Audit of IT Systems: SARQA / DKG Scandinavian Conference, October 2002, Copenhagen



1
Audit of IT Systems
SARQA / DKG Scandinavian Conference, October 2002, Copenhagen
  • Sue Gregory

2
Purpose of IT System Audit
  • To assure that established standards are met for
    all phases of the validation, operation and
    maintenance of computerised systems.
  • To monitor the GxP compliance of computerised
    systems.

3
Types of IT System Audit
  • "Spot Check": not an audit in its own right, but
    conducted as part of a facilities-type audit
  • Vertical (specific): looks at defined elements
    in great depth
  • Horizontal (general): looks at the entire system
    but in less depth
  • Or maybe a combination: review of the entire
    system in general and then specific elements in
    depth

4
IT System Audit - Auditor Requirements
  • Auditing skills
  • Knowledge of applicable regulations and
    regulatory expectations
  • Knowledge of computer system validation process
  • Knowledge of software development life cycle
    (SDLC)
  • Technical IT skills / knowledge

5
Some applicable regulations and references
  • GLP Consensus document, The application of the
    principles of GLP to computerised systems,
    environment monograph 116, OECD 1995
  • Rules governing medicinal products in the
    European Community, Volume 4 Annex 11,
    computerised systems, Eudralex.
  • 21 CFR Part 11, Electronic Records; Electronic
    Signatures, Final Rule, FDA 1997
  • Guidance for Industry, Computerized Systems used
    in Clinical Trials, FDA 1999.

6
Some applicable regulations and references
  • PDA Journal of Pharmaceutical Science and
    Technology, Technical Report No 31: Validation
    and Qualification of Computerized Laboratory Data
    Acquisition Systems, 1999 supplement, Volume 53,
    Number 4
  • GAMP guide for validation of automated systems in
    Pharmaceutical Manufacture, version 4, GAMP
    forum, 2001
  • International Standard, ISO/IEC 12207:
    Information Technology - Software life cycle
    processes, 1995 and amendment 1, 2002
  • Guidance for industry, General principles of
    software validation; final guidance for Industry
    and FDA staff, FDA, 2002

7
Some applicable regulations and references
  • And of course:
  • Any relevant internal policies, guidelines and
    procedures
  • Bear in mind that the area is evolving and new
    interpretations are frequent. Monitor the
    literature and relevant websites for current
    developments, e.g.
  • FDA warning letters, GMP trends etc.
  • www.crsc.nist.gov/publications/nistpubs/index.html
  • www.pda.org/techdocs/index.html
  • www.groups.yahoo.com/group/21cfrpart11/messages

8
IT System Audit
Required skill by audit type (skill columns, in order: Auditing, Validation, SDLC, Technical)
  • Spot check: ? ?
  • Vertical: ? ? ? ?
  • Horizontal: ? ? ? ?

9
Skills vs System compliance level

10
Technical Skills vs System Compliance Level

11
Software Development considerations
  • Same standards apply to purchased software and
    software developed in-house
  • Documented SDLC followed
  • Documented specification of requirements for the
    system fully traceable
  • Documented specifications of functionality and
    design fully traceable
  • Documented standards for coding followed
  • Documented testing by supplier: unit, integration
    and system level

12
Approach to IT system "Spot Check"
  • Determine implementation date
  • Ascertain whether there is a validation report,
    check date, authorisation and conclusion
  • Ascertain whether there is a log of changes since
    the implementation date
  • Obtain a list of SOPs related to the system,
    ascertain that these are authorised and cover
    use, maintenance, etc.

13
Horizontal IT audit - basics
  • User / System Requirements Specification
  • "It is not possible to validate software without
    predetermined and documented software
    requirements" (FDA, principles of software
    validation, 2002)
  • Authorised (internally) and chronologically
    correct
  • Precise requirements covering all functions the
    system will perform
  • Uniquely identified
  • Verifiable

14
Horizontal IT audit - basics
  • Traceability
  • Check that each requirement is traceable through
    the subsequent specifications and tests
  • Is there evidence that each requirement has been
    addressed?

15
Horizontal IT audit - basics
  • Validation Plan
  • "The validation must be conducted in accordance
    with a documented protocol" (FDA, principles of
    software validation, 2002)
  • Authorised and chronologically correct
  • Describes who does what and when
  • Describes or references how

16
Horizontal IT audit - basics
  • User Testing
  • Test Plan
  • Test acceptance criteria
  • Test records
  • Final test report
  • Ensure the system can properly perform its
    intended functions
  • Ensure the users can understand and use the system

17
Horizontal IT audit - basics
  • Validation Report
  • Authorised and chronologically correct
  • Summarises the validation exercise
  • Describes deviations and errors encountered
  • Includes clear statement of success or otherwise
    of validation

18
Horizontal IT audit - basics
  • Authorised operating procedures covering
  • Maintenance and repair
  • Disaster recovery
  • Security
  • Back-up and restore
  • Administration
  • Periodic review
  • Data collection and handling
  • Change and configuration management
  • Evidence of their implementation

19
Horizontal IT audit - basics
  • Training
  • Staff involved in the validation
  • Staff involved in routine use of the system
  • Staff involved in development and maintenance of
    the system

20
Additional considerations
  • Vendor Audit
  • Installation
  • Development Processes
  • Internal IT department

21
Additional considerations
  • Vendor Audit (software development)
  • ISO Quality Systems
  • SDLC

22
Additional considerations
  • Development Processes
  • Coding: written standards, followed
  • Code review: pre-planned, documented
  • Unit tests: owned by developers, documented
  • Configuration management
  • Testing
  • Test Strategy
  • Test Plan, scripts, cases
  • Error reporting
  • Release procedure
  • User documentation (help files, user manual etc)

23
Additional considerations
  • Installation
  • IT department SOP
  • Protocol, pre-approved and followed
  • Records
  • Report

24
Additional considerations
  • Internal IT Department processes
  • Installation
  • Change Control
  • Security
  • Training
  • Document control
  • etc.

25
Practice makes perfect...
  • Start small
  • Define the audit's scope
  • Allow plenty of time
  • Start with the general requirements
  • Focus on the words "audit" and "system"

26
  • ...start practising!