
Title

Version 1.0

Vendor Audit SOP


Status Commercial in Confidence Date 08-Aug-2006 Page 1 of 9

Vendor Audit SOP

Document No: SOP_0111
Prepared by: David Brown
Date: 09-Aug-2006
Version: 1.0


Document Approval
Name: David Brown
Role: Author
Date:
Signature:

Document Control
Version: 1.0
Author: David Brown
Date: 08-Aug-2006
Description: Version 1


Table of Contents

1 Introduction
1.1 Purpose
1.2 Scope
1.3 Definition
1.4 Responsibility
1.5 References

2 Procedure
2.1 Determining Whether to Audit the Vendor
2.2 Re-Auditing Vendors
2.3 Customized Software
2.4 Audit Methods
2.5 Perform Audit
2.6 Audit Report
2.7 Follow-Up
2.8 Project Impact


1 Introduction

1.1 Purpose
The purpose of this procedure is to outline the procedure for performing vendor audits of computer system (hardware and/or software) suppliers. The intent is to ensure that software suppliers are selected based on their capability to provide quality software and documentation which is adequate for validation. Quality cannot be inspected or tested into software. Rather, the quality of software is established during the design of the software and achieved through proper control of the software development process. The results of vendor audits may be used to recommend potential vendors for new systems being purchased or to specify corrective actions necessary to meet regulatory requirements.

1.2 Scope
Department/Section: Validation and Client Groups.

1.3 Definition
Client: The business group commissioning or using a computer system.

Lead auditor: An individual with the appropriate level of validation experience responsible for managing the vendor audit process.

Software Categories: The following list provides a categorization of software referenced in this SOP:
- Category 1 - Operating Systems
- Category 2 - Standard Instruments, Micro Controllers, Smart Instrumentation
- Category 3 - Standard Software Packages
- Category 4 - Configurable Software Packages
- Category 5 - Application Specific or Custom Built Software


1.4 Responsibility
Validation and the other disciplines listed within this SOP are responsible for ensuring this procedure is followed.

It is the responsibility of the client and IT groups to notify validation management when vendors are being considered to deliver systems.

It is the responsibility of the purchasing group to ensure issues arising from the vendor audit are incorporated in purchase agreements as appropriate.

1.5 References
Document ID Title

2 Procedure

2.1 Determining Whether to Audit the Vendor
Validation management will determine whether to audit the vendor based on the following:
- Vendors of Category 1 - Operating Systems software will not be audited because these systems are in wide distribution and validation of this software is implicitly performed through testing of the applications.
- Vendors of Category 2 and 3 - Standard Instruments, Micro Controllers, Smart Instrumentation and Standard Software Packages will not be audited because these systems are widely distributed and validation of this software is performed through testing of the applications.
- Vendors of Category 4 and 5 - Configurable Software Packages and Application Specific or Custom Built Software will be audited when the vendor uses a significantly different development life cycle.

2.2 Re-Auditing Vendors
When implementing updates or new releases to Category 4 and 5 systems, validation personnel will determine whether re-auditing is needed based on the extent of changes to the system, past history, past audit history, and/or quality history of previous updates and releases. Additionally, re-auditing will be considered based on changes in regulatory requirements.

2.3 Customized Software
Software suppliers who provide customized software must have clearly established procedures for producing this software. Validation should complete an audit of potential suppliers to evaluate the adequacy of their existing procedures. IT staff may assist with the audit. Results of the audit would be used as input in the decision regarding the use of the supplier. The results would also be used to define the procedures that should govern the development of the software.

An agreement must be established as part of contract negotiations with the supplier that defines the validation requirements the supplier must work to. It is the responsibility of those who prepare contracts with vendors to include requirements in the contract for:
- producing deliverables according to the purchasing company's procedures or specifying the procedures to be used;
- approvals of deliverables by the purchasing company;
- timeline for project deliverables, and;
- a statement from the vendor assuring that the software does not contain undocumented features, does not contain hidden mechanisms that could be used to compromise the software's security, and will not require the modification or abandonment of existing computer security systems.

For customized software, the vendor assumes the role of developer and approves deliverables along with the validation and client groups. The role for approving development documentation will be defined in the Validation Plan.

2.4 Audit Methods
The audit should be performed using any of the following methods:
- Using employees from single or multiple divisions of the company;
- Joint audit with other companies with each company issuing their own audit report, and;
- Joint audit with other companies with a joint audit report being issued as long as the audit report satisfies the requirements specified in this procedure.

2.5 Perform Audit
The audit leader will notify the vendor of intent to perform an audit and make arrangements for the audit including execution of appropriate Non-Disclosure Agreements. The audit leader will notify the vendor in writing explaining the objectives of the audit and the resources expected from the vendor.

The audit should be performed to assess the vendor on the following topics:
- The stability of the company to ensure continued support of the computer system;
- The stability of the computer system to ensure it will continue to be supported;
- Ensure staff have appropriate credentials for their positions and have appropriate training in the Quality Program to ensure appropriate practices are in place;
- Quality Program in place to ensure development practices are being followed;
- Quality Program to control release of product;
- Change control program in place to ensure documents are updated for changes;
- Appropriate documentation supports development;
- Appropriate development, security, backup, test, change control, documentation, problem tracking procedures, and;
- Ensure training programs are provided by the vendor to users and support personnel.

At the conclusion of the audit, a review of the findings should be held with the vendor to clarify the significant observations.


2.6 Audit Report
After gathering the audit information, an audit report must be prepared by the audit leader. The audit report should include the following:
- Cover page with a unique Report ID, Title, Name of audit leader and other team members, Date, Approval block and Distribution list. The Distribution list should include the Director of any area potentially affected by the results of the audit and the Validation Audit File. The Approval blocks must include the manager of the Validation representative and the Manager of QA Supplier and Internal Auditing. The Report ID is assigned using the format <Project name or ID>_VA_nnnn.
- Purpose and Scope of the audit to include the vendor's name and location.
- Confidentiality Statement to clearly state who is authorized to receive a copy of the audit report.
- Conclusion of the audit as to whether the vendor satisfies computer validation requirements.
- Key audit findings which are the summary of the information gathered during the audit. Group the information by similar content.
- Detailed audit observations which were encountered during the audit. Give specific references to documents reviewed where observations were noted.
- Recommendations related to the content of purchase contract conditions, system validation and implementation considerations and audit follow-up plans.
- Attachments of supporting documentation gathered during the audit, where permitted by the vendor.

The audit report should be routed for approval prior to distribution. Approval of the audit report shall constitute acceptance of the audit findings and agreement of the audit conclusions and recommendations.

2.7 Follow-Up
Vendors will be sent a letter outlining the key audit findings and will be requested to respond with a plan for corrective actions with implementation dates. The Lead Auditor will review the supplier response to ensure corrective actions are committed to. Follow up with the vendor to ensure audit findings are implemented as agreed by the vendor. Document follow-up requests and responses from the vendor. Add this documentation to the audit file. When all of the vendor responses are returned satisfactorily, the Lead Auditor will send an audit closure letter to the vendor indicating their status as an approved vendor.

2.8 Project Impact
Where the results of a vendor audit indicate the software supplier does not have complete documentation of software being purchased, the project team must pursue other methods of creating the documentation required or select another vendor.
