IT internal audits

From the article Internal Audits for Pharma and Biotech, the following is the IT section, where the author (MICHAEL J. GREGOR, PRESIDENT, COMPLIANCE GURUS INC.) details some of the rationale for auditing the IT department and some of the questions and/or documents that should be in place.

“The IT department is responsible for data security and data integrity. An underlying network must be qualified in order to ensure the security and integrity of the data that resides on it. In addition to the network, the applications and networked applications must be validated as well. A recent Warning Letter to Genzyme cited the following: ‘Your firm failed to maintain computerized systems in a validated state’[4]. Some key areas to focus your attention are the validation of regulated applications as well as the maintenance and qualification state of the network. Standard operating procedures an auditor should be checking are: change control for both software and hardware, configuration management for the network, computer system validation lifecycle, network qualification, backup restore, disaster recovery, and security. Some questions you should ask as an auditor are: Does your data get backed up regularly? If so, where are the backup tapes stored? Offsite? Do you exercise a Disaster Recovery Plan? Is there physical security for the Data Centers? Can I see your change log for both software and hardware? Can I see a recent example of a computer system validation of a system? These are all good questions to ask when auditing the IT area. Training records for SOPs should also be checked to ensure employees, contractors, and consultants are trained on the procedures they are carrying out. Next, we turn to Manufacturing.”
