This post was recently updated on September 19, 2018

Welcome to our three part series on how to audit software vendors. In part one, we’ll review the basic processes and preparation activities. Parts 2 and 3 dig into performing the audit itself and leveraging the results.

The Vendor Audit Process

In general, to audit software vendors, the process is the same for each audit method. Some of the activities may not be performed in the less extensive audits, but you still have to prepare for and conduct the audit, and do some post-audit activities.

Onsite and offsite audits are practically identical other than the fact that for offsite audits, there is no facility tour. You perform all of the activities for steps 2-4, just at your own desk instead of the vendor’s.

Questionnaire assessments typically have no advanced notification or document reviews prior to the assessment or meetings. And the “Discovery” stage is completed by reviewing what the vendor provides. Depending on your satisfaction with the vendor, you might or might not request follow-up.

Basic Assessments are similar to the questionnaire method except there is no audit follow-up.

Not sure which method you should use? Read this post.

Setting the Stage – Audit Roles

All audits have 3 groups of people:

1. Audit Sponsor
2. Lead Auditor and Audit Team
3. Audit Facilitator and Auditee Team

The Audit Sponsor authorizes the audit, determines the Audit Standard and identifies the Auditing Organization. In the case of vendor audits, your company is both the Audit Sponsor and the Auditing Organization. You authorize the audit and will determine the Audit Standard – the basis for the Audit.

Examples of Audit Standards: FDA regulations, customer contracts, published standards (e.g., PIC/S, ISO), internal company standards and best practices.

Each audit team should have a lead auditor – the person with overall responsibility for the audit. The lead auditor is the go-to person for making the audit arrangements with the Auditee (aka the vendor). The lead auditor and audit team conduct the audits, document the results and report the results to the Audit Sponsor. Auditors can be from the same company as the sponsor or can be a separate firm.

Your vendor will most likely have a lead ‘audit facilitator’. The audit facilitator will make logistical arrangements, escort your team of auditors and provides information needed by auditors. Additionally, the vendor will have a designated team, such as subject matter experts, for specific topics (i.e., system expertise, validation testing, development, system support, etc.).

Before the Audit

To prep for your audit, you should be aware of the regulations that apply to you. These can be used directly as an Audit Standard, or incorporated into an audit checklist that you develop. Audit Standards could come from FDA Regulations and Guidance, ICH Guidelines, Eudralex Regulations or contractual agreements you have with the vendor. You can download these regulations and guidelines from our document library.

If a separate firm is performing the audit on your behalf, they should assist you in determining the audit standard.

Audit Preparation

Based on the audit method, these are the activities performed during the audit preparation phase.

Planning

Regardless of the audit method you are using, in the planning stage you need to determine:

• Audit Purpose and Scope
• Audit Standard(s)
• Checklists
• Audit Agenda and Schedule
• Proposed date(s)
• Number of Auditors

Examples of the purpose and scope might include: new vendor, periodic re-audit, quality practices, development methodology, or follow-up on a specific issue. You might be trying to determine the vendor’s stability and commitment.

Additionally, if this is not your first audit of the vendor, review previous results and be sure to follow-up on problem areas.

Vendor Notification & Arrangements

First you must notify the vendor of your intent to audit them. For onsite audits, this should be a formal letter. Offsite audits you might only need to email them or setup an online meeting. If you are sending a questionnaire, you probably don’t need any formal notifications.

When notifying the vendor, provide your plan details regarding the items you determined in the planning stage. This helps the vendor know who needs to be available and how much time they need to prepare.

Ask your vendor for documents in advance that can help to save time during the audit. These might include policies, procedures, organization charts, etc.

Lastly, at this step you agree to dates and times for the audit to ensure those who are needed during the audit will be available.

Team Selection

In the beginning we defined the roles of an audit. Now you need to select the lead auditor and audit team.

The lead auditor should be certified and experienced in auditing. They are responsible for negotiating the audit arrangements with the vendor, running the opening and closing meetings, keeping the audit on track, coordinating the audit report, and requesting/following-up on corrective action requests.

For larger audits, create an audit team. You will need people who have specific expertise, such as a system’s technology or software validation. Be sure to train the team members if they are new to auditing.

Members might include:

• Key users who know the system
• People who know IT processes, like members of tech support, software development and system support
• Those who know validation, especially if you are planning to use the vendor’s documentation

The lead auditor is also responsible for assigning audit team members to specific audit topics, typically aligned with their area of expertise, so that each team member knows where they are needed.

Document Reviews

Reviewing documentation prior to the audit does several things for you. For one, it improves the efficiency of the audit, meaning you can save time and money for both you and your vendor. If you’re already familiar with procedures, you will be able to jump right to examination of evidence.

You’ll also be able to ask better questions during the audit since you’ll have had time to process the information and hone in on target areas rather than trying to do that on the fly.

Additionally, you are also going to get more accurate results from pre-reviewing documentation. Audits are stressful and have tight timelines. You are less likely to miss something when you’re not worried about catching your flight home.

Which documents are best to review ahead of time?

• Organizational charts will help you understand who’s responsible for what
• Quality and testing policies
• Procedures documents – testing, SDLC, change control, incident management, configuration management, training, etc.

For onsite and offsite audits, prepare your Audit Checklists ahead of the audit so that you can keep your auditors on track during the event. They ensure your vendors are evaluated using the same or similar measures. Checklists will also make writing the audit report easier for you and your team after the audit.

What’s Next?

While you’re preparing for the audit, you can expect your vendor to do the same. Between notification and the audit itself, your vendor will be preparing for the audit. They will review checklists and audit standards and determine which systems are in scope. They will staff their auditee team and locate documentation and procedures. And finally, your vendor will conduct a mock audit to prepare for your auditor’s arrival.

Next, we discuss Audit Execution in Part 2 of this software vendor audit series.

  Read More Posts About: Compliance Audits