Q: The EU’s Annex 11 says that reviews of all our automated systems activity, including audit trail reviews, should be more frequent. What is the ideal time-frame for these reviews, especially if there’s been no major change to our systems?
A: It depends on which audit trail you’re talking about. If it’s one that’s part of a specific record changed by users who have responsibility for that record — and the record is to be signed afterwards — you should review the audit trail as part of the overall record review. In other words, prior to sign-off, you must review the complete record, including the audit trail, to assure the changes were done appropriately.
[pullquote align=”right” cite=”” link=”” color=”” class=”” size=””]You should have an established written procedure that specifies the interval for audit trail reviews, based on risk.[/pullquote]
Otherwise, if it’s an audit trail associated with, for example, a database being changed by users and/or system administrators, you should have an established written procedure that specifies the review interval based on risk. In this case, you should determine the magnitude of the risk that changes could be made that are inappropriate, incorrect or capable of corrupting the data itself or reports written against the data.
Answered by Janis Olson, EduQuest Vice President of Regulatory and Quality Services (22 years as an FDA investigator and regional office director of Information Resources Management) and co-instructor of EduQuest’s in-person training class on FDA Auditing of Computerized Systems and Part 11/Annex 11.