Something shifted at the FDA in the second half of 2025. Between July and December, the agency issued 327 warning letters, a 73% jump over the same period in 2024. Data integrity failures and quality-system deficiencies were among the most cited causes.
That number should matter to every clinical trial sponsor, CRO, and biotech quality team reading this. Because "data integrity failure" very often traces back to one specific weakness: an audit trail that doesn't hold up under scrutiny.
What FDA Inspectors Are Actually Looking For
When an FDA investigator walks in, they're not just checking whether you have an electronic signature system. They want to reconstruct what happened, and when, and who authorized it.
The regulation is explicit. Under 21 CFR Part 11, the FDA requires computer-generated, time-stamped audit trails that independently record the date and time of operator entries and any action that creates, modifies, or deletes an electronic record. That audit trail has to be available for agency review. Not eventually. Not after you scramble to pull it together. Available.
What gets firms in trouble isn't usually the absence of a signature. It's signatures that can't be tied to a specific, authenticated individual. It's timestamps that were generated by the system clock on a local workstation that someone could have adjusted. It's records where the audit trail was turned off "temporarily" during a data migration and never turned back on.
Those aren't hypothetical failure modes. They're exactly the kinds of findings that generate Form 483 observations and, eventually, warning letters.
QMSR Changed the Stakes for Device Manufacturers Too
If your work touches medical devices, February 2, 2026 was a significant date. The FDA's Quality Management System Regulation (QMSR) took effect, replacing the old Quality System Regulation under 21 CFR Part 820 and incorporating ISO 13485:2016 by reference.
One thing that didn't change: Part 11 compliance is still mandatory for any company using electronic systems to manage documents, records, and signatures. The QMSR's records control requirements under Part 820.35 now align with ISO 13485 record controls, but the underlying expectation for electronic signature validity is unchanged.
What did change is how the FDA conducts inspections. The agency retired the Quality System Inspection Technique (QSIT) on February 2nd and shifted to the new Inspection of Medical Device Manufacturers Compliance Program. The new program expands FDA's authority to inspect management reviews, quality audits, and supplier audit records in ways that weren't accessible before.
That's a broader inspection surface. Which means more opportunities for an incomplete audit trail to surface.
The Sponsor Is Always Responsible
One thing that trips up sponsors working with CROs: the assumption that responsibility for Part 11 compliance transfers when you hand off a function to a contract organization.
It doesn't.
The FDA has been clear on this for years. A regulated entity may contract with IT service providers or CROs, but the sponsor remains accountable for ensuring Part 11 compliance across every system that touches study data. If your CRO's electronic signature platform doesn't produce a defensible audit trail, that's your problem in a regulatory sense.
This is especially relevant as decentralized trials have pushed data collection out to more systems, more vendors, and more geographies. Each new node is a potential audit trail gap. Sponsors who haven't explicitly mapped their electronic records across every data-originating system are carrying more risk than they probably realize.
What "Audit Trail Ready" Actually Means
Inspection readiness isn't a one-time checkbox. It's a state you maintain. Here's what it looks like in practice for electronic signatures and records:
Attribution is unambiguous. Every signature links to a specific, verified individual. There's no shared login, no generic service account signing off on critical steps.
Timestamps are trustworthy. Time and date stamps come from a controlled source, not a local clock that someone could modify. If your system generates timestamps, those timestamps need to be defensible.
Changes are visible, not hidden. Any modification to a signed record leaves a trace: the original entry, who changed it, when, and why. The FDA expects to see the full history, not just the current state.
The audit trail can't be disabled. This sounds obvious. But in practice, systems that allow administrators to pause or clear audit logs are a serious compliance exposure. The logs have to run continuously, and they have to be protected from modification.
Retention matches your record-retention schedule. Audit trails must be retained at least as long as the records they document. If you're required to keep trial records for 15 years, the audit trail goes with them.
And critically: the audit trail has to be available on demand. Not archived on a system that takes three days to restore. Not dependent on a vendor who's gone out of business. Available.
The Signature Validity Problem Nobody Talks About
Most conversations about electronic signatures focus on whether you have them. The harder question is whether they're valid.
A signature is only as good as the system that produced it. If that system can't demonstrate that the person who signed was authenticated at the time of signing, that the record wasn't altered after signing, and that the audit trail documenting the transaction is complete and unmodified, then the signature's evidentiary value is questionable.
That's not a hypothetical concern. It's exactly the standard FDA inspectors apply. And it's why "we use e-signatures" is very different from "our signatures are Part 11 compliant."
The 73% increase in warning letters is a signal. The FDA is inspecting more, enforcing more, and finding more. And the pattern in the enforcement data is consistent: firms that can produce clean, complete, unambiguous electronic records move through inspections. Firms that can't end up with observations, warning letters, and consent decrees.
What to Do Before Your Next Inspection
A few concrete things worth doing now:
Run an audit trail audit. Pull a sample of signed records and verify that the audit trail is complete, that the timestamps are from a controlled source, and that no records show unexplained gaps or modifications.
Map every system that touches study data. If you're a sponsor, that includes your CRO's systems, your site management systems, and any third-party platforms capturing data that will be submitted to FDA. Each one needs to meet Part 11 standards, and you need documentation proving it.
Check your access controls. Unique user IDs, authentication at the time of signing, and a current, documented list of authorized users are all Part 11 requirements. Firms that have grown fast often have orphaned accounts and outdated permissions lists.
Verify your retention posture. Your audit trails should be as durable as your records. If your electronic signature vendor can't tell you exactly where your audit data lives and how long it's retained, that's worth pressing on.
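As an added illustration of the "audit trail audit" step above (this is not code from the original article or from any vendor), the sketch below reviews an exported sample of audit trail entries for altered entries, missing entries, timestamps that run backwards, shared accounts, and changes without a recorded reason. The field names, the generic-account list, and the SHA-256 hash chain are assumptions made for the example; Part 11 does not prescribe a specific mechanism.

```python
import hashlib, json
from datetime import datetime

GENERIC_USERS = {"admin", "service", "shared", "system"}  # assumed names; adjust per site
KEYS = ("seq", "ts", "user", "action", "record", "reason")  # hypothetical export fields

def entry_hash(entry, prev_hash):
    """Hash of one entry's content, chained to the previous entry's hash."""
    body = json.dumps({k: entry[k] for k in KEYS}, sort_keys=True)
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def seal(entries):
    """Build the hash chain, as the recording system would at write time."""
    prev = "0" * 64
    for e in entries:
        e["hash"] = prev = entry_hash(e, prev)
    return entries

def review(entries):
    """Return (seq, finding) pairs for an exported audit trail sample."""
    findings, prev_hash, prev = [], "0" * 64, None
    for e in entries:
        if entry_hash(e, prev_hash) != e["hash"]:
            findings.append((e["seq"], "hash mismatch: entry or predecessor altered"))
        if prev and e["seq"] != prev["seq"] + 1:
            findings.append((e["seq"], "sequence gap: entries missing"))
        if prev and datetime.fromisoformat(e["ts"]) < datetime.fromisoformat(prev["ts"]):
            findings.append((e["seq"], "timestamp earlier than previous entry"))
        if e["user"].lower() in GENERIC_USERS:
            findings.append((e["seq"], "generic or shared account"))
        if e["action"] in ("modify", "delete") and not e["reason"]:
            findings.append((e["seq"], "change without recorded reason"))
        prev_hash, prev = e["hash"], e
    return findings

def sample():
    """Constructed sample data: a clean, sealed four-entry trail."""
    rows = [
        (1, "2025-11-03T09:00:00+00:00", "jdoe", "create", "CRF-001", ""),
        (2, "2025-11-03T09:05:00+00:00", "jdoe", "sign", "CRF-001", ""),
        (3, "2025-11-03T10:12:00+00:00", "asmith", "modify", "CRF-001", "transcription error"),
        (4, "2025-11-03T10:15:00+00:00", "asmith", "sign", "CRF-001", ""),
    ]
    return seal([dict(zip(KEYS, r)) for r in rows])

if __name__ == "__main__":
    tampered = sample()
    del tampered[1]  # simulate an entry removed after the fact
    print(review(sample()), review(tampered))
```

A hash chain only shows that entries changed or disappeared; it does not show who did it, so the chain itself needs to be stored where administrators of the signing system cannot rewrite it.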
The FDA's enforcement pace in 2025 wasn't an anomaly. The agency has been clear that it intends to hold electronic systems to a high standard. But inspections don't have to be adversarial. Teams that build Part 11 compliance into how they work, rather than treating it as a pre-inspection scramble, tend to get through them cleanly.
The audit trail tells the story of your data. Make sure it's a story you'd be comfortable having an FDA investigator read.