Audit Trail: Risk-Based Approach to Compliance

With the rapid evolution of technology, more and more companies in regulated industries have transitioned to an electronic audit trail. This was the impetus for the U.S. Food and Drug Administration’s (FDA) 21 CFR Part 11 regulation, which states that electronic records and signatures are equivalent to paper records and handwritten signatures.


Compliance with the regulation requires that a digital signature be assigned to a specific individual, include a signature type (i.e., review, approval, author), and be traceable from the document back to the signer.



To ensure the transparency, trustworthiness, and reliability of records, regulatory oversight of a company’s data and records management includes examining timestamped audit trails. GxP Lifeline recently met with Seyed Khorashahi, executive vice president of medical devices and CTO at Regulatory Compliance Associates (RCA) Inc. — a worldwide consulting firm that assists pharmaceutical, biologic, sterile compounding, biotechnology, and medical device companies with resolving compliance and regulatory challenges. Khorashahi shares some valuable insight on the anatomy of an audit trail and advises companies on how to comply with this critical component of Part 11.


Audit Trail Overview


Bottom line, an audit trail is the who, what, when, and why of a company’s data. It’s a log containing metadata that essentially allows you to reconstruct all user actions and events. An accurate audit trail shows who made a change, what was changed, when it was changed and, more importantly, why.


Part 11 includes the predicate rules, which apply to record retention throughout the product’s life cycle — from cradle to grave. An audit trail ensures the ongoing completeness, accuracy, integrity, and security of data and records. It’s also necessary to provide transparency of the actions people take with the data. This all needs to be available to auditors during an inspection.


Audit Tracking


Manufacturing regulated products calls for keeping a close eye on tracking product data — especially when it can impact patient safety. This can be tricky in the day-to-day gathering, storage, tracking, usage, etc. of data.


Good Documentation Practices (GDP) mandate that you document everything in regulated product development. This helps provide supporting evidence during audit tracking that employees are following procedures. An important component of an audit trail is that data must be timestamped. Therefore, data needs to be in electronic form. Companies still using paper records need to digitize documents in order to file and track them electronically.


Document Scanning


When scanning materials, clarity is critical to field audit tracking. Text-only documents can be simple enough, but images are more difficult. You need the ability to capture everything to ensure it’s a true copy that is acceptable under GxP regulations.


Beyond that, scanning stacks of documents is prone to its own set of challenges. Not only is it extremely time-consuming, but all scanned documents also need to be reviewed. This ensures there are no errors or missing pages in the audit. Then the same Part 11 signature guidelines need to apply.


Another challenge is that the audit trail software companies use for managing quality processes and data is configurable. This means it might not have a way to limit access to specific users or to revise access permissions. Above all, leadership should put controls in place against the inadvertent deletion of data, which directly puts data integrity at risk.


Audit Trail Cybersecurity


Also, if they’re using an open system (connected to the network), it becomes a cybersecurity concern because open systems have a wider cyberattack surface. Hackers continuously employ various human and computer-generated measures to gain access to a company’s data. Once data is breached, it’s no longer compliant with data integrity requirements.


There are also situations where employees undermine audit trails by sharing login credentials. This has actually been noted in both warning letters and the audit trail report. Shared system access may be a common workaround to keep production going when key personnel are away.


However, going back to the who, what, when, and why concept, when an entire department uses the same username and password, there is no way to accurately trace actions to specific individuals or verify electronic signatures.


Audit Trail Compliance


As I mentioned earlier, at the end of the day, data stewardship is all about keeping track of who, what, when, and why. Companies are collecting and handling more data these days. This means there is a lot more information to keep an eye on. Data has a certain life cycle based on the type of product.

You need to make sure you have a validated system and processes in place to ensure data remains intact, secure, and readily accessible for audits.

I recommend using a risk-based approach with audit trails. Your quality management system (QMS) and processes can identify and resolve the risks to data integrity. Here are a few items to consider when doing a risk assessment and being compliant with Part 11:

  • Electronic signatures – Are electronic signatures unique to the individual? Ensure that signatures cannot be copied or transferred.
  • User credentials – Is user access tightly controlled based on each person’s role and job responsibility? For example, people who access and modify data should not be able to turn off or modify the audit trail. Having too many users with read and write access to data increases the risk of intentional or inadvertent data changes or loss.
  • Audit trail reviews – Are audit trails getting reviewed often enough and by the right people? Part 11 guidelines specify who must review audit trails and how frequently. This is necessary to ensure records are accurate, free of gaps and errors, and that the information provided to auditors matches what is in the system.
  • Escalation – Are only authorized personnel reviewing and approving records? There are occasions when an approver is unavailable. There should always be another person who is authorized to approve and sign records. The system needs to include the functionality and procedures to allow the escalation of document reviews and approvals to other authorized individuals. These situations also need to be logged and documented.
  • Security – Are there system vulnerabilities that could lead to a security breach? I touched on security earlier, but I can’t emphasize enough the importance of system and data security. Even before COVID-19 dispatched employees to work remotely, many companies were incorporating mobile devices. This increases security vulnerabilities. Using an integrated QMS that has security measures such as role-based authentication and access controls can effectively augment data protection processes.
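As an added example (not code from the article, GxP Lifeline or RCA), here is a minimal audit trail in Python that records the who, what, when and why of each action plus a signature type, chains entries with hashes so that an edited, deleted or reordered record is caught at review time, and flags a single username acting from several workstations, which is how shared credentials tend to surface in a review. The users, hostnames and record ids are constructed sample data.

```python
import hashlib, json
from datetime import datetime, timezone

class AuditTrail:
    def __init__(self):
        self.entries = []  # append-only; each entry commits to the previous one

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "digest"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, who, what, why, when=None, host="ws-unknown", signature_type=None):
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        entry = {"seq": len(self.entries), "who": who, "what": what, "why": why,
                 "when": (when or datetime.now(timezone.utc)).isoformat(),
                 "host": host, "signature_type": signature_type, "prev": prev}
        entry["digest"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """(True, None) if intact, else (False, seq) of the first edited, deleted or reordered entry."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["digest"]:
                return False, i
            prev = e["digest"]
        return True, None

def review(trail):
    """Review findings: entries with no reason, and one username seen on several hosts."""
    findings, hosts = [], {}
    for e in trail.entries:
        if not e["why"]:
            findings.append(f"seq {e['seq']}: no reason recorded")
        hosts.setdefault(e["who"], set()).add(e["host"])
    for who, hs in hosts.items():
        if len(hs) > 1:
            findings.append(f"user {who}: active on {len(hs)} workstations, possible shared login")
    return findings

def build_sample():
    """Constructed sample entries (hypothetical users, hosts and record ids)."""
    t = AuditTrail()
    when = datetime(2023, 5, 1, 9, 0, tzinfo=timezone.utc)
    t.record("jdoe", "DHR-0042: pH 7.2 -> 7.4", "recalibration per SOP-17", when, "ws-01", "author")
    t.record("asmith", "DHR-0042 approved", "release review", when, "ws-02", "approval")
    t.record("lab_shared", "DHR-0043 edited", "", when, "ws-03")
    t.record("lab_shared", "DHR-0043 edited", "typo fix", when, "ws-04")
    return t
```

In a real system the chain head (the last digest) would be stored outside the reach of users who can modify data, so that the people the text says must not be able to alter the audit trail cannot simply re-hash it after an edit.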


Digitization is the direction things are going. You need to be able to effectively control and rely on your data. And legacy and hybrid systems won’t always be compatible with the evolving regulatory landscape. Companies in regulated environments need to make sure their data and metadata are compliant with data integrity requirements. Data access should be transparent and accessible in a readable format for the extent of the data’s life cycle.


About RCA Pharmaceutical Services


Regulatory Compliance Associates (RCA)® has helped thousands of pharmaceutical companies meet regulatory, compliance, quality assurance, and remediation challenges. With more than 20 years of experience with FDA, Health Canada, EU and global regulatory agencies worldwide, RCA offers leading pharmaceutical consultants that can help you navigate through the challenges associated with evolving industry regulations.


Our team of over 500 seasoned FDA, Health Canada and EU compliance consultants and regulatory affairs experts can understand the complexities surrounding the pharmaceutical industry and the unique inner workings of the regulatory process. 


Client Solutions


Whether you’re in the product planning, development or pharmaceutical lifecycle management stage or need a remediation strategy for a compliance crisis, RCA® Inc. will guide you through every step of the regulatory process and create a customized approach depending on your product and your pharma company’s individual needs. Our clients include:


  • Companies new to FDA, Health Canada or EU regulations and the pharmaceutical industry
  • Start-up organizations with novel submissions to 510(k) submissions from multi-national corporations
  • Investment firms seeking private equity due diligence for pre-acquisition and post-deal research
  • Law firms seeking expertise in the remediation of warning letters, consent decrees, 483’s or import bans


Regulatory Affairs


Regulatory affairs is Regulatory Compliance Associates® Inc.’s backbone and we fully understand the complexities of the pharmaceutical and biopharmaceutical industries. Our expertise spans all facets and levels of Regulatory Affairs, from Regulatory Support for New Products to Life Cycle Management, to other services like Outsourced Regulatory Affairs, Submissions, Training, and more.


As your partner, we can negotiate the potential assessment minefield of pharmaceuticals with insight, hindsight, and the clear advantage of our breadth and depth of knowledge and experience. We offer the following four regulatory affairs services for pharmaceutical companies.


  • New Product Support
  • Product Lifecycle
  • Other Regulatory Services


Compliance Assurance


The regulations process surrounding pharmaceutical companies can be tricky for even the most experienced industry veteran to understand, and just one misstep could mean significant and lasting consequences for your business. At RCA® Inc., we offer the experience and resources necessary to guide you in quality compliance.


  • Assessments
  • Audits
  • Regulatory Agency Response
  • Preparation and Training
  • Inspection Readiness


Quality Assurance


Regulatory Compliance Associates® Inc.’s Quality Assurance services include assessments, strategy, implementations, staff augmentations, and identification of quality metrics to ensure continuous improvement, aligning with your business needs and goals. Our consultants are quality experts with experience spanning major corporations and start-ups. We know firsthand how to achieve, maintain, and improve quality, and we excel in transferring this knowledge to your organization.


  • 21 CFR Part 11
  • Data Integrity
  • Manufacturing Support
  • Facility Support




Regulatory Compliance Associates® Inc. has significant experience and a proven approach to managing FDA Warning Letters, Consent Decrees, Remediation and other serious regulatory situations. We know how to partner with executive, legal, and communication teams, and will assist management with a response that will be accepted by the regulatory agency and be realistic to execute.


We can develop a comprehensive proof book of documented objective evidence demonstrating the corrective actions taken to remediate non-compliant issues. In addition, RCA can help prepare a comprehensive strategy to assist in your remediation efforts, drive continuous improvement, and maintain compliance with the regulations.


  • Regulatory Action
  • Warning Letter
  • 483 Observation
  • Oversight Services


About RCA


Regulatory Compliance Associates® (RCA) provides regulatory compliance consulting to the following industries for resolution of compliance and regulatory challenges:



We understand the complexities of running a life science business and possess areas of expertise that include every facet of R&D, operations, regulatory affairs, quality, and manufacturing. We are used to working on the front lines and thriving in the scrutiny of FDA, Health Canada, MHRA and globally-regulated companies.


As your partners, we can negotiate the potential minefield of regulatory compliance and regulatory due diligence with insight, hindsight, and the clear advantage of our unique expertise and experience.


  • Founded in 2000
  • Headquartered in Wisconsin (USA)
  • Expertise backed by over 500 industry subject matter experts
  • Acquired by Sotera Health in 2021


About Sotera Health


The name Sotera Health was inspired by Soteria, the Greek goddess of safety, and reflects the Company’s unwavering commitment to its mission, Safeguarding Global Health®.


Sotera Health Company, along with its three best-in-class businesses – Sterigenics®, Nordion® and Nelson Labs® – is a leading global provider of mission-critical end-to-end sterilization solutions and lab testing and advisory services for the healthcare industry. With a combined tenure across our businesses of nearly 200 years and our industry-recognized scientific and technological expertise, we help to ensure the safety of over 190 million patients and healthcare practitioners around the world every year.


We are a trusted partner to more than 5,800 customers in over 50 countries, including 40 of the top 50 medical device companies and 8 of the top 10 pharmaceutical companies.





