A quick guide to a data integrity audit
We explain the steps to follow to perform a data integrity audit in highly regulated sectors.
Data integrity is one of the points that can present a high risk and generate serious vulnerability problems if not managed with guarantees.
Therefore, the data integrity audit is essential to review and evaluate compliance with the appropriate conditions and recommend elements of improvement in this area for any company, including those working in highly regulated environments, such as the manufacture of medicines or medical devices.
The sophistication of computerized environments, in the digital age, makes the problems affecting these organizations increasingly complex. For these reasons, today we would like to share a brief guide to perform an effective data integrity audit. This will be of great help both to organizations undertaking the task for the first time and to those wishing to improve their current principles and strategies.
A quick guide to data integrity auditing
Keeping a data record intact is not an easy task. The risk factors are many: the number of people who can access the information, viruses, unauthorized remote access, natural events… In addition, the objective of a data integrity audit is also to detect any existing data or metadata that has gone unnoticed. Therefore, it is necessary to search within the deleted data, the reprocessed data, those that are used incorrectly or those that are not reviewed during the final disposal stage of a batch.
Given the difficulties we may encounter in this data integrity audit process, following the following 4 steps makes the task much easier:
Step 1: Establish objectives for the data integrity audit
A good starting point is to define the sources of violations or misuse of data. In this way, there will be a clear vision of the areas that can present greater problems, which will allow to guide the activities and to optimize the use of time and of the human, technical and economic resources destined to the audit of data integrity.
Identifying the circumstances that facilitate compliance issues can be easier for the auditor to focus on the controls and system requirements in place. Access control, management control, file structure, and data management throughout the data life cycle are some good starting points to begin the task.
The next step is to find factors that may be causing transgressions to the integrity of the data, either through the corporate culture, methods or processes in place. Company policies that encourage or reward rapid results are a recurring example of such factors.
Finding high-risk targets, where most problems are concentrated, may be easier by following these tips:
- Identify products that register high rates of OOS (out of specification), especially those that undergo phase II investigations and products that do not conclude in a definitive laboratory error.
- Pay special attention to stability specifications that are highly restrictive or compromise the established expiration period.
- Once the high-risk areas have been identified, select a broad data set, over a defined period of time, and track all data from the beginning to the end of the report. If there is a data integrity problem, this process will most likely reveal an indicator of something that needs to be addressed further.
Step 2: Carry out the audit
In all audits, not just data integrity audits, it is important to create a cordial and collaborative environment between auditors and auditees. It is important that audited employees understand why a data integrity audit is being performed, what the objectives are and what expectations are being considered at the end of the task.
Thus, the work undertaken will have high chances of success. In practice, these steps should be followed:
- Consult the administrator or director of the area or department, to understand the hierarchical structure. This will make it easier to identify “process owner” employees on whom to focus the work. It is very common to find managers or directors who insist on answering the questions asked of their subordinates. This is behavior that should be considered as suspicious and turn on the alerts to deepen the investigation.
- Adopt a risk-based approach to prioritize data integrity audit activities. One of the most practical approaches to optimize time is to focus on the processes that have the greatest impact on outputs and outcomes. It is easy to identify them in flow charts, for example.
- Be wary of summary reports. They are useful for getting an overview of how a process or procedure is performed, but are not acceptable as evidence of compliance. The most important components of good manufacturing practices (GMP) can only be evaluated by examining raw data.
- To be conciliatory and diplomatic when facing discrepancies. In situations of data inconsistency, it is necessary to avoid making judgments or criticisms. The most prudent thing is to deepen the investigation and information gathering, thus trying to clarify the problem and establish the root cause.
The latter is a key aspect of an audit: the collection of evidence. The quality of the investigations that are initiated on the basis of the findings or suspicions detected will depend largely on the evidence that is collected when the problem is first discovered. This evidence includes photographs, electronic copies, and even testimonials from responsible employees.
Step 3: Document
During the final phase of the audit, it is necessary to document all problematic or questionable conditions discovered in the evaluation and investigation phase.
It should not be concluded definitively that there are no data integrity gaps just because no findings were recorded to show this. If specific conditions suggest that problems are likely to occur due to inappropriate controls or incentives, this should be documented and close follow-up recommended.
When “orphan data” are discovered, the finding and the conditions that allowed for the existence of such data should also be noted. Examples of such conditions may be “data deleted as a result of unrestricted authorizations to modify data” or “data residing in electronic systems, undeclared and undiscovered due to lack of file designation and review of the data in an electronic system.
Step 4: Corrective Actions
In response to any post-evaluation activity, corrective and preventive actions (CAPA, Corrective Actions and Preventive Actions) must be taken.
These are especially useful in situations that require long-term technological solutions. They may include routine reviews of risk data sets, more extensive monitoring of systems that have shown problems, or manual review of reprocessing and data integration when parameters are not under adequate control.
Your company may need help defining and implementing a data integrity policy. At Oqotech we have over ten years of experience supporting industries in highly regulated sectors. Contact our team and we will help you with everything you need.