Data Integrity (ALCOA+) in SaaS/Cloud: audit trail, access, electronic signatures and operational controls

In a GxP context, the auditor’s question is always implicit:

“How do you demonstrate that your data are reliable?”

In the cloud, this question becomes even more central because:

• systems are highly interconnected,
• access is often remote,
• updates are frequent,
• and part of the technical controls is managed by the provider.

The answer is not a single “policy”. It is a coherent combination of:

• technical controls,
• operational processes,
• governance.

The guide summarizes this with a key concept: Data Integrity by design, combining technical controls (audit trail, permissions, signatures) and procedural controls (SOPs, audit trail review, dual checks) to ensure ALCOA+ for electronic records.

ALCOA+ (explained as I would use it in a URS)

ALCOA+ is not theory: it is a set of requirements that can be translated into configurations and procedures.

• Attributable: who did what (identity, signature, role)
• Legible: data are readable and interpretable
• Contemporaneous: recorded at the time the activity is performed
• Original: the original source is preserved
• Accurate: correctness, controls and error prevention
• Complete / Consistent / Enduring / Available: data are complete, consistent, retained over time and available (including during audits)

Where the cloud can create gaps (if not addressed upfront)

Typical examples:

• overly powerful “admin” roles,
• audit trail enabled but never reviewed,
• shared accounts or test users left active,
• SaaS updates that change workflows or reset configurations,
• lack of clarity on backup/restore and data location.

Annex 11, for example, emphasizes aspects such as risk management, audit trail, backup and security; in the cloud context it requires additional focus on data location, encryption, data segregation between customers, and on how the company periodically verifies data integrity (e.g. re-extractions and reconciliations).

Practical framework: the 5 Data Integrity controls you must “close” in SaaS

1) Identity & Access Management (IAM) + segregation of duties

In SaaS you cannot “control the servers”, but you can fully control:

• who accesses the system,
• with which role,
• and with which permissions.

Best practices:

• least-privilege roles,
• segregation of duties (e.g. QA ≠ technical admin),
• periodic access reviews.

The guide also recommends a Roles and Permissions Matrix as an audit-ready document to demonstrate segregation of duties and authority checks (Part 11).

2) Audit trail (enabled, protected, reviewable)

Questions you must be able to answer:

• which events are logged? (logins, changes, approvals, deletions, etc.)
• is the audit trail immutable?
• who can view it and who (if anyone) can modify it?
• how is it reviewed (frequency, sampling, criteria)?

3) Electronic signatures and Part 11 controls

“It has a signature” is not enough:

• it must be uniquely attributable to the user,
• it must be linked to the record and its meaning (approval, review, etc.),
• governance must exist for passwords, sessions, timeouts, etc.

In the URS, it is useful to map compliance requirements to regulatory references (Part 11 / Annex 11) to ensure completeness and traceability.

4) Data lifecycle: retention, export, availability

In the cloud you must also plan for exit:

• data export in a readable format,
• retention and archiving,
• accessibility at contract termination.

(This is often governed through the Quality Agreement and the exit strategy.)

5) Procedural controls: SOPs + review + training

Technical controls without procedures are fragile.

Minimum expectations:

• SOP for account management,
• SOP for audit trail review,
• SOP for change control (including SaaS updates),
• documented and periodic training.

“Audit trail review” done properly: a small operational procedure (example)

To be credible, clearly define:

• Frequency: monthly/quarterly, based on risk
• Role: QA or delegated personnel under QA oversight
• What to look for: abnormal login attempts, role changes, deletions, workflow bypasses
• Evidence: reports/extracts, review records, any deviations/CAPA

If you want checklists and templates to verify Data Integrity, configure roles/permissions, build “compliance-by-design” URSs, and present solid evidence during audits, you will find them in the guide “SaaS & Cloud Validation: Implementation Guide for GxP” on guidegxp.com.