Skip to main content

Audit Trail Review: GxP Checklist & Best Practices

Ready to modernize?

See GoVal in Action

Book a 30-minute walkthrough with our validation specialists. No slides — just your questions, answered live.

Contact Us
Summary

An audit trail review is the documented, risk-based evaluation of system-generated audit trail data to confirm that GxP records have not been altered, deleted, or manipulated without authorization, as required under 21 CFR Part 11, EU GMP Annex 11 Section 9, and MHRA's GxP Data Integrity Guidance. Review frequency and depth must be set by risk, not applied uniformly: high-risk data tied to batch release warrants review before every release decision, while lower-risk records can follow a scheduled periodic cadence, and routine system activity like logins does not require line-by-line review. The most common failure mode is not a missing or disabled audit trail — it is one that exists, is technically complete, and was simply never reviewed. GoVal supports audit trail review through validated review-by-exception workflows and documented, audit-trailed review records tied to each system's risk classification.

What is a GxP audit trail review?

An audit trail review is the documented, risk-based evaluation of system-generated audit trail data to confirm GxP records haven't been altered, deleted, or manipulated without authorization. It's required under 21 CFR Part 11 and EU GMP Annex 11 Section 9, which mandates regular, risk-based review. Frequency and depth scale to risk — the review itself must be documented, or it doesn't count.

Most audit trail findings don't cite a missing audit trail. They cite one that existed, worked perfectly, and was never actually reviewed.

What Regulators Actually Require

21 CFR Part 11 requires secure, computer-generated, time-stamped audit trails for GxP electronic records. EU GMP Annex 11, Section 9, goes further: audit trails must be available in an intelligible form and subject to regular review, based on risk. MHRA's GxP Data Integrity Guidance and PIC/S PI 041-1 reinforce the same principle — risk-based, periodic, and documented. None of these require reviewing every system activity. MHRA is explicit that login/logoff events and keystrokes don't need line-by-line review; the scope is GxP data audit trails, not general technical logs.

The GxP Audit Trail Review Checklist

  • Scope is defined by risk assessment — which systems, records, and fields require audit trail review is documented, not assumed.
  • Audit trail cannot be disabled or amended by end users, and any administrator action to switch it off is itself logged.
  • Review frequency matches risk tier — before release for critical data, scheduled cadence for routine records.
  • Reviewer is independent of the person who generated or entered the original data.
  • Every change has a reason recorded — who, what, when, and why, not just a timestamp.
  • The review itself is documented — signed, dated, and retrievable, not just performed informally.
  • Flagged anomalies trigger a deviation — an exception found in review goes into the quality system, not just a follow-up email.
  • Review procedure is itself periodically assessed — confirming the review process is still catching what it's meant to catch.

How Often Should You Review?

Data / System RiskReview FrequencyExample
Critical — feeds a release decisionBefore every batch/lot dispositionBatch record data, quality decision fields
High — GxP-critical configurationReal-time or immediate, on changeSpecification limits, master data changes
Moderate — routine GxP recordsScheduled periodic (e.g. monthly)Standard production and QC records
Low — general system activityNot required unless risk-flaggedUser logins/logoffs, keystroke logs

Review by Exception

Reading every audit trail entry manually doesn't scale, and regulators don't expect it. MHRA defines an exception report as a validated search tool that identifies predetermined "abnormal" data or actions for the reviewer's attention. GAMP 5 Second Edition promotes exactly this: validated review-by-exception tools that improve both efficiency and reliability over manual line-by-line review, particularly for high-volume systems.

The failure pattern to avoid: "Never reviewed" is the single most common finding across FDA, EMA, and MHRA notices — not a broken audit trail, but a fully functional one nobody looked at. A well-known 2005 FDA enforcement action involved systematic data manipulation that routine audit trail review would have caught early. The lesson has been repeated in inspection findings ever since.

How GoVal Supports Audit Trail Review

GoVal ships with 21 CFR Part 11 and EU Annex 11 compliant audit trails built into its architecture, and supports validated review-by-exception workflows that direct reviewers to flagged changes instead of every entry. Review frequency and scope are tied to each system's GAMP 5 risk classification, and every completed review is itself a timestamped, audit-trailed record — closing the exact gap that "never reviewed" findings expose.

Related Topics

Frequently Asked Questions

What is an audit trail review in GxP? +
An audit trail review is the documented evaluation of system-generated audit trail data — who changed what, when, and why — to confirm GxP records haven't been altered, deleted, or manipulated without authorization. It's required under 21 CFR Part 11 and EU GMP Annex 11 Section 9, which states audit trails must be available in intelligible form and subject to regular review, based on risk. The review itself must be documented; an unreviewed audit trail does not satisfy this requirement.
How often should audit trails be reviewed? +
Frequency should be set by risk, not applied uniformly. High-risk data tied to batch release or product disposition should be reviewed before that decision is made, not on a fixed calendar. Lower-risk GxP records can follow a scheduled periodic cadence, like monthly or quarterly. Routine system activity, such as logins and logoffs, doesn't need review at all unless flagged by a specific risk in the system's risk assessment.
What is review by exception for audit trails? +
Review by exception uses a validated search tool to automatically flag predetermined "abnormal" data or actions, rather than requiring a person to read every entry line by line. MHRA's guidance defines this approach explicitly, and GAMP 5 Second Edition promotes validated exception reporting as a way to increase both efficiency and reliability, especially for high-volume systems.
Do you need to review every audit trail entry, including logins and system logs? +
No. MHRA guidance explicitly states it's not necessary for audit trail review to include every system activity, such as logins, logoffs, or keystrokes. The relevant scope is GxP data audit trails — changes affecting product quality, patient safety, or data integrity — not general technical or system-level logs, which carry different risk.
What happens if audit trails are not reviewed? +
An unreviewed audit trail is one of the most frequently cited data integrity findings in FDA warning letters, regardless of whether the audit trail itself was technically functional. The concern is that unreviewed manipulation goes undetected — a pattern regulators have treated seriously since a 2005 FDA enforcement action involving systematic data manipulation that routine review would have caught.
How does GoVal support audit trail review? +
GoVal ships with 21 CFR Part 11 and EU Annex 11 compliant audit trails built into its architecture, and supports validated review-by-exception workflows so reviewers are directed to flagged changes rather than scanning every entry. Review frequency and scope tie to each system's GAMP 5 risk classification, and every completed review is itself a timestamped, audit-trailed record.

Turn audit trail review into a documented, risk-scaled workflow

Review-by-exception, risk-tiered review frequency, and audit-trailed review records — in GoVal.

Book a Free Demo →