Audits for computerized systems

Given the criticality and importance of computerized systems in the life sciences sector, control measures must be put in place. Audits, whether internal or external, are essential tools to ensure the quality, security, and integrity of computerized systems. They allow verification of compliance with regulatory and normative requirements, client and user requirements, and help identify gaps to enable proactive risk management. Different types of audits can be carried out depending on the objectives to be achieved.

Assessments and compliance

Would you like to verify that one or more of your computerized systems currently in use meet today’s regulatory requirements and your organization’s operational needs?

A structured assessment based on several key points should be performed:

  • Quality management system compliance: Verification of policies, validation plans, training, and procedures in place.
  • Risk management: Identification of critical areas and associated risks related to the use of the system.
  • Security controls: Evaluation of data protection and access measures.
  • Validation: Confirmation that the system has been validated for its intended use, including measures related to data integrity.

 

The objective is to ensure that a computerized system is used and operates in a reliable, secure, and compliant manner in accordance with validated specifications and defined procedures. Where deviations are identified, a remediation plan is established.

Service provider audits

With the increasing outsourcing of IT services, auditing service providers has become essential to ensure that partners comply with regulatory and contractual requirements.

Cloud Computing service provider audits – IaaS, PaaS, SaaS

The three main “as a Service” cloud models differ in terms of the degree of management handled by the service provider.

  • IaaS (Infrastructure as a Service): Only the management of the network, servers, virtualization, and storage is outsourced.
    → In this context, the audit will verify the proposed infrastructure, redundancy and availability of servers and networks, physical and logical security measures, and business continuity with backup measures.
  • PaaS (Platform as a Service): The provider not only delivers the infrastructure but also all management, operations, and development software, while the client remains responsible for managing business applications and data.
    → Here, the audit verifies that the provided tools and services comply with security standards and regulations, that the provider ensures continuous monitoring and support, and that regular updates and maintenance are carried out.
  • SaaS (Software as a Service): The highest form of outsourcing, where the entire business application is managed by the provider via a web browser.
    → In this case, the audit focuses on the application’s compliance with current GxP requirements; system and data access management; availability and continuity, including service contract review (SLA and exit conditions); and checks on the provider’s use of subcontractors.

Cloud service provider audits thus enable the selection or confirmation of the most suitable providers for the client organization’s needs, ensuring protection of critical data, system availability, and compliance.

Integrator / Application provider audits

Business applications requiring client-specific configurations are often offered by providers with defined installation and configuration services. In some cases, an integrator different from the original system developer may be chosen. Auditing the provider or integrator aims to assess their ability to meet contractual, regulatory, and operational requirements.

Key audit points include:

1. Evaluation of the developer’s and integrator’s technical capabilities

The auditor checks planned and completed training, certifications, and recorded experience within the team’s competency plan, as well as the methods and tools used for system development, integration, and qualification.

2. Compliance with regulatory requirements

Traceability of implementation processes and associated deliverables is verified, as well as provided documentation and risk management.

3. Project management process

Particular attention is paid to change management, system evolutions, and corrections during the project, and to communication with the client, especially regarding transparency on issues encountered and proposed solutions.

4. Developer and integrator quality control

Documentation of all tests performed prior to system delivery, integration of verification and validation processes for release, management of nonconformities, corrective actions, and evolutions are examined to ensure the quality of the delivered system.

Contact the Efor Audit Center

Our audits are conducted in line with defined steps based on ISO 19011 recommendations and by certified auditors.

Do you want to strengthen the compliance and security of your computerized systems?
The Efor Audit Center offers tailored audit services to meet the specific needs of life sciences companies. Our team of experts supports you in evaluating your systems, selecting and qualifying suppliers, and ensuring compliance with GxP requirements.

Are you looking for support for specific one-off audits, or would you like to benefit from a service center approach with complete audit activity management?
The Efor Audit Center offers different modes of engagement to help you optimize the time and resources dedicated to your evaluations and audits.

Contact us today to discuss your needs and schedule a customized audit.
