Guest Column | November 26, 2018

Advanced Auditing Strategies To Detect Data Integrity Risks

By Joy McElroy, Maynard Consulting Company


Data integrity is essential in the pharma, biologics, and medical device manufacturing industries. Not only is complete, accurate, and reliable data necessary to assure drug safety and quality, the growing reliance on increasingly sophisticated digital systems means that issues relating to data integrity are increasingly complex. As a result, auditing is more critical than ever. Assessments of data integrity require auditors to be highly conscientious and skilled at detecting problems. Auditors have to diligently assess all data generated throughout the manufacturing process to prevent their organizations from becoming vulnerable to serious problems.

The following outlines a road map to follow when planning and setting up internal audits for data integrity risks.

Preparing For The Audit

The first goal of an effective data integrity audit is to precisely identify any existing data or metadata that is going unnoticed. This will include deleted data, reprocessed data, data that is being misused, or data that isn’t receiving a final review during batch record disposition.

You will need to start by defining any chances or opportunities for breaches or misuse of data. After defining these problematic areas, put together an audit agenda to prioritize high-risk areas. This will make the best and smartest use of time and resources.

Identify specific occasions that will cause compliance issues and review system controls and requirements that are currently in place, including access controls, management controls, file structure, and data management across the entire data life cycles.

Next, track down any issues that may lead to data integrity breaches. Remember, these breaches may not all be apparent or easily detected. A company culture that rewards and encourages thoroughness and complete results is the best way to minimize data integrity issues. Avoid creating an atmosphere that encourages speedy results, as this will cause issues to go undetected and will increase concerns and controversy about data integrity .

Begin by narrowing your focus to identify incentive structures grounded in the methods and processes that are deeply rooted into your manufacturing organization. These may be issues such as development and method transfer, which can be difficult to detect, and will continue to receive 483s and warning letters from the FDA.

Next, identify and recognize other potential inadequacies. This allows auditors to focus on a high-risk dataset. A good place to start is out of specifications (OOSs) and stability systems. Auditors should look for products with high rates of OOS, especially those that go to Phase 2 investigations and those that do not conclude in a definitive laboratory error. Be conscious and recognize stability specifications that are highly restrictive. They may be a test for the established expiration period.

Once these opportunities have been identified, select an extensive dataset over a predetermined time frame and then trace all data generated from the beginning to the final reporting.  This strategy will provide the highest probability of finding data integrity breaches.

Conducting The Audit

How you conduct the audit is one of the most important aspects of the process. Always be professional, and remember to facilitate a comfortable environment for the audited party. It is important to make the auditee feel at ease disclosing information.

After entering the department or facility under audit, identify the employee hierarchy. While management should be present during the audit, the majority of time is best spent with the frontline employees. Allow employees time to answer questions pertaining to their work responsibilities. Do not rely on managers to provide all critical data, because managers may not be completely knowledgeable of the specific processes under review.

The primary objective of an audit is to receive complete information in a restricted time frame. A significant amount of data must be collected and numerous systems must be covered. By facilitating openness during the audit, the auditor can maximize the amount of data collected.

Another approach involves focusing on those processes that could most affect the quality of the product or results. Identify these fairly quickly by reviewing process flowcharts, identifying critical process parameters, listing test methods, and examining SOPs. The flexibility to change course is critical. Remember, the auditor may get a sense during the initial walk-through that something is not exactly right with particular processes or operations.

Reviewing summary reports is critical to help identify potential trends. Do not, however, completely rely on them to measure the acceptability of a system. It is crucial to review the raw data because this is where the critical GMP operations are taking place. It is imperative to understand the chain of events, beginning with running of sample sets to the initiation of OOS investigations and, ultimately, the compilation of the summary report. If any part of this chain is missing, it signifies a gap in the ability to draw conclusions regarding the department’s or facility’s adherence to GMP requirements.

If significant inconsistencies are discovered, gather as much information as possible without placing judgement. Take particular notice if excessive workloads are leading to non-GMP practices. This additional information will provide management with the root cause of the problems as well as potential solutions.

Concluding The Audit

During the conclusion of the audit, document all objectionable conditions observed in data integrity controls, oversight and governance, and outcomes. If data integrity breaches are not observed, do not conclude that such breaches do not exist. Remember, 100 percent verification may be logically impossible. Document any existing conditions that show potential opportunities for data integrity breaches due to inadequate controls or inappropriate motivation. Identify these conditions based on the facts observed. These conditions might result in a basis for extending or refocusing the audit to ensure the evaluation is complete.

When it comes to orphan data, explain all findings related to its discovery. If orphan data is found, determine the type and conditions that allowed for the existence of such data to occur. Conditions may be those such as “deleted data as a result of unrestricted authorizations to modify data,” or “data residing in electronic systems, unreported and undiscovered due to a lack of consistent file naming and review of data in an electronic system.”

The presence of orphan data and its impact must be addressed, including evaluating data for OOS results. Further action may include reporting through the Field Alert Reporting (FAR) system or Biological Process Deviation Report (BRDR) and recall assessment. Retrospective evaluation of broader datasets may be appropriate when conditions are observed that allow for additional orphan data. Any new orphan data will need to be evaluated fully.

Correcting Issues

Corrective and preventive action planning should take place once the data assessment is complete. This should include consideration of all interim controls. These may be a necessity when longer-term technological solutions leave open areas for substantial risk. Interim controls may include additional periodic review of datasets, requiring the “four” eyes principle for systems without adequate audit trails, or review of reprocessing and/or manual integration parameters that are not adequately controlled. CAPAs will need to be put in place and carefully planned to remediate issues and to improve controls of the systems, interfaces, and oversights. Managers should monitor CAPA plans to ensure adequate progress and risk management.

Consider instituting a data integrity improvement map. It is a useful tool to illustrate the progress of improvements and controls over the course of time. This tool is helpful in ensuring the full situation is considered and carefully managed and includes description of controls, limitations, immediate mitigation, interim controls, planned next steps, and timing.


Maintaining data integrity is difficult. However, it is essential in regulated industries, where patients’ health and lives are at stake. All decisions in the GMP manufacturing environment rest on the reliability of generated data, and global regulatory authorities are increasingly focusing on the quality of data in their roles as protectors of the public health. Thoroughly auditing these high-risk environments is critical to business viability, continuity, and competitive advantage.

About The Author:

Joy McElroy is the founder and principal consultant at Maynard Consulting Company, which provides services in validation engineering, process engineering, quality control, and quality assurance. McElroy began her career in the pharmaceutical industry performing environmental monitoring and sterility testing, and then moved into a supervisory role overseeing quality control. From there, she moved into quality assurance, and then into equipment qualification and process validation. In addition to consulting, she also develops and delivers webinars, on-site training, and seminars in areas such as technical writing, equipment qualification, cleaning validation, FDA audit preparation, and more.

McElroy earned her B.S. in zoology from North Carolina State University. You can reach her at or connect with her on LinkedIn.