Audit Trail – explained simply

What is an audit trail?

An audit trail is a complete, electronic record that guarantees processes run as intended and every defined step is followed. Each action or change leaves a trace that can be tracked – from the very first entry to the final approval. With audit trails, every process can be fully retraced, transparently documented, and archived in a way that remains unchanged over the long term.

What information does an audit trail contain?

An audit trail records all relevant details of an action to ensure traceability and security. The following information is documented:

• Who? The user or system that performed the action.
• When? The exact time of the action, captured with a precise timestamp.
• With what? The device or system used – for example, a computer, scanner, or production machine.
• What? The activity carried out and the resulting changes.
• Why? If required, the reason for the action.

This data can be captured automatically or manually. The actual review of audit trail data takes place during an audit trail review – a process designed to identify deviations, errors, or security risks at an early stage.

Types of audit trails

Audit trails can focus on different aspects:

• Configuration audit trails → Record changes to system settings or software versions.
• Data audit trails → Document modifications to user or product data.
• System audit trails → Log logins, access events, and activities within a system.

Whether captured automatically or manually, the data is stored in a tamper-proof way to prevent manipulation or loss. These records are regularly reviewed in an audit trail review. In highly regulated industries such as pharmaceuticals and food, precise documentation is essential to meet GMP and FDA requirements.

What is not an audit trail?

Not every type of documentation qualifies as a true audit trail. The following systems or methods do not provide audit-trail compliance:

• Simple system logs or error reports: Often incomplete and lacking a full record of all changes.
• Manual change lists or spreadsheets: Unless captured automatically and stored in a tamper-proof way, they are not reliable.
• Unprotected backup data: Backups save data states, but not the changes made or the reasons behind them.

A genuine audit trail must be complete, tamper-proof, and traceable at any time to reliably meet regulatory requirements.

Quick Check: Is your audit trail up to standard?

Use this checklist to find out whether your audit trail is set up the right way:

• Are regulatory requirements (GMP, FDA, ISO) met?
• Are all relevant processes fully documented?
• Are access rights and electronic signatures up to date?
• Are audit trail reviews carried out regularly?
• Are responsibilities and review methods clearly defined?

Legal requirements at a glance: When is an audit trail mandatory?

Audit trails are required whenever electronic data is legally created, processed, or signed. In highly regulated industries, both the FDA and the EU explicitly mandate their use:

USA – FDA (21 CFR Part 11)
→ Mandatory for electronically generated and signed data. Non-compliance often results in FDA warning letters and can lead to serious consequences such as production stoppages or loss of trust.

EU – GMP Annex 11
→ Required for electronic systems in production, quality control, and documentation to ensure full GMP compliance.

What is checked in an audit trail review?

An audit trail review focuses on evaluating the relevant data recorded in an audit trail. In regulated industries, such reviews are essential to safeguard compliance and data integrity.

Key criteria include:

• Which data? Selection of the relevant entries
• Who reviews? The responsible individuals or teams
• How often? Defined review intervals (e.g. daily, weekly)
• How is it reviewed? The chosen method – manual, automated, or AI-supported

Audit trail reviews are indispensable: they help detect manipulation early, prevent data loss, and address compliance risks before they become critical.

Typical use cases for audit trails

In regulated industries, audit trails are an essential tool to track critical processes with full transparency and prevent data loss. Common examples from practice include:

• Cybersecurity & IT security → Logging hacker attacks, unauthorized access, or suspicious activities.
• Monitoring critical production conditions → Detecting failures in cooling systems or temperature fluctuations in production (e.g. pharmaceuticals or food).
• Fraud detection → Protecting against manipulated business data, unauthorized changes, or internal fraud.
• Data loss & recovery → Documenting deleted or accidentally altered information, production data, or formulations.
• Changes to production & quality data → Recording recipe adjustments, shelf-life extensions, or process modifications for audits and regulatory inspections.

Which file formats are used for audit trails?

For efficient analysis and archiving, audit trails are stored in various structured file formats. Typical formats include:

CSV – easy to read, ideal for tables and reports
XML – structured, widely used in enterprise systems
YAML – human-friendly, often used for configuration files
JSON – compact and machine-readable, ideal for modern IT systems

The right format depends on your company’s requirements, IT landscape, and how the data will be further processed.

How long should an audit trail be retained?

For many companies, the retention of audit trails is a challenge—mainly because the logs can require significant storage space. Still, the following applies:

• Retention for the full lifecycle of the related data: Audit trails should be stored as long as the associated records exist.
• Reporting & troubleshooting: Historical audit trails are invaluable for compliance checks, internal controls, and error analysis.
• Optimized storage solutions: Modern cloud or archiving technologies help avoid storage bottlenecks while ensuring long-term documentation.

Industries where audit trails are essential

Audit trails are particularly critical in highly regulated industries to ensure compliance, product safety, and consistent quality assurance. Typical sectors with a strong need for audit trails include:

• Pharmaceuticals & biotechnology → Compliance with GMP, FDA, and ISO requirements for data security and traceability.
• Chemicals → Meeting legal requirements (e.g. REACH) through complete documentation.
• Food & cosmetics → Guaranteeing product safety with audits in line with HACCP and FDA regulations.
• Medical technology → Ensuring compliance with ISO 13485 and MDR regulations.

Audit trail software: What really matters

Software solutions for the life sciences industry must meet strict audit trail requirements. ERP systems play a particularly central role, as they control production, quality management, and documentation within companies.

Key functions of audit trail–enabled software

• Complete logging: All changes and user actions are automatically recorded.
• Electronic signatures: Ensure that every entry is authorized (e.g., according to 21 CFR Part 11).
• User rights & access control: Prevent unauthorized users from making changes.
• Long-term data archiving: Fulfill regulatory requirements and ensure traceability.

The Business Central industry ERP solution

Designed for the needs of regulated industries, Business Central industry solution offers comprehensive audit trail functions:

• Automated audit trails: Complete documentation of all relevant process steps
• User and authorization management: Protection against unauthorized changes
• Electronic signatures and FDA/GMP compliance: Four-eyes principle, compliant with 21 CFR Part 11 and EU-GMP
• Industry focus: Tailored for regulated sectors such as pharmaceuticals, chemicals, food, cosmetics, biotechnology, and medical technology