INTERNAL AUDIT CHECKLIST - FINAL SCORE

AUDITOR DEPARTMENT DATE

Total Points Available

Max Points for % of

Sections Available
Points Sub-Section Section Score Reviewed Section Points Points
10 1 - Company Structure NAp NAp NAp NAp
8 2 - Document and Data Control NAp NAp NAp NAp
8 3 - IT Management NAp NAp NAp NAp
10 4 -Marketing Specific #REF! #REF! #REF! #REF!
10 5 -Medical Affairs Specific #REF! #REF! #REF! #REF!
10 6 - Lab Specific NAp NAp NAp NAp
10 7 - OPEN NAp NAp NAp NAp
10 8 - OPEN NAp NAp NAp NAp
8 9 - Records #REF! #REF! #REF! #REF!
8 10 - Training NAp NAp NAp NAp
10 11 - Facilities Specific NAp NAp NAp NAp
10 12 - Customer Service Sepcific NAp NAp NAp NAp

112 Total #REF! #REF! #REF! #REF! Audit Score

Auditor's Comments
See cover letter

This document may contain confidential information and is considered proprietary information. Use of this document is covered by the corporate agreement regarding confidentiality and intellectual
property. This document is not to be shared with third parties or with employees outside of normal business conduct without prior management approval.
 INTERNAL AUDIT CHECKLIST

Explanation of Audit Value Ratings

Points
BLANK Not Applicable or Not Audited The procedure or process is not relevant to the vendor
0 No System The procedure and process is not included in the vendor's system.
The procedure or process is included in the system but planning and execution both require
1 System Deficient substantial improvement. The system is documented but not followed.
The system is in place but it is not properly documented or executed. There is a high probability that
the system will not produce consistent results. Improvements to the process documentation are
2 Improvement Needed required.
The procedure or process is included in the supplier's system. Planning and execution meet these
requirements. There is a high probability that the supplier's system will produce consistent results.
3 Acceptable The system can be manual or electronically automated.
The procedure or process is included in the system. Planning and execution are thorough and
exceed these requirements. It is certain that the system will produce exemplary results. Although not
4 Outstanding required, typically electronic data management is used.

Total Points Available by Audit Sub-System

Points Sub-Section Rating Scale: Score (% of available points)

10 1) Department Structure Excellent 90 to 100
8 2) Document and Data Control Satisfactory 70 to 89.9
8 3) Vendor Management Conditional 50 to 69.9
10 4) Marketing Specific Unsatisfactory Less than 50
10 5) OPEN
10 6) Lab Specific
10 7) OPEN
10 8) OPEN
8 9) Records
8 10) Training
10 11) Facilities Specific
10 12) Customer Service Specific
52 Total Available per Dept.

2 of 1
 INTERNAL AUDIT CHECKLIST

This document may contain confidential information and is considered proprietary information. Use of this document is covered by the corporate agreement regarding confidentiality and intellectual
property. This document is not to be shared with third parties or with employees outside of normal business conduct without prior management approval.

3 of 1
 1 - COMPANY STRUCTURE ASSUREX HEALTH VENDOR DUE DILIGENCE AUDIT

1.1 Has the Company established and maintained a heirarchy of control? Score Auditor's Comments
Organizational chart exists which reflects the current reporting structure and succession planning is documented.
Evidence exists which indicate organizational freedom to exercise authority and responsibility.
Job descriptions include responsibilities for supporting objectives.
There is a management representative with defined authority and responsibility for meeting customer compliance.
Qualified technical personnel available for design, process, product, and service support.
Manual has been developed which details the system of policies and procedures.
Procedures identify:
l Who is responsible for action
l What has to be done
l When the actions are required
Written procedures and instruction define the methods for performing work affecting quality for those:
l Managing the work
l Performing the work
l Verifying the work

1.2 Are there corporate goals for continuous quality improvement? Score Auditor's Comments

1.3 Is there a periodic review by management of the effectiveness of the quality management systems? Score Auditor's Comments
Goals are regularly reviewed by top management.
System in place to verify meeting objectives and policy.
Achievement of objectives a high priority in overall performance reviews.
1.4 Are internal audits performed and corrective actions implemented? Score Auditor's Comments
Internal audits are performed with defined reports/distribution.
External audits are performed regularly with deficiencies addressed in a timely manner
Internal audits are conducted semi-annually or scheduled on the basis of status and importance of activity.
Internal audit evaluates effectiveness of activity as well as conformance to procedures.
Management reviews are conducted on results of audits.
Corrective actions are timely, recorded, and evaluated for effectiveness.

Company STRUCTURE SUBSYSTEM SCORE NAp

This document may contain confidential information and is considered proprietary information. Use of this document is covered by the corporate agreement regarding confidentiality and intellectual
property. This document is not to be shared with third parties or with employees outside of normal business conduct without prior management approval.

Legal Compliance 4 of 15
 2 - DOCUMENT AND DATA CONTROL ASSUREX HEALTH VENDOR DUE DILIGENCE AUDIT

2.1 Is documentation produced by the company controlled? Score Auditor's Comments

Documentation controlled.
Written procedures have been developed and implemented for controlling design and document control.
Procedures address responsibility and the approval process required to make changes.
Design changes documented and approved by authorized personnel before implementation.
There is a periodic audit of the process to confirm the specification control system functioning properly.
Are current documents (specifications, drawings artworks, etc.) available and readily accessible to all
2.2. Score Auditor's Comment
appropriate areas?
Master list of all controlled documents and the revision level are available.
Current documents are available and readily accessible in all appropriate areas.
There is evidence that the current documents are being referenced and utilized throughout the company to perform the activities required

2.3. Are obsolete documents removed from use? Score Auditor's Comment
Obsolete documents are removed from use.
Written policies and procedures are available to handle obsolete documents.
Obsolete documents are being destroyed in a timely and confidential manner.
There is a periodic audit of the process to conform that obsolete documents are being withdrawn from use.

DOCUMENT AND DATA CONTROL SUBSYSTEM SCORE NAp

This document may contain confidential information and is considered proprietary information. Use of this document is covered by the corporate agreement regarding confidentiality and intellectual
property. This document is not to be shared with third parties or with employees outside of normal business conduct without prior management approval.

5 of 15
9 - RECORDS ASSUREX HEALTH VENDOR DUE DILIGENCE AUDIT

9.1 Are records maintained in accordance with governmental regulations and/or company policy? Score Auditor's Comment

Records and related documentation are retained for a specified time period.
There are documented record keeping rules.
Timely and periodic purging of the file system takes place to keep record keeping system up to date with current information.
Centralized filing system (hardcopy or electronic) is maintained in an appropriate environment to prevent deterioration, damage or loss.

9.2. Is there a system in effect to assure that records are reviewed? Score Auditor's Comment
Records are reviewed on a schedule as defined in a procedure or work instruction.
Records are reviewed for the purpose of the following:
l Process refinement/improvement
l Complinace with local/state/federal regulations
l Complinace with company policy

RECORDS SUBSYSTEM SCORE ###

This document may contain confidential information and is considered proprietary information. Use of this document is covered by the corporate agreement regarding confidentiality and
intellectual property. This document is not to be shared with third parties or with employees outside of normal business conduct without prior management approval.

6 of 15
10 - TRAINING ASSUREX HEALTH VENDOR DUE DILIGENCE AUDIT

10.1 Have procedures been established and used for identifying training needs? Score Auditor's Comment
Training procedures exist for training all levels, including hourly, technical, and management staff, in company policy and job specific
information.
Training procedures cover all of the following:
l Part-time and temporary employees.
l Procedures/Policies/Work Instructions.
l Safety.
l Equipment.
l Relevant local, state, federal regulations.
Training procedures address future training requirements, retraining, and refresher training.
Training effectiveness is periodically evaluated.
Annual reviews of training procedures and requirements are performed.
Annual training plans are addressed in budget requirements.
10.2. Are qualification and training records maintained for all personnel? Score Auditor's Comment
Qualification and training records are maintained for all personnel and include all of the following:
l Type of training-equipment, method, procedure, or subject.
l Date of training.
l Results of training.
l Date of refresher training, if required.
Training records and results are used as management reviews to assure that training requirements are met.

TRAINING SUBSYSTEM SCORE NAp

This document may contain confidential information and is considered proprietary information. Use of this document is covered by the corporate agreement regarding confidentiality and
intellectual property. This document is not to be shared with third parties or with employees outside of normal business conduct without prior management approval.

7 of 15
11 - FACILITIES ASSUREX HEALTH VENDOR DUE DILIGENCE AUDIT

11.1 Does the supplier practice good housekeeping? Score Auditor's Comment
The following good housekeeping points are practiced:
l Facilities are clean with no trash around.
l Facilities walking surfaces and fire exit routes are clear.

11.2 Are lighting and utilities sufficient to perform the required operations? Score Auditor's Comment
Acceptable lighting is found in all areas:
Electrical supply is sufficient to handle production requirements.
Back-up generators are installed to handle power outages.

11.3 Is the working environment safe & secure? Score Auditor's Comment
Safety procedures are fully developed.
Fire alarm system is place.
Exit doors are clearly marked and lock from the inside.
OSHA reports are all acceptable or issues have been resolved.
No environmental pollution potential.
Security systems are in place and require use of badge access

FACILITIES SUBSYSTEM SCORE NAp

This document may contain confidential information and is considered proprietary information. Use of this document is covered by the corporate agreement regarding confidentiality and intellectual
property. This document is not to be shared with third parties or with employees outside of normal business conduct without prior management approval.

8 of 15
12 - CUSTOMER SERVICE ASSUREX HEALTH INTERNAL DEPARTMENT AUDIT

12.1 Are customer or field complaints received, reviewed, and investigated? Score Auditor's Comment
Customer complaints are addressed, recorded, and maintained in a corrective action database.
Verification of customer satisfaction is recorded after corrective action has been implemented.

12.2. Customer Service System Score Auditor's Comment

Customer service calls are monitored/regularly evaluated to assure quality of service and compliance with applicable laws and/or
company policy

CUSTOMER SERVICE SUBSYSTEM SCORE NAp

This document may contain confidential information and is considered proprietary information. Use of this document is covered by the corporate agreement regarding confidentiality and
intellectual property. This document is not to be shared with third parties or with employees outside of normal business conduct without prior management approval.
5 - BCP/DR ASSUREX HEALTH VENDOR DUE DILIGENCE AUDIT

5.1 BCP/DR in place Score Auditor's Comment

Policy is written and approved by executive levels

Policy is reviewed regularly
Policy is regularly tested
Policy is stored securely on site and off site
All key personnel have access to the BCP and know what role they play
Policy identified what the critical functions of the business are
Policy identifies timescale for when each function should become available

5.2. Company is able to continue supplying/servicing Assurex Health in the event of a disaster? Score Auditor's Comment

Alternative supply/service source or redundancies are in place

Expected Supply/Service delay in the event of disaster is reasonable

5.3. Score Auditor's Comment

SUBSYSTEM SCORE ###

This document may contain confidential information and is considered proprietary information. Use of this document is covered by the corporate agreement regarding
confidentiality and intellectual property. This document is not to be shared with third parties or with employees outside of normal business conduct without prior
management approval.

10 of 15
 3 - IT MANAGEMENT ASSUREX HEALTH VENDOR DUE DILIGENCE AUDIT

3.1 ISO 27001 & ISO 27002 certified? Score Auditor's Comment

27001- ISMS: policy in place

Includes risk assessment process; risk treatment process
Includes information security objectives
Operational planning and control documents
3.2. Is security robust? Score Auditor's Comment

3.3 Breaches are monitored 24/7 & responded to immediately? Score Auditor's Comment

3.4. ISO 27799:2008 Score Auditor's Comment

VENDOR MANAGEMENT SUBSYSTEM SCORE NAp

This document may contain confidential information and is considered proprietary information. Use of this document is covered by the corporate agreement regarding confidentiality and intellectual
property. This document is not to be shared with third parties or with employees outside of normal business conduct without prior management approval.

11 of 15
6 - LAB ASSUREX HEALTH VENDOR DUE DILIGENCE AUDIT
6.1 Processes are documented Score Auditor's Comments
Documented process and quality instruction procedures, including applicable standards reflect current practices.
All instruction procedures are controlled documents and are signed off by appropriate personnel.
A formal procedure exists, which details the responsibility for procedure development and approval processes.
All written instruction procedures are routinely reviewed for application of processing methods and accuracy of requirements.
All process changes are documented, reviewed, and approved by appropriate personnel before change is made.
Control plans are routinely reviewed for effectiveness and updated as required.
6.2 Achievement of quality goals Score Auditor's Comments
Consistently meets/exceeds quality goals
Quality goals are regularly reviewed and supported by top management.
6.3 A preventive maintenance program has been documented and implemented. Score Auditor's Comments
Complete preventive maintenance and repair records are readily available for all process equipment.
Preventive maintenance program is structured and performed based on time requirements.

6.4 Does the company maintain a root cause corrective action system that provides for prompt identification and correction of error? Score Auditor's Comments

Written Corrective Action procedures are documented as part of the quality manual.
Corrective Action reports address basic information for identification of problem.
Written Corrective Action procedures address:
l Analyzing data to determine root cause of non-conformance.
l Documenting and reporting corrective action.
Non-conformance reports (e.g. product quality, deviation, audit results, quality records, etc.) used to develop preventive actions.
Supplier maintains a historical database for all Corrective Actions.
Corrective Action procedures are reviewed regularly for continuous improvement.
6.5 Is follow-up action performed to verify the effectiveness of corrective action? Score Auditor's Comments
Written Corrective Action procedures address verification for effectiveness of corrective action.
Effectiveness of Corrective Action is verified and documented.
Effectiveness of Corrective Action is verified by routine audits of original problem.
6.6 Test methods and equipment have been validated for their use. Score Auditor's Comments
Validation is performed on all test methods and equipment.
Validation is documented.
Written validation procedures are available for all test methods and equipment.

All products have been validated for the test method or equipment used.
System in place to provide review and revalidation of test methods or equipment.

This document may contain confidential information and is considered proprietary information. Use of this document is covered by the corporate agreement regarding confidentiality and intellectual
property. This document is not to be shared with third parties or with employees outside of normal business conduct without prior management approval.

LABORATORY SUBSYSTEM SCORE NAp

12 of 15
 4 - PRODUCTION LINE
ASSUREX HEALTH VENDOR DUE DILIGENCE AUDIT

4.1 Receiving Goods- QC/QA Check Score Auditor's Comment

All goods coming into the line have been checked for quality/conformity prior to entering into production
Non-conforming products/components/materials clearly identified and segregated to prevent use

4.2 Assembly Score Auditor's Comment

Personnel have readily available up-to-date procedures, work instructions, etc. required to carry out assembly
Is required test equipment calibrated regularly, with appropriate record keeping
Are the finished products stored/handled in such a way to prevent damage or deterioration
Assembly area tidy/clean/safe
PPI available and used when necessary

4.3. Outgoing Goods- All products are checked for quality prior to leaving the production facility Score Auditor's Comment
Non-conforming products/components/materials clearly identified and segregated to prevent distribution
Finished products are inspected either 100% or at random
Consistently meets/exceeds quality goals

SUBSYSTEM SCORE ###

This document may contain confidential information and is considered proprietary information. Use of this document is covered by the corporate agreement regarding confidentiality and intellectual
property. This document is not to be shared with third parties or with employees outside of normal business conduct without prior management approval.

Page 13 of 15
7 - OPEN ASSUREX HEALTH VENDOR DUE DILIGENCE AUDIT

7.1 Score Auditor's Comments

7.2 Score Auditor's Comments

7.3 Score Auditor's Comments

7.4 Score Auditor's Comments

SUBSYSTEM SCORE NAp

This document may contain confidential information and is considered proprietary information. Use of this document is covered by the corporate agreement regarding
confidentiality and intellectual property. This document is not to be shared with third parties or with employees outside of normal business conduct without prior
management approval.

14 of 2
8 - OPEN ASSUREX HEALTH VENDOR DUE DILIGENCE AUDIT

8.1. Score Auditor's Comment

8.2. Score Auditor's Comment

8.3. Score Auditor's Comment

8.4. Score Auditor's Comment

SUBSYSTEM SCORE NAp

This document may contain confidential information and is considered proprietary information. Use of this document is covered by the corporate agreement regarding
confidentiality and intellectual property. This document is not to be shared with third parties or with employees outside of normal business conduct without prior
management approval.

15 of 15