Prepare for an I.T. Audit
DESCRIPTION
This presentation explains how to prepare for an IT audit. It reviews the life cycle of an audit, from the initial request for information, the introductory meeting, and information gathering and analysis, through audit close-out to reporting and follow-up.
TRANSCRIPT
Prepare to be Audited
(The auditor is coming!
The auditor is coming!)
IT Best Practices
Bob Sturm Director, IT Validation
Life Cycle of an Audit
What                               | Responsibility
Request for information            | IT Quality
Introductory meeting               | IT Quality & Mngrs.
Information gathering & analysis   | IT Quality and Auditee(s)
Audit Close-out                    | IT Quality & Mngrs.
Reporting & follow-up              | IT Quality
Prepare for the Audit
• HOW?
  – Attend this training.
  – Read and understand the sample questions in the handout.
• WHY?
  – You may be asked these questions.
Three Basic Concepts
• Follow the IT Policy Manual
• Adhering to our ITMS principles means we are Audit Ready!
• Understand the scope and objectives of the audit as explained by IT Quality
Preparing – IT Quality’s Responsibilities
• Email people that an auditor(s) is coming
• Appoint an escort to be the host for the auditor(s)
• Ensure work space & appropriate badge access
• Arrange for a conference room where auditor(s) can meet
Preparing – IT Quality’s Responsibilities (More)
• Ensure a guest wireless network is available. Contact IT security if more bandwidth is needed.
• Confirm that management is available for the opening and closing meeting
• Confirm that personnel who have key roles in areas under review are available
Assign Tasks for Audit
• IT Quality and Managers meet to assign tasks needed for the audit
What’s Expected of You
• KEY - Know our ITMS practices inside and out!
• Know what is expected per your job description
• Understand applicable SOPs, WIs and other procedures for your job
• If unsure about anything, ask your manager or IT Quality
Conduct and Etiquette
• Be professional, respectful and truthful with the auditor
• Have a positive attitude
• If you anticipate a finding, contact IT Quality
• Don’t take anything the auditor says personally
• Defend our systems and processes but don’t be overly defensive or argue with the auditor
Conduct and Etiquette - More
• Keep the atmosphere and the conversation friendly but professional
• Do not try to influence an auditor’s judgment
• Recognize when you are right and when you are wrong
• Do not become emotionally involved in the review
Conduct and Etiquette – Even More
• Be wary of an auditor who veers off topic and requests information not associated with the scope and objectives of the audit
  – Defer these requests to IT Quality or your manager
• If the auditor requests information deemed proprietary, sensitive or highly confidential, refer the auditor to IT Quality or your manager
Responding to Questions
• IMPORTANT!
  – Answer only the questions posed by the auditor. Do NOT volunteer extra information or expand unnecessarily on any answer.
• Answer all questions truthfully. Do NOT stretch the truth or be misleading.
• Provide adequate and accurate answers.
  – Just the facts, not opinions!
Responding to Questions - More
• Before answering a question, be sure to understand the question.
• If unsure about the question, ask for clarification or paraphrase the question.
• Do NOT guess at the question!
• If unsure of an answer, inform the auditor you are not sure. Let the auditor know you will get an answer or bring in a person who knows the answer.
• Follow up and set a date!
Sample Questions
• Is there a documented and approved disaster recovery plan on file? Has it been tested to ensure reliability?
• How are assets, including data, safeguarded?
• Has the computer system been developed in a manner consistent with applicable regulatory guidances and industry standards?
• Do personnel have the requisite training, education and experience to perform their job function, and is the training documented?
Sample Questions - More
• What methods are established for traceability of documentation, including changes?
• What procedures exist to assure that standards are followed?
• Is approval authority for deliverable documentation clearly established?
• What procedures exist to assure the prompt detection and correction of deficiencies?
• Are acceptance tests monitored by QA?
Requests for Documents
• All document requests are handled by IT Quality or Managers
• Route all documents through IT Quality or Managers
• Put documents onto a SharePoint site set up for the audit by IT Quality
Audit Closeout – IT Quality and Managers
• Purpose is for the auditor to summarize events of the audit and present preliminary observations of non-conformance.
• Auditors present the facts of their findings.
• Our company ensures the root cause of the issue is determined
• Our company discusses the level of risk associated with the finding
Audit Closeout – IT Quality and Managers (More)
• Discuss potential solutions to the findings
• Our company ensures the auditor is not overly prescriptive in their recommendations.
• Provides an opportunity to discuss any misunderstandings that may have arisen
• IT Quality will ask about expected delivery of the formal report
Reference Material to READ
• Preparation for the Audit – IT Best Practices, www.pharmait.co.uk – Read pp 31-35.
• Software Quality Assurance Audits Guidebook, NASA, November 1990 – Read Appendix B pp 17-21 (Sample Questions).