Audit Trail Review

What audit trail review is

Audit trail review is the periodic, risk-based examination of audit trail records by an independent reviewer to detect unauthorised changes, anomalous activity, and data integrity concerns, with documented evidence of what was reviewed, what was found, and what was done about it.

It's distinct from the audit trail itself. The trail is the recorded history of who did what, when, and why on a regulated record. The review is what turns that history into an active control. A captured-but-unread audit trail satisfies 21 CFR §11.10(e) on the letter but fails the intent.

Audit trail review is one of the most-inspected data integrity controls in current regulator practice. MHRA's GxP DI guidance (March 2018, updated September 2021), PIC/S PI 041-1 (July 2021), and WHO TRS 1033, Annex 4 (2021) all treat it as a baseline expectation, not an optional governance practice.

Why audit trail review sits at the centre of data integrity inspections

The 2014 MHRA inspection wave and the FDA chromatography enforcement actions that ran from 2017 both turned on audit trail review. Firms had the trails. The trails were technically correct. But nobody was reading them. Inspectors found cases where deleted injections, modified results, and after-hours access had been sitting unreviewed in the audit trail for months.

The lesson regulators took is that capture alone doesn't deliver data integrity. Active review does. MHRA, PIC/S, and WHO all expect a documented review program with risk-based cadence, independent reviewers, signed evidence, and exception escalation.

For Part 11-regulated firms, audit trail review is now treated as an implicit expectation under §11.10(e) even though the literal text only requires capture. In current FDA inspections, asking to see the audit trail review SOP and the most recent review records is one of the first inspector moves on any computerised system.

Inspector perspective: the audit trail review is where inspectors learn whether a data integrity program is real. They'll typically ask for the review SOP, the last six months of review records, and the list of exceptions investigated. If the SOP doesn't exist, or the records don't show evidence of actual review, or the exceptions weren't followed up, the rest of the data integrity conversation gets much harder.

Where audit trail review is expected and how regulators describe it

Audit trail review is implicit in Part 11 and explicit in modern data integrity guidance. The references inspectors cite:

• 21 CFR §11.10(e): requires "secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records." The literal text mandates capture; regulator practice extends it to review.
• FDA Part 11 Scope and Application (August 2003): confirms enforcement focus on validation, audit trails, copies of records, and record retention. Audit trail review is implicit in the broader audit trail expectation.
• FDA Data Integrity Q&A (December 2018): addresses audit trail review expectations directly for drug CGMP.
• MHRA "GxP" Data Integrity Definitions and Guidance for Industry (March 2018, updated September 2021): explicitly requires a defined, risk-based audit trail review process with documented evidence.
• PIC/S PI 041-1 (July 2021) §9: the most detailed regulator interpretation. Covers review frequency, independence, scope definition, evidence retention, and exception handling.
• WHO TRS 1033, Annex 4 (2021): applies audit trail review expectations to both paper and electronic records across the lifecycle.
• EU GMP Annex 11 §9: "Consideration should be given to the inclusion in the system of the creation of a record of all GMP-relevant changes and deletions (a system-generated 'audit trail')." EU inspectors treat review as the natural extension.
• 21 CFR §211.180(e): quality unit responsibility for evaluation; audit trail review evidence forms part of the record set for that evaluation.
• ICH Q9(R1) (effective 2023): risk-based principles drive review frequency and depth by record criticality.
• ISO 13485 §4.2.5: control of records; review evidence is itself a controlled record subject to retention.

The audit trail review workflow stages

A defensible audit trail review program runs through a recognisable shape:

• Risk assessment of records and systems. Classify GxP records and the systems that produce them by criticality. High-risk (chromatography, MES, batch release, e-signatures on releases) gets more frequent review. Lower-risk (auxiliary systems) gets less. The classification is documented and re-evaluated.
• Review SOP. Defines what gets reviewed, by whom, how often, what to look for, how anomalies are escalated, and how evidence is retained. Without this SOP, every review is an improvisation.
• Reviewer assignment. The reviewer is independent of the record owner, trained on the system, the audit trail schema, and the SOP, and has authority to escalate findings.
• Scoped review. The reviewer pulls the audit trail filtered by system, user, date range, action type per the SOP. Reviews entries against the defined anomaly criteria. Investigates anything unusual on the spot or flags for follow-up.
• Exception capture and escalation. Anomalies are documented with enough detail that a follow-up investigator can reconstruct what was seen. Routed to the appropriate process (deviation, CAPA, security incident, or QA review) per severity.
• Signed review evidence. Reviewer signs the review record. Captures period reviewed, scope, findings, follow-up actions, and conclusion. The record itself sits under document control.
• Trending. Recurring anomaly patterns (same user, same record type, same time window) are tracked across reviews. Patterns drive systemic action: SOP updates, training, role-permission tightening, system change requests.
• Periodic program review. The audit trail review program itself gets reviewed at Management Review: coverage, finding rate, follow-up closure rate, recurring anomaly patterns.

What strong audit trail review programs share

The programs that hold up at inspection share consistent patterns:

• Risk-based cadence applied honestly. High-risk systems get reviewed at the cadence the risk warrants, not at an admin-convenient monthly default for everything.
• Review SOP is current. Names the systems, the records, the cadence, the anomaly criteria, and the escalation paths. Updated when systems change, when new finding patterns emerge, when regulations revise.
• Reviewer is genuinely independent. Documented separation from the record owner, not just "someone else from QA" if that someone reports to the owner.
• Reviewer is trained. Specific training on the audit trail format of the system being reviewed, the anomaly criteria, and the escalation SOP. Training records retained.
• Scope is meaningful. Not "everything" (which produces shallow review of a huge dataset) and not "random sample" (which misses targeted threats). Risk-targeted scope per the SOP.
• Findings get investigated. Every anomaly closed with a documented disposition. "Closed, no further action" is acceptable when justified; closed without explanation is a finding.
• Review evidence is a controlled record. Under document control. Retained for the predicate-rule period. Signed with identity, date, and meaning (review completion) under §11.50 for electronic systems.
• Trending happens. Cross-review pattern analysis. Recurring findings drive systemic action, not repeated point-fix exception handling.
• Program metrics feed Management Review. Coverage rate, finding rate, time-to-closure on exceptions, recurring anomaly categories — all standing MR inputs under ISO 13485 §5.6.2.
• Survives system migration. When systems change, the review program adapts. Migration plans include re-defining the review approach for the new system.

How Complere supports audit trail review

Reading audit trails is a discipline your quality team owns. What Complere gives you is the underlying evidence — clean, complete, and easy to pull — so your reviewer can actually do the work and produce something an inspector will accept.

Every regulated record across the platform — your controlled documents, CAPAs, change requests, audits, deviations, complaints, training records, risk assessments — carries its own history of who did what, when, and why. The history can't be quietly altered or deleted, and your records stay in your own space so there's no cross-customer concern. When your reviewer needs to look at activity, they can view it on screen three ways — on the individual record, across a whole module, or globally across modules — filtered by record, user, action type, or date range, and pull a human-readable export they can hand straight to an inspector.

For the review record itself, your team can author it inside the controlled-document workflow — template-driven, signed by your reviewer with their identity, timestamp, and the meaning of their sign-off (review completion), and kept for the retention period your regulations require. If a review surfaces an anomaly that needs systemic action, your team can route it into the CAPA workflow without leaving the platform.

Honest disclosure on what's not built today: Complere doesn't yet have a dedicated audit-trail-review screen with reviewer-assignment dashboards, in-platform exception annotation, or program-coverage metrics as a first-class surface. That sits on the roadmap and will ride on the same cross-module reporting layer being built for Management Review. Until it lands, your reviewers work from the per-record, module-wide, and cross-module audit trail views — filtering on screen and exporting — and capture their review evidence as controlled documents. It's the same model many of our peer customers run on today.

What stays with your team: the review SOP, choosing the reviewer, setting the cadence by risk, and following up when something looks off. Complere supports the program; your reviewers run it.

Related data integrity, governance, and inspection terms

Audit trail review is one link in a connected set of data integrity controls:

• Audit Trail — the captured history that review examines
• Data Integrity — the outcome review supports
• ALCOA+ — the diagnostic framework reviewers apply to assess audit trail quality
• 21 CFR Part 11 — §11.10(e) is the predicate the review extends
• Internal Audit — audit trail review programs are themselves an internal audit scope topic under PIC/S PI 041-1 §5
• CAPA — anomalies surfaced through review route into CAPA
• Deviation — significant audit trail anomalies can warrant deviation investigation
• Management Review — review program metrics are standing MR inputs