sop_0111_10 - vendor audit sop
TRANSCRIPT
-
8/13/2019 SOP_0111_10 - Vendor Audit SOP
1/9
Title Vendor Audit SOP
Version Status Date Page
1.0 Commercial in Confidence 08-Aug-2006 1 of 9
Vendor Audit SOP
Document No: SOP_0111
Prepared by: David Brown
Date: 09-Aug-2006
Version: 1.0
-
8/13/2019 SOP_0111_10 - Vendor Audit SOP
2/9
Title Vendor Audit SOP
Version Status Date Page
1.0 Commercial in Confidence 08-Aug-2006 2 of 9
Document Approval
Name Role Date Signature
David Brown Author
Document Control
Version Author Date Description
1.0 David Brown 08-Aug-2006 Version 1
-
8/13/2019 SOP_0111_10 - Vendor Audit SOP
3/9
Title Vendor Audit SOP
Version Status Date Page
1.0 Commercial in Confidence 08-Aug-2006 3 of 9
Table of Contents
1 Introduction ................. ................. .................. ................. .................. ................. .................... 41.1 Purpose ........................................................................................................................... 41.2 Scope ............................................................................................................................... 41.3 Definition........................................................................................................................ 41.4 Responsibility................................................................................................................. 51.5 References ...................................................................................................................... 5
2 Procedure .................. .................. .................. .................. .................. ................. .................. ... 52.1 Determining Whether to Audit the Vendor................................................................ 52.2 Re-Auditing Vendors..................................................................................................... 52.3 Customized Software..................................................................................................... 62.4 Audit Methods ............................................................................................................... 62.5 Perform Audit................................................................................................................ 72.6 Audit Report .................................................................................................................. 82.7 Follow-Up....................................................................................................................... 82.8 Project Impact ............................................................................................................... 9
-
8/13/2019 SOP_0111_10 - Vendor Audit SOP
4/9
Title Vendor Audit SOP
Version Status Date Page
1.0 Commercial in Confidence 08-Aug-2006 4 of 9
1 Introduction1.1 Purpose
The purpose of this procedure is to outline the procedure for
performing vendor audits of computer system (hardware and/orsoftware) suppliers.
The intent is to ensure that software suppliers are selectedbased on their capability to provide quality software and
documentation which is adequate for validation. Quality cannot
be inspected or tested into software. Rather, the quality ofsoftware is established during the design of the software andachieved through proper control of the software development
process.
The results of vendor audits may be used to recommendpotential vendors for new systems being purchased or to specify
corrective actions necessary to meet regulatory requirements.
1.2 ScopeDepartment/Section: Validation and Client Groups.
1.3 DefinitionClient The business group commissioning or using a computersystem.
Lead auditor an individual with the appropriate level ofvalidation experience responsible for managing the vendor auditprocess.
Software Categories the following list provides a
categorization of software referenced in this SOP:
Category 1 - Operating Systems Category 2 - Standard Instruments, Micro Controllers,
Smart Instrumentation
Category 3 - Standard Software Packages Category 4 - Configurable Software Packages Category 5 - Application Specific or Custom Built Software
-
8/13/2019 SOP_0111_10 - Vendor Audit SOP
5/9
Title Vendor Audit SOP
Version Status Date Page
1.0 Commercial in Confidence 08-Aug-2006 5 of 9
1.4 ResponsibilityValidation and the other disciplines listed within this SOP are
responsible for ensuring this procedure is followed.
It is the responsibility of the client and IT groups to notify
validation management when vendors are being considered todeliver systems.
It is the responsibility of purchasing group to ensure issuesarising from the vendor audit are incorporated in purchase
agreements as appropriate.
1.5 ReferencesDocument ID Title
2 Procedure2.1 Determining Whether to Audit the Vendor
Validation management will determine whether to audit thevendor based on the following:
Vendors of Category 1- Operating Systems softwarewill not be audited because these systems are in wide
distribution and validation of this software is implicitlyperformed through testing of the applications.
Vendors of Category 2 and 3- Standard Instruments,Micro Controllers, Smart Instrumentation and Standard
Software Packages will not be audited because thesesystems are widely distributed and validation of this
software is performed through testing of the applications.
Vendors of Category 4 and 5- Configurable SoftwarePackages and Application Specific or Custom BuiltSoftware will be audited when the vendor uses a
significantly different development life cycle.
2.2 Re-Auditing VendorsWhen implementing updates or new releases to Category 4 and5 systems, validation personnel will determine whether re-
-
8/13/2019 SOP_0111_10 - Vendor Audit SOP
6/9
Title Vendor Audit SOP
Version Status Date Page
1.0 Commercial in Confidence 08-Aug-2006 6 of 9
auditing is needed based on the extent of changes to the
system, past history, past audit history, and/or quality history of
previous updates and releases. Additionally re-auditing will beconsidered based on changes in regulatory requirements.
2.3 Customized SoftwareSoftware suppliers who provide customized software must have
clearly established procedures for producing this software.Validation should complete an audit of potential suppliers to
evaluate the adequacy of their existing procedures. IT staffmay assist with the audit. Results of the audit would be used as
input in the decision regarding the use of the supplier. The
results would also be used to define the procedures that shouldgovern the development of the software. An agreement mustbe established as part of contract negotiations with the supplier
that defines the validation requirements the supplier must worktoo. It is the responsibility of those who prepare contracts with
vendors to include requirements in the contract for:
producing deliverables according to the purchasingcompanies procedures or specifying the procedures to be
used;
approvals of deliverables by the purchasing company; timeline for project deliverables, and; a statement from the vendor assuring that the software
does not contain undocumented features, does not
contain hidden mechanisms that could be used tocompromise the softwares security, and will not require
the modification or abandonment of existing computersecurity systems.
For customized software, the vendor assumes the role of
developer and approves deliverables along with the validationand client groups. The role for approving development
documentation will be defined in the Validation Plan.
2.4 Audit MethodsThe audit should be performed using any of the following
methods:
Using employees from single or multiple divisions of thecompany;
-
8/13/2019 SOP_0111_10 - Vendor Audit SOP
7/9
Title Vendor Audit SOP
Version Status Date Page
1.0 Commercial in Confidence 08-Aug-2006 7 of 9
Joint audit with other companies with each companyissuing their own audit report, and;
Joint audit with other companies with a joint audit reportbeing issued as long as the audit report satisfies therequirements specified in this procedure.
2.5 Perform AuditThe audit leader will notify the vendor of intent to perform an
audit and make arrangements for the audit including executionof appropriate Non Disclosure Agreements.
The audit leader will notify the vendor in writing explaining theobjectives of the audit and the resources expected from the
vendor.The audit should be performed to assess the vendor on thefollowing topics:
The stability of the company to ensure continued supportof the computer system;
The stability of the computer system to ensure it willcontinue to be supported;
Ensure staff have appropriate credentials for theirpositions and have appropriate training in the Quality
Program to ensure appropriate practices are in place;
Quality Program in place to ensure development practicesare being followed;
Quality Program to control release of product; Change control program in place to ensure documents are
updated for changes;
Appropriate documentation supports development; Appropriate development, security, backup, test, change
control, documentation, problem tracking procedures,and;
Ensure training programs are provided by the vendor tousers and support personnel.
At the conclusion of the audit, a review of the findings should be
held with the vendor to clarify the significant observations.
-
8/13/2019 SOP_0111_10 - Vendor Audit SOP
8/9
Title Vendor Audit SOP
Version Status Date Page
1.0 Commercial in Confidence 08-Aug-2006 8 of 9
2.6 Audit ReportAfter gathering the audit information, an audit report must be
prepared by the audit leader. The audit report should includethe following:
Cover page with a unique Report ID, Title, Name of auditleader and other team members, Date, Approval blockand Distribution list. The Distribution list should include
the Director of any area potentially affected by the results
of the audit and the Validation Audit File. The Approvalblocks must include the manager of the Validationrepresentative and the Manager of QA Supplier and
Internal Auditing.
The Report ID is assigned using the format_VA_nnnn.
Purpose and Scope of the audit to include the vendorsname and location.
Confidentiality Statement to clearly state who isauthorized to receive a copy of the audit report.
Conclusion of the audit as to whether the vendor satisfiescomputer validation requirements.
Key audit findings which are the summary of theinformation gathered during the audit. Group the
information by similar content.
Detailed audit observations which were encounteredduring the audit. Give specific references to documents
reviewed where observations were noted.
Recommendations related to the content of purchasecontract conditions, system validation andimplementation considerations and audit follow-up plans.
Attachments of supporting documentation gatheredduring the audit, where permitted by the vendor.
The audit report should be routed for approval prior todistribution. Approval of the audit report shall constituteacceptance of the audit findings and agreement of the
audit conclusions and recommendations.
2.7 Follow-UpVendors will be sent a letter outlining the key audit findings andwill be requested to respond with a plan for corrective actions
-
8/13/2019 SOP_0111_10 - Vendor Audit SOP
9/9
Title Vendor Audit SOP
Version Status Date Page
1.0 Commercial in Confidence 08-Aug-2006 9 of 9
with implementation dates. The Lead Auditor will review the
supplier response to ensure corrective actions are committed to.
Follow up with the vendor to ensure audit findings areimplemented as agreed by the vendor. Document follow uprequests and responses from the vendor. Add this
documentation to the audit file.
When all of the vendor responses are returned satisfactorily, theLead Auditor will send an audit closure letter to the vendor
indicating their status as an approved vendor.
2.8 Project ImpactWhere the results of a vendor audit indicate the software
supplier does not have complete documentation of softwarebeing purchased, the project team must pursue other methods
of creating the documentation required or select another
vendor.