sop_0111_10 - vendor audit sop

8/13/2019 SOP_0111_10 - Vendor Audit SOP

1/9

Title Vendor Audit SOP

Version Status Date Page

1.0 Commercial in Confidence 08-Aug-2006 1 of 9

Vendor Audit SOP

Document No: SOP_0111

Prepared by: David Brown

Date: 09-Aug-2006

Version: 1.0


2/9




Document Approval

Name Role Date Signature

David Brown Author

Document Control

Version Author Date Description

1.0 David Brown 08-Aug-2006 Version 1


3/9




Table of Contents

1 Introduction ................. ................. .................. ................. .................. ................. .................... 41.1 Purpose ........................................................................................................................... 41.2 Scope ............................................................................................................................... 41.3 Definition........................................................................................................................ 41.4 Responsibility................................................................................................................. 51.5 References ...................................................................................................................... 5

2 Procedure .................. .................. .................. .................. .................. ................. .................. ... 52.1 Determining Whether to Audit the Vendor................................................................ 52.2 Re-Auditing Vendors..................................................................................................... 52.3 Customized Software..................................................................................................... 62.4 Audit Methods ............................................................................................................... 62.5 Perform Audit................................................................................................................ 72.6 Audit Report .................................................................................................................. 82.7 Follow-Up....................................................................................................................... 82.8 Project Impact ............................................................................................................... 9


4/9




1 Introduction1.1 Purpose

The purpose of this procedure is to outline the procedure for

performing vendor audits of computer system (hardware and/orsoftware) suppliers.

The intent is to ensure that software suppliers are selectedbased on their capability to provide quality software and

documentation which is adequate for validation. Quality cannot

be inspected or tested into software. Rather, the quality ofsoftware is established during the design of the software andachieved through proper control of the software development

process.

The results of vendor audits may be used to recommendpotential vendors for new systems being purchased or to specify

corrective actions necessary to meet regulatory requirements.

1.2 ScopeDepartment/Section: Validation and Client Groups.

1.3 DefinitionClient The business group commissioning or using a computersystem.

Lead auditor an individual with the appropriate level ofvalidation experience responsible for managing the vendor auditprocess.

Software Categories the following list provides a

categorization of software referenced in this SOP:

Category 1 - Operating Systems Category 2 - Standard Instruments, Micro Controllers,

Smart Instrumentation

Category 3 - Standard Software Packages Category 4 - Configurable Software Packages Category 5 - Application Specific or Custom Built Software


5/9




1.4 ResponsibilityValidation and the other disciplines listed within this SOP are

responsible for ensuring this procedure is followed.

It is the responsibility of the client and IT groups to notify

validation management when vendors are being considered todeliver systems.

It is the responsibility of purchasing group to ensure issuesarising from the vendor audit are incorporated in purchase

agreements as appropriate.

1.5 ReferencesDocument ID Title

2 Procedure2.1 Determining Whether to Audit the Vendor

Validation management will determine whether to audit thevendor based on the following:

Vendors of Category 1- Operating Systems softwarewill not be audited because these systems are in wide

distribution and validation of this software is implicitlyperformed through testing of the applications.

Vendors of Category 2 and 3- Standard Instruments,Micro Controllers, Smart Instrumentation and Standard

Software Packages will not be audited because thesesystems are widely distributed and validation of this

software is performed through testing of the applications.

Vendors of Category 4 and 5- Configurable SoftwarePackages and Application Specific or Custom BuiltSoftware will be audited when the vendor uses a

significantly different development life cycle.

2.2 Re-Auditing VendorsWhen implementing updates or new releases to Category 4 and5 systems, validation personnel will determine whether re-


6/9




auditing is needed based on the extent of changes to the

system, past history, past audit history, and/or quality history of

previous updates and releases. Additionally re-auditing will beconsidered based on changes in regulatory requirements.

2.3 Customized SoftwareSoftware suppliers who provide customized software must have

clearly established procedures for producing this software.Validation should complete an audit of potential suppliers to

evaluate the adequacy of their existing procedures. IT staffmay assist with the audit. Results of the audit would be used as

input in the decision regarding the use of the supplier. The

results would also be used to define the procedures that shouldgovern the development of the software. An agreement mustbe established as part of contract negotiations with the supplier

that defines the validation requirements the supplier must worktoo. It is the responsibility of those who prepare contracts with

vendors to include requirements in the contract for:

producing deliverables according to the purchasingcompanies procedures or specifying the procedures to be

used;

approvals of deliverables by the purchasing company; timeline for project deliverables, and; a statement from the vendor assuring that the software

does not contain undocumented features, does not

contain hidden mechanisms that could be used tocompromise the softwares security, and will not require

the modification or abandonment of existing computersecurity systems.

For customized software, the vendor assumes the role of

developer and approves deliverables along with the validationand client groups. The role for approving development

documentation will be defined in the Validation Plan.

2.4 Audit MethodsThe audit should be performed using any of the following

methods:

Using employees from single or multiple divisions of thecompany;


7/9




Joint audit with other companies with each companyissuing their own audit report, and;

Joint audit with other companies with a joint audit reportbeing issued as long as the audit report satisfies therequirements specified in this procedure.

2.5 Perform AuditThe audit leader will notify the vendor of intent to perform an

audit and make arrangements for the audit including executionof appropriate Non Disclosure Agreements.

The audit leader will notify the vendor in writing explaining theobjectives of the audit and the resources expected from the

vendor.The audit should be performed to assess the vendor on thefollowing topics:

The stability of the company to ensure continued supportof the computer system;

The stability of the computer system to ensure it willcontinue to be supported;

Ensure staff have appropriate credentials for theirpositions and have appropriate training in the Quality

Program to ensure appropriate practices are in place;

Quality Program in place to ensure development practicesare being followed;

Quality Program to control release of product; Change control program in place to ensure documents are

updated for changes;

Appropriate documentation supports development; Appropriate development, security, backup, test, change

control, documentation, problem tracking procedures,and;

Ensure training programs are provided by the vendor tousers and support personnel.

At the conclusion of the audit, a review of the findings should be

held with the vendor to clarify the significant observations.


8/9




2.6 Audit ReportAfter gathering the audit information, an audit report must be

prepared by the audit leader. The audit report should includethe following:

Cover page with a unique Report ID, Title, Name of auditleader and other team members, Date, Approval blockand Distribution list. The Distribution list should include

the Director of any area potentially affected by the results

of the audit and the Validation Audit File. The Approvalblocks must include the manager of the Validationrepresentative and the Manager of QA Supplier and

Internal Auditing.

The Report ID is assigned using the format_VA_nnnn.

Purpose and Scope of the audit to include the vendorsname and location.

Confidentiality Statement to clearly state who isauthorized to receive a copy of the audit report.

Conclusion of the audit as to whether the vendor satisfiescomputer validation requirements.

Key audit findings which are the summary of theinformation gathered during the audit. Group the

information by similar content.

Detailed audit observations which were encounteredduring the audit. Give specific references to documents

reviewed where observations were noted.

Recommendations related to the content of purchasecontract conditions, system validation andimplementation considerations and audit follow-up plans.

Attachments of supporting documentation gatheredduring the audit, where permitted by the vendor.

The audit report should be routed for approval prior todistribution. Approval of the audit report shall constituteacceptance of the audit findings and agreement of the

audit conclusions and recommendations.

2.7 Follow-UpVendors will be sent a letter outlining the key audit findings andwill be requested to respond with a plan for corrective actions


9/9




with implementation dates. The Lead Auditor will review the

supplier response to ensure corrective actions are committed to.

Follow up with the vendor to ensure audit findings areimplemented as agreed by the vendor. Document follow uprequests and responses from the vendor. Add this

documentation to the audit file.

When all of the vendor responses are returned satisfactorily, theLead Auditor will send an audit closure letter to the vendor

indicating their status as an approved vendor.

2.8 Project ImpactWhere the results of a vendor audit indicate the software

supplier does not have complete documentation of softwarebeing purchased, the project team must pursue other methods

of creating the documentation required or select another

vendor.

sop_0111_10 - vendor audit sop

Documents