Software Vendor Auditing – Practical Experience, Implications, Challenges

Computerized systems are inherently linked with today's value chain of a pharmaceutical company. Moreover, there is a clear tendency to utilize commercial-off-the-shelf software packages - as opposed to homegrown solutions - in support of business operations. When it comes to a system's employment in regulated areas, accountability for a well-functioning fit-for-purpose software package stays with the business process owner. Therefore, computer systems validation comes into play to provide documented evidence for intended use. In order to focus a pharmaceutical company's efforts in the provided context, quality controls of the software vendor shall be utilized. This approach is commonly known, described in renowned frameworks, and applied in the industry. Consequently - and in combination with the aforementioned accountability - (documented) assessment of the supplier comes into play. As a matter of fact, on-site audits of software package manufacturers are quite often conducted.

Innovation is a hallmark of the software industry. Thus, an auditor must expect a high degree of industrial automation when visiting a software vendor's premises. As a consequence, evidence of conducted activities will very likely only be traceable in electronic form. Also, efficacy of controls must be assessed based on the IT-tool landscape used by the auditee. Within this context, typical questions will come up, for example in the area of automated testing, code commenting guidelines and reviews, or qualification of utilized (open source) tools. Therefore, one can expect a slightly different spin on the audit's nature, which has an impact on the audit agenda.

This presentation shall share practical insights gained during a series of software vendor audits ranging from small, highly specialized providers through big, renowned players in the industry. On an abstract level, a commonly encountered, simplified "tool landscape" will be used as a backbone to demonstrate a software vendor's typical mode of operation. Along these lines, exemplary, real-life observations will be discussed regarding their potential implications on (software) quality output. Depending on the nature of the software application - LIMS, clinical data repository, regulatory document and submission management system, change control system, manufacturing execution system, to name a few - a software vendor's controls might be of more or less importance when tied into later validation activities. Therefore, the purpose of this presentation is not to give a distinct answer on the implications of a control's nature, or the lack of it, but to create sensitivity. In addition, the presenter would like to draw attention to the fact that a software vendor's audit might require different areas to be put under scrutiny than - provokingly speaking - a mere review of the quality management system and training records.

Additional Info

  • Date(s): 09–Apr–2014
  • Event/Context: SQA 2014 30th Annual & 4th Global Quality Conference Meeting
  • Location(s): Las Vegas, NV, U.S.A.