External Hosting Providers: Sample Audit Agenda
Life sciences companies (biotech, med device, diagnostic, digital health) are routinely outsourcing their IT systems and processes. As part of standard due diligence during provider and system selection, life sciences companies should be performing vendor audits on hosting providers, especially when there is compliance, regulatory, and/or patient safety risk.
I am presenting on this topic in San Francisco at the KENX Network Infrastructure and Cloud Qualification conference in June 2019. The lucky attendees get to hear all about my external hosting provider audit process (and the one for SaaS vendors) which includes planning the audit, conducting the audit, reporting on findings, and mitigating risks around the findings.
Rather than kill some more trees (as we do in computer validation work), I decided to provide the agenda here for you and the lucky attendees.
My client engagements are all different for this type of work due to my client’s risk assessment of the system being audited, budget and resource allocation, and the external hosting providers themselves.
The following sample agenda assumes a one-day audit. My clients (and the vendor) typically aren’t interested in anything longer than a day. And I usually audit alone. If a QA person were with me, we’d be able to review twice as much, but usually it’s just me. Note: if the vendor provides additional services beyond hosting (like software development or system integration), the audit agenda should be expanded to cover them.
Preparing For the Audit
In order to be as efficient and complete as possible during the audit, I do a fair bit of planning and preparation including:
· Send the external hosting provider an audit questionnaire to get a sense of the organization, its locations, and their general practices. This helps to determine where to conduct the audit, how long to plan for and what areas to focus on.
· Request SOC (service organization control) reports for the external hosting provider and any vendors supporting their services. While these were originally intended for financial control purposes, they contain valuable information about how the vendor (and its subcontractors) operate and, in some cases, can provide insight into control issues. These also help determine what areas to focus on during the audit.
· Request and review financial statements for the prior two years to look for going-concern issues and how resources are allocated. If a company is outsourcing its critical business, regulatory, clinical, and quality systems to a third party, it’s important to make sure that third party is going to be a viable business and that it adequately funds critical business functions. An NDA is often required to review these documents. Expect resistance from privately held vendors on this one.
· Perform a social media and website review. I found out about an acquisition that hadn’t been disclosed to my client while preparing for an audit. This expanded the scope of the audit questioning.
· Review all agreements (assuming they haven’t been signed) for anything that is being promised or committed to by the vendor. I use the audit to cross-check some of the commitments made by the sales team. There’s often a disconnect.
· Request the names of the external hosting provider audit participants and their roles. Once I have the names, I look at the LinkedIn profiles to confirm their current role, review their past experience, and see if we have any shared connections. I use this information to build rapport at the beginning of the audit.
· Once we’ve agreed on the agenda, the location(s), and the participants, I provide a list of documents to have available for the audit so the vendor can be prepared. The ‘we’ here includes the vendor, me, and my client. Since the audit is part of building the vendor/customer relationship, it’s important that this is not an antagonistic process for the external hosting provider.
Once the audit is scheduled, planned, and prepared for, it’s time to conduct the audit, report on findings, and look for ways to mitigate risks associated with the findings.
Feel free to reach out if you have any questions on external hosting provider audits and the auditing process. I can be reached by email at firstname.lastname@example.org. To learn more, visit my website at Solutions2Projects, LLC.
Related Article: SaaS Vendor Audits: Sample Audit Agenda