Practical Regulatory Compliance Audit Minimizes Legal
The Practical Solutions Group was hired by a leading Pharma client to perform a two-day standard regulatory due diligence assessment regarding regulatory compliance of a software vendor, which the Pharma client was considering to contract with, and the hosting facility - a third party - which was to be retained by the software vendor through a cross-licensing agreement. The Pharma company had not yet formalized a contract with the software vendor at the time of the audit so no study activity had begun.
At the start of the audit, the audit team was informed that agreements between the software vendor and the hosting facility had not yet been formalized either and that the hosting facility was in the process of doing its own due diligence regarding the software vendor. This came as a surprise to everyone. The challenge thus became determining what issues were more significant to the Pharma company: the issues regarding the formalization of the business relationship between the vendor and the hosting facility or regulatory compliance issues that might exist with the software or hosting environment.
The Practical Solutions Group suggested that the Pharma company rely on the hosting facility's capability to do the due diligence of the software vendor. The rationale was that the hosting facility would not go through with the relationship with the software vendor if it determined that significant business or regulatory risks were identified. This eliminated the need to perform a thorough review of the software vendor's compliance status. Instead, the focus was shifted on the more risky areas of the overall business relationship between the Pharma company, its software vendor and the hosting facility. As a result, the assessment was streamlined to only two areas: (1) nature and scope of the hosting facility's due diligence from the system validation, 21 CFR part 11 compliance and quality assurance perspectives and (2) the technical capabilities and qualifications of the hosting facility staff that was to perform the due diligence of the software vendor.
The practical vision on part of The Practical Solutions Group allowed the Pharma client to include a stipulation into the contract that if the business relationship between the software vendor and the hosting facility did not work out, the Pharma company could back out of the contract with a software vendor without any penalties. How is that for minimizing the legal and financial business risks through what was intended to be a mere regulatory compliance audit?