Prepare for an IT Audit

Posted on 05-Dec-2014

Category:

Technology

DESCRIPTION

This presentation explains how to prepare for an IT audit. It walks through the life cycle of an audit: the initial request for information, the introductory meeting, information gathering and analysis, the audit close-out, and reporting and follow-up. It also covers conduct during the audit, how to answer an auditor's questions, how document requests are routed, and a set of sample audit questions.

TRANSCRIPT

Prepare to be Audited

(The auditor is coming! The auditor is coming!)

IT Best Practices

Bob Sturm Director, IT Validation

Life Cycle of an Audit

What                                Responsibility
Request for information             IT Quality
Introductory meeting                IT Quality & Managers
Information gathering & analysis    IT Quality and Auditee(s)
Audit close-out                     IT Quality & Managers
Reporting & follow-up               IT Quality

Prepare for the Audit

• HOW?
  – Attend this training.
  – Read and understand the sample questions in the handout.

• WHY?
  – You may be asked these questions.

Three Basic Concepts

• Follow the IT Policy Manual

• Adhering to our ITMS principles means we are Audit Ready!

• Understand the scope and objectives of the audit as explained by IT Quality

Preparing – IT Quality’s Responsibilities

• Email people that an auditor (or auditors) is coming

• Appoint an escort to be the host for the auditor(s)

• Ensure work space and appropriate badge access

• Arrange for a conference room where the auditor(s) can meet

Preparing – IT Quality’s Responsibilities (More)

• Ensure a guest wireless network (separate from the corporate network) is available for the auditor(s). Contact IT Security if more bandwidth is needed.

• Confirm that management is available for the opening and closing meeting

• Confirm that personnel who have key roles in areas under review are available

Assign Tasks for Audit

• IT Quality and Managers meet to assign tasks needed for the audit

What’s Expected of You

• KEY - Know our ITMS practices inside and out!

• Know what is expected per your job description

• Understand the applicable SOPs (standard operating procedures), WIs (work instructions) and other procedures for your job

• If unsure about anything, ask your manager or IT Quality

Conduct and Etiquette

• Be professional, respectful and truthful with the auditor

• Have a positive attitude

• If you anticipate a finding, contact IT Quality

• Don’t take anything the auditor says personally

• Defend our systems and processes, but don’t be overly defensive or argue with the auditor


Conduct and Etiquette - More

• Keep the atmosphere and the conversation friendly but professional

• Do not try to influence an auditor’s judgment

• Recognize when you are right and when you are wrong

• Do not become emotionally involved in the review

Conduct and Etiquette – Even More

• Be wary of an auditor who veers off topic and requests information not associated with the scope and objectives of the audit
  – Defer these requests to IT Quality or your manager

• If the auditor requests information deemed proprietary, sensitive or highly confidential, refer the auditor to IT Quality or your manager

Responding to Questions

• IMPORTANT! – Answer only the questions posed by the auditor. Do NOT volunteer extra information or expand unnecessarily on any answer.

• Answer all questions truthfully. Do NOT stretch the truth or be misleading.

• Provide adequate and accurate answers. – Just the facts, not opinions!

Responding to Questions - More

• Before answering a question, be sure to understand the question.

• If unsure about the question, ask for clarification or paraphrase the question.

• Do NOT guess at the question!

• If unsure of an answer, tell the auditor you are not sure. Let the auditor know you will get an answer or bring in a person who knows the answer.

• Follow up and set a date!

Sample Questions

• Is there a documented and approved disaster recovery plan on file? Has it been tested to ensure reliability?

• How are assets, including data, safeguarded?

• Has the computer system been developed in a manner consistent with applicable regulatory guidances and industry standards?

• Do personnel have requisite training, education and experience to perform their job function and is the training documented?

Sample Questions - More

• What methods are established for traceability of documentation, including changes?

• What procedures exist to assure that standards are followed?

• Is approval authority for deliverable documentation clearly established?

• What procedures exist to assure the prompt detection and correction of deficiencies?

• Are acceptance tests monitored by QA?

Requests for Documents

• All document requests are handled by IT Quality or Managers

• Route all documents through IT Quality or Managers

• Put documents onto a SharePoint site set up for the audit by IT Quality

Audit Closeout – IT Quality and Managers

• Purpose is for the auditor to summarize events of the audit and present preliminary observations of non-conformance.

• Auditors present the facts of their findings.

• Our company ensures the root cause of the issue is determined

• Our company discusses the level of risk associated with the finding

Audit Closeout – IT Quality and Managers (More)

• Discuss potential solutions to the findings

• Our company ensures the auditor is not overly prescriptive in their recommendations.

• Provides an opportunity to discuss any misunderstandings that may have arisen

• IT Quality will ask about expected delivery of the formal report

Reference Material to READ

• Preparation for the Audit – IT Best Practices, www.pharmait.co.uk – Read pp. 31-35.

• Software Quality Assurance Audits Guidebook, NASA, November 1990 – Read Appendix B, pp. 17-21 (Sample Questions).
