You're Reading a Free Preview Show
In this article, we analyze what is expected from the audit trail of a computerized system and we show a practical example of how to carry out the audit trail management Well-managed audit trails are key indicators of good internal business controls. The audit trails have gone from being manual to automated electronic records that make the information history more accurate, easily accessible and usable. The Audit Trail of a Computerized System is a fundamental tool to have control of the information and to detect and mitigate in time violations of data security, data corruption or the incorrect use of information. And it requires commitment from the top down, from management levels, affected departments and the IT team. In this article, we will review what the audit trail of a computerized system should include and a proposal for audit trail management for regulated computerized systems. What is an audit trailAudit trails are secure electronic records that allow the reconstruction of events related to the creation, modification or deletion of electronic records. These records provide supporting documentation and history to authenticate operational and security actions or to detect and mitigate deviations. That is, they provide proof of compliance and operational integrity. They are verified in the validation of the computerized system; an audit trail is a tool to maintain the information and the integrity of the system. What the audit trail of a computerized system should includeRegulationBoth the FDA and the EMA recommend that companies adopt a risk-based approach when determining where to apply (master data management and operations) the audit trail of a computerized system. According to the recommendations of the EMA, in reference to the audit trail of a computerized system, the regulations of Annex 11 of Eudralex establish that “consideration should be given, based on a risk assessment, to incorporating into the system the creation of a record of all changes and deletions relevant to GMP (a system-generated audit trail)”. Normative requirementsRequirements of the audit trail of a computerized system:
Auditory trail system featuresAudit trails are mainly used to guarantee the integrity of electronic records. According to the information provided by the regulations and good practice guidelines, the audit trail system must meet the following characteristics:
Management proposal of the audit trailNext, we show a basic proposal of management of the audit trail (AT) of a regulated computerized system (CS). In the first phase, the critical needs and functionalities of the system are identified (master data, processes, users, password and securities, generated, stored and / or processed records). Audit trail control is not required for the entire application. The risk analysis tool will be used to establish the criticality of master data, processes and securities throughout the validation project. Entities and processes that are critical must have Audit Trail. In the second phase, the audit trail system is configured and the registration of events related to the creation, modification or elimination of electronic records is carried out. Audit trail configuration: the system must have a master data configuration screen with audit trail control. The control can be applied at the general tab level (all fields on the screen will be audited) or by field. An example can be the configuration of parameters of the article form, suppliers, customers or warehouse types (this data will be decided according to a risk analysis). The configuration of the audit trail could be the following:
In this example, any changes to the warehouse configuration would be controlled and only the description change in the article´s configuration. Also, an administration screen will be needed to define the accepted reasons for the change. Example:
Application of the audit trail: the system must request the reason for modification or withdrawal. We can associate previously parameterized reasons (so that when the cause is added a drop-down list is shown) and a free description of the reason in order to specify each case. Records of the audit trail: the system must record the registration, modification or removal of the parameters considered critical for the computerized process. In this case, you must register:
Example of an audit trail of a computerized system:
If you need help to configure and implement audit trails in your organization, in Oqotech we have more than 10 years of experience helping companies in regulated sectors to computerize their process, ensure the integrity of their data and validate their computerized systems. Contact our team of expert consultants. |