What is a GxP audit trail review?
An audit trail review is the documented, risk-based evaluation of system-generated audit trail data to confirm GxP records haven't been altered, deleted, or manipulated without authorization. It's required under 21 CFR Part 11 and EU GMP Annex 11 Section 9, which mandates regular, risk-based review. Frequency and depth scale to risk — the review itself must be documented, or it doesn't count.
Most audit trail findings don't cite a missing audit trail. They cite one that existed, worked perfectly, and was never actually reviewed.
What Regulators Actually Require
21 CFR Part 11 requires secure, computer-generated, time-stamped audit trails for GxP electronic records. EU GMP Annex 11, Section 9, goes further: audit trails must be available in an intelligible form and subject to regular review, based on risk. MHRA's GxP Data Integrity Guidance and PIC/S PI 041-1 reinforce the same principle — risk-based, periodic, and documented. None of these require reviewing every system activity. MHRA is explicit that login/logoff events and keystrokes don't need line-by-line review; the scope is GxP data audit trails, not general technical logs.
The GxP Audit Trail Review Checklist
- ✓Scope is defined by risk assessment — which systems, records, and fields require audit trail review is documented, not assumed.
- ✓Audit trail cannot be disabled or amended by end users, and any administrator action to switch it off is itself logged.
- ✓Review frequency matches risk tier — before release for critical data, scheduled cadence for routine records.
- ✓Reviewer is independent of the person who generated or entered the original data.
- ✓Every change has a reason recorded — who, what, when, and why, not just a timestamp.
- ✓The review itself is documented — signed, dated, and retrievable, not just performed informally.
- ✓Flagged anomalies trigger a deviation — an exception found in review goes into the quality system, not just a follow-up email.
- ✓Review procedure is itself periodically assessed — confirming the review process is still catching what it's meant to catch.
How Often Should You Review?
| Data / System Risk | Review Frequency | Example |
|---|---|---|
| Critical — feeds a release decision | Before every batch/lot disposition | Batch record data, quality decision fields |
| High — GxP-critical configuration | Real-time or immediate, on change | Specification limits, master data changes |
| Moderate — routine GxP records | Scheduled periodic (e.g. monthly) | Standard production and QC records |
| Low — general system activity | Not required unless risk-flagged | User logins/logoffs, keystroke logs |
Review by Exception
Reading every audit trail entry manually doesn't scale, and regulators don't expect it. MHRA defines an exception report as a validated search tool that identifies predetermined "abnormal" data or actions for the reviewer's attention. GAMP 5 Second Edition promotes exactly this: validated review-by-exception tools that improve both efficiency and reliability over manual line-by-line review, particularly for high-volume systems.
The failure pattern to avoid: "Never reviewed" is the single most common finding across FDA, EMA, and MHRA notices — not a broken audit trail, but a fully functional one nobody looked at. A well-known 2005 FDA enforcement action involved systematic data manipulation that routine audit trail review would have caught early. The lesson has been repeated in inspection findings ever since.
How GoVal Supports Audit Trail Review
GoVal ships with 21 CFR Part 11 and EU Annex 11 compliant audit trails built into its architecture, and supports validated review-by-exception workflows that direct reviewers to flagged changes instead of every entry. Review frequency and scope are tied to each system's GAMP 5 risk classification, and every completed review is itself a timestamped, audit-trailed record — closing the exact gap that "never reviewed" findings expose.
Related Topics
Frequently Asked Questions
What is an audit trail review in GxP? +
How often should audit trails be reviewed? +
What is review by exception for audit trails? +
Do you need to review every audit trail entry, including logins and system logs? +
What happens if audit trails are not reviewed? +
How does GoVal support audit trail review? +
Turn audit trail review into a documented, risk-scaled workflow
Review-by-exception, risk-tiered review frequency, and audit-trailed review records — in GoVal.
