22. Due Diligence Auditing of IT Services

A Certificate signed by the Lead Auditor can be used to verify that an audit did occur on a stated date for an identified auditee and the certificate is shown during audits and inspections as evidence that the audit took place. (p.270)


As the 2011 update of the EU Annex 11 so clearly states below, EMA and FDA regulated companies must have a contract for each third party supplier of computerized services and electronic data products. As per Annex 11, “third parties” now include the company’s internal IT Department. For strategic GXP systems and data services, “Due Diligence” audits are performed BEFORE contract signing to verify the competence and reliability of a supplier at the start, and then periodically for the duration of the contract to assess continued compliance with agreed terms and relevant regulations.


The application should be validated; IT infrastructure should be qualified.

1. Suppliers and Service Providers (EU GMP Annex 11, 2011)

3.1 When third parties (e.g. suppliers, service providers) are used e.g. to provide, install, configure, integrate, validate, maintain (e.g. via remote access), modify or retain a computerized system or related service or for data processing, formal agreements must exist between the manufacturer and any third parties, and these agreements should include clear statements of the responsibilities of the third party. IT-departments should be considered analogous.

3.2 The competence and reliability of a supplier are key factors when selecting a product or service provider. The need for an audit should be based on a risk assessment.

Due Diligence audits for GXP systems are best performed as a team effort. The QA member examines regulatory compliance for 21 CFR Part 11, EU GMP Annex 11, and other relevant GXP regulations and guidance. An end user member looks at the fit of the system/data service to the regulated work process being served. The IT knowledgeable person looks at how the technology and data are being controlled and maintained and whether the IT operations are of sufficient rigor to assure GXP data quality.

A supplier-completed survey form is sometimes used as an introductory exercise prior to an onsite audit. Self-reporting surveys, however, are no substitute for onsite qualification audits of suppliers. The IEEE Standard for Software Reviews and Audits (Std. 1028) is a good source for practical audit ideas.

While the 2011 EU Annex 11 requests that full audit reports be made available to Inspectors, industry practice has long been to provide an Audit Certificate and NOT to provide the full report unless there is a court order to do so.

Next Month: Audit and Validation Issues for “Cloud” Services: IaaS, PaaS, SaaS


A third emerging option is to subscribe to an internet-based cloud service which provides large scale services for computation, backup storage, and software as a service (SaaS)… PQ can still be performed by users as usual using their work process to validate the ability of the cloud-hosted software application to perform as expected. (p.160)