Adapting to the new normal: third-party audits

Many organisations have switched to remote audits during their vendor selection and due-diligence auditing phase. For some organisations, especially those within the life sciences industry, this is their first time remote auditing; and the auditors themselves have had to adjust to the challenge of auditing using web conferencing tools. However, with the expense of sending an auditor around the world, many companies will continue to use remote auditing after we finally beat Covid-19.

As an IRCA lead auditor, I know one of the benefits of being onsite is the peripheral information you can glean from being able to read body language, the time it takes to find evidence can tell a story in itself or overhearing hushed conversations at the watercooler.  

Avoiding onsite audits

At the Medicines and Healthcare products Regulatory Agency’s ‘Good Manufacturing Practice Symposium’ in December 2020, the regulatory auditors acknowledged the challenges they had faced making the transition to remote auditing. The agency’s guidance on remote inspections was that a GxP organisation can carry these out where an onsite inspection is not possible; and these should be followed up with onsite inspections where possible. However, we aren’t at a point where we can return to on-site audits.

There is a need for companies to reduce their risk and obtain better insights into the quality, compliance and information security practices of vendors. This can be achieved using reports such as the SOC® Service Organizations: Trust Services Criteria Report, which includes full coverage and details against 200 clauses. It details any exceptions noted and could be used to contribute to creating a much clearer risk profile of the vendor. I would suggest this is preferable to an ISO certificate, because the SOC report often provides sufficient insight that it may be considered justification to not need to carry out supplementary on-site audits.

Due diligence checks

A potential mitigation to the challenge of being able to physically audit is to be able to demonstrate that sufficient checks for due diligence have been adequately carried out. This can be done during remote audit, in combination with detailed reviews of the supplier’s compliance documentation, such as ISO certification. However, there are limitations to what can be seen in a remote audit and the consensus is that face-to-face still allows for a better level of insight and reviewing an ISO certificate alone is not sufficient.

When assessing a vendor, particularly remotely, the evidence we review is critical. While certifications such as ISO 9001 (requirements for a Quality Management System) and ISO 27001 (requirements for an Information Security Management System) do provide assurance, there is a limit to information transparency. An organisation may have had several minor findings but could still achieve certification. However, these could exceed the assessing parties’ acceptable risk profile and there is no way of identifying this using the certification itself. This could mean that certifications such as ISO 9001 alone could leave a pharmaceutical organisation feeling unsure they could demonstrate to regulators that any risk has been sufficiently mitigated.

The SOC audit

I believe that something more is needed. A potential solution could be to use something that details thoroughly the way a provider is set up, the controls they have in place and any deviations or exceptions. The SOC audit inspects almost 200 aspects of organisational control and best practice. Its focus on information security, data integrity and availability provides enough insight into the management system to meet the expectations of ISO 9001 and 27001.

My belief in why this report provides more risk mitigation during supplier assessment comes from the style in which the audit is carried out. For an organisation to show they are compliant with SOC, they must not only show they have the relevant controls in place, but also that the controls have been operating effectively over a six to 12-month period. This prolonged and multipoint audit is something that would not be possible if a customer came for an onsite audit of one to two days once every few years. The ability to see what the auditor examined step-by-step and the details of all observations adds a layer of transparency not seen elsewhere. This deeper insight into how an organisation operates will be desirable even once we return to a more normal way of operating. 

Unlike the ISO certifications that have very limited information, the SOC report contains details in a structured and easily auditable format. The independent auditor’s report includes a statement from the organisation’s leadership. The “Service Description” lays out exactly how the provider is structured and controlled. More importantly, the report includes any observations or exceptions seen by the auditor and these are truly transparent.

There is a suggestion from some regulatory bodies that they are unsure of the effectiveness of the SOC audit as the company pays for the service, but the same argument could be made for any certification or audit. ISO auditors charge for their service too. Many auditors will charge a large percentage before an engagement begins. This approach is used to prevent any perception that they are being paid for a good audit or clean report. In some ways, it could be perceived as more independent than a customer carrying out the assessment themselves. A customer carrying out a supplier audit might have already decided their preferred supplier and have some inherent unconscious bias that could lead to assumptions being made or risks downplayed. Therefore, it’s arguable that the SOC audit and report with the controls in place provide a truly independent, although sponsored, insight into a company.

When we cannot carry out on-site audits, we have a reduced ability to accurately define the risk profile of an organisation. Utilising the detailed examination of the SOC – Service Organizations: Trust Services Criteria audit report would give a high degree of visibility of these organisations. SOC would give a comparable level of assurance to a standard management system audit. Some might even argue that it gives a better assessment than an on-site audit due to the expanse of records and time period audited.

For more information on the SOC report, click here.