Scribd Logo
Upload

Welcome to Scribd!

  • GMP Checklist For DI Audit

    Uploaded by

    shri_palani
    263 views4 pages

    Original Title

    GMP Checklist for DI Audit

    Copyright

    © © All Rights Reserved

    Available Formats

    DOC, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as DOC, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    263 views4 pages

    GMP Checklist For DI Audit

    Uploaded by

    shri_palani

    Copyright:

    © All Rights Reserved
    Download as DOC, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 4

    PCI Audit Checklist for Data Integrity V2

    GMP Checklist for Data Integrity Audit – Information


    Technology and Computerized Systems Portion

    Disclaimer: This checklist is not complete nor is it the purpose of an audit to ask all
    possible questions or review all aspects of a topic.

    This document is made available FOC as a service to industry and regulators and may
    be further distributed which is why it is posted in MS word format. Should any of
    the users have additions to the checklist it would be wonderful if you would share
    them in the spirit of continual improvement.

    Good Luck with your DI audits.

    Karen Ginsbury
    CEO
    PCI Pharmaceutical Consulting Israel Ltd

    Finding
    # Item Description
      
    Data Governance Policy
    1. Is there one and are IT personnel familiar with its content
    Production, operations, QC lab personnel?
    Is there a risk assessment for Data Governance of computerized
    2.
    systems
    Does the risk assessment consider risks related to the IT department
    3.
    Does it consider risks related to outsourced IT operations
    4. Is there a list of authorized IT service providers
    Have IT service providers been audited? Review the most recent
    5. audit report and see if CAPAs have been addressed. Did the audit
    address data integrity / governance
    Is there a quality agreement in place with the service provider – does
    it address data governance expectations / assign and define
    6.
    responsibilities between the service provider, the IT department and
    or individual users?
    Does the service provider interact directly with users or is all
    7.
    communication through the IT department

    Page 1 of 4
    PCI Audit Checklist for Data Integrity V2

    Finding
    # Item Description
      
    Have service providers been provided GMP and specifically data
    8. integrity training and are they familiar with the DI Governance Policy
    Are IT service providers permitted remote access to company
    computers
    If yes, is access with or without prior specific user, or manager,
    9.
    permission each entry to a user’s workspace or a computerized
    system serving a piece of production, laboratory or other GxP
    related activity / operation
    How are changes performed by remote access managed?
    10. Review some of the changes performed – is there a computerized
    audit trail for PROGRAMMING changes?
    11. Is there a computerized systems policy
    Does it require all computerized systems with GxP impact to be
    compliant with:
    12. 21 CFR part 11 (electronic records and electronic signatures)
    Annex 11 of the EU GMPs
    Other standards (define) ________________________________
    Is there a controlled (up-to-date, version number, page #s) list of
    GxP impact computerized systems
    13. Does it describe:
    What the system does, where it is installed (list of PCs on which it is
    installed and authorized users); current validated software version?
    Are there any legacy systems which do not meet part 11
    requirements for:
    14.1 Unique user name / password for each entry with automatic
    LOGOFF.
    14.2 How long after leaving the workstation does it log out
    14. 14.3 Is there a data and time stamped audit trail for each piece of
    software at the data collection level
    14.4 Is there a data and time stamped audit trail for each piece of
    software at the programming level
    14.5 Is the audit trail enabled?

    Are data collection audit trails reviewed?


    15. At what frequency and by whom? Are they attached to the results
    reviewed by QP at release?
    Ask an analyst to print out a data audit trail. Do they know how to
    16. do that. Review it on the computer – are the users identified by
    name or as User 1, 2, 3 or are they all just “User”

    Page 2 of 4
    PCI Audit Checklist for Data Integrity V2

    Finding
    # Item Description
      
    Does the audit trail explain in human readable form, what change
    was made and why. If it describes the change but not the reason –
    17. ask the analyst, separately their manager and separately the QP who
    released the batch – what the reasons are.
    In particular focus on deletions.
    Are programming audit trails (changes to directories, file deletion,
    alteration, changes to metadata) reviewed? At what frequency and
    18.
    by whom. How is the review documented and to whom is the
    outcome reported. Do findings appear in the CAPA system?
    Are the user name and passwords program specific or is a
    workstation accessed by entering a windows user name and
    password.
    19.
    NOTE: if yes, probably all users are entering on a single user name
    and if a workstation has several programs installed, access to those
    programs is not controlled once the workstation is open.
    Who holds the administrator password and what privileges does it
    allow (e.g. is the laboratory manager able to delete files?)
    20.
    Is there a policy describing what the administration is allowed to do
    and how it is documented?
    How are changes to programming, servers, and IT infrastructure
    21. managed? Is it by the company wide change control program or an
    IT change control? Is there QA / Quality Unit sign off
    Check if drawing tools are disabled (might allow “whiting out” a
    22. “small” unwanted peak on a chromatogram and wouldn’t be seen on
    the printout
    Are chromatograms sequential or are there numbers missing in the
    23.
    set?
    Is there an SOP describing how integration of chromatograms is
    24. performed? Is auto-integrate the default? If manual integration is
    performed is the auto-integration also attached?
    Are the integration parameters and set up in general printed out
    25.
    before performing the analysis / as part of the report?
    How and by whom is the system clock set? Can it be changed to
    26.
    show an earlier time of processing data?
    Is there a written policy regarding trial injections as part of system
    suitability? Does it forbid the use of test samples? What is the policy
    27.
    for filing and reporting failing system suitability tests – before,
    during and / or after testing?
    28. Is data deletion possible and how is recorded in the audit trail?

    Page 3 of 4
    PCI Audit Checklist for Data Integrity V2

    Finding
    # Item Description
      
    Are memory sticks / thumb drives or other removable media
    29. allowed? Or is there a policy forbidding their use / drives sealed off /
    computers not fitted with USB ports?
    Is there a written definition as to what constitutes raw data and how
    30.
    that is backed up?
    What is the maximum time from QC results generation until review
    31. and approval / COA issuance? Is this covered by an SOP? Including
    for stability testing results?
    How are COAs generated? Is the template locked? Can it be
    32.
    overwritten? Does it match the specifications?
    Are excel files used for calculating QC results? Is there an SOP and
    33.
    are they validated and locked?
    What provisions are in place (e.g. immediate signing and dating of
    34. printed copy with deletion of original data from template) to prevent
    changing data after calculation
    Check a template – is there data stored in it and do the company
    35.
    overwrite previous data – a known source of error
    Is there an IT Disaster Recovery Plan and does it address data
    36.
    governance
    Are there periodic efforts to restore electronic data back up from
    37.
    archives and documented checks of its integrity
    Is there a procedure for retiring computerized systems / software
    38. which ensures that raw data is preserved and can be reused for
    calculation verification if required. Over what period of time?

    Page 4 of 4

    You might also like