ALCOA+ Principles and Business Central — Data Integrity in Regulated ERP

Data integrity failures are among the most cited findings in FDA warning letters and EU GMP inspection reports. The ALCOA+ framework is the practical standard used by regulators to evaluate whether data in computerised systems meets the integrity requirements of GxP environments. For organisations running Business Central in pharmaceutical, cosmetics, or chemical manufacturing, understanding how ALCOA+ maps to specific BC configuration decisions is a prerequisite for a defensible system.

What ALCOA+ means

ALCOA is the original acronym: Attributable, Legible, Contemporaneous, Original, Accurate. The plus sign extends this to include Complete, Consistent, Enduring, and Available. Each term describes a property that GxP data must have throughout its lifecycle — from initial entry through archival and retrieval.

These are not aspirational principles. They are operationalised requirements that inspectors evaluate against specific system behaviours. A system that does not demonstrate these properties creates inspection exposure, regardless of how well the underlying business processes are managed.

Attributable

Every data entry and change must be traceable to the individual who made it. In Business Central, attribution is handled through Entra ID authentication. Each user action is recorded against the authenticated user account. Shared logins are a direct violation of the Attributable requirement — inspectors look for this specifically, and it is consistently cited in findings. The BC permission model must enforce individual accounts with no generic or shared credentials.

The Change Log captures attributed changes at the field level. The configuration must ensure that all tables and fields containing GxP-relevant data are included in Change Log monitoring. Configuration gaps — tables or fields not included in the scope — are a common finding.

Legible

Records must be readable throughout their required retention period. In Business Central SaaS, this means that archived records remain accessible and readable through the BC interface without requiring specialist tools. Print formats and exported reports must produce output that is clear and interpretable without ambiguity. Abbreviations used in records must be defined in controlled documentation.

Contemporaneous

Data must be recorded at the time the activity occurs. Business Central supports contemporaneous recording through real-time transaction posting — inventory movements, quality inspections, and approval decisions are recorded when executed, not reconstructed after the fact. Any process that involves manually transcribing data from a paper source into BC introduces a contemporaneousness gap that must be addressed through process controls.

Original

The first record of a transaction is the original record. In Business Central, once a transaction is posted, it cannot be deleted — only corrected through a subsequent correcting entry. This preserves the original record. The Change Log captures corrections, maintaining the full transaction history. Inspectors expect to see the original record and any corrections, with the correction rationale documented.

Accurate

Records must correctly represent what occurred. Accuracy in Business Central is supported through validation rules, mandatory field requirements, and approval workflows that prevent posting without required information. Configuration of these controls is part of the validation scope. Inaccurate records arising from misconfigured validation rules or workflows are a system validation deficiency.

Complete, Consistent, Enduring, Available

Complete means all required data elements are present. In BC, completeness is enforced through mandatory field configuration and approval workflow prerequisites. Consistent means data is recorded in the same format across entries and over time — relevant to lot number formats, unit of measure conventions, and classification schemes. Enduring means records are retained for the required retention period and cannot be deleted prematurely. Available means authorised users can retrieve records within a reasonable timeframe — relevant to report design and data archival configuration.

Common data integrity gaps in Business Central

The most frequent ALCOA+ gaps found in BC implementations in regulated environments are: Change Log not configured for all relevant tables; permission sets that allow shared logins or generic accounts; absence of a documented data retention and archival procedure; approval workflows that allow bypass for system administrators; and missing configuration documentation linking BC settings to ALCOA+ requirements.

Addressing these gaps requires a combination of BC configuration review, permission set audit, change control procedure for ongoing configuration changes, and documented evidence that the configuration meets each ALCOA+ requirement.

ALCOA+ as inspection evidence framework

When preparing for an inspection, ALCOA+ provides a structured framework for building the evidence package. For each ALCOA+ property, the evidence package should demonstrate: which BC configuration controls address the requirement, how those controls were validated, and how ongoing compliance is maintained through change control and periodic review.

A documented ALCOA+ mapping — linking each principle to specific BC configuration settings, test evidence, and ongoing monitoring procedures — is a high-value document for inspection preparation. It demonstrates that the organisation understands its obligations and has deliberately addressed them.

Download the full ALCOA+ and Business Central data integrity guide as a PDF using the link below.