If activities of the pharmaceutical entrepreneur are outsourced to third parties the contractors are to be qualified. This applies to the outsourcing of the manufacture of active pharmaceutical ingredients, finished medicinal products and medical devices – as has been common practice for decades – as well as to the outsourcing of services in the area of IT, including cloud service providers. In the first place a cost-saving questionnaire that is sent to the service provider via email and evaluated subsequently would be useful as concerns qualification. In doing so, it is nearly impossible to assess the correctness and truthfulness of the answers given.
An increasing number of remote audits of IT service providers has been carried out for some years now. These audits are very demanding for the auditors since video technology reaches its limits when analyzing the reactions and body language of the audited party and the reading and assessing of large documents are involved and when taking a tour to the premises (e.g. the data Centre).
The best solution is the well-known audit on site where the auditor can get an objective impression of the quality and performance of the future contractual partner.
Depending on the scope of services one or two days on site can be sufficient for an audit of IaaS. In the case of SaaS applications, a very detailed control of the cloud service provider needs to be carried out since this service provider also takes over crucial parts of validation. Here, an audit duration of 5-7 auditor-days is quite common.
Depending on the services outsourced the lead auditor should call in further experts (for instance from the area of security) in order to obtain a complete impression.
For carrying out the detailed planning of the audit the service provider usually obtains a plan which clearly displays the content of the audit. This audit plan can also be integrated into a time schedule. It is recommendable, however, to leave the detailed schedule up to the company audited since the temporal availability of the staff has to be assured for the specific audit topics.
To learn more about the SaaS audit plan, please write to firstname.lastname@example.org