A Harmonized Approach to Performing a Risk-Based Audit Trail Review

Audit trail review (ATR) is a mechanism to detect potential critical changes to data/system security settings and to ensure the quality and integrity of reported data. PIC/S Good Practices For Data Management And Integrity In Regulated GMP/ GDP Environments-July 2021 (6) - gives an indication of the key elements to consider for an effective risk-based approach: "Data criticality (impact to decision making and product quality) and data risk (opportunity for data alteration and deletion, and likelihood of detection/ visibility of changes by the manufacturer's routine review processes)." [...]regulatory expectations for audit trail review have become an established part of the GxP data lifecycle. The following terms are defined (5): * technical control-computerized features like audit trail, backup mechanism, user management and security, electronic signatures and/or digital signatures to assist or enforce administrative and procedural controls * procedural control-standard operating procedures (SOPs) and work instructions for operation and administration, system user controls, computer system validation, calibration, network qualification, awareness training, etc. * system controls-combination of procedural and technical controls for a system. While audit trail review is often considered an essential part of ensuring data integrity, the same guidance clarifies that routine data review should include a documented audit trail review where this is determined by a risk assessment (emphasis added) (2).