How to prepare for a Data Integrity Inspection

Data governance and integrity have been getting more and more in the focus of regulatory inspections. But companies can prepare for these inspections. In the following you will find out how this can be accomplished with planned and periodic internal audits to ensure that compliance and performance are sustained and enable corrective actions to be taken at an early stage.

The ALCOA principle

The acronym ALCOA is used as a framework for ensuring data integrity and governance. ALCOA relates to data, whether paper or electronic, and is defined as Attributable, Legible, Contemporaneous, Original and Accurate:

• Attributable - who performed an action and when
• Legible - can you read a data file or all written entries
• Contemporaneous - documented at the time of the activity
• Original - written printout or observation or a certified copy
• Accurate - no errors or editing without documented amendments

This should be the basis for all your data governance activities and leads the way to control the integrity of your data.

What to look for

When you evaluate your systems to check whether compliance is met, you should consider the following aspects:

• Is all the data and meta data complete (how do you define data and how is data collected)?
• How is the data processed (how do you make sure that data is not changed or even falsified)?
• How is the data reviewed (what is reviewed and to what extent)?
• How is data summarised and reported (how do you make sure that all relevant data is used and data selection is prevented)?
• How do you retain and archive the data (what, how and where)?
• Are all processes and interfaces validated?

What helps the auditor through all the data?

A systematic approach should be chosen and an auditor should:

• Review applicable SOPs
• Review or create flow charts and process maps
• Identify critical steps
• Identify critical interfaces
• Identify critical documentation
• And, not to forget, review of previous internal and external audit findings with corrective actions and their effectiveness

In detail, as an auditor, you should have a look at data entries and perform plausibility checks for various steps in data generation and transfer. You should also have a close look at the user and access management and the segregation of duties. Furthermore, the following areas should be checked:

• Audit trail function
• Completeness of print-outs
• Backup management

That is certainly a lot of work which can not be covered in a short internal audit. So it might be advisable to develop a questionnaire or checklist based on a data flow model or Mind Maps. Arrange interviews with system and process owners and maybe get support by an expert from your IT department.

After the audit, report the results and evaluate any (GMP) risk to define necessary actions. And don't be afraid, negative feedback must be possible. Data Integrity assessments should then be part of every internal audit.