Cloud Computing: Audit / Remote audit of a Cloud Service Provider

The trend in the pharmaceutical industry is also moving towards cloud computing. Financial but also organizational advantages speak for the cloud. At the same time, however, potential dangers and regulatory restrictions should also be taken into account. Nine experts from the pharmaceutical industry and regulatory authorities answer a comprehensive catalog of questions from the following GxP-relevant topics:

  • Basics of Cloud Computing Technology
  • Regulations and Expectations of Inspectors
  • Customer-Supplier-Relationship
  • Requirements for Cloud Service Providers (CSP)
  • Requirements for Supplier Evaluation and Supplier Audits
  • Requirements for Qualification / Validation

The following question is one of a series of questions that we will publish in further GMP News articles on this site in the coming weeks.

Question 11: How many days must be planned for the audit of a CSP? Is it also possible to carry out a remote audit? Topic: Requirements for Supplier Evaluation and Supplier Audits

If activities of the pharmaceutical entrepreneur are outsourced to third parties the contractors are to be qualified. This applies to the outsourcing of the manufacture of active pharmaceutical ingredients, finished medicinal products and medical devices - as has been common practice for decades - as well as to the outsourcing of services in the area of IT, including cloud service providers. In the first place a cost-saving questionnaire that is sent to the service provider via email and evaluated subsequently would be useful as concerns qualification. In doing so, it is nearly impossible to assess the correctness and truthfulness of the answers given.

An increasing number of remote audits of IT service providers has been carried out for some years now. These audits are very demanding for the auditors since video technology reaches its limits when analysing the reactions and body language of the audited party and the reading and assessing of large documents are involved and when taking a tour to the premises (e.g. the data centre).

The best solution is the well-known audit on site where the auditor can get an objective impression of the quality and performance of the future contractual partner.

Depending on the scope of services one or two days on site can be sufficient for an audit of IaaS. In the case of SaaS applications, a very detailed control of the cloud service provider needs to be carried out since this service provider also takes over crucial parts of validation. Here, an audit duration of 5-7 auditor-days is quite common.

Depending on the services outsourced the lead auditor should call in further experts (for instance from the area of security) in order to obtain a complete impression.

For carrying out the detailed planning of the audit the service provider usually obtains a plan which clearly displays the content of the audit. This audit plan can also be integrated into a time schedule. It is recommendable, however, to leave the detailed schedule up to the company audited since the temporal availability of the staff has to be assured for the specific audit topics.

The following is an extract from a SaaS audit plan. On this plan the service provider can see the potential topics so that he can make the corresponding staff and management available for the interviews.

Find more Q&As on the topic "Cloud Computing" which have been answered by the expert team.

The Experts

Frank Behnisch, CSL Behring GmbH, Marburg
Klaus Feuerhelm, Formerly Local GMP Inspectorate / Regierungspräsidium Tübingen
Oliver Herrmann; Q-FINITY Quality Management, Dillingen
Eberhard Kwiatkowski, PharmAdvantageIT GmbH, Neuschoo
Stefan Münch, Körber Pharma Consulting, Karlsruhe
Yves Samson, Kereon AG, Basel
Dr. Wolfgang Schumacher, Formerly F. Hoffmann-La Roche AG, Basel
Dr. Arno Terhechte, Local GMP Inspecorate / Bezirksregierung Münster
Sieghard Wagner, Chemgineering Germany GmbH, Stuttgart

Go back

x