How to Get the Best from Supplier Audits

– A Webinar for Clinical Trial Sponsors and Clinical Trial Service Providers –

Questions and Answers:

Why should Quality be responsible for qualifying GCP suppliers? How would you sell this to your organization/sponsors?

Qualification evaluation has to be a team effort between Quality and the appropriate internal Functional SMEs. Quality Assurance is the appropriate owner of this process as the most knowledgeable of Regulatory Compliance Requirements. However, the internal Functional SMEs must partner with QA to ensure the scope evaluated aligns with the future scope of work that may be outsourced to a particular vendor.

Typically, how long would you spend on preparation prior to performing a vendor audit?

A typical amount of effort to prepare for a Vendor Audit or Vendor Qualification Assessment is 8-12 hours. The total effort does vary and is somewhat dependent on the availability of, and early access to, requested key documents (e.g. QMS, SOPs, Organization Charts, Training Records, etc.).

For a vendor qualification audit, so with no actual work done, would you request access to [Vendor’s] systems?

Generally, a Vendor Qualification Assessment is focused on evaluating the Quality & Compliance Framework that has been established by a Vendor. Reviews of Quality Agreements, Quality Manuals, Policies, SOPs, Training, etc., are utilized to ensure a solid quality framework is in place to produce consistent quality products and services. While there may be a need to have direct access to a system if the primary product being purchased is system utilization, often only a demo of system capability is necessary.

Is it required to audit vendors annually? Can we define a different frequency and what aspects should we consider to define this?

Every Sponsor Quality Management System defines the requirements for Qualification and Audit as is appropriate for their business. There is no regulatory-mandated requirement for annual audits. Some Sponsors qualify once and then shift a vendor to Audit cycles based on the level of risk of a Vendor (e.g. High Risk may have annual audits, Medium Risk every 2 years, Low Risk every 3 years).

How long does it take on average to qualify a new Vendor?

This can vary based on the availability of the Vendor to host an Auditor-led Vendor Qualification Assessment (VQA). If the Vendor can quickly host these VQAs, we can complete the first draft VQA report within 45 days from request. Time to Final VQA Report depends on the time required to identify an adequate Corrective Action/Preventative Action (CAPA) plan from the Vendor, which can add 30-60 days to the process.

Any recommendations on how to handle situations where vendors don’t speak English?
How to conduct an audit when there are language barriers (procedures in another language, etc.)? Are we better off looking at other providers?
How do you handle a language barrier, where the vendor predominantly doesn’t speak or have documents in English?

This is a difficult question to answer without knowing your business needs and the cost of switching Vendors, which varies based on the length of existing contracts in place. Diligent has conducted Vendor Qualification Assessments (VQAs) with non-English-speaking Vendors. This has required identifying an Auditor that is bilingual and fluent in both English and the local language. If a qualified Auditor cannot be found, then a qualified Translator will have to be hired to support the Auditor. This bilingual approach also requires that 2 VQA Reports (one in English, one in the Local Language) be written and finalized, which increases the cost of evaluation. Industry best practice is to use Vendors that can operate in English, since both the Sponsor and Regulatory Agency Inspectors operate in English.

What key checks do you look for with cloud vendors to verify data integrity?

1) Does the cloud vendor have independent audit reports and/or certifications? The following standards may be in scope:
   a) ISO 27001 – Information Security Management
   b) ISO 27701 – Data Privacy
   c) System and Organization Controls (SOC)
      i) SOC 1 [Financial Reporting]
      ii) SOC 2 [Compliance and Operations]
      iii) SOC 3 [High-level summary of SOC 2]
   Note: these independent reports may assist in documenting the checks described below.
2) Does the cloud vendor have IT Infrastructure controls in place for the following (as applicable):
   a) Is there an uptime guarantee proposed in a service level agreement, and is there evidence of performance?
   b) Data center physical security controls to prevent unauthorized access?
   c) Power conditioning & redundancy to mitigate power failure risk?
   d) Internet connectivity & redundancy to mitigate Internet connection failure risk?
   e) Environmental monitoring and fire suppression to mitigate equipment damage?
   f) Network monitoring tools in place to monitor health and operational performance?
   g) Back-up (methods, frequency, archive, restore, tests) to protect data from damage, corruption or loss?
   h) Disaster recovery & business continuity plans in place to enable swift recovery from a disaster?
      i) Stated metrics for Recovery Time Objective (RTO) and Return Point Objective (RPO)
      ii) Technical capabilities and services are in place for high availability and the ability to meet RPO and RTO
      iii) Disaster Recovery tests are executed with some frequency to show the capability to meet RPO and RTO
   i) Support capabilities (hours of operation, response, escalation, tracking, metrics and trending)?
   j) Network logical security controls to prevent unauthorized access?
   k) Additional security controls in place (for example: firewalls, database encryption, data isolation, virus protection, intrusion detection, data transfer controls)?
   l) Application and network security penetration tests are performed with some frequency (by experts) to identify vulnerabilities?
   m) Incident management & communication procedures are in place to standardize the process and enable quick reaction?
      i) This includes what to do when there is a data privacy breach
   n) Provisioning and qualification procedures in place for network devices (e.g. servers, switches, storage, back-up)
      i) IQs for installation
      ii) Equipment maintenance records
   o) Vendor oversight in place for controls that are sub-contracted
3) Does the cloud vendor have an adequate system of procedures and training for managing the above controls?
4) Does the cloud vendor have adequate staff resources to manage the IT Infrastructure controls?
   a) How is management and quality oversight organized and staffed?
5) Does the cloud vendor have a process for managing problems and deviations?
   a) Does this include processes for communicating back to the client until a problem is resolved (based on criticality)?
6) Has the cloud vendor assessed themselves against applicable regulatory requirements (e.g. 21 CFR Part 11, Annex 11)?
   a) Are software technologies that generate regulated records compliant with these requirements, including validation?
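Items 2g and 2h above ask for backup and disaster-recovery evidence: stated RTO/RPO metrics (RPO is conventionally Recovery Point Objective) and DR tests run with some frequency. An auditor usually receives that evidence as a handful of test reports and has to decide whether they actually demonstrate the stated objectives. The script below is an added illustration written for this page, not code from the webinar or from Diligent. It assumes a constructed record layout (`DrTest` with an outage time, the timestamp of the backup that was restored, and the time service came back) and constructed sample reports; the 366-day maximum test interval is an assumed audit expectation, not a regulatory figure.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass(frozen=True)
class DrTest:
    """One documented disaster-recovery exercise.
    Hypothetical record layout for this example, not a vendor's report format."""
    name: str
    outage_declared: datetime    # time the simulated failure was declared
    last_good_backup: datetime   # timestamp of the backup that was restored
    service_restored: datetime   # time service was declared available again

    @property
    def data_loss(self) -> timedelta:
        # Everything written after the last good backup is lost: compare to RPO
        return self.outage_declared - self.last_good_backup

    @property
    def downtime(self) -> timedelta:
        # Time from outage to restored service: compare to RTO
        return self.service_restored - self.outage_declared


def evaluate_dr_evidence(tests: List[DrTest], rto: timedelta, rpo: timedelta,
                         max_test_interval: timedelta, as_of: datetime) -> List[str]:
    """Check DR test records against stated RTO/RPO and test frequency.
    Returns a list of audit findings; an empty list means the evidence
    supports the stated objectives."""
    findings: List[str] = []
    if not tests:
        return ["No DR/restore test records provided; RTO/RPO capability is unverified"]

    ordered = sorted(tests, key=lambda t: t.outage_declared)
    for t in ordered:
        # Reject records whose timestamps cannot be true before measuring anything
        if t.service_restored < t.outage_declared or t.last_good_backup > t.outage_declared:
            findings.append(f"{t.name}: inconsistent timestamps in record")
            continue
        if t.downtime > rto:
            findings.append(f"{t.name}: downtime {t.downtime} exceeds RTO {rto}")
        if t.data_loss > rpo:
            findings.append(f"{t.name}: data loss window {t.data_loss} exceeds RPO {rpo}")

    # Frequency: gaps between consecutive tests, and staleness of the latest one
    previous = None
    for t in ordered:
        if previous is not None and t.outage_declared - previous.outage_declared > max_test_interval:
            findings.append(f"Gap between {previous.name} and {t.name} exceeds {max_test_interval}")
        previous = t
    if as_of - ordered[-1].outage_declared > max_test_interval:
        findings.append(f"Most recent test ({ordered[-1].name}) is older than "
                        f"{max_test_interval} as of {as_of.date()}")
    return findings


# Constructed sample evidence (not real vendor data): one clean test, then a
# test a year later that missed both objectives.
SAMPLE_TESTS = [
    DrTest("DR-2022-Q4", datetime(2022, 11, 15, 9, 0),
           datetime(2022, 11, 15, 8, 45), datetime(2022, 11, 15, 12, 30)),
    DrTest("DR-2023-Q4", datetime(2023, 11, 20, 9, 0),
           datetime(2023, 11, 20, 6, 0), datetime(2023, 11, 20, 15, 0)),
]
STATED_RTO = timedelta(hours=4)          # assumed vendor-stated objective
STATED_RPO = timedelta(hours=1)          # assumed vendor-stated objective
MAX_TEST_INTERVAL = timedelta(days=366)  # assumed audit expectation: at least yearly


def sample_findings() -> List[str]:
    return evaluate_dr_evidence(SAMPLE_TESTS, STATED_RTO, STATED_RPO,
                                MAX_TEST_INTERVAL, as_of=datetime(2024, 6, 1))


if __name__ == "__main__":
    for finding in sample_findings():
        print("FINDING:", finding)
```

Run against the sample records, the evaluator raises three findings: the 2023 test overran the 4-hour RTO (6 hours down), exceeded the 1-hour RPO (3 hours of lost writes), and followed the previous test by more than the expected interval. A vendor whose SOC 2 report says "DR tests are performed annually" but whose records show this pattern has not demonstrated item 2h.iii, which is the distinction the checklist is asking the auditor to draw.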

What is the best way during qualification to ensure that Vendor subcontractors are qualified/have sufficient oversight? Is the sponsor required to be notified of all subcontractors?

Industry-leading practice is to ensure that a Vendor has adequate Third Party Management (Selection, Contracting, Qualification, & Oversight) processes in place with appropriate Quality Management System requirements (SOPs). Vendors should have their own “Approved Vendors List” that documents which Vendors they have qualified as subcontractors. Sponsors are ultimately accountable for the quality of work performed by Vendors and their Subcontractors.
Many Sponsors require written approval before sub-contracting in their Vendor Contracts/Master Service Agreements, and this is frequently implemented with Vendors.