In clinical trials, where every data point matters, tracking information from start to finish can be vital. One tool that should be in every statistical programmer’s arsenal is an audit trail, a step-by-step record that allows researchers and agencies to verify and track each data artefact to its source.
What is an audit trail, exactly?
Simply put, it’s a blueprint of information that can help track activity of an electronic record. This sequential information of the “who,” “what,” “when,” “where,” and “why” of data collection can help if concerns around data integrity require going back, validating, and further analyzing a project.
An audit trail is important in clinical research and often required for clinical trial management systems that maintain patient information and the trial’s unique data. The evaluation of that data is vital, as that data is then used to answer critical questions about patient care, quality of life, and healthcare policy, among other applications.
The Importance of Audit Trails for Compliance
We’ve discussed the functional, internal importance of audit trails but did you know that they’re also important to regulatory agencies? Section 21 CFR 11.10 (e), part of the FDA’s Code of Federal Regulations, regulates electronic records and signatures used for clinical trials with the aim of ensuring reliable, quality data and records.
Under this title, clinical trial sponsors should be prepared to:
- Use secure, computer-generated, time-stamped audit trails to keep track of user entries and activities that create, modify, or delete electronic records.
- Retain these audit trails for as long as required
- Make these audit trails available to the agency for review and copying
- Limit ability to modify the audit trails (e.g., employees who are able to create, modify, or delete electronic records should not have this capability)
- Create audit trails incrementally, in chronological order, in a way that does not allow new information to overwrite existing data
Learn more about the FDA guidance here.
What are the Components of an Audit Trail?
It could be easy to get carried away documenting a ton of small things. To keep things simple, it’s best to limit your audit trail to a few key components answering the 5 W’s.
Audit trails should include:
- Change Details & Original Access
What actions were performed on what artefacts, e.g. what changes or deletions were made? This will include the location of the artefact. In addition, be sure to keep a copy of the original, with all data available (nothing should be hidden).
- User Identification
Who made this change? Be sure to use unique identifiers, such as userIDs, and remember that user names are not unique.
- Reasoning
Why was a change made? Explain why any significant GxP change or deletion was necessary.
- Timing
When was this change made? Changes should include a date and time stamp, with clear reference to time zone.
- Location
Where was the user at the time that the change was made? Audit records can include the IP address of the user.
Who Uses Audit Trails?
Internal Teams
Audit trails are most often accessed by managers or study program leads, especially those with a responsibility for demonstrating compliance to auditors.
Although user action is tracked through audit trail tools, users must not have the ability to change or modify the audit trail in any way. Users may wish to use the audit trail to answer operational questions like “Who deleted my file last week?”
External Teams
Access may also be requested by regulatory agencies such as the FDA.
When Will Someone use my Audit Trail?
Outside of the actual recording of data in an audit trail, in a perfect world, you won’t need it. Think of an audit trail as a safeguard and insurance against further investigation and a clearer path to approval.
Learn more about Aspire Audit, an audit tool designed and built for clinical use with focus on protecting patient privacy and enabling regulatory compliance.
