Introduction
In every FDA inspection, whether GCP, GMP, or GLP, the fundamental question is the same: can the organisation prove that what it says happened actually happened, in the way it says it happened, at the time it says it happened?
That question is answered through evidence: source documents, audit trails, training records, batch records, deviation logs, and the systems that capture and protect them. The phrase most commonly heard in regulatory circles is “if it isn’t documented, it didn’t happen,” and this is not hyperbole. According to a data analysis published by IntuitionLabs, more than half of FDA Form 483 observations issued to clinical investigators over a 20-year period contained data-integrity findings, and 6 out of 10 warning letters issued to clinical investigators by the FDA cited failure to maintain adequate and accurate case histories.
This practice test is designed for regulatory affairs professionals, quality managers, clinical research coordinators, and investigators preparing for FDA inspections or GxP certification examinations. It tests understanding of what constitutes adequate evidence under FDA standards, how ALCOA and ALCOA+ principles apply in practice, and how to recognise documentation failures that commonly result in inspection findings.
Work through each question before reading the explanation, and pay particular attention to the answer explanations for options you mark wrong, since the reasoning behind incorrect options reflects the most common misunderstandings inspectors encounter.
Fundamentals
Question 1 (Beginner)
What does the acronym ALCOA stand for in the context of GxP data integrity?
A) Accurate, Legible, Compliant, Organised, Archived B) Attributable, Legible, Contemporaneous, Original, Accurate C) Auditable, Legible, Controlled, Original, Accessible D) Attributable, Licensed, Contemporaneous, Official, Accurate
Correct answer: B
Why B is correct: ALCOA was formalised by the FDA to describe the minimum quality attributes that source data and records must possess. The FDA compliance expert Dr. Stan W. is credited with introducing this mnemonic to address growing concerns about data manipulation and poor documentation practices. Each letter represents a specific, testable quality attribute.
Why the others are incorrect: – A: “Compliant” is not an ALCOA attribute. Compliance is the outcome; the ALCOA attributes are the criteria used to assess whether records support that claim. – C: “Auditable” and “Controlled” are not ALCOA terms. “Accessible” is part of the extended ALCOA+ framework, not the original acronym. – D: “Licensed” and “Official” have no place in documentation integrity standards.
Knowledge expansion: The original ALCOA framework has since been extended to ALCOA+ (adding Complete, Consistent, Enduring, and Available) and even ALCOA++ in some jurisdictions. The draft EU GMP Chapter 4 published in July 2025 formally codifies ALCOA++ in regulation. ICH E6(R3), finalised in January 2025, establishes data governance requirements that align with ALCOA principles for clinical trials globally.
Question 2 (Beginner)
A clinical investigator documents a protocol deviation in the source record three weeks after it occurred, without noting that the entry was made late. Under ALCOA principles, which attribute is most clearly violated?
A) Accurate B) Legible C) Contemporaneous D) Original
Correct answer: C
Why C is correct: “Contemporaneous” means the record is created at the time the event occurs, or as close to that time as is practicable. A three-week delay, without documentation of the reason for the delay, fails this standard.
Why the others are incorrect: – A: The entry may be factually accurate, but accuracy alone does not compensate for a failure of contemporaneity. – B: Legibility relates to the readability of the record, not its timing. – D: “Original” refers to the first capture of information. A late entry is not a copy of another document; it is a new record, but its late creation is a contemporaneity problem, not an originality problem.
Knowledge expansion: Late entries are not automatically disqualifying if they are clearly identified as such. The acceptable practice is to document a late entry explicitly: note the date and time the entry is being made, the date and time the event occurred, and the reason for the delay. Undated or undisclosed late entries are treated as potential data falsification.
Question 3 (Beginner)
Under GMP regulations, what does the phrase “if it isn’t documented, it didn’t happen” most accurately describe?
A) A legal standard that allows inspectors to impose criminal penalties for missing records B) The regulatory expectation that compliance with a procedure must be evidenced by contemporaneous records, not by oral testimony or retrospective reconstruction C) A requirement that every staff interaction with equipment be recorded in writing D) The principle that electronic records are always preferred over paper records
Correct answer: B
Why B is correct: This phrase describes the evidentiary standard in GxP environments: regulators and inspectors assess compliance based on documented evidence. What someone says happened, or what a procedure says should have happened, is not the same as documented proof that it did.
Why the others are incorrect: – A: Missing records can lead to enforcement action, but the phrase is not itself a legal standard for criminal prosecution. It describes a documentation philosophy, not a criminal evidentiary threshold. – C: Not every staff interaction requires individual written documentation; the standard is that procedures, outcomes, deviations, and key decisions must be documented according to the applicable GxP framework. – D: GxP regulations accept both paper and electronic records under different frameworks (21 CFR Part 11 for electronic). The phrase makes no distinction between formats.
Documentation and Records
Question 4 (Intermediate)
An FDA inspector asks for documentation proving that a technician was trained on a specific SOP before performing a procedure. Which of the following would best satisfy this request?
A) The supervisor’s verbal statement that the technician completed training B) A training record signed and dated by the technician and the trainer, completed before the procedure was performed C) The technician’s current job description, which includes the relevant procedure D) A copy of the SOP itself, showing the technician’s name in the distribution log
Correct answer: B
Why B is correct: A training record signed and dated by both parties, completed before the procedure, directly evidences that training occurred, who received it, who delivered it, and when. This satisfies the attributable, contemporaneous, and accurate requirements of ALCOA.
Why the others are incorrect: – A: Verbal testimony from a supervisor is not documented evidence. It cannot be verified, it is not contemporaneous to the training event, and it does not appear in the record. – C: A job description describes what a role should do, not what a specific individual has been trained to do. It is not evidence of training completion. – D: Appearance in an SOP distribution log shows the person received the document, not that they were trained on its content and demonstrated understanding.
Knowledge expansion: Training records are among the most frequently requested documents during FDA inspections, and training record gaps are among the most common findings in both GMP and GCP environments. A strong training programme documents not just attendance but competency assessment, particularly for critical procedures.
Question 5 (Intermediate)
During an FDA GMP inspection, an inspector reviews a batch record and notices that an entry recording a critical measurement has been crossed out with a single line, initialled, and re-entered with a new value. The original value is still legible. Is this acceptable?
A) No, corrections must always be made electronically to be valid B) Yes, this is the correct method for correcting a paper record under GMP standards C) No, any correction to a batch record requires the approval of the quality unit D) Yes, but only if the corrected value is lower than the original
Correct answer: B
Why B is correct: The correct method for correcting a paper GMP record is a single line through the error (preserving legibility of the original), followed by the corrector’s initials, the date, and optionally a brief reason for the correction. This preserves the original data (satisfying the “original” attribute) while documenting the correction transparently.
Why the others are incorrect: – A: Electronic records are not required for GMP batch records. Both paper and electronic records are acceptable under different regulatory frameworks, and paper records have their own valid correction standards. – C: Not all batch record corrections require quality unit approval, though significant alterations or corrections to critical data points may trigger a deviation or investigation process depending on the procedure. – D: The direction of the correction (higher or lower) is irrelevant to the acceptability of the method.
Knowledge expansion: One of the most common data integrity red flags inspectors look for is corrections that obscure the original entry (using correction fluid, multiple crossing-out layers, or pasting over). These raise immediate concerns about data falsification, regardless of whether the corrected value is accurate. The logic is straightforward: if the original entry is hidden, there is no way to verify whether the correction was legitimate.
Question 6 (Intermediate)
A clinical research site uses an electronic data capture (EDC) system for a clinical trial. An FDA inspector asks for the audit trail for a specific subject’s data. What must this audit trail demonstrate?
A) Only that the subject consented to the trial B) A chronological record of who created or changed each data entry, what the original value was, what the new value is, and when each change occurred C) The subject’s medical history prior to trial enrolment D) A summary of the investigator’s qualifications
Correct answer: B
Why B is correct: An audit trail in an EDC system must capture the full history of each data entry: the original value, all subsequent changes, who made each change (attributable), and when (contemporaneous). According to IntuitionLabs’ analysis of FDA and EMA inspection questions, demonstrating data integrity involves audit trail reports as the most direct evidence of data controls. Inspectors often ask for these reports for specific fields or subjects.
Why the others are incorrect: – A: Informed consent documentation is separately maintained and separately inspected. The audit trail for EDC data addresses data entry integrity, not consent. – C: Medical history is a clinical record, not an audit trail function of an EDC system. – D: Investigator qualifications are maintained in the regulatory binder and delegation log, not in the EDC audit trail.
Knowledge expansion: FDA 21 CFR Part 11 requires that audit trails for electronic records be computer-generated, not operator-alterable, time-stamped, and retained for a period at least as long as the record itself. A system that allows users to disable or delete audit trail entries is non-compliant, regardless of whether any deletions actually occurred.
Scenario-Based Learning
Question 7 (Advanced - Scenario)
During a routine monitoring visit, a clinical research associate (CRA) notices that temperature logs for a trial medication storage unit show a gap of four days with no recorded temperatures. When the site coordinator is asked about this, the coordinator says the temperature was checked daily but the person responsible “forgot” to write it down and assures the monitor that temperatures were fine. What is the most appropriate next step?
A) Accept the coordinator’s verbal assurance and document this in the monitoring report as “verbally confirmed” B) Document the gap as a protocol deviation, raise it with the investigator and sponsor, and assess whether the medication’s integrity can be established through alternative evidence C) Ask the coordinator to write in the temperatures retroactively, backdating the entries to the dates in question D) Instruct the site to discard the medication from those four days and replace it
Correct answer: B
Why B is correct: A four-day gap in temperature logs is a documentation failure and likely a protocol deviation. The appropriate response is to formally document it, escalate to the investigator and sponsor, and assess whether the medication’s integrity can be demonstrated through any alternative evidence (equipment alarm logs, calibration records, maintenance records). The outcome of that assessment determines what action follows.
Why the others are incorrect: – A: Verbal assurance cannot replace a contemporaneous record. Documenting a verbal assurance in a monitoring report does not repair the underlying data gap and would not satisfy an inspector asking for the temperature logs. – C: Instructing the site to backdate entries is data falsification. This is one of the most serious violations in GCP, and any monitor or investigator who facilitates it faces significant regulatory and legal exposure. – D: Discarding medication may ultimately be required depending on the outcome of the assessment, but it is not the immediate next step and cannot be decided without that assessment.
Knowledge expansion: Retrospective documentation of events that should have been recorded contemporaneously is a critical red flag for FDA inspectors. When source data gaps are discovered, the question inspectors ask is: “what alternative evidence exists that this procedure was actually performed?” If no alternative evidence exists, the inspector may conclude the procedure did not occur.
Question 8 (Advanced - Scenario)
An FDA GCP inspector is reviewing a trial master file. The inspector finds that several serious adverse event (SAE) reports are present in the file, but notes that the dates on the regulatory submissions are later than the timelines required by 21 CFR and the protocol. The study coordinator explains that the SAEs were reported late because the site was “very busy at the time.” How should this situation be assessed?
A) Late SAE reporting due to workload is an acceptable explanation and the inspector should note it in the report without further action B) Late SAE reporting is a regulatory violation regardless of the reason, and should be documented as a finding. “Busy” is not a mitigating factor under FDA enforcement C) The site can remedy this by submitting amended reports with corrected dates D) The severity of the finding depends entirely on whether any participants were harmed by the delay
Correct answer: B
Why B is correct: SAE reporting timelines are set in regulation (21 CFR), the ICH GCP guideline, and the specific protocol, and these timelines are not adjusted for workload. A 483 observation or warning letter finding related to late SAE reporting does not include an exception for resource constraints. The “busy” explanation may be noted in the inspector’s report as context but it does not mitigate the violation.
Why the others are incorrect: – A: Workload is not an accepted justification for regulatory non-compliance. Inspectors document what happened against what was required; they do not assess reasonableness of reasons for failure. – C: Amended reports with corrected dates are a data integrity violation if the dates are changed to appear compliant. The original submission dates are the record; they cannot be retroactively altered. – D: Whether anyone was harmed is relevant to severity determination in enforcement but is not the basis for whether a regulatory violation occurred. The violation is the late reporting itself.
Compliance Requirements
Question 9 (Intermediate)
Under 21 CFR Part 11, what is a key requirement for electronic signatures in GxP records?
A) Electronic signatures may only be used if the organisation has received prior FDA approval B) Electronic signatures must be uniquely linked to one individual and cannot be reused or reassigned C) Electronic signatures require a witness signature in all cases D) Electronic signatures are only valid for documents reviewed after 2010
Correct answer: B
Why B is correct: 21 CFR Part 11 requires that electronic signatures be unique to one individual and that organisations ensure they cannot be used by anyone other than the signer. The regulation explicitly prohibits sharing, reassigning, or allowing others to use an electronic signature.
Why the others are incorrect: – A: 21 CFR Part 11 does not require prior FDA approval for organisations to use electronic signatures. The regulation sets the standards that electronic signature systems must meet, but compliance is the organisation’s responsibility. – C: A witness signature is required for some paper signature contexts (certain consent documentation), but 21 CFR Part 11 does not universally require witness signatures for electronic signatures. – D: 21 CFR Part 11 was issued in 1997 and applies based on the nature of the record and the activity, not based on the date of the document.
Question 10 (Beginner)
What does “source data” mean in the context of GCP?
A) The original trial protocol, from which all other documents are derived B) All information in original records or certified true copies of original records used to reconstruct and evaluate the clinical trial C) Data that has been entered into a clinical database and reviewed by a data manager D) Laboratory data specifically, as opposed to clinical assessment data
Correct answer: B
Why B is correct: ICH GCP defines source data as all information contained in original records and certified copies of original records of clinical findings, observations, or other activities in a clinical trial necessary for the reconstruction and evaluation of the trial. Source data may exist on paper, electronically, or as any other medium.
Why the others are incorrect: – A: The protocol is a directing document, not source data. Source data is the contemporaneous evidence of what occurred during the trial, not what was planned. – C: Data that has already been entered into a clinical database and reviewed is derived data, not source data. The source is the original capture point. – D: Source data covers all categories of trial data (clinical assessments, laboratory results, imaging, observations), not laboratory data alone.
Advanced Scenarios
Question 11 (Advanced)
An FDA inspector discovers that a study site uses a shared administrator login for its EDC system, meaning multiple staff members log in under the same username. What is the most likely finding and why?
A) No finding, as long as the shared login is documented in an SOP B) A minor observation that the site should resolve before its next inspection C) A significant data integrity finding, because audit trail attributability is compromised: it is impossible to determine which individual made any specific data entry D) A finding that applies only if the system is used for primary data capture
Correct answer: C
Why C is correct: Shared login credentials directly violate the “attributable” requirement of ALCOA and the 21 CFR Part 11 requirement that electronic signatures and records be uniquely linked to one individual. When multiple people share one login, the audit trail cannot identify who performed any specific action, making the records unverifiable. As noted by GMP Annex 11 guidance: “shared admin accounts are indefensible in a GxP environment.”
Why the others are incorrect: – A: An SOP documenting the use of shared credentials does not make the practice compliant. SOPs can document workflows, but they cannot make a fundamentally non-compliant practice acceptable. – B: This is not a minor observation. Shared credentials represent a systemic failure of attributability across all records in the system. It would typically appear as a significant or major finding. – D: The scope of the finding is not limited to primary data capture. Any GxP system used to record, review, approve, or modify regulated records falls within the attributability requirement.
Question 12 (Advanced)
A company’s quality system flags a consistent pattern of deviation reports being submitted two to three weeks after deviations occur. While each deviation report is individually complete and accurate, the systematic delay suggests a process gap. What type of regulatory concern does this pattern raise?
A) No concern, since each individual report is complete and accurate when submitted B) A trend reporting concern: the pattern may indicate a systemic weakness in the deviation detection or escalation process, which is itself an inspectable compliance issue C) Only a concern if any of the deviations are classified as critical D) A concern only if the same person is responsible for all the delayed reports
Correct answer: B
Why B is correct: While individual deviation reports may be complete, a systematic pattern of late reporting indicates a process-level failure in how deviations are identified, escalated, and documented. FDA inspectors are trained to look for patterns, not just individual findings. A consistent delay raises questions about whether deviations are being properly identified in real time, or whether there is a cultural or systemic barrier to timely escalation.
Why the others are incorrect: – A: Individual completeness does not resolve a systemic process gap. Inspectors assess the quality system as a whole, and a pattern like this would typically trigger deeper investigation into the deviation management process. – C: The classification of the deviation affects severity, but a systematic process gap is a concern regardless of deviation class. – D: Whether one person or many are responsible is a root cause question. The systemic concern exists regardless of whether the pattern traces to one individual.
Supporting Resources
These topics are explored in depth in related content on this site:
- A guide to FDA GMP inspection preparation, covering how inspectors assess documentation systems and what constitutes “inspection ready.”
- A Law overview of 21 CFR Part 11 requirements for electronic records and signatures, with a compliance checklist.
- A Situational walkthrough of how a site should respond when a data integrity concern is raised during a monitoring visit.
- An Insights analysis of FDA and EMA inspection finding trends over the past decade, examining which deficiency categories are growing and which have declined.
For the regulatory source material that underpins this practice test, refer to ICH E6(R3) Good Clinical Practice (finalised January 2025), 21 CFR Part 11, and the FDA’s guidance documents on data integrity and computer system assurance.
Sources
- IntuitionLabs, “FDA and EMA Inspection Questions: 10-Year Data Analysis”
- IntuitionLabs, “ALCOA+ Principles: A Guide to GxP Data Integrity”
- Florence, “ALCOA-C in Clinical Trial Electronic Document Management”
- PMC, “Documentation and Records: Harmonized GMP Requirements”
- PMC, “Descriptive Analysis of Good Clinical Practice Inspection Findings from U.S. FDA and European Medicines Agency”
- Sware, “ALCOA Principles in Pharma: Ensuring Data Integrity and Compliance”
- Mosio, “ALCOA Meaning in Clinical Research: Definition and Examples”
- SGSystems Global, “EU GMP Annex 11: Computerised Systems and Data Integrity”