Thursday, 31 October 2013

Performing a third party C/S supplier audit


To date in our audit series we have discussed how the rise in outsourcing computerised system activities has resulted in an increased demand in third party computerised system audits. We put forward our thoughts that those with the combined expertise in software engineering, quality assurance within the software space and experience of GXP needs make great auditors. Additionally, we briefly touched upon the principles or, characteristics if you like, of the auditor and the preparation to be undertaken by the auditor. Today, we are going to round up our audit series by discussing the requirements for performing the audit. 

Check list (Preparation Stage)

A checklist (which is discussed in more detail below) is created during the planning stage and can be used as an aid for the auditor to follow lines of enquiry. The checklist is based on GxP requirements, ISO9002 or project planning documentation.

Introduction Meeting (Performing the Audit)

During this introduction meeting, a brief overview of the objectives of the audit and what areas the audit will concentrate on will be discussed. Furthermore, the auditor will ascertain that the required audit activities can be performed. The auditor will meet with members of the auditee team, obtaining a description of what each member is responsible for, and ascertain their names for later inclusion in the audit report. 

An experienced auditor should communicate clearly and listen attentively at this stage and throughout the rest of the audit. Effective oral, listening and written communication is a must!

Audit (Performing the Audit)

How the audit is performed 

The audit is performed via interviews, observations and review of documents and records. If there are areas of potential weakness identified during the audit, the auditor may decide to focus on these and elicit more detailed information. However, if the auditor feels that a particular line of enquiry is progressing to a satisfactory outcome then they can easily switch attention to another area. 

If the supplier is in a long term relationship, it is recommended that the audit is used as a tool for process improvement. After all, an improvement in the supplier's quality approach should equate to an improvement in the services/products that the organisation uses. The combined technical/quality auditor will encourage the team to consider suggestions they have for the improvement of their quality approach. This provides great insight into the quality maturity of the organisation.

A number of lines of enquiry can be covered, for example: project process, continual improvement, deliverables scheduling, traceability, testing, documentation control, review practice, change control and so forth. In all of these cases the auditor must be concerned with whether the documentation is traceable, consistent and complete. For CS audits the QMS change control and project change control approaches should be highlighted.

Once completed, a close out meeting will be held where the auditor will discuss the audit findings with the auditees:
  • Agree any non-conformances, observations and improvements with the auditee
  • Agree corrective/preventive actions and completion dates with the appropriate team member
  • Ensure to highlight areas of excellence within the auditee team

Report (Post Audit)

The audit report, summarising the findings of the audit and including all agreed corrective actions, should be completed by the auditor. All non-conformances and observations on the audit report will be given a clearance date by which the corrective and preventive actions (CA/PA) are to be completed.

Follow-up & Close

It is the responsibility of the auditee to perform the CA/PAs, report back to the auditor that they have been implemented, and provide evidence that the action has been carried out. The auditor can only sign an action complete when they have seen this evidence, and should add relevant comment(s) to the report when closing the action. Consideration should be given to whether a follow-up visit is necessary to confirm closure of the CA/PAs. A follow-up visit may need to be arranged depending on the criticality of the findings.

When all actions are complete the auditor must sign off the audit report including any associated follow-up list. Any unresolved audit actions will be escalated if open after the agreed closure time-frame.

Are the same lines of enquiry applicable when auditing the cloud?

We spoke about validating the cloud at our recent breakfast seminar in Cork, where Cloud supplier audits were examined. Pharmaceutical and medical device companies should ensure that they treat Cloud suppliers as they would any other computerised system third party supplier: ensure comprehensive risk based strategies are in place before entering into a relationship with the supplier; robust contracts/SLAs are defined; and assess the supplier.

Due to the increased risks associated with Cloud, suppliers must be audited regularly in order to confirm the quality of service is maintained in terms of the SLA and GxP needs.

Click here to be redirected to an excerpt from EmpowermentQE's information security checklist, which we hope provides some areas to consider when planning on auditing a Cloud supplier.

To conclude

Diagram 1
The need for third party computerised system supplier assessments/audits will be identified when performing a risk assessment of any GxP area impacted by the supplier's CS product or service. Audits can be intensive undertakings. The disadvantages commonly cited against the audit include time and cost, and that auditees naturally feel defensive when they hear an audit is taking place (a technical auditor can help overcome defensive barriers).
Audits should not be feared by suppliers; they should view the audit as an opportunity to improve their own approach and also as an opportunity to advertise their effectiveness.

The underlying rationale behind audits is to help ensure patient safety. The audit can also help to enhance relationships where there is a long term engagement between the supplier and the client. It can increase confidence, enhance productivity, open the opportunity for a least burdensome approach and help to reduce overall costs for the supplier and the regulated user.

Change is constant, of that we can be certain; with that in mind, it is important to realise that the audit is a continuous process, as illustrated in Diagram 1.

EmpowermentQE's audit consultants provide additional benefits:

  • Reduce the technical gap of CS development 
  • Provide objective, independent technical expertise
  • Provide in depth technical expertise that can be leveraged to allay non-technical auditor fears and ensure that auditors are not bewildered by technical jargon
  • Provide technical expertise to verify whether technical processes and approach will continuously yield a quality outcome
  • Trained ISO 9001 auditors 
  • Technical expertise in all roles and all stages of the SDLC (we know the inherent weaknesses in building computerised systems).
  • Experienced 3rd party supplier auditors.

EmpowermentQE audit and assessments evolved from Total Software Quality Management, ISO9001, GxP and our vast quality and technical experience. We have performed 3rd party supplier audits of Oracle Ireland and ICTi on behalf of a clinical trials company and we are technical partners for one of the top 10 global pharmaceutical companies. We have applied our audit approach as a health check for IT companies as key input to our process improvement approach. Our audit services range from training GxP auditors on what to look for in computerised system audits, designing postal questionnaires and follow-up reports, to providing a fully comprehensive ISO9001 based audit.

Should you wish to discuss our Audit services in more detail, then please do not hesitate to email Ciara and request a call back.

Next month’s topic 

In next month’s post Barry will be discussing COTS selection and validation.
