Top 10 Data Integrity Requests During a Life Sciences Audit

Picture of Dr Eva Kelly

In today’s life sciences industry, ensuring data integrity is crucial to maintaining regulatory compliance, particularly when dealing with GMP systems. Whether your company is navigating new manufacturing operations, launching a product in a new market, or adopting a risk-based approach for the first time, understanding what auditors look for is essential. Audits focused on data integrity are not just about broad site-wide assessments—they can also focus on specific systems or third-party vendors supporting your operations.

This blog will walk you through the key aspects of a life sciences system audit and provide insights into the Top 10 Data Integrity Requests auditors are likely to make.

Types of Data Integrity Audits

A data integrity audit can take several forms, depending on the scope and nature of the system or process under review. Here are four common types of data integrity audits in the life sciences sector:

  • Site data integrity audits: These involve a holistic review of the entire life sciences site, encompassing multiple systems, processes, and departments to ensure consistent data integrity practices across the organization.

  • System-specific audits: These focus on a particular GxP system and its use, ensuring its compliance with data integrity standards.

  • Vendor audits: If your company works with Contract Manufacturing Organizations (CMOs), Contract Research Organizations (CROs), or other CxOs, a data integrity audit may focus on your vendor's processes and systems to ensure they are meeting an appropriate standard.

  • Third-party IT vendor audits: Many life sciences companies rely on third-party IT vendors to manage GxP systems. Auditors will assess how these vendors manage your data and assure its integrity within their hosted solutions.

Each type of audit brings unique challenges, but all require confirmation that effective data integrity governance exists, supported by strong SOPs, proper validation, and adherence to regulatory standards like 21 CFR Part 11, Annex 11, and GAMP5.

Stages of a Data Integrity Audit

For this blog post, we are going to focus on a System-specific audit type. This type of audit zooms in on a particular GxP system, assessing its compliance with data integrity principles and regulatory requirements.

A typical data integrity audit of a GxP system involves several phases - we will focus on 3 in this article (we are excluding any initial planning and closeout phases so we can focus our attention to the system itself):

  1. Review of SOPs and governance: Auditors will first examine your standard operating procedures (SOPs) and governance policies to understand how you control data integrity for the system and its use.

  2. Review of supporting GxP records: Next, auditors will focus on key records related to the system’s operation. This can include completed or in progress validation documentation, change controls, deviations, and other relevant GxP data.

  3. ‘Show and tell’ demonstration: Finally, a subject matter expert (SME) will be asked to demonstrate the system in action. This demonstration will showcase how the system functions, how data is captured, and how it complies with data integrity standards.

Top 10 Data Integrity Requests

To ensure your life sciences system can stand up to an audit, here are the top 10 data integrity requests that auditors are likely to make during review of procedures and supporting GxP records:

  1. Data Governance and SOPs

    • Auditors will review your company’s data governance framework, ensuring you have policies in place to maintain the accuracy, completeness, consistency, and security of your data.

    • They’ll check your SOPs to see if they align with regulatory expectations, such as ALCOA plus principles, which emphasize the attributes of data integrity: Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, and Available. They may also look for more compliance evidence with regulations such as FDA 21 CFR part 11 or EudraLex Volume 4 Annex 11

  2. Inventory List

    • Provide a full inventory list of all systems, especially high-risk ones like a GAMP category 5 system. These systems handle complex functionality and require rigorous validation.

  3. Validation Report

    • Auditors will review your system’s validation report, looking for a clear description of the business need and evidence that proper validation activities (including code review for a GAMP category 5 - customized system), have taken place.

  4. Initial System Assessment

    • An initial assessment (such as a system risk assessment) will be performed to determine the system as GxP, it’s criticality and GAMP categorization to determine further controls, and this document should be available for review.

  5. Requirements Traceability Matrix (RTM)

    • The RTM is critical in demonstrating that each system requirement has been validated and that data integrity controls are in place. Auditors may focus on how risk assessment of requirements was performed and that applicable testing is available to review as a mitigation control.

  6. Admin SOP

    • An SOP for system administrators are crucial, as these individuals often have high-level access to the system. Auditors will ensure that admin tasks, including user account management and system maintenance, are properly governed.

  7. User SOPs

    • User SOPs will also be reviewed to ensure they reflect the business need for the system. Proper user training and documented procedures are essential to maintaining data integrity.

  8. QMS Documentation – Change Controls, Deviations, CAPAs

    • Auditors will request evidence from your Quality Management System (QMS) showing how changes to the system, deviations, and corrective and preventive actions (CAPAs) are documented and managed. They will want to see that all changes and deviations are tracked, assessed for impact on data integrity, and properly approved, ensuring that data remains accurate and reliable throughout the system lifecycle.

  9. Backup and Restore Evidence

    • Auditors will request evidence of successful system backups stored off-site, as well as documentation proving that a restore has been performed successfully to the timelines mentioned in the procedure. Lack of a viable backup could mean the loss of data in the event of a disaster, which is a critical risk that is mitigated through restore testing.

  10. Periodic Review Evidence

    • Auditors will ask for documentation of the last completed periodic review of the system to ensure it continues to meet regulatory requirements and operates as intended. This review should cover system performance, data integrity controls, and any changes or issues identified since the previous review, ensuring that risks are properly assessed and mitigated.

Once the review is complete, a ‘Show and tell’ demonstration will be largely led by the auditor based on any findings so far. System users may be asked to demonstrate procedures in action, while administrators may be asked to demonstrate access controls, user role segregation, and audit trail or modification logs to prove data remains accurate and unaltered.

Conclusion: Preparing for the next audit

Preparing for a data integrity audit can feel overwhelming, but knowing what to expect can make the process much smoother and improve the team’s audit readiness. From reviewing SOPs to providing evidence of successful backups, being ready with the right documentation is key.

At ERA Sciences, we understand the challenges life sciences companies face when ensuring their digital systems are compliant with 21 CFR Part 11, Annex 11, and other regulatory frameworks. To help you navigate these complexities, we offer a comprehensive Data Integrity Course designed specifically for IT Quality leaders in life sciences.

Ready to ensure your systems are audit-ready and compliant? Check out our free course with tips on preparing for a Data Integrity Audit today and gain the expertise you need to protect your organization and ensure patient safety.
, , , , , , ,
Dr Eva Kelly

Dr Eva Kelly

Eva holds a degree in Analytical Science and a PhD in Chemistry from Dublin City University, bringing over 25 years of experience in site solutions and learning management across various sectors, including pharmaceuticals, medical devices, and FMCG. She has specialized as a Data Integrity SME, with expertise in 21 CFR Part 11 and Annex 11 compliance, and has led Data Integrity and QA IT roles within pharma and biotech companies, focusing on GxP SAAS, hosted, and on-premise solutions. Eva is passionate about fostering a culture of Data Integrity (DI) excellence, working directly with clients to implement DI governance strategies that prioritize people, processes, and technology. Over the past decade, she has honed her skills in stakeholder presentations, quality risk management, and the implementation of systems such as SABA Cloud, EtQ Reliance, VEEVA Vault, and Axway Track and Trace, among others. With a deep understanding of DI's evolving role, Eva is dedicated to helping clients achieve thorough GxP record compliance and successful DI initiatives.

Follow me on LinkedIn

Comments

Related posts