Why do we audit our suppliers and what do we hope to achieve when we do?
Certainly, regulated companies need to ensure their systems meet both business and regulatory requirements, which include systems provided by third-party suppliers.
To meet the rapidly evolving needs of regulated companies, many technology suppliers have adopted advanced development, implementation and hosting methods. All too often, however, unprecedented and unfamiliar methodologies leave these same regulated companies unsure of how to audit in a way that is sufficient for purpose and compliant with regulatory expectations and their own procedures. Thus, audit practices need a facelift to keep pace with the technologies that need to be assessed.
While some regulators have a reputation for not accepting new technologies, in mid-2012, the U.S. Government Accounting Office identified a number of practices and approaches as effective for applying Agile software development methods to IT projects. Government officials who have used Agile methods positively commented on the effectiveness of these practices.1 More recently, in mid-2013, the U.S. Federal Risk and Authorization Management Program (FedRAMP) announced its approval of a cloud technology provider for use in government business, under an assessment sponsored by the U.S. Department of Health and Human Services (HHS).2 Although these notices are specific to the U.S. and do not explicitly reference the FDA, it is not a great leap to envision other government entities within the U.S., as well as other healthcare regulators worldwide, recognizing the value and necessity of considering new technologies as they look to improve their own operations.
Supplier audits are generally focused on compliance with regulatory requirements by assessing the adequacy of the overall quality system, validation, training, security and privacy, and product and service quality. The following section examines a sampling of challenges associated with these practices and the overall auditing process:
Additionally, when SaaS providers offer single-instance multi-tenant (SIMT) solutions, all users are upgraded to a new version of the software at the same time. As with Agile, this change also presents challenges for auditors who are familiar with reviewing validation documentation for a specific version of the software. Instead, the SaaS provider should be prepared to demonstrate (and auditors prepared to assess) a strong change control process as a means of ensuring that the version of the software being deployed is well managed and that any and all versions of software used at any particular time are clearly identifiable.
Many regulated companies and suppliers are now supplementing traditional on-site audits with alternative auditing approaches, thereby decreasing the frequency of on-site audits and increasing knowledge transfer between organizations to improve audit quality. Several approaches are being adopted, including conducting supplemental audits remotely with (or instead of) periodic on-site audits, thereby reducing the high cost of face-to-face interactions. The following section examines a sampling of audit alternatives:
To explore newer, more productive ways of complying with regulatory expectations regarding supplier assessments, regulated companies and suppliers need to work together. This will allow each organization to do what it does best to achieve its business and regulatory goals. These same suppliers and regulated companies can also provide examples of more constructive supplier audits that might well identify problems or potential gaps, but simultaneously present joint opportunities for improvement.
Frances E. Nolan, Vice President, Quality & Regulatory Affairs, Medidata Solutions