Scoping the Real Risk of Data Integrity Issues in an Out-of-the-Box eQMS
When a clinical-stage biotech discovered its eQMS didn't have compliant audit trails and access controls, the urgent question was whether its document library was still trustworthy.
We recently shared some observations on how a new eQMS can be underbuilt for the stage a company is entering. Today, we have an actual case study that shows what that risk looks like in a real operation.
A clinical-stage biotech approached us after it ran an internal quality review and found a documentation issue. The eQMS it had been using since its early days wasn’t producing audit trails that met 21 CFR Part 11. The out-of-the-box system also didn’t have genuine access controls. Users could change fields in a document's metadata, and those permissions had been open for a while.
The company’s initial assessment left it unable to determine whether the documentation it had generated remained trustworthy under regulatory requirements. In the worst-case scenario, the issue could call its clinical programs into question. The team recognized that it needed an outside perspective from someone who had scoped similar problems before, and it needed that support quickly.
We placed a seasoned QA consultant inside the organization within days. Just a few weeks later, he had:
Isolated the system vulnerabilities.
Confirmed through statistical sampling that the document library was intact.
Built a remediation plan to meet data integrity and system configuration requirements.
The damage was more contained than the company had feared, but the platform underneath it still wasn’t fit for purpose at the company’s current stage.
By the end, the company had interim controls in place, a Part 11 compliance assessment on the record, and clear recommendations to migrate to a more capable platform. They moved forward with the migration.
Separating a system vulnerability from a data integrity failure
This pattern repeats across the industry more often than most companies like to admit: A small biotech in its early stages needs a quick QMS, but budget is tight, and there’s no eQMS specialist on staff. Typically, the high-level team reviews a handful of options, picks one that demos well, implements it with minimal configuration, and drives ahead with a focus on drug discovery and development (and not an eQMS).
For the first year or two, this works well enough. Then the company grows and its clinical programs (hopefully) advance. The compliance footprint widens, and regulatory expectations get more specific. The system that was fine in the early days starts showing gaps. By the time anyone looks closely, there’s a panicked realization that those gaps have been open for a long time.
That’s where this engagement started. The eQMS had been deployed out of the box with almost no customization or user requirements. As the company grew, several issues came into focus:
The platform’s audit trail didn’t meet Part 11. The company believed it had audit trail coverage, but its internal definition didn’t match what regulators expect: a tracked record of who changed what, when, and why.
Access controls were effectively absent. The system was wide open to all users at the same level. Anyone could modify document metadata, form field labels, or file names without restriction. There was no read-only tier, no role-based access, and no training gate before a user could make changes.
Because changes weren’t controlled or tracked, the company couldn’t confirm that the original versions of documents across the system were still intact.
That last point is what created the urgency in this case. The company had an active clinical program. If the document library had been compromised at scale, the implications would extend well beyond the quality system.
Containing the risk, documenting the evidence, and defining the path forward
Our consultant came in with a background in clinical auditing and QMS systems and moved quickly to scope the actual risk rather than the assumed worst-case scenario.
The first priority was to answer a question the company could not resolve on its own: whether it had a data integrity issue or an unexploited system vulnerability. He conducted a statistical sampling exercise across the document library, comparing current versions with original records across quality, regulatory, and CMC functions. The sampling results were clean, indicating that the library had not been compromised at scale. But the review did identify system vulnerabilities.
Our consultant worked with the QMS supplier to document the quality event, root cause, and interim controls implemented by the supplier. Together, the client and QMS supplier reviewed the system’s configuration, installation, and ongoing management. This review provided objective evidence and established a clear understanding of the situation.
With that question resolved through the investigational work, the effort was split into two workstreams:
First, putting interim controls in place so the system was no longer wide open. The consultant established role-based access tiers (read-only, workflow execution, administrative), required training before access was granted, and required demonstrated competency before any user could operate at higher permission levels. The vulnerability that had allowed unrestricted changes was closed.
Second, a full Part 11 compliance assessment of the eQMS itself. The assessment concluded that the platform, even with new controls, wasn’t adequate for the company’s current regulatory posture. The out-of-the-box system had been workable at an earlier stage of regulatory expectations. But it wasn’t workable now, going into clinical trials. The recommendation was either a full revalidation with significant modifications and testing or migration to a system better suited to where the company actually was.
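To make the two findings above concrete (an audit trail that records who changed what, when, and why; role-based tiers with a training gate before write access; and a sampling check that compares current documents with their original records), here is a small added model written for this article. It is not the company's eQMS, the supplier's product, or the consultant's tooling. The tier names, the use of SHA-256 baseline hashes as the "original record", the document identifiers, and the seeded random sample are all assumptions made for the example.

```python
import hashlib
import random
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed tier names, modelled on the three tiers described in the text.
ROLE_RANK = {"read-only": 0, "workflow": 1, "admin": 2}


@dataclass
class User:
    name: str
    role: str
    trained: bool = False  # training gate: must be True before any write


@dataclass
class Document:
    doc_id: str
    content: bytes
    metadata: dict


@dataclass
class AuditEntry:
    who: str
    doc_id: str
    what: str      # field that changed
    old: object
    new: object
    when: str      # UTC timestamp
    why: str       # reason for change, mandatory


class Repository:
    """Constructed document library: baseline hash per document, a role and
    training check on every metadata write, and an append-only audit trail."""

    def __init__(self):
        self.docs = {}
        self.baseline = {}     # SHA-256 of each document as originally approved
        self.audit_trail = []  # every controlled change lands here

    def add(self, doc):
        self.docs[doc.doc_id] = doc
        self.baseline[doc.doc_id] = hashlib.sha256(doc.content).hexdigest()

    def update_metadata(self, user, doc_id, field_name, new_value, reason):
        # Access control: only trained users at the admin tier may touch metadata.
        if not user.trained:
            raise PermissionError(f"{user.name} has not completed training")
        if ROLE_RANK[user.role] < ROLE_RANK["admin"]:
            raise PermissionError(f"{user.name} ({user.role}) may not edit metadata")
        # The audit trail needs the reason, not just who/what/when.
        if not reason.strip():
            raise ValueError("a reason for change is required")
        doc = self.docs[doc_id]
        old = doc.metadata.get(field_name)
        doc.metadata[field_name] = new_value
        self.audit_trail.append(AuditEntry(
            who=user.name, doc_id=doc_id, what=field_name, old=old, new=new_value,
            when=datetime.now(timezone.utc).isoformat(), why=reason))

    def sample_integrity(self, sample_size, seed=0):
        """Draw a seeded random sample of documents and compare each current
        hash with its baseline. Returns (sampled ids, ids that no longer match)."""
        ids = sorted(self.docs)
        sample = random.Random(seed).sample(ids, min(sample_size, len(ids)))
        mismatched = [d for d in sample
                      if hashlib.sha256(self.docs[d].content).hexdigest()
                      != self.baseline[d]]
        return sample, mismatched


def build_library(n=20):
    """Constructed sample library: n SOPs with placeholder content."""
    repo = Repository()
    for i in range(n):
        repo.add(Document(f"SOP-{i:03d}", f"procedure text {i}".encode(),
                          {"title": f"SOP {i}", "owner": "QA"}))
    return repo


def demo():
    repo = build_library()
    # Sampling the untouched library finds no drift from baseline.
    _, clean = repo.sample_integrity(sample_size=8)
    # Simulate the uncontrolled pathway the article describes: content changed
    # outside any role check, so nothing is written to the audit trail.
    repo.docs["SOP-003"].content = b"edited without control"
    _, after_tamper = repo.sample_integrity(sample_size=20)
    return clean, after_tamper, len(repo.audit_trail)


if __name__ == "__main__":
    print(demo())
```

The point of `demo()` is the last value it returns: the uncontrolled edit leaves the audit trail empty, which is exactly why the company could not answer the integrity question from its logs and had to fall back on comparing documents against original records. The sampling call is the only thing that surfaces the change.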
In this case, the company chose to migrate to another system. Throughout the engagement, the consultant documented findings and remediation actions in a format suitable for a health authority, should one ever ask. A clean, defensible record of what was found, what was done about it, and what came next. If a regulator brought the issue up in an inspection, the company wouldn’t be caught flat-footed.
What the company had in place by the end of the engagement
The engagement ran for several months. By the end, the company had:
Confirmation that the document library was intact and that the data integrity concern was a system vulnerability, not a systemic breach.
A full investigation across both internal and supplier teams for issue management and closure.
Interim access controls and training requirements in place across the eQMS.
A detailed Part 11 compliance assessment documenting the platform’s gaps against current regulatory requirements.
A remediation record structured for health authority review.
An assessment and recommendation supporting the decision to migrate to a new eQMS platform better suited to the drug discovery stage.
The internal team came out with a clearer view of what Part 11 actually requires and what to look for in their next platform. Our consultant’s read: the worst part of the situation had been the uncertainty. Once the scope was defined and the document integrity sampling came back clean, the path forward was workable.
The broader lesson here
This case is less about one company’s eQMS than about a pattern we see repeating across growing biotechs.
Out-of-the-box eQMS platforms are sold aggressively to early-stage companies with small budgets. The demos look polished, and sales teams run an effective playbook. For a company in its earliest stages, the platform may provide a compliant system for a while. The problem arises later, when nobody goes back to reassess the system's validation as the company’s compliance needs change. What worked at proof of concept doesn’t work in clinical operations. By the time someone notices, the gap has been open for months or years.
Our consultant’s advice to any company in a similar position: build your processes first, then make the system fit them. Not the other way around! And if you implemented a QMS early without doing the fit-for-purpose work to back it up, have someone with systems and compliance experience review it before a regulator does.
Need eQMS support? Let’s talk!
If your company implemented a quality management system early and hasn’t revisited whether it still meets regulatory requirements, you may be carrying compliance gaps you don’t know about.
We can place a consultant with eQMS assessment and Part 11 compliance experience inside your organization to evaluate the system, surface vulnerabilities, and build a remediation or migration plan before a regulator asks the same questions.
We also help firms with their very first QMS builds. To talk through your current situation, drop us a line.
Who is The FDA Group?
The FDA Group helps life science organizations rapidly access the industry's best consultants, contractors, and candidates. Our resources assist in every stage of the product lifecycle, from clinical development to commercialization, with a focus on Quality Assurance, Regulatory Affairs, and Clinical Operations.
With thousands of resources worldwide, hundreds of whom are former FDA, we meet your precise resourcing needs through a fast, convenient talent selection process supported by a Total Quality Guarantee. Learn more and schedule a call with us to see if we’re a fit to help you access specialized professionals and execute your projects on time and on budget.