• Site Performance Metrics: High protocol deviations or inconsistent data may flag the site for governance risk.
• Technology Use: Use of eSource, direct data capture, or custom tracking logs may require deeper audit trail review.
• Regulatory History: Previous inspection findings may highlight systemic governance issues to re-assess.
• Sponsor Oversight Logs: Monitoring reports and vendor oversight logs can identify gaps in training, documentation, or role clarity.

The audit plan should include a specific focus on:

• SOPs related to data handling, documentation, and system use
• Training records for investigators and coordinators
• Source data traceability and data flow from entry to reporting
• eCRF data vs. source record reconciliation

Auditors should also prepare pre-audit checklists that cover:

• Document version control at site (SOPs, ICFs, logs)
• Roles and responsibilities for data collection and verification
• Availability of audit trail exports from systems used
• Site-specific governance procedures (e.g., delegation of authority logs)

On-Site Activities: Verifying ALCOA+ Compliance at the Site Level

Once on site, auditors should prioritize evidence-based verification of ALCOA+ compliance. Key areas of assessment include:

• Attributability: Are all source data entries clearly linked to an individual via initials, signatures, and system IDs?
• Legibility and Traceability: Is handwritten data legible and fully transcribed into electronic systems? Are audit trails preserved?
• Originality: Are original data sources stored securely and free from duplication or overwrite risk?
• Accuracy and Contemporaneity: Are entries made in real time? Are corrections properly dated, reasoned, and signed?

Consider the following dummy example for a data correction log audit:

Date	User	Field	Original Value	Corrected Value	Reason for Change
2025-02-10	site001_coordinator	Blood Pressure (Visit 3)	145/90	135/85	Transcription error

Auditors should verify whether such changes are properly justified, timestamped, and approved where necessary, and whether paper and electronic records match.

To learn more about source data verification policies, visit pharmaValidation.in.

Interviewing Site Personnel on Data Governance Understanding

A key part of any governance-focused audit is assessing personnel awareness. Auditors should conduct interviews with investigators, sub-investigators, and coordinators to evaluate:

• Understanding of ALCOA+ principles and their application to daily documentation
• Familiarity with site-specific SOPs on data handling, corrections, and source documentation
• Knowledge of system audit trails, access roles, and how to retrieve them
• Delegation of responsibilities and backup procedures

Sample questions include:

• “How do you ensure data entries are contemporaneous?”
• “Who is responsible for reviewing audit trails in your EDC system?”
• “Can you describe how changes to source data are documented and justified?”

If staff are unaware of these practices, it indicates a training or procedural gap that must be addressed post-audit.

Audit Trail Review and System Access Control Checks

For sites using electronic systems (EDC, eSource, ePRO), audit trail review is essential. Auditors should request:

• Audit trail exports showing all entries, edits, and deletions
• Role-based access logs for study staff
• Logs of system downtimes, overrides, or manual data imports
• Access revocation records for departed or inactive staff

A common inspection finding from EMA reviews includes failure to remove EDC access for former site staff, leading to ALCOA+ violations due to lack of attribution.

Auditors should verify that:

• Only authorized users had access to make or edit entries
• Audit logs were reviewed periodically by site or sponsor monitors
• System-generated timestamps are accurate and match source documentation

Post-Audit Reporting and Corrective Action

After completing the site visit, the auditor should compile a report detailing:

• All findings related to governance policies and execution
• Deviation from ALCOA+ or GCP principles in documentation practices
• Examples of non-compliance or audit trail gaps
• Recommendations for corrective and preventive action (CAPA)

The site should be requested to provide CAPA responses that outline:

• Root cause of the governance gap
• Immediate containment and mitigation actions
• Long-term preventive actions (e.g., revised SOPs, retraining)

These CAPAs must be tracked to closure and filed in the sponsor’s Quality Management System and Trial Master File (TMF).

You can find audit reporting templates and CAPA trackers at PharmaSOP.in.

Conclusion: Making Site Governance Audits Routine and Risk-Based

Auditing for data governance is not just a quality activity—it is a compliance safeguard. As clinical trials become more decentralized and digital, the need to proactively verify governance at the site level increases.

Sponsors and CROs should:

• Use risk-based metrics to prioritize site audits
• Include specific ALCOA+ criteria in their audit checklists
• Train auditors on evaluating data traceability, audit trails, and source control
• Ensure CAPAs from governance gaps are implemented across the network

Proper auditing ensures that site-generated data holds up under regulatory scrutiny and protects the validity of your trial outcomes.

For full inspection-ready audit templates and GCP audit SOPs, visit PharmaRegulatory.in or refer to audit best practices published on ICH.org.