Aliquora Team

Audit Trails and Data Integrity: ALCOA+ Checklist for Labs

Master audit trails and data integrity with this ALCOA+ checklist — practical steps QC labs can act on today to satisfy FDA, ISO, and internal auditors.

Audit trails and data integrity failures are among the most cited findings in FDA 483s and ISO 17025 audits. This checklist walks through the core ALCOA+ principles and translates each one into concrete actions your lab can implement now.

What ALCOA+ Actually Means in a Lab Context

ALCOA+ is the framework regulators use to evaluate whether your data is trustworthy. The acronym stands for Attributable, Legible, Contemporaneous, Original, Accurate — plus the extended attributes Complete, Consistent, Enduring, and Available. Each attribute maps directly to a specific risk your lab either controls or ignores.

Here is what each principle demands in practice:

  1. Attributable — Every entry must be traceable to a specific person. Shared logins are an immediate red flag for auditors. Every record entry, edit, or deletion should carry a unique user ID and timestamp so there is no ambiguity about who did what.

  2. Legible — Records must be readable for the life of the document. Pencil entries, thermal paper printouts, and faded ink are all legibility risks. Digital records in a validated system remove most of this risk, but PDF exports must also remain accessible as software versions change.

  3. Contemporaneous — Data must be recorded at the time of observation. Backdating a result — even by an hour — is a data integrity violation. If a result was entered after the fact, the audit trail must show the original entry time and a justified reason for any correction.

  4. Original — The first capture of a result is the official record. Transcribing values from paper worksheets into a spreadsheet introduces a second opportunity for error or manipulation. Instrument direct integration or electronic capture at the source eliminates that gap.

  5. Accurate — Results must reflect what actually happened. This goes beyond correct arithmetic. If a analyst re-runs a sample and only records the passing result, that selective reporting is an accuracy violation — even if the number itself is correct.

The Extended ALCOA+ Attributes Labs Most Often Miss

The "plus" attributes are where smaller labs tend to have gaps, especially when workflows mix paper and software.

  1. Complete — Nothing relevant may be omitted. A complete record includes raw data, instrument conditions, reagent lots, analyst IDs, and any anomalies observed — not just the final reported value. A COA with no supporting raw data attached is an incomplete record by definition.

  2. Consistent — Sequences and timestamps must be logical. An audit trail that shows a result approved before the analysis was completed signals a system-level problem. Review your LIMS timestamp logic periodically to confirm workflow steps are enforced in the correct order.

  3. Enduring — Records must survive for the required retention period. Local hard drives fail. USB sticks get lost. A validated system with automated backups and a documented disaster recovery plan is not optional — it is a regulatory expectation.

  4. Available — Records must be retrievable on demand. An auditor asking for all OOS results from the past 12 months should not require a manual search across three filing cabinets. If your retrieval time stretches beyond minutes, your availability posture needs work.

Building a Defensible Audit Trail: 3 Practical Steps

Knowing the principles is not enough. Here is how to operationalize them.

Step 1: Map every data entry point in your current workflow. List each place where a result is first captured — instrument software, paper bench sheet, spreadsheet, LIMS. Any point where data is manually re-entered is a transcription risk and a potential ALCOA+ gap.

Step 2: Confirm your system records changes, not just final states. A true audit trail logs the original value, the new value, the user who made the change, the timestamp, and a reason code. If your current software only stores the final record, you cannot demonstrate data integrity to an auditor.

Concrete example: Meridian Environmental Testing ran a water sample for nitrate and entered 12.3 mg/L. An analyst later corrected it to 2.3 mg/L after spotting a transcription error. Their LIMS — Aliquora — captured the original entry, the edit, the analyst's user ID, and the free-text reason ("decimal entry error, confirmed against instrument printout"). That complete trail satisfied the client's audit with no follow-up questions.

Step 3: Schedule a quarterly internal audit trail review. Assign a QA staff member to pull a random sample of 10–15 records each quarter and verify each ALCOA+ attribute is met. Document the review, any findings, and corrective actions taken. This creates a proactive compliance posture rather than a reactive one.

Frequently Asked Questions

What is the difference between an audit trail and a change log?

A change log records what changed. An audit trail records what changed, who changed it, when, and — ideally — why. Regulators expect the full audit trail, not just a change log.

How long must audit trail records be retained?

Retention depends on your regulatory framework. FDA 21 CFR Part 211 requires most laboratory records for at least two years after product distribution. ISO 17025 requires records to be retained for a period defined in your quality management system, typically a minimum of five years for most accreditation bodies.

Does paper-based recordkeeping satisfy ALCOA+?

Paper can satisfy ALCOA+ if controls are strong — permanent ink, no correction fluid, single-line corrections with initials and date, secure storage. In practice, paper systems make the Consistent and Available attributes difficult to demonstrate at scale, which is why most labs move to electronic records.

What triggers a data integrity investigation?

Common triggers include audit trail gaps, timestamps that precede instrument qualification, a pattern of results that cluster suspiciously close to specification limits, or a whistleblower complaint. Any of these can escalate to a formal regulatory inquiry.

How do I know if my LIMS audit trail is 21 CFR Part 11 compliant?

Part 11 requires, among other things: unique user IDs, system-enforced access controls, time-stamped records of all changes, and the ability to generate accurate copies of records on demand. Ask your LIMS vendor for their Part 11 compliance documentation and validate the system before relying on it for regulated data.