Audit

Internal Security
1. Access Limitations – Assess Current Procedures and IT systems to ensure the following requirements are adhered to:

1.1 Individual accounts are password-protected. These passwords comply with J&J ITS standards.

1.2 Computer systems are configured to require manual login and logout.

1.3 System automatically limits number of failed login attempts as per J&J IAPP requirements.

1.4 System automatically records unauthorized login attempts as per J&J IAPP requirements.

1.5 Procedures and training are in place to ensure individual account access is not shared with other users.
Verify training files and access request forms.

1.6 Procedures and training are in place to ensure one user does not log on to system to provide access to another user.

1.7 Users are electronically required to change their passwords at regular intervals as per J&J IAPP requirements.

1.8 Computer systems automatically password protect when idle for short periods.

1.9 Systems automatically log users off when idle for long periods.

1.10 Appropriate levels of access based on job requirements are in place and proceduralized with documented evidence of access approval ensuring appropriate segregation of duties.

1.11 System Administrator rights (permitting activities such as data deletion, database amendment or system configuration changes) should not be assigned to individuals with a direct interest in the data (data generation, data review or approval). All changes performed under system administrator access must be visible to, and approved within, the quality system.

1.12 The system provides security access control which is enabled and appropriately implemented.

1.13 Adequate procedures are in place defining administration of the system by the system administrator.

2. Audit Trail - Assess Current Procedures and IT systems to ensure the following can be verified:

2.1 Creations, modifications, and deletions are tracked and retrievable electronically.

2.2 All originally entered data is maintained and not obscured when changes are made.

2.3 Changes are time stamped automatically.

2.4 Computer system is configured to require user to record reason for change.

2.5 Identity of individual who made a change is recorded automatically.

2.6 Users are prevented from being able to modify or delete audit trail.

2.7 A procedure is established and followed to review the system's audit trails periodically and as part of the batch release process. All applicable audit trails should be routinely reviewed for electronic data capture and data management systems, and reviews must capture system-related audit trails as well as batch/run-specific audit trails.

2.8 The frequency of audit trail review should be well-supported (dependent on the type of audit trail and process in place for management of changes) and applied through risk management.

2.9 Archive records are locked such that they cannot be altered or deleted without detection and audit trail.

2.10 Users are prevented from deleting electronic records.

3. Date and Time Controls: Assess IT systems for Adherence to the following requirements:

3.1 Computer systems synchronize to the date and time provided by an international standards-setting body.

3.2 Users are prevented from altering the time stamp for the system.

3.3 All date and time changes are documented (except daylight saving time).

3.4 Year, month, day, hour, minute, and time zone are captured in time stamp.

3.5 Any time zone references and naming conventions are defined in documentation.

External Security
4. Assess Current Procedures regarding External Security to ensure the following requirements are met:

4.1 Access to the computer system and data via external software applications is restricted by encrypting data as it is transferred and/or using a firewall.

4.2 A cumulative record is maintained that indicates names of authorized personnel, their titles, and a description of their access privileges.

4.3 Control of external personnel access is managed by Janssen, and the review period is defined procedurally.

4.4 A list of historical users, roles, and uses is maintained.

4.5 Accounts are properly disabled, and the time frame for disabling is defined procedurally.

4.6 The effect of viruses and other harmful software code is prevented, detected and mitigated.

Data Management
5. Direct Entry

5.1 Are Prompts defined to highlight data out of the specified range?

5.2 Do Current procedures specify valid vs. invalid ranges and include process to alert user?

5.3 Is the system designed / set to enter default data if a field is bypassed?

5.4 Is the System configured to populate field with data duplicated from another field? If so, analyze potential consequences very carefully before doing so.

5.5 Processes and procedures verify that data is entered contemporaneously when activities occur.

5.6 A process is in place for duplicate / retest results as well as the management and storage of original data.

5.7 A documented explanation for cancelled tests / samples / invalid assays (LIMS) is captured.

5.8 For critical data entered manually, an additional check on the accuracy of the data is in place. This check may be done by a second operator or by validated electronic means.

5.9 The criticality and the potential consequences of erroneous or incorrectly entered data to a system should be covered by risk management.

5.10 A Business Continuity / contingency procedure for data entry is in place.

6. Data Retrieval – Ensure Processes for retrieval of Data capture the following requirements:

6.1 The process for archiving electronic records must preserve the content and meaning of the record (i.e. all required metadata must also be captured, such that the design of the computer system attributes each data record to its individual subject (sample name, individual, etc.)).

6.2 Data Archival systems are designed and verified to reconstruct source documentation accurately and completely.

6.3 Backup and recovery processes are validated.

6.4 Procedures are in place for evaluation of data recovery processes.

6.5 Business Continuity / contingency procedures for automated systems data Retrieval are in place.

7. Data Review – Ensure Review processes meet the requirements outlined:

7.1 Adequate written procedures and training programs are in place to describe the process for the review and approval of data, including raw data. Data review must also include a review of relevant metadata, including audit trails.

7.2 Electronic Review of data is conducted in the source system.

7.3 Changes to critical data are clearly visible and outlined in the review process.

7.4 Supervisory review and quality review are conducted in the system in conjunction with all required metadata.

7.5 Lab Specific: If manual integration is used, the specifics for manual integration parameters should be specified in test methods. The review process for manual integration should be clearly defined procedurally, documenting that all areas of manual integration are visible and in compliance with allowed Test method parameters.

7.6 Lab Specific: Raw data which has been invalidated due to failed system suitability criteria should not be stored separately from the QC raw data package and should be captured as part of the review process. Invalid runs should always be evaluated and documented.

7.7 Lab Specific: Original run sequences which are amended during the run should be printed and included in the data review package.

Quality Systems
8. System Controls

8.1 A process is in place to avoid manipulation of electronic data.

8.2 A full backup and recovery system is in place to protect against data loss if records are maintained only in electronic form.

8.3 The backup system maintains data integrity.

8.4 Backups are performed on a regular basis / automatically and the process is defined procedurally.

8.5 Backup records are stored at a secure offsite facility.

8.6 Backup and recovery logs are maintained.

9. Change Management – Assess Current Operational Change Control and IT and Automation Change Control Processes to ensure the following:

9.1 Data integrity is maintained when making changes to the computer system, such as software upgrades, security and performance patches, equipment repairs, etc.

9.2 The Process evaluates the effects of any changes before and after making them and validates changes that exceed previous operational limits.

9.3 All computer system changes are documented and require the appropriate level of Quality oversight.

9.4 Changes are made by authorized individuals only and the changes made can be identified to an individual level.

10. Validation – Assess the Validation of each system to ensure it is validated for its intended use in accordance with the following requirements:

10.1 A validation summary report is present and all significant test failures are documented and resolved prior to release for use in accordance with defined procedures.

10.2 Validation of computerized system audit trail should ensure SOPs/procedures are drafted during OQ to define the use and control of the system in a regulated business environment as well as describe the process for audit trail verification.

10.3 'Validation for intended use' should include testing during PQ to confirm that the required data is correctly extracted by the custom report, and presented in a manner which is aligned with the data review process described in the data review procedures.

10.4 The acceptance of vendor-supplied validation data in isolation of system configuration and intended use is not acceptable. In isolation from the intended process or end user IT infrastructure, vendor testing is likely to be limited to functional verification only, and may not fulfill the requirements for performance qualification.

10.5 Procedures define the requirement that computerized systems are reviewed periodically to confirm that they remain in a validated state.

11. Documentation Management

11.1 An up-to-date listing of all relevant systems and their GMP functionality (inventory) is available.

12. Training

12.1 Individuals who develop, maintain and use the computer system have sufficient education, training, and experience to perform their tasks.

12.2 Training in the operation of the computer system is led by qualified individuals.

12.3 Training sessions are conducted on a continuing basis in case of changes in personnel and the computer system.

System Complies with Requirements?

Access Limitations

Audit Trail

Date & Time Controls

External Security Procedures

Data Management - Data Retrieval

Data Management - Data Entry

Data Management - Data Review

System Controls

Change Management

Validation

Document Management

Training

Please note that this checklist is a hypothetical example and provides basic information only. It is not intended to take the place of, among other things, workplace, health and safety advice; medical advice, diagnosis, or treatment; or other applicable laws. You should also seek your own professional advice to determine if the use of such checklist is permissible in your workplace or jurisdiction.