This presentation explains how to prepare for an IT audit. It reviews the life cycle of an audit: the initial request for information, introductory meeting, information gathering and analysis, audit close-out to reporting and follow-up.

1. Prepare to be Audited
(The auditor is coming!
The auditor is coming!)
IT Best Practices
Bob Sturm
Director, IT Validation

2. Life Cycle of an Audit
What Responsibility
Request for information IT Quality
Introductory meeting IT Quality & Mngrs.
Information gathering & IT Quality and
analysis Auditee(s)
Audit Close-out IT Quality & Mngrs.
Reporting & follow-up IT Quality

3. Prepare for the Audit
• HOW?
– Attend this training.
– Read and understand the sample
questions in the handout.
• WHY?
– You may be asked these questions.

4. Three Basic Concepts
• Follow the IT Policy Manual
• Adhering to our ITMS principles means we
are Audit Ready!
• Understand the scope and objectives of
the audit as explained by IT Quality

5. Preparing – IT Quality’s
Responsibilities
• Email people an auditor(s) is coming
• Appoint an escort to be the host for the
auditor(s)
• Ensure work space & appropriate
badge access
• Arrange for a conference room where
auditor(s) can meet

6. Preparing – IT Quality’s
Responsibilities (More)
• Ensure a guest wireless network is
available. Contact IT security if more
bandwidth is needed.
• Confirm that management is available for
the opening and closing meeting
• Confirm that personnel who have key roles
in areas under review are available

7. Assign Tasks for Audit
• IT Quality and Managers meet to assign
tasks needed for the audit

8. What’s Expected of You
• KEY - Know our ITMS practices inside and
out!
• Know what is expected per your job
description
• Understand applicable SOPs, WIs and
other procedures for your job
• If unsure about anything, ask your
manager or IT Quality

9. Conduct and Etiquette
NO  YES 
• Be professional, respectful and truthful with
the auditor
• Have a positive attitude
• If you anticipate a finding, contact IT Quality
• Don’t take anything the auditor says
personally
• Defend our systems and processes but don’t
be overly defensive or argue with the auditor

10. Conduct and Etiquette - More
• Keep the atmosphere and the
conversation friendly but professional
• Do not try to influence an auditor’s
judgment
• Recognize when you are right and when
you are wrong
• Do not become emotionally involved in
the review

11. Conduct and Etiquette – Even More
• Be wary of an auditor who veers off topic
and requests information not associated
with the scope and objectives of audit
– Defer these requests to IT Quality or your
manager
• If the auditor requests information deemed
proprietary, sensitive or highly confidential,
refer the auditor to IT Quality or your
manager

12. Responding to Questions
• IMPORTANT! – Answer only the questions
posed by the auditor. Do NOT volunteer
extra information or expand unnecessarily
on any answer.
• Answer all questions truthfully. Do NOT
stretch the truth or be misleading.
• Provide adequate and accurate answers.
– Just the facts, not opinions!

13. Responding to Questions
- More
• Before answering a question, be sure to
understand the question.
• If unsure about the question, ask for
clarification or paraphrase the question.
• Do NOT guess at the question!
• If unsure of an answer, inform the auditor you
are not sure. Let auditor know you will get an
answer or bring in a person who knows the
answer.
• Follow up and set a date!

14. Sample Questions
• Is there a documented and approved disaster
recovery plan on file? Has it been tested to
ensure reliability?
• How are assets, including data safeguarded?
• Has the computer system been developed in
a manner consistent with applicable
regulatory guidances and industry standards?
• Do personnel have requisite training,
education and experience to perform their job
function and is the training documented?

15. Sample Questions - More
• What methods are established for traceability
of documentation, including changes?
• What procedures exist to assure that
standards are followed?
• Is approval authority for deliverable
documentation clearly established?
• What procedures exist to assure the prompt
detection and correction of deficiencies?
• Are acceptance tests monitored by QA?

16. Requests for Documents
• All document requests are handled by IT
Quality or Managers
• Route all documents through IT Quality or
Managers
• Put documents onto a SharePoint site set
up for the audit by IT Quality

17. Audit Closeout – IT Quality and
Managers
• Purpose is for the auditor to summarize
events of the audit and present preliminary
observations of non-conformance.
• Auditors present the facts of their findings.
• Our company ensures the root cause of the
issue is determined
• Our company discusses the level of risk
associated with the finding

18. Audit Closeout – IT Quality and
Managers (More)
• Discuss potential solutions to the findings
• Our company ensures the auditor is not
overly prescriptive in their
recommendations.
• Provides an opportunity to discuss any
misunderstandings that may have arisen
• IT Quality will ask about expected delivery
of the formal report

19. Reference Material to READ
• Preparation for the Audit – IT Best
practices, www.pharmait.co.uk,
– Read pp 31-35.
• Software Quality Assurance Audits
Guidebook, NASA, November 1990
– Read Appendix B pp 17-21 (Sample Questions).