A Better Approach to Vendor Audits

Dec. 29, 2004
The pharmaceutical industry should move to standardize system integrator audits, handled by an objective third party.
By James Cummings, president, Total Systems Design, Inc.A number of industrial sectors have solved the problem of auditing and qualifying vendors by moving to a third-party system. The automotive industry is a prime example with its QS 9000 program. Other industries, notably the medical devices field, have adapted variations on ISO 9000.As most of you know, the costs and complexity of vendor auditing in the pharmaceutical industry run high, sacrificing time and efficiency. There is an urgent need to reduce the burden and bureaucracy of vendor qualification, and the life sciences industry is finally beginning to address it. An entire session at the recent ISPE annual meeting in San Antonio was devoted to the issue of vendor certification -- for PAT and other products and services. Officials from ISPE and FDA shared their visions, and heard vendor concerns.One suggestion was for third-party auditing for vendors, such as system integrators like myself. It’s an idea whose time has come.The way it isPharmaceutical companies regularly audit product and service vendors as part of their quality assurance programs. Each client develops a checklist of items to be reviewed, then sends an individual or team to the vendor site to examine such things as quality management, documentation, requirements and specifications, programming, testing, installation, change control, support and maintenance, security and electronic records compliance.For vendors, the audits are both good news and bad -- good because they signal new business, bad because they can be extremely time-consuming, particularly for vendors who work with a number of different companies, each of which performs its own audits. System integrators typically spend one to two days preparing for each audit, two to four days dealing with an auditor, and one to two days responding to the audit report -- and they may have to do this several times a year for different clients. Last year, my firm spent 55 hours with one client, and 126 hours with another, on the entire audit process.There are other issues to deal with. All clients, no matter how similar to each other, have their own audit checklist and interpretations -- sometimes a system integrator must perform “triage” deciding which clients to respond to first. Complicating the matter is the fact that client sites can drive audits, so a single vendor may be involved with multiple audits from the same client.Some clients do not have in-house auditing capabilities, choosing instead to contract with a third-party validation company. In this case, there is no guarantee the auditor will understand the system integrator’s role, deliverables and responsibilities. For example, auditors frequently ask us questions more appropriate for a software vendor such as Wonderware than those about turnkey automation systems. For the system integrator, the current approach usually only guarantees that he or she has prepared for and passed an audit. It in no way ensures that quality is built in to our culture.Client firms are vulnerable as well. A system integrator may work for the same client for 10 years without undergoing a re-audit, though his skills, resources or focus may have changed. Turnkey system providers may subcontract services to a system integrator who may never have been audited.What could beClearly, there must be a better way. The suggestion from that San Antonio ISPE meeting of third-party auditing for vendors was on the mark. With a third party involved, audit reports could be shared, eliminating the need for multiple audits, and would provide common benchmarks as well. For equipment vendors, ISO certification with some industry-specific tweaking might be a possibility. For control and information system integrators, a similar program already exists.In 1997, the Control and Information System Integrators Association (CSIA) introduced best practices and benchmarks in seven critical business areas: general management, human resources, project management, quality management, financial management, business development and technical management. In 2001, CSIA established the Registered Member program, whereby an SI becomes a member upon successful completion of an audit, based on the best practices and benchmarks, by a third party. The program gives client companies a means of identifying SIs with confirmed areas of expertise, while giving system integrators a means to evaluate and continuously improve their skills and performance.The CSIA Registered Member program could be of great value to clients in the life sciences industries, given some modifications. Under the current program, the audit report is known only to the system integrator and the auditing company; CSIA is given pass/fail information and recommendations for membership. In a life sciences program, audit reports could be made available to clients. Other changes may also be warranted: a two-year re-audit cycle versus the current three-year, and more emphasis on an integrator’s technical proficiency in areas like software development standards, version control and testing. These are details to be worked out, but the long-term benefits to the industry could be great.If the life sciences industry is serious about quality, standardization and efficient processes, a third-party auditing program of system integrators must be considered. It would make all our lives simpler and more productive.About the AuthorJames Cummings is president of Total Systems Design, Inc., West Chester, Pa.