Are You Ready for Your Next Data Integrity Audit?
Here's what our auditors look for and how to assess your own readiness heading into 2025.
Data integrity audits come in several forms, each with unique challenges and requirements.
Site-wide assessments examine your entire operation's data integrity practices, while system-specific audits focus on particular GxP systems. Vendor audits evaluate how your partners handle your data, and third-party IT vendor audits assess hosted solutions.
Before we dive into the details, it’s best to start with the most important question that we find many firms don’t like their answer to: When was your last data integrity audit?
We can unpack that question into a few more granular ones that help determine the urgency here:
Have you mapped all your data flows across systems and departments?
Can you clearly define which systems fall under GxP requirements?
Do you maintain an up-to-date inventory of all third-party vendors handling your GxP data?
Have you documented the interfaces between different systems and how data integrity is maintained during transfers?
In our data integrity audit work across hundreds of life sciences organizations, we've noticed a common blind spot: the interfaces between systems. While companies often have robust controls for individual systems, data integrity issues frequently emerge during system transfers. We recently worked with a mid-sized biotech company that discovered their LIMS wasn't maintaining proper audit trails when exporting data to their electronic batch record system. This kind of gap might go unnoticed until an FDA inspector starts asking questions about data lifecycle management.
Another recurring challenge we see is the underestimation of “GxP scope.” Companies sometimes fail to recognize that seemingly peripheral systems (like environmental monitoring systems or calibration management software) can have significant data integrity implications. In one memorable case, a client hadn't included their stability chamber monitoring system in their data integrity program, not realizing that the temperature and humidity data were critical GxP records.
Still need to schedule your 2025 audits? Just a heads up that this has been by far the busiest year for audit planning in recent years. We're seeing RA/QA leaders prioritizing mock inspections, internal site audits, and vendor/supplier audits well into 2025. The FDA says 2025 will be a “crucial year” for working through its inspection backlog. If you have yet to schedule your audits and other compliance assurance projects, be aware that demand for auditors and mock inspectors, particularly from former FDA professionals, is at an all-time high. We urge you to contact us as soon as possible to make sure resources are available for your audit schedule.
Here’s a brief look at what our auditors look for during a data integrity audit and how to assess your own readiness right now. The more uneasy you are with your answers to the questions we’ve peppered throughout this guide, the more important it is to contact us to discuss getting a data integrity expert into your site sooner rather than later.
Documentation review
Auditors typically begin by examining your SOPs and governance policies. They're looking for more than just the existence of procedures — they want to see evidence of a comprehensive data integrity program. This includes clear policies on data handling, security protocols, and audit trail reviews.
Your governance framework should demonstrate how you maintain data integrity throughout the entire data lifecycle, from creation to archival or destruction. Auditors will look for specific controls addressing known vulnerabilities, such as shared login credentials or unauthorized data modifications.
One of the most frequent findings in our audits is incomplete audit trail reviews. While most companies have procedures requiring periodic audit trail review, we often find these reviews are superficial or poorly documented. During a recent audit of a medical device manufacturer, we found its audit trail review procedure called for monthly reviews, but the actual reviews only captured login/logout events, missing critical data modifications and system configuration changes.
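One way to test whether a periodic audit trail review reaches beyond login/logout events is to measure review coverage per event category. The sketch below is an added example, not code from the article or from any vendor's system; the CSV columns, the event names, the category mapping and the `reviewed` flag are all assumptions made for illustration.

```python
import csv
import io

# Constructed audit trail export. Column and event names are assumptions;
# "reviewed" marks whether the periodic review examined the entry.
AUDIT_TRAIL_CSV = """timestamp,user,event,record_id,reviewed
2024-03-01T08:02:11,asmith,LOGIN,,yes
2024-03-01T08:15:40,asmith,RESULT_MODIFIED,S-1042,no
2024-03-01T09:01:05,asmith,LOGOUT,,yes
2024-03-02T10:12:00,admin1,CONFIG_CHANGED,,no
2024-03-02T10:30:00,bjones,LOGIN,,yes
2024-03-02T11:45:19,bjones,RESULT_DELETED,S-1050,no
2024-03-02T12:00:00,bjones,LOGOUT,,yes
"""

# Hypothetical mapping of event names to review categories.
CATEGORY = {
    "LOGIN": "access",
    "LOGOUT": "access",
    "RESULT_MODIFIED": "data_modification",
    "RESULT_DELETED": "data_modification",
    "CONFIG_CHANGED": "configuration",
}


def review_coverage(csv_text):
    """Return ({category: (reviewed, total)}, {category: [unreviewed rows]})."""
    counts, missed = {}, {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Unmapped events land in "unclassified" so they are never silently skipped.
        cat = CATEGORY.get(row["event"], "unclassified")
        reviewed, total = counts.get(cat, (0, 0))
        was_reviewed = row["reviewed"].strip().lower() == "yes"
        counts[cat] = (reviewed + was_reviewed, total + 1)
        if not was_reviewed:
            missed.setdefault(cat, []).append(
                (row["timestamp"], row["user"], row["event"])
            )
    return counts, missed


def coverage_gaps(csv_text):
    """Categories in which at least one audit trail entry was never reviewed."""
    counts, _ = review_coverage(csv_text)
    return sorted(cat for cat, (rev, tot) in counts.items() if rev < tot)
```

On the constructed data every access event was reviewed, while data modifications and configuration changes were not, which is the pattern described in the finding above.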
We've also noticed a trend of companies struggling with the "available" aspect of ALCOA+. In several recent audits, client teams struggled to readily retrieve historical data because they hadn't properly validated their backup and restore procedures. When asked to retrieve data from two years ago, one company spent days trying to restore from backups, only to discover their archive process had corrupted some of the audit trail data.
Review your documentation against these criteria:
Do your SOPs explicitly address each ALCOA+ principle with specific controls?
Have you documented your specific risk assessment methodology for data integrity?
Can you demonstrate how your policies are implemented and enforced?
Do you have clear procedures for handling data integrity incidents?
GxP record examination
During this phase, auditors dig deep into your validation documentation, change controls, and deviation reports. They're looking for patterns that might indicate systemic issues and evaluating how well your organization responds to data integrity challenges.
Your validation documentation should demonstrate thorough testing of data integrity controls, including edge cases and failure modes. Change controls need to show careful consideration of data integrity impacts, with appropriate testing and verification steps.
Change control documentation often reveals interesting patterns. In a few of our recent audits, we've seen a concerning trend of "emergency" changes being used to bypass normal change control procedures. At one company, we found nearly half of their system changes over a six-month period were classified as emergencies. This pointed to deeper issues with their change management process and resource allocation.
Investigation documentation is another area where we frequently uncover issues. Companies often focus on the immediate problem without considering broader data integrity implications. For example, if you investigate a series of analytical test failures, you also need to consider whether other data generated by the same analyst or instrument might be compromised.
Evaluate your GxP records with these points in mind:
Can you trace the full history of any data point in your system?
Do your change controls include specific assessments of data integrity impacts?
How do you verify the effectiveness of your data integrity controls after system changes?
Are your deviation investigations thorough enough to identify root causes of data integrity issues?
Critical system controls
This is always a big problem area. Shared user accounts remain a persistent problem, especially in laboratory environments. In a recent audit, we discovered a quality control laboratory where analysts were sharing a generic "HPLC_User" account for chromatography systems. While the company argued this was more efficient, it completely undermined data attribution and individual accountability.
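Shared accounts often show up in access logs as one account holding open sessions on more than one workstation at the same time. The following detection sketch is an added example, not part of the original article; the event tuple layout, workstation names and timestamps are constructed, and only the `HPLC_User` account name comes from the case described above.

```python
from datetime import datetime

# Constructed sample events: (timestamp, account, workstation, action).
EVENTS = [
    ("2024-05-06T08:00:00", "HPLC_User", "LAB-WS-01", "LOGIN"),
    ("2024-05-06T08:05:00", "jdoe", "LAB-WS-03", "LOGIN"),
    ("2024-05-06T08:20:00", "HPLC_User", "LAB-WS-02", "LOGIN"),
    ("2024-05-06T09:10:00", "HPLC_User", "LAB-WS-01", "LOGOUT"),
    ("2024-05-06T09:30:00", "jdoe", "LAB-WS-03", "LOGOUT"),
    ("2024-05-06T09:40:00", "jdoe", "LAB-WS-04", "LOGIN"),
    ("2024-05-06T10:00:00", "HPLC_User", "LAB-WS-02", "LOGOUT"),
    ("2024-05-06T11:00:00", "jdoe", "LAB-WS-04", "LOGOUT"),
]


def concurrent_use(events):
    """Return {account: [(login time, workstation, other open workstations)]}.

    A finding is recorded when an account logs in on one workstation while
    it still has an open session on a different one.
    """
    open_sessions = {}  # account -> {workstation: login timestamp}
    findings = {}
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e[0]))
    for ts, account, workstation, action in ordered:
        sessions = open_sessions.setdefault(account, {})
        if action == "LOGIN":
            others = sorted(w for w in sessions if w != workstation)
            if others:
                findings.setdefault(account, []).append((ts, workstation, others))
            sessions[workstation] = ts
        elif action == "LOGOUT":
            # Tolerate a logout with no recorded login (e.g. truncated export).
            sessions.pop(workstation, None)
    return findings
```

Sessions that time out without a logout event stay open in this model, so a finding is a prompt to check attribution for that account rather than proof of sharing.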