Skip to main content

Take our TMF Risk Score Survey today!

Everything You Need to Know About eTMF Audit Trails

TMF Expert Insights

Friday, January 27, 2023 | 9:17 AM

tmf coding tmf scanning tmf qc tmf reference model

What is an eTMF audit trail?

An electronic Trial Master File (eTMF) audit trail is information that tracks the creation, modification, and/or deletion of data, including actions at a record or system level from an eTMF system.

Audit trails enable the reconstruction of the history of events occurring in an eTMF—essentially the “who did what, when, and why” within the system.

Why is it required?

EMA guidance states that an eTMF system should have an audit trail in place to identify details for the creation, uploading, modification, and deletion of a document. 
FDA guidance states that closed systems that create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, confidentiality of electronic records so that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls should include the use of secure, computer-generated, time-stamped audit trails to independently record operator entries and actions that create, modify, or delete electronic records. 

eTMF audit trail elements

  • Username – user details of anyone who can access, log in, view, create, upload, approve, review, change, or delete any record in an eTMF system
  • Record identifier 
  • Type of audit entry (new, modification, deletion, eSignature, view, etc.)
  • Old/new value (can be in the document or in the version history/audit trail)
  • Explanation for deletion or modification
  • Date/timestamp with time zone

Regulatory agencies are increasingly looking at eTMF audit trails to gain greater insight into data integrity. We review practical steps to help ensure that your TMF audit trail is ready for inspection, based on regulatory guidelines and lessons learned from actual inspections. 

Data integrity is one of the biggest issues facing regulatory agencies today, leading certain documents in the audit trail to come under review more frequently during inspections. This added scrutiny is especially common when the inspector believes documents do not meet mandated requirements or that there was a failure to follow proper procedure—bringing the information contained within those documents into question. 

To better understand the reasons behind this increased scrutiny, it’s helpful to review key excerpts from relevant regulatory requirements. 

(MHRA Grey Guide chapter 10, p.345) 

Audit trails are a required feature for managing electronic documents associated with a clinical trial.  What should an audit trail contain? The system must have an audit trail in place to identify date/time/user details for the creation, uploading, modification, and approval of a document.  


Ensure that the systems are designed to permit data changes in such a way that the data changes are documented and that there is no deletion of entered data (i.e., maintain an audit trail, data trail, and/or edit trail).  

Changes to source data should be traceable, should not obscure the original entry, and should be explained if necessary (e.g., via an audit trail).  


An audit trail in place to identify date/time/user details for the creation, uploading, modification, approval, and deletion of a document 


4.1.2. Sponsor/CRO Electronic Trial Master File 

An audit trail in place to identify date/time/user details for the creation, uploading, modification, and deletion of a document (explanation of the deletion or modification, if necessary);  

4.2. Quality of Trial Master File  

Article 57 of the Regulation states, “The clinical trial master file shall at all times contain the essential documents.” The sponsor and/or investigator/institution should implement risk-based quality checks (QC) or review processes to ensure the TMF is being maintained and that all essential documents are appropriately filed in the TMF. Areas to consider during QC and review include the following:  

  • Documents only accessible according to the assigned roles and permissions
  • Review of the audit trail (for eTMF) 

This last point—review of the audit trail with the qualifier that it applies only to eTMF systems—demonstrates the near-impossibility of conducting an audit trail review with a paper TMF or with a TMF managed through spreadsheets or generic systems such as SharePoint.  

While eTMFs are not mandated (yet) by regulatory agencies, inspectors have told us quite frankly that it makes their jobs much easier and faster. At the same time, using an eTMF means that complying with TMF mandates requires far less effort on the part of your organization while improving inspection readiness. 

What are some of the benefits of reviewing your audit trail with an eTMF? You ensure that your audit trail is logging activity and showing the steps outlined in your SOPs, which assists in validating your data. In addition, you support critical oversight activities such as tracking user activity as well as the permissions/functionality they have within the system. 

What Should Be Included in Your Audit Trail Review 

Audit trails from electronic systems automatically capture a tremendous amount of information valuable to regulatory compliance. For example, they will record every time the system moves or touches a document and every instance where a human interacts with the document—including when it is simply viewed but not changed. 
At a minimum, your audit trail review should consist of the following:  

  • Changes in user profile history (i.e., what is live vs decommissioned) 
  • Time/date a document was set as final and viewable by all members of the study team
  • Who participated in the processing of a document 
  • What steps a document went through before being set as final 
  • Number/types of issues associated with the document 
  • Documents that were deleted – by whom and why 

In addition, one of the most important—and often overlooked—activities is to review the audit trail for process. What we mean by this is the system should be logging the activities that were taken on a document, which allows you to verify and validate your documented process outlined in your SOP and provide evidence that it has been appropriately followed. 

One of the keys is examining your process for user management in your system of record. Are user accounts being changed or disabled when roles change or people leave? Are permissions set up correctly? For example, does a particular document processor have the correct authorization to act within the scope of their role but cannot impact anything outside of what is defined by the SOP? Are there safeguards in place to prevent access to unblinded data without precise permissions and context?  

Keep in mind, however, that your process does not have to consist of hundreds of pages of every detail—it simply has to cover the key steps so that an inspector can see that you have thought the process through and have the main components (see Figure 1). 

Back to Blog