breach? I touched on security earlier, but I can’t emphasize enough the importance of system and data security. Even before COVID-19 dispatched employees to work remotely, many companies were incorporating mobile devices. This increases security vulnerabilities. Using an integrated QMS that has security measures such as role-based authentication and access controls can effectively augment data protection processes.
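As an added illustration of the who/what/when/why requirement, the separation between record modifiers and audit trail administrators, and the "free of gaps and errors" review check (this is example code written for this article, not software from RCA or any QMS vendor): a minimal append-only, hash-chained audit trail in Python. The role names, permission strings and the chaining scheme are assumptions made for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # anchor hash for the first entry in the chain

# Separation of duties (assumed roles): whoever can modify records gets no
# permission to turn off or reconfigure the audit trail.
ROLE_PERMISSIONS = {
    "analyst": {"read_record", "modify_record"},
    "reviewer": {"read_record", "approve_record", "review_audit_trail"},
    "system_admin": {"configure_audit_trail"},
}

def authorize(role, action):
    """Grant an action only when the role's permission set lists it explicitly."""
    return action in ROLE_PERMISSIONS.get(role, set())

class AuditTrail:
    """Append-only log: every entry records who, what, when and why, and each
    entry's hash covers the previous hash, so edits and gaps become detectable."""
    FIELDS = ("seq", "who", "what", "when", "why")

    def __init__(self):
        self.entries = []

    def _digest(self, entry, prev_hash):
        payload = json.dumps({k: entry[k] for k in self.FIELDS}, sort_keys=True)
        return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

    def record(self, who, what, why, when=None):
        # A change without a documented reason is incomplete, so it is refused.
        if not why or not why.strip():
            raise ValueError("reason for change is mandatory")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries) + 1, "who": who, "what": what,
                 "when": when or datetime.now(timezone.utc).isoformat(), "why": why}
        entry["hash"] = self._digest(entry, prev)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, None) if intact, else (False, seq of the first bad entry):
        a removed middle entry shows as a sequence gap, an edited one as a hash mismatch."""
        prev = GENESIS
        for expected, entry in enumerate(self.entries, start=1):
            if entry["seq"] != expected or entry["hash"] != self._digest(entry, prev):
                return False, expected
            prev = entry["hash"]
        return True, None
```

Truncating the tail of the chain is not caught by verify() alone; the latest hash has to be recorded somewhere the modifiers cannot reach (for example in the signed audit trail review record) and compared at each review.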


Digitization is the direction things are going. You need to be able to effectively control and rely on your data. And legacy and hybrid systems won’t always be compatible with the evolving regulatory landscape. Companies in regulated environments need to make sure their data and metadata are compliant with data integrity requirements. Data access should be transparent and accessible to future medical device audit team members, including in a readable format for the extent of the data’s life cycle.


About RCA’s Medical Device Consulting Services


The regulatory compliance process surrounding the medical device industry involves strict adherence to pre/post market information throughout a device’s life cycle. Even a single compliance issue can have a significant effect on your business. Regulatory Compliance Associates medical device consultants can help guide you through any stage of this strategic process, with capabilities from product development through the regulatory clearance/approval of your product.


Our team of over 500 medical device consulting experts — including former FDA officials and regulatory compliance leaders in the field of medical device regulation — will work with your company to create a quality assurance and regulatory compliance approach tailored to your products and regulatory needs. Regulatory Compliance Associates works with international Fortune 100 companies, venture capital start-ups, and companies of all sizes and shapes. Our compliance enforcement solutions for law firms include remediation for warning letters, FDA 483s, import bans or consent decrees. Very few regulatory compliance services have the same regulatory compliance expertise in a variety of medical fields.




For medical device manufacturers, technology can be a double-edged sword. The innovative technologies that elevate the quality of life for patients can also be used to potentially undermine the organization using the device. The consequences can affect the device itself if Regulatory Compliance Associates medtech consultants do not implement good IoT cybersecurity and FDA cybersecurity protocols.


At Regulatory Compliance Associates, we offer a wide variety of services for medical devices security to help ensure that your product is protected from cyber-attacks. With a well-planned design, along with full visibility of product development and the supply chain, Regulatory Compliance Associates medical device consultant Experts can help strengthen your device’s cybersecurity. We partner with medical device companies in each phase of the design cycle, including protecting inputs from threat exposure and hardening outputs for regulatory compliance & FDA submission approval of your medical technology.


Regulatory Affairs


Regulatory affairs is Regulatory Compliance Associates® backbone, and we handle more submissions in a month than many manufacturers do in a lifetime. Our regulatory compliance consulting Experts have experience working with the FDA, global regulatory bodies and / or agencies, and notified bodies worldwide. Therefore, you can count on us for in-depth and up-to-date insights which increase speed-to-market.


As a trusted regulatory affairs consultant, our FDA veterans and industry experts represent Regulatory Compliance Associates® as one of the top medical device consulting firms. We’re here to help you navigate the difficulties associated with new product submissions. Regulatory Compliance Associates® medical device consulting company has expertise in both the approval process and post-approval support. 


  • New Product Approval
  • Post-Approval Support
  • Outsourced Staffing
  • EU MDR
  • Combination Products


Compliance Assurance


Increasingly, life science companies are feeling the pressure of greater scrutiny by regulators, and responding by developing sustainable compliance strategies. Whether it’s preparing for an audit, developing a response to an FDA finding, or remediation to an adverse event, Regulatory Compliance Associates® can help.


Our network of over 500 medical device consultants and FDA, MHRA and EMA veterans offers a unique blend of expertise. This allows Regulatory Compliance Associates® to handle both simple and complex regulatory compliance challenges within medical device consulting companies.


  • Gap Assessments
  • Internal Audits
  • Employee Training
  • Notified Body Response
  • Data Integrity


Quality Assurance


Regulatory Compliance Associates® Quality Assurance consulting includes quality system assessments, strategy, implementations, and identification of quality metrics to ensure continuous improvement, aligning with your business needs and goals. Each Regulatory Compliance Associates® medical device consultant is a quality expert with experience spanning major corporations and start-ups. We know firsthand how to achieve, maintain, and improve quality, and we excel in transferring this knowledge to your organization.


In the medical devices field, quality assurance (QA) is more than merely ensuring the quality of a finished product. You need the tools to monitor and regulate every process from the design of a new product to continued quality compliance as the device is sent to market. At Regulatory Compliance Associates®, we offer you the quality assurance services you need to monitor these processes and ensure quality compliance every step of the way.


With more than 20 years’ experience working with medical device consulting companies, Regulatory Compliance Associates® trusted medical device quality assurance consultant team is fully equipped to handle your unique QA needs.


  • ISO 13485
  • 21 CFR 210
  • 21 CFR 211
  • Outsourced Staffing
  • Facility Validation
  • Equipment Validation
  • Quality Metrics


Remediation Support


Regulatory Compliance Associates® is widely recognized within medical device consulting companies and the life science industry for remediation support. Regulatory Compliance Associates® ability to help companies successfully resolve complex regulatory challenges has a proven track record of success. Our medical device consulting services include significant experience with the development of responses to 483 Observations, Warning Letters, Untitled Letters and Consent Decrees.


  • Regulatory Action
  • Regulatory Compliance
  • Regulatory Enforcement
  • Warning Letter
  • 483 Observation
  • Oversight Services


Our value goes beyond the initial response by helping companies successfully execute their action plans, develop an improved compliance culture tailored to the needs of their business, and ultimately move beyond the regulatory action to emerge as a stronger business. We negotiate the difficult demands of remediation with insight and the clear advantage of our medical device consultant expertise and experience, which makes partnering with Regulatory Compliance Associates® a competitive differentiator in the remediation space.


  • Quality System
  • Technical File
  • Design History File
  • Data Integrity
  • cGMP


Strategic Consulting


Whether it’s a strategy, a technical plan, or a project, Regulatory Compliance Associates® medical device consultancy can help ensure a successful outcome. Regulatory Compliance Associates® medical device strategy consulting can deliver your project on time and on budget, without embroiling you in a costly mistake.


Our medical device consultants are industry experts who are here to provide the unique insight you need before an M&A deal, through a staffing crisis and in every area of your product’s development and life cycle. As the trusted medical device manufacturing consultants of thousands of companies around the world, we have the knowledge and expertise needed to deliver exceptional results to your business — no matter your size or unique needs.


  • Manufacturing Optimization
  • Product Lifecycle Management
  • Mergers & Acquisitions (M&A)
  • Due Diligence
  • Device Vigilance
  • Risk Management Plan
  • Product Complaints
  • Medical Information


About Regulatory Compliance Associates


Regulatory Compliance Associates® (RCA) provides medical device consulting to the following industries for resolution of life science challenges:



We understand the complexities of running a life science business and possess areas of expertise that include every facet of R&D, operations, regulatory affairs, quality, and manufacturing. We are used to working on the front lines and thriving in the scrutiny of FDA, Health Canada, MHRA and globally-regulated companies.


As your partners, we can negotiate the potential minefield of regulatory compliance and regulatory due diligence with insight, hindsight, and the clear advantage of our unique expertise and experience.


  • Founded in 2000
  • Headquartered in Wisconsin (USA)
  • Expertise backed by over 500 industry subject matter experts
  • Acquired by Sotera Health in 2021


About Sotera Health


The name Sotera Health was inspired by Soteria, the Greek goddess of safety, and reflects the Company’s unwavering commitment to its mission, Safeguarding Global Health®.


Sotera Health Company, along with its three best-in-class businesses – Sterigenics®, Nordion® and Nelson Labs® – is a leading global provider of mission-critical end-to-end sterilization solutions and lab testing and advisory services for the healthcare industry. With a combined tenure across our businesses of nearly 200 years and our industry-recognized scientific and technological expertise, we help to ensure the safety of over 190 million patients and healthcare practitioners around the world every year.


We are a trusted partner to more than 5,800 customers in over 50 countries, including 40 of the top 50 medical device companies and 8 of the top 10 pharmaceutical companies.


Commitment to Quality


Our Certificate of Registration demonstrates that our Quality Management System meets the requirements of ISO 9001:2015, an internationally recognized standard of quality.




