July 10, 2026 · Quality Assurance
Audit Trail Review Is the New Data Integrity Battleground: Closing the Gap Before Inspectors Do
By Mussarat Fatima

Audit trail review has moved from a quiet back-office task to the front line of every data integrity inspection. Regulators are no longer satisfied that your systems generate an audit trail. In 2026, FDA and Health Canada inspectors want documented proof that a qualified person actually reviewed it, understood what it showed, and acted on anything unusual. That shift, from generation to review, is where most manufacturers are now exposed.
Data integrity deficiencies still appear in an estimated 60 to 80 percent of drug GMP warning letters, which makes this the single most cited category of enforcement finding. The pattern behind those letters has sharpened. Inspectors are citing firms whose audit trail functionality was never switched on, was disabled for performance reasons, or captured events that no one ever looked at. They are also citing shared logins, backdated records, and, in the most serious cases, data deleted during the inspection itself. For quality leaders in pharma, cannabis, and natural health products, the message is direct: an audit trail that no one reviews is treated as no control at all.
This guide explains what audit trail review means in practice, what FDA and Health Canada actually require, and how to close the most common gaps before an inspector finds them. If your operation still relies on paper habits, shared credentials, or computerized systems that were never validated, this is the article to read before your next inspection.
Executive Summary
- Audit trail review is now the inspection focus, not audit trail generation. Regulators expect a named reviewer, a defined frequency, and a documented sign-off for GMP-relevant electronic records.
- The legal basis already exists. FDA ties audit trail review to the second-person record review under 21 CFR 211.194(a), and 21 CFR Part 11.10(e) requires secure, computer-generated, time-stamped audit trails. Health Canada applies the same expectations through GUI-0001 and Annex 11 (GUI-0050).
- Shared logins are indefensible. If two people share a credential, data cannot be attributed to an individual, which breaks the first principle of ALCOA+ and undermines every downstream record.
- Unvalidated computerized systems are a red flag. Computerized system validation is the evidence that your chromatography data system, LIMS, or SCADA behaves as intended and cannot silently alter data.
- The fix is a system, not a form. A defensible programme combines an audit trail review SOP, risk-based review frequency, unique user accounts, validated systems, and trained reviewers, all tied together with clear records.
What Audit Trail Review Actually Means
An audit trail is the secure, time-stamped, computer-generated record of every meaningful action taken on an electronic record. In a chromatography data system, that includes injections, reprocessing, integration changes, deletions, and aborted runs. Generating the trail is the easy part; modern systems do it automatically. The regulatory expectation is that someone competent reviews those entries as part of releasing the result, and records that they did.
Reviewers are looking for signals, not just signatures. Repeated trial injections before a passing result, integration changes without a justification, tests run under a generic or shared account, system clocks that do not match, or data deleted and re-acquired are all classic warning signs. When a reviewer sees these and does nothing, or when no reviewer looks at all, the firm has a data governance failure that inspectors treat as serious.
Audit trail review sits inside the wider discipline of good documentation practices and quality management. For a broader view of how these controls fit together, see the MFLRC guide on why 60 to 80 percent of FDA warning letters still cite data integrity.
Why This Is the 2026 Data Integrity Battleground
Three forces converged to make audit trail review the pressure point. First, the regulatory guidance matured. FDA's 2018 guidance, Data Integrity and Compliance With Drug CGMP: Questions and Answers, made clear that people responsible for record review should review the audit trails that capture changes to that data. Second, inspection technique caught up. Investigators now ask to see the audit trail on screen, filter it live, and compare it to the paper batch record or certificate of analysis. Third, enforcement escalated. Recent letters describe deliberate falsification, backdated entries, and data destroyed during inspections, behaviours that only surface when someone examines the metadata.
The firms most exposed share a profile. They mix paper and electronic records without reconciling them, they let analysts share a single software login, and they run instruments on software that was never formally validated. Each of these weaknesses is visible in the audit trail, which is exactly why the audit trail is where inspectors now look first.
The Regulatory Basis: FDA and Health Canada Side by Side
FDA does not use the words review the audit trail in a single tidy sentence, which is why some firms wrongly assume it is optional. Instead the requirement is assembled from several sources. Laboratory records must contain complete data (21 CFR 211.194(a)), a second person must review that record for accuracy and completeness (211.194(a)(8)), computer inputs and outputs must be checked (211.68(b)), and audit trails must be secure and computer-generated (Part 11.10(e)). Read together, these mean the second-person review must include the audit trail.
Health Canada reaches the same destination through GUI-0001, the Good Manufacturing Practices Guide for Drug Products, supported by Annex 11 (GUI-0050) on computerized systems and the data integrity provisions of Division 2. Canadian inspectors apply audit trail expectations consistent with EMA practice under Annex 11: trails should be enabled, protected from disabling, and reviewed periodically by a named reviewer with a documented sign-off. Both agencies also point to the PIC/S guidance PI 041 on good data management as the detailed reference.
The table below summarizes where the requirements live.
| Requirement | United States (FDA) | Canada (Health Canada) | International reference |
|---|---|---|---|
| Complete laboratory data | 21 CFR 211.194(a) | Division 2, Food and Drug Regulations; GUI-0001 | PIC/S PI 041 |
| Second-person / audit trail review | 21 CFR 211.194(a)(8); 2018 Data Integrity Q&A | GUI-0001; Annex 11 (GUI-0050) | EU GMP Annex 11 |
| Secure, computer-generated audit trail | 21 CFR Part 11.10(e) | Annex 11 (GUI-0050) | EU GMP Annex 11 |
| Attributable actions (no shared logins) | 21 CFR Part 11; ALCOA+ | GUI-0001; ALCOA+ | MHRA GXP Data Integrity Guide |
| System validation (CSV) | 21 CFR 211.68; Part 11 | Annex 11 (GUI-0050) | GAMP 5; PI 041 |
For guidance on the newest computerized-system expectations, see the MFLRC analysis of the EU GMP Annex 11 revision arriving in 2026, which many Canadian and US sites are using as a benchmark.
ALCOA+: The Standard Every Audit Trail Is Measured Against
ALCOA began as five principles and was extended to ALCOA+ in MHRA guidance, then echoed by FDA and WHO. Every audit trail finding maps back to one of these principles, which makes ALCOA+ a practical checklist for reviewers rather than an abstract slogan.
| ALCOA+ principle | What it means | What breaks it |
|---|---|---|
| Attributable | Every action traces to one identified person | Shared logins, generic accounts |
| Legible | Records are permanent, readable, indelible | Overwritten data, illegible scans |
| Contemporaneous | Recorded at the time of the event | Backdated or pre-dated entries |
| Original | The first capture, or a certified true copy | Working from uncontrolled copies |
| Accurate | Correct, with no undocumented edits | Unexplained integration changes |
| Complete | All data retained, including failures | Deleted trial injections |
| Consistent | Sequence and timestamps make sense | System clock manipulation |
| Enduring | Kept for the required retention period | Records lost on obsolete media |
| Available | Retrievable promptly for inspection | Data that cannot be produced |
When an inspector reviews an audit trail, they are testing these nine attributes in real time. Building your review checklist directly around ALCOA+ is the simplest way to make sure nothing is missed.
The Shared Login Problem: Why Attributable Comes First
Shared credentials usually start as a convenience. A single analyst login is faster than provisioning accounts, or a supervisor's password gets passed around to approve results after hours. The audit trail then attributes work to a person who may not have done it, which is exactly the vulnerability the Attributable principle exists to prevent.
The fix is straightforward in principle and worth the effort in practice. Every user needs a unique account, role-based permissions that match their job, and a password they never share. Administrator rights must be separated from routine analyst functions so that no one can both perform and silently alter a test. These same controls also protect your staff, because a clean audit trail defends an honest analyst as effectively as it exposes a dishonest one.
Computerized System Validation: Proving the System Cannot Lie
Validation answers a simple inspector question: how do you know this software records everything it should and stops what it should? Without validation, the audit trail itself is suspect, because the control that produces it was never proven. FDA expects processes designed so that data required to be maintained cannot be modified without a record of the modification. For chromatographic data, that means results are saved to durable media at each step, and any change to the data or the injection sequence is captured in the audit trail.
A defensible CSV package covers the system's intended use, a risk assessment, installation and operational qualification, testing of audit trail and security functions, and a plan for keeping the system in a validated state through change control. For firms weighing how far automation and even AI can go without creating new compliance exposure, the MFLRC article on using AI in GMP documentation without triggering a compliance failure is a useful companion.
How to Build a Defensible Audit Trail Review Programme
Follow these steps to stand up or strengthen the programme.
- Write an audit trail review SOP. Define which systems are in scope, which audit trail entries are GMP-relevant, who reviews them, how often, and how the review is recorded. Vague procedures are themselves an inspection finding, so be specific. See the MFLRC guide on how to write SOPs that pass a Health Canada inspection.
- Set a risk-based frequency. Review audit trails tied to batch release and reportable results before the result is approved. Lower-risk trails, such as instrument status logs, can be reviewed on a defined periodic basis. Document the rationale for the frequency you choose.
- Provision unique accounts and validate systems. Remove all shared logins, apply role-based access, and confirm each system that produces GMP data has current validation and an enabled, protected audit trail.
- Train the reviewers. Reviewers must know what a suspicious entry looks like: aborted injections, reintegration without justification, timestamp anomalies, and deletions. A signature from someone who does not know what to look for adds no assurance.
- Record the review and act on findings. Capture who reviewed, what was reviewed, the date, and the outcome. When the review surfaces a problem, open an investigation and, where needed, a CAPA. For investigations that hold up, see the MFLRC guide on why your CAPA keeps failing.
Compliance Checklist: Audit Trail Review Readiness
Use this checklist to gauge how ready your operation is for a 2026 inspection. Every no is a gap worth closing now.
- Every GMP computerized system has audit trail functionality enabled and protected from being switched off.
- A written SOP defines audit trail review scope, reviewers, frequency, and records.
- Review of release-critical audit trails happens before the result is approved.
- All shared and generic logins have been eliminated; every user has a unique account.
- Administrator rights are separated from routine analyst functions.
- Each system producing GMP data is validated, with audit trail and security testing on file.
- Reviewers are trained to recognize aborted injections, reintegration, and timestamp anomalies.
- Audit trail reviews are documented with reviewer, date, scope, and outcome.
- Findings feed into investigations and CAPA, with effectiveness checks.
- Paper and electronic records are reconciled, with no orphan data.
- Data retention meets the Enduring and Available principles on supported media.
- A mock audit or gap assessment has tested the programme in the last 12 months.
Common Mistakes That Trigger Data Integrity Citations
Even well-run sites fall into predictable traps. Watch for these.
- Treating audit trail generation as enough. The system logs everything, but no one reviews it, so the control exists only on paper.
- Reviewing signatures, not metadata. A reviewer confirms the result looks right without opening the audit trail behind it.
- Shared or generic logins. Convenience today becomes an attributability crisis during inspection.
- Disabling audit trails for performance. Any switch-off, for any reason, reads to an inspector as concealment.
- Unvalidated or partially validated systems. Software changes over time, and validation that stopped years ago no longer proves anything.
- No defined review frequency. Without a documented, risk-based schedule, review becomes ad hoc and indefensible.
- Ignoring failed and aborted runs. Deleted trial injections are the classic marker of testing into compliance.
- Weak investigations. A finding is spotted but closed without root cause, so it recurs.
If you do receive an observation, how you respond matters as much as the underlying fix. The MFLRC guide on how to respond to an FDA Form 483 or Health Canada inspection observation walks through a credible response.
Frequently Asked Questions
What is audit trail review?
Audit trail review is the documented process in which a qualified person examines the automatic log of who created, changed, or deleted electronic data, confirms each action was authorized and explained, and signs off that the record can be trusted. It is the human control that makes an audit trail meaningful.
Is audit trail review required by FDA?
Yes, in effect. FDA assembles the requirement from CGMP record-review rules and Part 11. Laboratory records must be complete (21 CFR 211.194(a)), a second person must review them (211.194(a)(8)), and audit trails must be secure and computer-generated (Part 11.10(e)). The 2018 Data Integrity Q&A confirms reviewers should examine the audit trail as part of record review.
Does Health Canada require audit trail review?
Yes. Health Canada applies audit trail expectations through GUI-0001 and Annex 11 (GUI-0050), backed by Division 2 of the Food and Drug Regulations. Inspectors expect enabled, protected audit trails reviewed periodically by a named reviewer with a documented sign-off, consistent with EU GMP Annex 11.
Are shared logins allowed in GMP?
No. Shared logins break the Attributable principle of ALCOA+ because the system cannot prove who performed an action. Every user needs a unique account with role-based permissions. Shared credentials are one of the most frequently cited data integrity failures.
How often should audit trails be reviewed?
On a risk basis. Audit trails tied to batch release and reportable results should be reviewed before the result is approved. Lower-risk trails, such as instrument status or communication logs, can be reviewed on a defined periodic schedule. Document the rationale for whatever frequency you set.
What is ALCOA+?
ALCOA+ is the data integrity standard requiring data to be Attributable, Legible, Contemporaneous, Original, and Accurate, plus Complete, Consistent, Enduring, and Available. It is recognized by FDA, Health Canada, EMA, and MHRA, and it forms a practical checklist for audit trail review.
How MFLRC Can Help
Closing an audit trail review gap is rarely just a matter of writing one procedure. It usually touches your quality management system, your computerized systems, your access controls, and the way your team is trained. MF License and Regulatory Consultants supports manufacturers in pharma, cannabis, and natural health products across each of these areas.
Our work in this space includes data integrity gap assessments against ALCOA+, audit trail review SOP development, computerized system validation planning for chromatography data systems and LIMS, mock inspections and inspection-readiness reviews, and QAP and quality assurance support. We also help firms build defensible CAPA and investigation processes so that findings from audit trail review are closed properly the first time. With more than 20 years of quality assurance, quality control, and regulatory affairs experience, our team helps you build controls that hold up under Health Canada and FDA scrutiny.
Need help closing your audit trail review gap before an inspector finds it? Contact MFLRC for a practical, senior-led assessment tailored to your systems and market.
Conclusion
Audit trail review has become the clearest test of whether a firm's data integrity controls are real or merely documented. Regulators already have everything they need to cite you: the requirements exist in 21 CFR 211.194, Part 11, GUI-0001, and Annex 11, and the audit trail lays your practices bare. The firms that will pass 2026 inspections are the ones that treat review as an active control, run validated systems, give every user a unique login, and record what their reviewers actually did. The gap between generating an audit trail and reviewing it is small on paper and enormous in enforcement. Close it now, on your own terms, rather than under a Form 483.
Sources and References
- FDA, Data Integrity and Compliance With Drug CGMP: Questions and Answers (2018): fda.gov/media/119267
- FDA, Part 11 Electronic Records; Electronic Signatures, Scope and Application: fda.gov guidance
- 21 CFR 211.194, Laboratory records (eCFR): ecfr.gov
- 21 CFR Part 11, Electronic Records; Electronic Signatures (eCFR): ecfr.gov
- Health Canada, GMP Guide for Drug Products (GUI-0001): canada.ca
- Health Canada, Annex 11 to the GMP Guide: Computerized Systems (GUI-0050): canada.ca
- PIC/S, Good Practices for Data Management and Integrity (PI 041): picscheme.org
- MHRA, GXP Data Integrity Guidance and Definitions (2018): gov.uk
- EU GMP Annex 11, Computerised Systems (EudraLex Volume 4): health.ec.europa.eu
Downloadable Resource
Audit Trail Review Readiness Checklist & Data Integrity Toolkit
A practical, inspection-focused toolkit for QC, QA, and validation teams. Includes a 12-point readiness checklist, an ALCOA+ reviewer's reference, an audit trail review SOP outline, and the red flags inspectors look for. Built around FDA and Health Canada expectations.
File: audit-trail-review-toolkit.pdf
Fill in your details below and the download link will appear right away.
Share with others
Tags
