Background

A Fortune 500 medical device manufacturer that provides advanced solutions for the treatment of vascular diseases was facing regulatory exposure related to exercising control of its Information Technology (IT) suppliers. An internal audit revealed that audits had not been conducted as prescribed by company procedures. Consequently, a solution was required to complete the overdue audits and to set up a schedule that ensures ongoing audit compliance.
Business Issue

Regulatory guidance requires life sciences companies to maintain effective surveillance of their suppliers to ensure that appropriate procedures and controls are in place and meet predetermined standards and specifications. This oversight is achieved through periodic audits of the supplier’s Quality Management System.
The Objective

Update the list of audits to be performed based on criteria contained in the client procedure for Supplier Management. Once completed, the list of audits to be performed was ranked based on the relative risk posed by the IT supplier’s software solution.
The Solution

Arbour Group set up an audit team to perform the supplier audits, which included both onsite and desktop (remote) audits:
- Quality System Audit – a comprehensive review of software supplier Quality System controls and procedures
- Software Development Life Cycle (SDLC) – a comprehensive review of the supplier’s SDLC and associated Quality System, to include incident response, development and maintenance environments, and software version management processes
- Hosted Services – a comprehensive review of hosting services supplier compliance, to include infrastructure and data management, security, availability, change management, backup/recovery, business impact/continuity planning, incident management, etc.
- A remote review of supplier Quality System controls and procedures based on their completion of a questionnaire as well as review of available written supporting procedural documentation