Audit Trail Compliance Across Multiple Systems: The Gap No One Talks About

Your Veeva and SAP records are ALCOA-compliant. But the cross-system audit trail—who asked what, when, across which systems—doesn't exist. That's the real 21 CFR Part 11 gap.

Ask any pharmaceutical quality director whether their Veeva Vault instance is 21 CFR Part 11 compliant. They will tell you yes—and they will be right. Veeva maintains complete audit trails. Electronic signatures are linked to individual users. Records cannot be modified without a logged reason. The system passed validation.

Ask the same question about SAP. Same answer. Validated, compliant, audit trail intact.

Now ask this: when your quality team pulled a supplier’s certificate of analysis from Veeva, cross-referenced it against the component specification in your LIMS, and then approved a batch in SAP—where is the audit trail for that workflow?

Most quality directors pause.

That workflow—the cross-system decision chain that underlies every batch release, every deviation disposition, every CAPA closure—has no audit trail. Not because the individual systems failed. Because no system owns the space between systems.

This is the real 21 CFR Part 11 gap in modern pharmaceutical stacks. It is not discussed openly because acknowledging it requires admitting that compliance at the system level does not equal compliance at the process level.


What 21 CFR Part 11 actually requires

21 CFR Part 11.10 establishes requirements for closed electronic systems. The relevant controls include:

  • Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records
  • The ability to generate accurate and complete copies of records
  • Audit trails that capture the date and time of operator entries and actions that create, modify, or delete electronic records
  • Sequentially numbered audit trails that are computer-generated and include the date and time of any change, the identity of the person making the change, and the previous and current value of the change

These requirements are written for individual systems. The regulation was drafted in 1997, when a typical pharmaceutical company might have one or two electronic systems managing GxP records. The concept of an orchestrated workflow spanning five or six validated systems was not in scope.

FDA has since updated its thinking. The agency’s 2018 data integrity guidance explicitly addresses data governance across all GxP computerized systems and recognizes that data integrity assessments must consider the complete data lifecycle—not the lifecycle within any individual system.

The practical implication: if a batch release decision involves records from multiple systems, the audit trail for that decision should capture the complete chain of access and evaluation across all of those systems.


The three categories of cross-system audit gap

1. Query audit gaps

When a quality reviewer queries Veeva to retrieve a supplier certificate, that access is logged in Veeva. When they cross-reference it against a specification in a separate LIMS instance, that access is logged in the LIMS. But the fact that those two queries were part of a single decision-making workflow—that a human being looked at both records in relation to each other before approving a batch—is not captured anywhere.

This matters when an investigator asks: “What information did your quality reviewer have access to when they made this disposition decision?” The answer should include everything they consulted. Reconstructing that answer after the fact, across multiple system logs, in the middle of an inspection, is an exercise in incomplete archaeology.

2. Cross-system change propagation gaps

A component specification change is documented in Veeva. It triggers a change control record in TrackWise. The change has downstream effects on a batch record template in SAP and a test method in the LIMS. Each of these records is modified in its respective system, each modification logged in that system’s audit trail.

But the audit trail for the chain—the fact that Veeva change control CR-2024-0891 propagated to SAP batch template BT-0054 and LIMS method LM-0112—requires manual reconstruction. If an investigator asks “what was the complete impact of this change control?”—the answer is not in any single audit trail.

3. Identity continuity gaps

User identities in Veeva, SAP, LIMS, and TrackWise are typically managed separately. Single sign-on (SSO) addresses authentication, but it does not necessarily create a unified identity record that links the same person’s actions across all systems throughout their employment history.

This becomes a real problem when a signer’s authority changes—a promotion, a role change, a departure. The question “did this person have authority to sign this record at the time of signing?” should be answerable from a single source. In most organizations, answering it requires checking the user administration records in each system independently and cross-referencing them with HR records.


Why this gap persists

The individual system owners—Veeva, SAP, the LIMS vendor—have no incentive to solve a problem that exists between their systems. Each vendor’s validation is bounded by their system. Cross-system audit continuity is a customer problem, not a vendor problem.

Internal IT teams recognize the gap but typically address it with manual procedures: a standard operating procedure that requires quality reviewers to document which systems they consulted in their review record. This is better than nothing. It is not ALCOA-compliant. It relies on humans to contemporaneously document their own behavior, which is exactly the kind of human-dependent control that data integrity enforcement is designed to move away from.


What a compliant cross-system audit trail looks like

A genuinely compliant cross-system audit trail requires:

Requirement: What it means in practice

  • Unified identity layer: A person’s identity in System A maps unambiguously to their identity in System B. Role changes propagate across all systems.
  • Query logging at the workflow level: When a user accesses records across multiple systems as part of a single workflow, those accesses are associated with the workflow, not just the individual system sessions.
  • Change propagation tracing: When a change in System A causes changes in Systems B and C, the causal chain is recorded and retrievable as a single audit event.
  • Cross-system timestamp synchronization: Timestamps across all systems are synchronized to a single time source and the synchronization is documented.
  • Completeness at the decision level: For any batch release, deviation disposition, or CAPA closure, the complete set of records consulted in reaching that decision is associated with the decision record.
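
A sketch of the first, second and last requirements working together, added here as an illustration and not taken from any vendor's product: per-system audit entries are mapped to one person, grouped by workflow, numbered sequentially, and anything that cannot be attributed is reported as a gap. The field names, record identifiers, workflow tag and the SHA-256 chaining for tamper evidence are all assumptions made for the example.

```python
import hashlib
import json
from datetime import datetime

# Constructed identity map: (system, local account) -> one person identifier.
IDENTITY = {("veeva", "jdoe@corp"): "P-1001", ("lims", "JDOE"): "P-1001",
            ("sap", "U04412"): "P-1001"}

# Constructed per-system audit entries; timestamps assumed already in UTC.
EVENTS = [
    {"system": "sap", "user": "U04412", "ts": "2024-03-05T09:14:40Z",
     "action": "approve", "record": "BATCH-7731", "workflow": "WF-42"},
    {"system": "veeva", "user": "jdoe@corp", "ts": "2024-03-05T09:02:11Z",
     "action": "read", "record": "COA-5512", "workflow": "WF-42"},
    {"system": "lims", "user": "JDOE", "ts": "2024-03-05T09:06:37Z",
     "action": "read", "record": "SPEC-0193", "workflow": "WF-42"},
    {"system": "lims", "user": "TEMP7", "ts": "2024-03-05T09:08:00Z",
     "action": "read", "record": "SPEC-0193", "workflow": None},
]

def _digest(entry):
    # Hash every field except the hash itself, in a stable key order.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def build_trail(events, workflow, identity=IDENTITY):
    """Return (trail, gaps): the workflow's chained entries, and the events
    that cannot be tied to a workflow or to a known person."""
    trail, gaps, prev = [], [], "0" * 64
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"].replace("Z", "+00:00")))
    for ev in ordered:
        person = identity.get((ev["system"], ev["user"]))
        if ev["workflow"] is None or person is None:
            gaps.append(ev)          # unattributable: surface it, do not drop it
            continue
        if ev["workflow"] != workflow:
            continue
        entry = {"seq": len(trail) + 1, "person": person, "prev": prev, **ev}
        entry["hash"] = prev = _digest(entry)
        trail.append(entry)
    return trail, gaps

def verify(trail):
    """True if numbering is sequential and each hash links to its predecessor."""
    prev = "0" * 64
    for n, entry in enumerate(trail, 1):
        if entry["seq"] != n or entry["prev"] != prev or entry["hash"] != _digest(entry):
            return False
        prev = entry["hash"]
    return True
```

The gap list is the part an inspection would care about: the untagged LIMS read by an unmapped account is exactly the kind of access that per-system logs record but no decision record can claim.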

The regulatory trend

FDA investigators have been increasingly sophisticated in their data integrity queries since the 2016 data integrity guidance and the 2018 update. The pattern in recent 483 observations is a shift from “this system’s audit trail is missing an entry” toward “the relationship between records in these two systems cannot be demonstrated.”

This is not a speculative trajectory. Warning letters issued in the last three years increasingly cite the inability to demonstrate complete data lineage—the origin, transformation, and use of data across a workflow—as the core finding. The individual systems passed validation. The cross-system workflow did not.

For quality teams planning their next inspection, the most important question to ask is not “is each of our systems compliant?” It is “can we demonstrate the complete audit trail for our cross-system workflows?”

If the answer requires pulling logs from five systems and assembling them manually, the answer to the inspector’s question is: not yet.

