Software Vendor Audit Methods

How to Audit Software Vendors – Which Method is Right for You?

By Deb Bartel

This post was recently updated on September 19, 2018

How do you audit a software vendor? Which is the right method for your company? These are some questions you may be asking yourself. The answer is “it depends”. It depends on lots of things – how much time, money and expertise do you have available for the audit? If you don’t audit your vendor, what are the risks? How critical is the system to your product or patient safety?

FDA Guidance on computer system validation allows for the use of vendor supplied documentation in your validation. That means there is a potential that your validation efforts could be reduced as a result of an audit. However, you retain responsibility for the systems your company uses.

There are multiple methods for auditing your software vendors, and not all of them involve going to their site. Each method has pros and cons.

[Figure: software vendor audit methods]

Let’s look at each audit method in detail.

Onsite Audit

This is the traditional audit approach. It’s the most thorough and accurate approach because you get to see the vendor’s facilities, personnel, documentation and practices first hand. It’s the recommended approach for critical applications, especially if you intend to leverage their documentation.

The downsides are that onsite audits are costly, time-consuming (for you and the vendor), and some vendors won’t even agree to the audit. Most of the big software vendors (SAP, Microsoft) that have thousands of customers are probably not going to agree to an onsite audit, but a refusal from a new or small vendor should raise warning flags.

Offsite Audit

These are similar to onsite audits except that they are often performed via online meetings, phone interviews, document reviews, etc. Offsite audits are shorter and less expensive than onsite audits, but they are also less thorough. They are a great option for less critical systems.

Questionnaire

For low-risk applications or services with low reliability, a simple approach is to have questionnaires or surveys completed by the vendor. These require little time and money, but there is no real way to ensure the accuracy of a vendor’s responses. Some vendors might not even complete the survey, and you should always follow up on any unacceptable responses prior to approving the vendor. To help bolster the effectiveness of this audit method, you can request copies of SOPs, training requirements, etc.

Basic Assessment

Basic assessments require little or no interaction with the vendor. You take a look at the company’s public information and contact other users. You should only do this for non-critical applications or when you have no option to select a different vendor. Here you can look into financial ratings, Gartner Group assessments, awards received and internet search results. You can also look into customer lists (they are probably pre-screened by the vendor to give favorable feedback) and attend user group meetings.

Which audit method is right for you?

Think about the regulatory guidance documents and answer these questions:

  • How critical is the system to the quality of your product? To patient safety?
  • Will you be relying on the vendor’s documentation such as requirements or testing?
  • What has your experience been with this vendor so far? Is this your first application with them or have you used their applications before?

We use a risk-based model for audit method selection that takes these factors into account. Here is an example:

[Figure: software vendor audit risk assessment]

As the risk factors decrease, the audit methods shift from onsite to basic assessment, to no audit required. You can develop your own risk-based model for your company’s level of tolerance.

Attend a Webinar

For more information on auditing software vendors, you can attend our free 90-minute Auditing Software Vendors webinar.