Audit trails are a critical requirement in clinical trial management systems. These computer-generated records capture all the activity in the system and are valuable tools to maintain a high level of data integrity and are extremely useful to study teams and regulatory agencies alike.
What is an audit trail?
An audit trail is a computer-generated electronic record that allows one to review the course of events related to the creation, modification, and deletion of an electronic document. Every clinical trial document produced with computer systems is required by law to be tracked by an accompanting an audit trail.
An audit trail entry provides information about:
- Who accessed a document
- What actions they performed with it
- When was the document accessed
- Where was the document accessed from
Audit trails are a requirement in clinical trial management systems that contain data about patients and the clinical trial itself. Audit trail data can also be used to answer critical questions about patient care and quality of life as well as healthcare policy and similar topics.
It is important to understand the distinction between audit trails and logs. Computerized systems maintain logs of their performance to supply IT technicians with data for troubleshooting activities. On the other hand, audit trails contain another form of information.
For instance, audit trails can record essential data from electronic signatures, like the time at which a document was signed. It is customary for electronic signature systems to keep logs of when and where a document is signed, in addition to information about who signed the document. Audit trails eliminate discussions about document authenticity and reliability by providing clear information about a document’s history.
The data found in audit trails is meant to be used by clinical teams, sponsors, regulatory agencies, and similar professionals. Due to their front-facing nature, it is in the best interest of all parties involved in a clinical study to have audit trails that are simple to access and easy to navigate.
Is an FDA audit trail required by the United States Code of Federal Regulations?
The Code of Federal Regulations lists audit trails as a required measure to ensure the authenticity, integrity, and confidentiality of electronic records. All persons who use closed systems for the creation, modification, maintenance, or transmission of electronic records are required to implement audit trails (source).
The use of secure, computer-generated, and time-stamped audit trail documentation is explicitly listed by the FDA as a regulatory requirement under Title 21, Part 11 of the Code of Federal Regulations (CFR). It is required by law that an independent record is produced whenever an electronic record is created, modified, or deleted. The time of operator entries must be kept on record and no effort to make changes to the audit trail data should be made.
Applicable predicate rule requirements dictate that accurate records must be maintained throughout a clinical trial. The CFR states that audit trail documentation is to be retained for as long as it is required for the subject electronic records. In addition, FDA must be able to review and copy audit trail data.
Why are audit trails important for clinical trials?
Audit trails greatly simplify preparation for an audit. In addition, they provide users with a wide range of benefits, such as access to a comprehensive view of the entire history of a document. Thereby, it is a great benefit to clinical teams to possess well-structured and easily accessible audit trails.
The benefits of audit trails include:
- Streamlined audits: Periodically performing audit-related assignments can be a very stressful and time-consuming task. Thanks to the capacity of audit trails to keep well-organized records of all activity, this process is substantially simplified. This benefits both auditors and those being audited. The former are able to complete their work faster, while the latter can reduce stress and money spent on audit fees.
- Enhanced information security: Clinical data is of a very sensitive nature, making it vulnerable to cybersecurity breaches. Additionally, inconsistencies in operations may have malicious intent behind them. Audit trails give a clear look at all actions performed on documents and thereby help uncover any type of malintent, whether from external or internal sources.
- Increased operational efficiency: Audit trails give users a clear view of the entire history of a document. Investigators can use audit trails to track and learn from their successes and challenges. Thus, their implementation helps save time and increase the speed at which critical decisions are made.
- Problem detection: Teams can use audit trail data to reconstruct the series of events that led to any type of outcome, positive or negative. Easy access to this information enhances researchers’ capacity to detect current problems and prevent future ones from happening.
- User accountability: The perpetual recording of documents promotes the appropriate behavior of all users. Since actions are tied to the identity of users, it is always clear who is behind any activity. Issues such as the improper use of information, unauthorized modifications, or the introduction of malware will be automatically recorded.
The two types of audit trail reviews
There are two main types of audit trail reviews:
Regular audit trail reviews
These audit trails are meant to be reviewed in tandem with their parent GxP record. FDA recommendations state that audit trails that display changes to critical data should be reviewed alongside each record and before the final approval. Audit trails that capture changes to sample run sequences, sample identification, or critical process parameters are subject to regular reviews. The same applies to the change history of finished product test results.
Scheduled audit trail reviews
These audit trails must be reviewed periodically. This type of review is more complex than its regular counterpart. Enterprise applications performing scheduled reviews should plan accordingly. System owners and administrators must consider the time, effort, and costs related to performing scheduled reviews. This process can become a challenge when using legacy software, as audit trails generated by legacy applications may only be accessible to programmers.
Who should review an audit trail?
Auditing processes are usually conducted by the sponsor of the study or a regulatory agency such as the FDA. The principal investigator (PI) is usually notified prior to an audit.
The FDA has established the Bioresearch Monitoring (BIMO) Program of inspections and audits to ensure the highest standards of quality and integrity. It is expected for all data to be attributable, original, accurate, contemporaneous, and legible for both electronic and paper records.
Supplier management audits can be performed to assess the quality of processes. This can help identify areas of potential risk, adopt better organizational quality standards, and improve document management practices.
Since modern document management software is able to handle compliance procedures automatically, it gives its adopters a considerable operational advantage and risk assessment capabilities. Modern software solutions offer a risk-based approach to audit trails, helping users to easily identify and resolve risks related to record integrity and compliance.
One can ensure site preparedness for an audit by:
- Providing a comfortable environment for the auditor to perform their duties.
- Making sure all trial master file (TMF) content is up-to-date and compliant. This is made considerably easier thanks to eTMF software.
- Keeping updated curriculum vitae and good clinical practices (GCP) certificates of all study staff.
- Certifying that all correspondence is signed, dated, and properly filed.
- Maintaining site-specific standard operating procedures (SOP).
- Ensuring the collection of samples is compliant with SOP and GCP guidelines.
When does the audit trail begin?
An audit trail creates a step-by-step record of clinical research, which goes back to the beginning of a clinical study. Typically, audit trail records will be assessed whenever record integrity or accuracy are put into question.
The same level of tracking is not required for all studies. The significance of data tracking can vary depending on the nature of critical values affecting the study. For instance, research that deals with randomization may produce larger amounts of audit trail data.
Is the review of the audit trail required in clinical trials?
The FDA guidelines for computerized systems used in clinical trials prescribe the requirement for audit trails. The creation, modification, and deletion of all records in electronic form must be chronologically documented in accordance with the law. Audit trails are designed to fulfill that purpose.
What are the FDA audit trail requirements?
Link to the record
An audit trail must be traced back to the corresponding record it belongs to. In many cases, the reference link will contain a unique ID that assigns it to the record.
All audit trails must include information related to the individual who has created, modified, or deleted a record.
Original and new values
The audit trail must contain all values applied to a record. This guarantees that the entire history of a document is preserved and available for review.
Reasons for modifications
A log should be kept to note the reasons behind changes made to records. Nonetheless, changes performed to a document during drafting or review comments may be exempt from this requirement.
Date and time
To keep an accurate chronology of events, a clear date and time stamp must exist in all audit trail records. This is an important component in order to maintain the reliability of electronic records.
Regulators should always be capable of reviewing and coping with audit trail data.
An audit trail must be kept on record for as long as its corresponding document is required to be stored.
Audit trail records must be stored securely. Users should not be given access to edit audit trail data.