Comprehensive Data Integrity Audit Checklist for Pharmaceutical Quality Control Laboratories

Based on extensive research of FDA 483 observations, warning letters, and regulatory guidance from the last 10 years, this document provides a comprehensive audit framework for identifying and mitigating data integrity issues in pharmaceutical quality control laboratories. This analysis covers violations from companies across the globe and provides actionable tools for conducting thorough data integrity audits.

Key Research Findings from FDA 483 Observations (2015-2025)

Analysis of FDA enforcement actions reveals consistent patterns of data integrity failures. The most critical and frequently cited violations include:

Most Critical Violations Identified

• Laboratory Records Failures (21 CFR 211.194(a)): This is the most common citation, involving incomplete data, missing second-person reviews, and the destruction or disposal of original cGMP documents in waste areas.
• Electronic Systems Control Deficiencies (21 CFR 211.68(b)): A major focus area, including inadequate access controls allowing unauthorized data modification, use of shared user accounts that prevent traceability, and missing or disabled audit trails on critical systems.
• Chromatography Data Integrity Issues: Specific failures in HPLC/GC systems are common, such as unexplained sequential gaps in injection numbering (suggesting trial injections or deleted data), inappropriate peak integration without justification, and missing raw data files.
• Data Manipulation and Falsification: The most severe violations involve the deliberate fabrication of test results, back-dating of records and activities, and admissions by management of falsifying laboratory investigations to pass inspections.

Comprehensive Audit Checklist

The following detailed checklist covers 12 critical sections with 83 specific audit points. Each point is mapped to regulatory references and key red flags to identify during an audit. This comprehensive approach ensures all facets of laboratory data management are scrutinized.

1. General Data Governance

Audit Point	Red Flags to Identify	Regulatory Reference
Data governance system integrated into pharmaceutical quality system per EU GMP Chapter 1	No written data governance policy or procedures	EU GMP Chapter 1, PIC/S PI-041
Written data integrity policy addressing ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, Available)	ALCOA+ principles not understood or implemented by staff	FDA Data Integrity Guidance, MHRA GxP Guidance, PIC/S PI-041
Risk assessment conducted to identify critical data affecting patient safety and product quality	No risk assessment performed for critical data identification	ICH Q10, FDA Data Integrity Guidance
Designated data integrity officer or responsible person appointed	No designated person responsible for data integrity oversight	PIC/S PI-041 Section 7
Regular data integrity assessments performed across all laboratory operations	Reactive approach to data integrity (only addressing issues when cited)	FDA Data Integrity Guidance Section III
Good Documentation Practices (GDP) implemented and followed	Poor documentation practices across laboratory operations	EU GMP Chapter 4, MHRA GxP Guidance
Standard Operating Procedures (SOPs) established for data creation, handling, and retention	Inconsistent procedures between different laboratory sections	21 CFR 211.100, EU GMP Chapter 4
Data integrity training program in place for all laboratory personnel	Lack of data integrity awareness among laboratory personnel	21 CFR 211.25, ICH Q10

2. Electronic Records & Systems

Audit Point	Red Flags to Identify	Regulatory Reference
Unique user accounts with individual passwords (no shared logins)	Shared login accounts or passwords visible on sticky notes	21 CFR Part 11, EU GMP Annex 11
Role-based access controls implemented with appropriate user privileges	Generic user accounts used by multiple personnel	EU GMP Annex 11 Clause 12.1
Automatic inactivity logout configured on all systems	No automatic logout configured (systems left logged in)	EU GMP Annex 11 Clause 8.1
Electronic signatures compliant with 21 CFR Part 11 requirements	Missing or non-functional electronic signature systems	21 CFR Part 11.50, EU GMP Annex 11
Password policies enforced (complexity, expiration, history)	Weak password policies or no password requirements	21 CFR Part 11.300
Administrator rights restricted and justified for authorized personnel only	Users with excessive system privileges beyond job requirements	EU GMP Annex 11 Clause 12.1
System clocks synchronized and protected from unauthorized changes	System clocks showing incorrect time or easily changed by users	21 CFR Part 11.10(d)
Electronic records protected against unauthorized alteration or deletion	Evidence of data deletion or modification without proper documentation	21 CFR 211.68(b)
Database integrity controls in place to prevent backend manipulation	Direct database access without audit trail logging	21 CFR Part 11.10(a)
Network security measures implemented to protect data transmission	Inadequate network security allowing unauthorized system access	EU GMP Annex 11 Clause 7.1

3. Laboratory Instruments & Software

Audit Point	Red Flags to Identify	Regulatory Reference
All laboratory instruments qualified and validated before use	Instruments not properly qualified or validation documentation missing	21 CFR 211.63, EU GMP Chapter 3
Instrument software configured with appropriate security settings	Default software settings used without proper configuration	EU GMP Annex 11
Calibration records maintained with complete traceability	Missing or incomplete calibration records	21 CFR 211.160(b)(4)
User requirements specifications (URS) include data integrity requirements	Data integrity requirements not included in equipment purchase specifications	GAMP 5, EU GMP Annex 15
Integration parameters and peak integration reviewed and justified	Unexplained changes to integration parameters without documentation	USP <1058>, EU GMP Chapter 6
System suitability tests (SST) documented and failures investigated	SST failures not properly investigated or documented	21 CFR 211.160(b)(4)
Instrument maintenance records complete and up-to-date	Maintenance performed without proper documentation or impact assessment	21 CFR 211.63
Data transfer processes validated to ensure integrity	Manual data transfer processes without validation	21 CFR Part 11.10(c)
Backup instruments qualified and ready for use when primary systems fail	No backup systems available when primary instruments fail	21 CFR 211.63

4. Chromatography Data Systems

Audit Point	Red Flags to Identify	Regulatory Reference
HPLC/GC data systems configured with enabled audit trails	Audit trails disabled or not configured properly	EU GMP Annex 11 Clause 12.4
Sequential injection numbering maintained without gaps or missing files	Missing injection sequences or gaps in file numbering	21 CFR 211.194(a)
Raw data files retained and available for all analytical runs	Raw data files deleted or not retained	21 CFR 211.180
Chromatographic method parameters locked and changes controlled	Frequent changes to method parameters without proper justification	21 CFR 211.194(a)
Reprocessing and reintegration activities documented with justification	Reprocessing performed without adequate documentation	21 CFR 211.194(a)
Sample sequence tables complete and unmodified	Modified sample sequences without proper authorization	21 CFR 211.194(a)
Electronic raw data archived according to retention requirements	Electronic data not properly archived or accessible	21 CFR 211.180
Second person review procedures established for chromatographic analyses	No second person review of analytical data	21 CFR 211.194(a)(8)

5. Audit Trail Management

Audit Point	Red Flags to Identify	Regulatory Reference
Audit trails enabled on all critical systems and cannot be disabled by users	Audit trails turned off or disabled on critical systems	EU GMP Annex 11 Clause 12.4
Audit trail entries include date, time, user ID, and reason for change	Incomplete audit trail entries missing required information	21 CFR Part 11.10(e)
Regular audit trail reviews conducted by qualified personnel	No evidence of regular audit trail reviews	21 CFR 211.194(a)(8)
Audit trail review procedures document ‘review by exception’ methodology	No procedure for audit trail review or ‘review by exception’	EU GMP Annex 11 Clause 12.4
Audit trail data archived and retrievable throughout retention period	Audit trail data not properly archived or accessible	21 CFR 211.180
Audit trail entries investigated when unexplained or suspicious activities detected	Suspicious activities in audit trails not investigated	FDA Data Integrity Guidance
Audit trail review findings documented and followed up appropriately	Audit trail review findings not documented or followed up	21 CFR 211.192

6. Laboratory Records & Documentation

Audit Point	Red Flags to Identify	Regulatory Reference
Laboratory records include complete data from all tests per 21 CFR 211.194(a)	Incomplete laboratory records missing critical test data	21 CFR 211.194(a)
Original records retained as primary source documents	Copies used instead of original records without proper controls	21 CFR 211.180
True copies clearly identified and controlled throughout lifecycle	Poor copy controls with no identification of true copies	21 CFR 211.180
Corrections made without obscuring original entries, signed, dated, and justified	Use of correction fluid, white-out, or scratching out original entries	EU GMP Chapter 4.7-4.9
Sequential page numbering maintained without missing pages	Missing pages or out-of-sequence page numbering	21 CFR 211.194(a)(3)
Weight slips and balance printouts retained for all weighing activities	Missing weight slips or balance printouts for critical tests	21 CFR 211.194(a)(3)
Batch records reviewed by second person before product release	No evidence of second person review of laboratory records	21 CFR 211.194(a)(8)
Laboratory notebooks and logbooks completed contemporaneously	Back-dating of entries or non-contemporaneous documentation	21 CFR 211.160(a)
All supporting documentation (certificates, standards, reagents) maintained	Missing supporting documentation for analytical testing	21 CFR 211.194(a)

7. Microbiological Testing

Audit Point	Red Flags to Identify	Regulatory Reference
Environmental monitoring data recorded contemporaneously	Environmental monitoring data recorded retrospectively	21 CFR 211.113
Microbial growth observations documented accurately (no ‘nil’ recordings when growth present)	Systematic recording of ‘nil’ growth when contamination present	21 CFR 211.194(a)
Media preparation and sterilization records complete and traceable	Incomplete media preparation records or missing sterilization data	USP <1116>
Incubation conditions monitored and documented continuously	Gaps in incubation monitoring records	21 CFR 211.113
Personnel monitoring results recorded without manipulation	Manipulation of personnel monitoring results to show compliance	21 CFR 211.113
Laboratory investigations conducted when contamination detected	No investigations conducted when contamination detected	21 CFR 211.192

8. Out-of-Specification (OOS) Investigations

Audit Point	Red Flags to Identify	Regulatory Reference
OOS results investigated immediately per established procedures	OOS results not investigated or investigations inadequate	21 CFR 211.192
All test results reported regardless of pass/fail status (no selective reporting)	Selective reporting of test results (only reporting passing results)	21 CFR 211.194(a)
Retest procedures clearly defined and scientifically justified	Retesting without proper procedures or scientific justification	21 CFR 211.165(e)
OOS investigation reports complete with root cause analysis	Incomplete OOS investigations without proper root cause analysis	21 CFR 211.192
CAPA implemented based on OOS investigation findings	No CAPA implemented following OOS investigations	21 CFR 211.100(a)

9. Personnel & Training

Audit Point	Red Flags to Identify	Regulatory Reference
Staff trained on data integrity principles and consequences of violations	No data integrity training provided to laboratory staff	21 CFR 211.25
Individual accountability established through unique login credentials	Shared accountability with no individual responsibility	21 CFR 211.68(b)
Analyst competency assessed and documented	Incompetent analysts performing critical testing	21 CFR 211.25(a)
Regular refresher training provided on good documentation practices	No refresher training on documentation practices	EU GMP Chapter 4
Conflict of interest policies implemented to prevent data manipulation pressure	Pressure from management to meet production targets at expense of data integrity	21 CFR 211.22
Whistleblower protection programs established for reporting violations	No mechanism for reporting data integrity violations without retaliation	FDA Data Integrity Guidance

10. Data Backup & Archiving

Audit Point	Red Flags to Identify	Regulatory Reference
Regular automated backups performed and tested for data recovery	No backup procedures or backups not performed regularly	21 CFR 211.68(b)
Backup data stored securely and protected from unauthorized access	Backup data not protected or accessible to unauthorized personnel	21 CFR 211.68(b)
Data retention periods established per regulatory requirements	Undefined data retention periods or premature data destruction	21 CFR 211.180
Archived data periodically tested for readability and integrity	Archived data not tested for readability or integrity	21 CFR 211.180
Disaster recovery procedures tested and documented	No disaster recovery procedures or procedures not tested	21 CFR 211.68(b)

11. Computer System Validation

Audit Point	Red Flags to Identify	Regulatory Reference
Computer systems validated according to GAMP guidelines	Computer systems not validated or validation documentation inadequate	EU GMP Annex 15
Change control procedures implemented for system modifications	System changes made without proper change control	EU GMP Annex 15
System installation, operational, and performance qualifications completed	Missing qualification documentation (IQ/OQ/PQ)	EU GMP Annex 15
Periodic review of system performance and security conducted	No periodic review of system performance or security	EU GMP Annex 15
Vendor audits performed to assess data integrity capabilities	Vendors not audited for data integrity capabilities	GAMP 5

12. Management Oversight

Audit Point	Red Flags to Identify	Regulatory Reference
Senior management commitment to data integrity demonstrated	Management not committed to data integrity or unaware of requirements	ICH Q10
Quality unit oversight of data integrity program established	Quality unit not exercising proper oversight of laboratory operations	21 CFR 211.22
Regular management review of data integrity metrics and trends	No management review of data integrity performance	21 CFR 211.22
Corrective and preventive actions (CAPA) system effective for data integrity issues	Ineffective CAPA system for addressing data integrity issues	21 CFR 211.100(a)
Internal audit program includes data integrity assessments	No internal audit program or audits do not address data integrity	21 CFR 211.100(a)

Common FDA 483 Observations Summary

The following table summarizes the most common FDA 483 observations related to data integrity, categorizing them by area, risk level, and effective detection methods for auditors.

Category	Common FDA 483 Observation	Specific Examples from FDA 483s	Risk Level	Detection Methods
Laboratory Records	Laboratory records do not include complete data derived from all tests necessary to ensure compliance (21 CFR 211.194(a))	Batch records lacking component quantities, operational steps, personnel initials, and time logs	Critical	Review batch records for completeness and cross-reference with specifications
Laboratory Records	Failure to ensure that original records have been reviewed for accuracy, completeness, and compliance (21 CFR 211.194(a)(8))	QC test results not reviewed by second person before batch release	Critical	Verify second person review signatures and dates on all analytical reports
Laboratory Records	Laboratory records missing weight or measure of sample used (21 CFR 211.194(a)(3))	Balance printouts and weighing tickets missing from analytical testing records	High	Check that weight slips and balance printouts are attached to test records
Laboratory Records	Incomplete batch production and control records (21 CFR 211.188(b))	Production batch records missing dates, amounts, and identity of personnel weighing materials	High	Audit batch production records for required documentation elements
Laboratory Records	Missing or destroyed original CGMP documents found in waste areas/trash bins	Torn laboratory records found in plastic bags on rooftops and in waste areas	Critical	Physical inspection of waste areas and examination of discarded documents
Laboratory Records	Laboratory notebooks and logbooks not completed contemporaneously or containing gaps	Laboratory notebooks with missing pages and out-of-sequence numbering	High	Review sequential page numbering and look for missing or replaced pages
Electronic Systems Control	Failure to exercise appropriate controls over computer systems (21 CFR 211.68(b))	Desktop computers containing APR spreadsheets left unlocked with universal access	Critical	Test system access controls and verify user privilege restrictions
Electronic Systems Control	Inappropriate access privileges allowing unauthorized data modifications	Laboratory personnel with administrator rights allowing file/folder modifications	Critical	Review user account lists and check for shared or generic accounts
Electronic Systems Control	Shared user accounts and passwords compromising individual accountability	LIMS samples created and cancelled without adequate controls or justification	High	Examine LIMS audit logs for unauthorized sample creation/cancellation
Electronic Systems Control	No audit trail or inadequate audit trail implementation on critical systems	Computer systems lacking controls to prevent deletion of electronic raw data	Critical	Verify audit trail configuration and test if it can be disabled by users
Electronic Systems Control	Electronic data deletion without proper documentation or authorization	Hundreds of unauthorized ‘Add/Modify/Delete peaks’ actions in electronic data	Critical	Analyze electronic data for evidence of unauthorized deletions or modifications
Chromatography Data Integrity	Missing chromatographic raw data files or selective retention of data	HPLC chromatograms missing from batch records for tested lots	Critical	Cross-reference analytical methods with actual injection sequences used
Chromatography Data Integrity	Sequential injection numbering gaps indicating possible data deletion	Different injection sequences used than specified in approved analytical methods	Critical	Review file naming conventions and check for sequential gaps in data files
Chromatography Data Integrity	Inappropriate peak integration or reprocessing without proper justification	Missing injection results not reported in chromatographic runs	High	Examine integration parameters and verify authorization for changes
Chromatography Data Integrity	HPLC/GC method parameters changed without proper documentation	Excel spreadsheets used for calculations without proper validation or raw data retention	High	Compare Excel calculation files with original raw data sources
Chromatography Data Integrity	System suitability test failures not properly investigated	System suitability failures not cross-referenced with instrument logs	High	Cross-reference SST failures with corrective actions in instrument logs
Chromatography Data Integrity	Sample sequence modifications without adequate controls	Manual integration parameters changed without documentation	High	Review processing methods and verify approval for manual integration
Quality Control Unit Failures	Quality control unit failed to exercise responsibility (21 CFR 211.22)	Quality unit releasing batches without completing all required testing	Critical	Review quality unit authority and oversight procedures
Quality Control Unit Failures	Quality unit approval of certificates of analysis prior to completing all testing	COAs approved and signed before analytical testing was performed	Critical	Check timing of COA approval against completion of analytical testing
Quality Control Unit Failures	Inadequate investigation of out-of-specification results	OOS results of 97.8% (specification 98.0-102.0%) released without investigation	Critical	Examine OOS investigation files for completeness and scientific justification
Quality Control Unit Failures	Release of products based on retesting without proper investigation	Laboratory manager admitting to fabricating investigations for FDA inspection	Critical	Verify that batch release decisions are based on complete analytical data
Microbiological Testing	Environmental and personnel monitoring results falsified	Microbial growth observed on monitoring plates but recorded as ‘Nil’ growth	Critical	Compare visual observations of microbial plates with recorded results
Microbiological Testing	Incomplete microbiological testing records or missing incubation data	Environmental monitoring data showing higher values after ‘extra readings’	High	Review environmental monitoring trends for unusual patterns
Microbiological Testing	Media preparation and sterilization records incomplete or missing	Personnel monitoring results manipulated to show compliance	High	Cross-reference personnel monitoring results with actual observations
Microbiological Testing	Microbial growth observations not accurately documented	Incubation conditions not properly monitored or documented	High	Verify incubation monitoring records against actual facility conditions
Data Manipulation/Falsification	Deliberate alteration or fabrication of analytical test results	Production manager falsifying signatures in ‘Prepared By’ and ‘Checked By’ sections	Critical	Interview laboratory personnel about data handling practices
Data Manipulation/Falsification	Back-dating of analytical testing and documentation	Laboratory tests fabricated in preparation for FDA inspection	Critical	Review analytical records for evidence of physical alterations
Data Manipulation/Falsification	Use of correction fluid or physical alteration to hide original data	Acetic acid poured on analytical balance slips to destroy evidence	Critical	Examine waste areas for destroyed or discarded original documents
Data Manipulation/Falsification	Creation of false laboratory investigations and reports	WhatsApp used to transmit QC documentation to avoid official records	Critical	Check computer systems for evidence of data manipulation software
Data Manipulation/Falsification	Analysts admitting to data falsification during FDA interviews	QC analyst taking home facility’s only computer containing critical data during inspection	Critical	Compare original data files with final reported results
Audit Trail Deficiencies	Audit trails disabled, turned off, or not reviewed regularly	General users able to switch off audit trails on critical systems	Critical	Verify audit trail functionality through system testing
Audit Trail Deficiencies	Incomplete audit trail entries missing date, time, or user identification	Audit trail entries showing data modifications without reasons for change	High	Review audit trail entries for completeness and consistency
Audit Trail Deficiencies	No procedures for reviewing audit trail entries (‘review by exception’)	No evidence of routine audit trail review by quality unit	High	Check quality unit procedures for audit trail review requirements
Audit Trail Deficiencies	Audit trail data not properly archived or retrievable	Archived audit trail data not readable or accessible	High	Test data retrieval capabilities for archived audit trail information
Equipment/Instrumentation	Laboratory instruments not meeting calibration specifications	HPLC, GC, and UV spectrophotometers not meeting calibration specifications	High	Review instrument calibration certificates and compare with specifications
Equipment/Instrumentation	Missing instrument qualification and validation documentation	Perkin Elmer UV Spectrophotometer failures not investigated before retirement	High	Examine equipment qualification documentation for completeness
Equipment/Instrumentation	Preventive maintenance performed immediately before calibration affecting accuracy assessment	Equipment opened and parts changed during preventive maintenance affecting calibration	Medium	Verify maintenance schedules and check impact assessments
Equipment/Instrumentation	No backup systems available when primary instruments fail	Analytical instruments used for commercial release without proper qualification	Medium	Test backup instrument availability and qualification status
Documentation Practices	Poor documentation practices violating Good Documentation Practice (GDP) principles	Use of correction fluid and physical scratching to alter original entries	High	Review documentation for adherence to GDP principles
Documentation Practices	Non-contemporaneous record completion and back-dating	Laboratory activities not recorded in instrument logbooks or timing mismatches	High	Check document dating against actual activity performance dates
Documentation Practices	Missing signatures, initials, or proper identification on critical documents	Data copying from previous batches instead of conducting actual analysis	High	Verify signature/initial requirements and check for missing documentation
Documentation Practices	Inadequate correction procedures that obscure original entries	Missing second person review signatures on critical laboratory documents	High	Examine correction procedures and verify original entries remain visible

Data Integrity Investigation Framework

When a data integrity violation is identified, a structured, 10-phase investigation is essential to understand the scope, assess the impact, determine the root cause, and implement effective remediation. The following framework provides a systematic approach.

Investigation Phase	Key Activities	Deliverables/Documentation	Timeline (Days)	Responsible Party
1. Initial Assessment	Document the specific violation; Establish investigation team; Define timeline and milestones; Secure all potentially affected data and systems; Notify senior management	Incident report; Team charter; Investigation protocol; Chain of custody docs; Management notification	1-2	Quality Unit, Senior Management, IT
2. Scope Definition	Identify affected products, batches, time periods; Determine which systems and processes to include; Define geographical scope; Establish inclusion/exclusion criteria	Scope definition document; List of affected items; System/process maps; Risk assessment for scope	3-10	Investigation Team
3. Data Collection	Preserve all electronic and paper records; Collect audit trail data; Gather backup files and archived data; Document system configurations and user access; Obtain training records	Evidence inventory; Audit trail extracts; Backup verification; System configuration docs; Training records	5-20	Investigation Team, IT, HR
4. Evidence Analysis	Analyze audit trails for suspicious patterns; Compare electronic vs. paper records; Look for evidence of manipulation/deletion; Identify discrepancies between raw data and final reports; Examine metadata and timestamps	Audit trail analysis report; Discrepancy analysis; Data manipulation evidence; Comparison matrices; Metadata analysis	15-40	Investigation Team
5. Personnel Interviews	Interview current and former employees; Use qualified third-party investigators for sensitive interviews; Document all interviews with witness statements; Ensure confidentiality	Interview protocols; Transcripts; Signed witness statements; Third-party investigator report	20-60	Third Party/Investigation Team
6. Impact Assessment	Assess impact on product quality and patient safety; Determine affected batches; Evaluate need for product recall; Assess impact on regulatory submissions; Calculate financial consequences	Product quality impact assessment; Batch disposition evaluation; Patient safety risk assessment; Regulatory impact analysis	30-120	Investigation Team
7. Root Cause Analysis	Identify immediate, intermediate, and root causes using structured methodologies (5-Why, Fishbone); Examine organizational, procedural, and technical factors; Identify system vulnerabilities	Root cause analysis report; Cause and effect diagrams; System vulnerability assessment	45-180	Investigation Team
8. Corrective Actions	Implement immediate containment; Develop comprehensive CAPA plan; Address system vulnerabilities; Implement additional controls and oversight; Retrain personnel	Containment documentation; CAPA plan; System remediation specs; Enhanced procedures; Retraining records	60-365	Quality Unit, IT, Training Dept.
9. Preventive Actions	Strengthen data governance and oversight; Implement enhanced audit trail review procedures; Improve system access controls; Establish ongoing data integrity monitoring	Preventive action plan; Enhanced governance procedures; Improved audit trail review SOPs; Strengthened access controls	90-365+	Quality Unit, IT
10. Monitoring & Verification	Monitor effectiveness of implemented CAPAs; Conduct follow-up audits; Verify preventive actions are working; Report progress to management and regulatory authorities	CAPA effectiveness reports; Follow-up audit results; Verification documentation; Progress reports	365+	Quality Unit, Senior Management

Key Detection Methods and Critical Risk Indicators

Advanced Audit Techniques

• Electronic Systems Auditing: Go beyond documentation. Actively test system access controls, attempt to disable audit trails, review user account lists for shared/generic accounts, and analyze electronic data for evidence of unauthorized deletions or modifications.
• Chromatography Data Review: Scrutinize the data itself. Cross-reference methods with actual injection sequences, check for sequential gaps in file numbering, verify integration parameters and authorization for any changes, and always compare raw data files with the final reported results.
• Physical Evidence Collection: Don’t overlook the physical environment. Inspect waste areas for discarded original documents, examine lab notebooks for missing or replaced pages, ensure all balance printouts and weighing tickets are retained and attached to records, and review how corrections are made to ensure GDP compliance.

Critical Risk Indicators to Monitor

Immediate Red Flags

• Missing or disabled audit trails.
• Shared login credentials or passwords visible on workstations.
• Sequential gaps in analytical data file numbering.
• Back-dated entries or non-contemporaneous documentation.
• Torn, shredded, or otherwise destroyed records in waste areas.

Systematic Issues

• Pressure on analysts from management to meet production targets.
• Absence of a robust second-person review process for critical data.
• Inadequate OOS investigations or routine retesting into compliance without scientific justification.
• A management culture that lacks awareness or commitment to data integrity principles.

Regulatory Expectations and Compliance

Your audit approach must align with current global regulatory guidance. Key documents include:

• FDA: Data Integrity and Compliance With Drug CGMP Questions and Answers Guidance for Industry (2018)
• MHRA: ‘GXP’ Data Integrity Guidance and Definitions (2018)
• PIC/S: PI 041-1 Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments (2021)
• WHO: Annex 4, Guideline on data integrity (2021)

---

Special Focus: Review Plan for Chromeleon Chromatography Data System (CDS)

A detailed review of a CDS like Chromeleon is critical. This plan outlines a systematic approach aligned with GMP, 21 CFR Part 11, MHRA, and PIC/S guidance.

1. Preparation and Prerequisites

• Obtain all Chromeleon CDS SOPs (user management, data handling, audit trail review, etc.).
• Review regulatory expectations (21 CFR Part 11, MHRA GxP, PIC/S PI-041) to ensure local policies are compliant.

2. User Management and Security Controls

• Confirm each user has a unique login; no shared accounts exist.
• Verify role-based access controls are appropriately set for analysts, reviewers, and administrators.
• Ensure administrator rights are strictly limited and justified.

3. Electronic Record Configuration and Validation

• Confirm the CDS has been fully validated for its intended use, with documentation for the current version and configuration.
• Verify that critical items like instrument methods, processing templates, and report formats are version-controlled and changes are restricted to authorized personnel.

4. Audit Trail Functionality and Review

• Validate that audit trails are enabled globally and cannot be disabled by users.
• Check that audit trails capture essential metadata (who, what, when, why).
• Conduct a detailed review of recent analyses, looking for unauthorized modifications, data deletion, unexplained reprocessing, and gaps in sample numbering.
• Ensure a second-person review of audit trail data is performed and documented for each batch.

5. Electronic Signatures and Data Locking

• Test that electronic signatures comply with 21 CFR Part 11, securely linking the signature to the record and locking the data from further changes.

6. Data Backup, Storage, and Accessibility

• Review automated backup schedules, data retention policies, and archival procedures.
• Verify that backups are tested for successful recovery and that archived data remains accessible and readable throughout its retention period.

7. Change Management and System Suitability

• Confirm that all system updates, configuration changes, or software upgrades follow a documented change control process.
• Review system suitability testing procedures to ensure failures are investigated, not simply repeated without justification.

8. Continuous Monitoring and Training

• Implement regular trending of audit trail events and user activity to detect patterns of concern.
• Verify that all personnel using the CDS have received up-to-date training on system use, data integrity principles, and audit trail review procedures.

Required Audit Trail Checks for Chromeleon

• User Account Changes: Creation, modification, or deactivation of user accounts; changes to user roles or privileges.
• System Configuration: Changes to software settings, method parameters, sequence tables, and report templates.
• Data Acquisition & Processing: Sample injections, manual integrations, peak reprocessing, and result recalculations must be logged with justification.
• File Management: Opening, modifying, deleting, or moving raw data or result files must be tracked. Look for gaps in file numbering.
• Reporting & Signatures: Who generated, modified, and electronically signed each report, ensuring a link to the corresponding raw data.
• Audit Trail Review Events: Documentation of periodic reviews, including the reviewer, scope, findings, and any follow-up actions.
• System Changes: Tracking of system upgrades, installations, or configuration changes via a change control process.
• Backup & Restoration: Verification of backup and restoration events, including tests of archived data readability.

Recommended Audit Trail Templates for Chromeleon Review

1. Audit Trail Review Log

Review Date	Reviewer Name	System/Project Reviewed	Scope of Review (e.g., Batch Nos.)	Findings / Observations	Actions Required	Signature

2. Manual Integration / Reprocessing Log

Date/Time	User	Sample ID	Change Type (e.g., Manual Integration)	Reason / Justification	Reviewer	Outcome

3. Suspect Event / Exception Tracking Sheet

Event Date	Event Type	User	Description of Event	Action Taken	Investigation Outcome	CAPA No.