The purpose of this procedure is to describe how to perform vendor audits of computer system (hardware and/or software) suppliers.
The intent is to ensure that software suppliers are selected based on their capability to provide quality software and documentation which is adequate for validation. Quality cannot be inspected or tested into software. Rather, the quality of software is established during the design of the software and achieved through proper control of the software development process.
The results of vendor audits may be used to recommend potential vendors for new systems being purchased or to specify corrective actions necessary to meet regulatory requirements.
Department/Section: IT, Validation and Client Groups
This SOP applies to all validated computer systems.
Lead auditor – an individual with the appropriate level of validation experience responsible for managing the vendor audit process.
Software Categories – the following list provides a categorization of software referenced in this SOP:
Client – the business system owner is typically the ‘line’ manager responsible for the business process where the computer system will be used.
Validation and the other disciplines listed within this SOP are responsible for ensuring this procedure is followed.
It is the responsibility of the client and IT groups to notify validation management when vendors are being considered to deliver systems.
It is the responsibility of the purchasing group to ensure issues arising from the vendor audit are incorporated in purchase agreements as appropriate.
Validation management will determine whether to audit the vendor based on the following:
When implementing updates or new releases to Category 4 and 5 systems, validation personnel will determine whether re-auditing is needed based on the extent of changes to the system, past history, past audit history, and/or quality history of previous updates and releases. Additionally, re-auditing will be considered based on changes in regulatory requirements.
Software suppliers who provide customized software must have clearly established procedures for producing this software. Validation should complete an audit of potential suppliers to evaluate the adequacy of their existing procedures. IT staff may assist with the audit. Results of the audit would be used as input in the decision regarding the use of the supplier. The results would also be used to define the procedures that should govern the development of the software. An agreement must be established as part of contract negotiations with the supplier that defines the validation requirements the supplier must work to. It is the responsibility of those who prepare contracts with vendors to include requirements in the contract for:
For customized software, the vendor assumes the role of developer and approves deliverables along with the validation and client groups. The role for approving development documentation will be defined in the Validation Plan.
The audit should be performed using any of the following methods:
The audit leader will notify the vendor of the intent to perform an audit and make arrangements for the audit, including execution of appropriate Non-Disclosure Agreements.
The audit leader will notify the vendor in writing, explaining the objectives of the audit and the resources expected from the vendor.
The audit should be performed to assess the vendor on the following topics:
At the conclusion of the audit, a review of the findings should be held with the vendor to clarify the significant observations.
After gathering the audit information, an audit report must be prepared by the audit leader. The audit report should include the following:
Vendors will be sent a letter outlining the key audit findings and will be requested to respond with a plan for corrective actions with implementation dates. The Lead Auditor will review the supplier response to ensure corrective actions are committed to.
Follow up with the vendor to ensure audit findings are implemented as agreed by the vendor. Document follow-up requests and responses from the vendor. Add this documentation to the audit file.
When all of the vendor responses are returned satisfactorily, the Lead Auditor will send an audit closure letter to the vendor indicating their status as an approved vendor.
Where the results of a vendor audit indicate the software supplier does not have complete documentation of software being purchased, the project team must pursue other methods of creating the documentation required or select another.