Application of SOC 2+ Process to Assessment of GxP Suppliers of Services
To facilitate the assessment and mitigation of compliance risks associated with a third-party service organization, its services, and the systems used to provide the services, this article proposes adopting an approach from the financial sector that, with a little modification, could be used to assess suppliers of GxP-regulated IT services.
One of the presiding tenets of GxP (good manufacturing, laboratory, or clinical practices) compliance is supplier management. Regulators recognize that many life sciences companies outsource activities that they either do not wish to or cannot effectively execute themselves, but regulatory agencies nonetheless expect the companies to manage the quality of such activities. In the past, the largest concern involved managing organizations like contract manufacturers and clinical research organizations. Concerns regarding information technology (IT) groups were generally limited to verifying that software applications had been developed and were supported in a controlled manner.
However, a recent trend in IT is the broadscale outsourcing of services, including a wide variety of cloud-based services. Some companies have effectively reduced their internal IT capability to little more than project management, while outsourcing virtually all traditional IT support activities for infrastructure and applications.
This state of affairs means that the need for IT supplier management is much greater, but the existing approaches are hardly more sophisticated than they were two decades ago. For lower-risk suppliers, simple research may be sufficient, or GAMP® 5 suggests the possibility of remote audit via questionnaire [1]. The primary tool for higher-risk suppliers is often a direct audit by the life sciences company’s quality assurance (QA) organization, perhaps augmented by some metrics. An added complication in higher-risk scenarios is that many of the cloud-service providers that are ideal partners from a financial standpoint have little or no experience in the GxP realm. Furthermore, some of the larger providers are likely to decline to be audited by their customers.
Fortunately, within the financial sector, there is a process many businesses use to facilitate the assessment and mitigation of compliance risks associated with a third-party service organization (i.e., supplier), its services, and the systems used to provide the services: the Statement on Standards for Attestation Engagements (SSAE 18) Service Organization Controls (SOC 2) reporting process, as defined by the American Institute of Certified Public Accountants (AICPA) [2]. With a little modification, this approach could be used to assess suppliers of GxP-regulated IT services.
Under this process, an IT service provider engages an independent third-party audit firm to perform a detailed examination, supported by documented testing. This audit provides evidence about the design, operation, and effectiveness of controls within the supplier’s systems and their key compliance processes. The SOC 2 examination report includes a detailed description of the supplier’s system as designed and implemented, and whether the controls stated in the description were suitably designed and operated effectively to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on criteria relevant to the security, availability, processing integrity, and confidentiality or privacy of its system. The SOC 2 report is intended for users seeking information assurance regarding information handling and can be distributed to customers or users having sufficient knowledge of the service organization’s system and services. This process is heavily leveraged by companies’ vendor management programs to support vendor compliance and monitoring; it is also used in support of regulatory oversight or risk-management processes (e.g., compliance with the Sarbanes–Oxley Act, which regulates corporate financial disclosures).
Key tools in the SOC 2 process are the Trust Services Principles and Criteria, which provide a framework to address IT-associated risks and opportunities. The Trust Services Principles and Criteria were jointly developed by AICPA and the Canadian Institute of Chartered Accountants (CICA) and are used for SOC 2 and SOC 3 reports [3]. Trust services are defined as a set of professional assurance services based on a common framework, which comprises a core set of principles and criteria. The framework has been designed to address the risks and opportunities associated with IT. The existing SOC 2 process and trust services criteria already overlap significantly with the needs of GxP organizations: they address issues such as change control, incident management, security management, access control, and so on. In fact, for a large percentage of cloud-service suppliers, the existing SOC 2 process and the associated trust services criteria probably provide sufficient evaluation of supplier processes without any additional criteria. Infrastructure as a service (IaaS) and platform as a service (PaaS) suppliers will generally fall into this category.
However, for software as a service (SaaS) suppliers, the question of validation arises. There is no question that the life sciences company is accountable for the validation state of a SaaS application and that the company owns and is accountable for the data. However, many of the processes involved in validation (e.g., specification, verification, operational management) are the responsibility of the supplier. Evaluating these activities is not within the scope of current trust services criteria.
Under recent changes to the standard, a service organization may request that the service auditor’s report address either criteria in addition to the applicable trust services criteria or additional subject matter related to the service organization’s services, using additional suitable criteria related to that subject matter, or both. The result is an SOC 2+ report, which is intended to create flexibility for industries and service providers to define controls that were not historically covered.
The Case for a GxP SOC 2+ Process
The responsibility for the quality of IT software and services will always reside with the life sciences company that uses them. Having a vendor or even an independent third party produce an independent attestation regarding the control environment’s effectiveness does not affect that obligation. However, with the expanding use of such services, the need to maximize the efficiency of quality assessments has become a more significant challenge. In addition, suppliers are starting to offer services with significant GxP risk, such as laboratory information management systems (LIMS) as an SaaS application. The use of such high-risk services is a driver for a structured and controlled approach to supplier assessment.
An adaptation of the SOC 2+ process geared toward assessing supplier suitability to support a GxP process would be of great utility. The potential benefits of this are threefold:
- A life sciences company could examine an existing report when evaluating whether to engage a supplier. Based on risk, the company could elect to accept the report as adequate evidence of quality processes, or it could opt to conduct its own additional audit, which could require fewer resources and less effort because the SOC 2+ report allows auditors to focus on perceived weaknesses. In addition, reviewing the annual report would provide a degree of assurance that the supplier is maintaining an acceptable level of control over the client’s processes.
- Service suppliers with a substantial GxP customer base currently devote considerable resources to audit support. Adopting this process would allow them to reduce the footprint needed to support customer audits, because one comprehensive audit would provide much of the evidence that is currently presented repeatedly during customer audits. The production of an SOC 2+ report could also be used as a differentiator for the supplier when attracting new customers.
- Regulators would be assured of a consistent process for supplier evaluation carried out by an independent third party. The documented testing generated during the audit would provide stronger and more comprehensive evidence that appropriate controls are effectively executed. In addition, with an approach modeled after the SOC 2+ process, audits would be carried out annually and provided to customers routinely, which would provide more frequent evaluations than most companies’ direct audit policy.
This article proposes an SOC 2+–type tool usable by life sciences companies in support of supplier management and adapted to leverage the SOC 2+ process with modification to address the gaps between the SOC 2+ process and GxP expectations. Although this type of tool does not negate the need for a quality agreement between the customer and supplier, it can be a significant aid to transparency and thus strengthen the confidence of all parties involved that controls are appropriate, comprehensive, and being followed.
The SOC 2 report is clearly essential from a customer perspective because it provides evidence that processes are not only implemented but also followed. However, the decision to initiate an SOC 2+ audit lies with the supplier. This decision may be driven by a request from a life sciences customer, but, generally, the supplier will engage the audit firm and fund the process. The third-party audit firm should not have any conflict of interest with the supplier that would inhibit a willingness to honestly appraise an unsatisfactory audit.
Before a service auditor can accept a new SOC 2+ examination, certain preconditions must be met. This is a requirement for financial evaluations as defined by AICPA and an expectation for application of the process in the GxP world. These preconditions include service auditor requirements and engagement set forth by professional standards. An understanding of management’s and the service auditor’s responsibilities in the SOC 2+ examination must be established.
Service organization management is responsible for making decisions that define the scope of the examination, which include, but are not limited to:
- Identifying the services and system to be the subject matter for the examination
- Specifying the type of SOC report to be performed and the period of coverage (i.e., Type 1 [point in time] or Type 2 [period of time])
- Identifying risks that could prevent the achievement of the service organization’s service commitments and system requirements
- Selecting the trust services categories to be included in the scope (e.g., security, availability, processing integrity, confidentiality, and privacy) as well as any supplemental subject matter
- Identifying relevant subservice organizations and determining the method of presentation (e.g., an inclusive approach, in which the auditor directly evaluates and reports on the effectiveness of the control activity carried out by a subsupplier, or a carve-out method, in which the subsupplier’s control activity is indirectly evaluated, such as through a separate SOC report from the subsupplier)
- Designing, implementing, operating, monitoring, and documenting controls that are suitably designed and, in a Type 2 examination, operating effectively to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria
- Specifying complementary user-entity controls
Service organization management may require additional clarification from the service auditor to address these responsibilities. Whereas a service auditor can provide assistance to management to help clarify questions about scope and timing, the service auditor is required to maintain independence from management and cannot make decisions on management’s behalf. Once the service auditor’s and service organization management’s responsibilities have been established, they are acknowledged in an engagement letter or other suitable form of written communication.
When assessing IT service suppliers for GxP purposes, some additions or modifications to the approach used for financial clients are appropriate. The online version of this article (https://ispe.org/pharmaceutical-engineering) includes an appendix that presents a trust services table that augments the commonly evaluated trust services criteria with additional criteria geared toward specific GxP aspects. It should be noted that the table is not a boilerplate suitable for all scenarios. In all cases, the final assessment of the audit content and the approach to evaluating the testing of the controls must account for the specific nature of systems or services being provided. This process is intended to be an industry standard and should suffice for most user companies; however, if the life sciences company is doing something unique that is not covered by the standard criteria, additional evaluation might be warranted.
Upon acceptance of an SOC 2+ engagement, the service organization’s management is responsible for preparing a complete and accurate description of its system and for providing a written assertion that will accompany the system description, both of which will be provided to report users.
The service auditor is responsible for obtaining an understanding of the service organization’s system and developing the test plan to evaluate whether the controls specified by management were designed, implemented, and operated effectively to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria. During the examination, management must provide unrestricted access to records, personnel, and other resources requested by the service auditor. Management must also disclose any known instances of noncompliance with laws or regulators, fraud, deficiencies in control design or operating effectiveness, or other significant incidents that resulted in the impairment of the system or service. The service auditor is required to consider the materiality of any identified risks during the course of executing its examination procedures.
Generating the Audit Report
The service auditor is responsible for issuing a report that expresses their opinion about whether the system description was presented fairly, the controls were suitably designed, and, in the case of a Type 2 report, whether controls operated effectively during the specified period to achieve the service organization’s service commitments and system requirements based on the applicable trust services criteria. The service auditor includes descriptions of the tests of controls performed and the test results in the final report. If uncorrected misstatements or control deficiencies are identified, the service auditor may design and perform additional procedures to obtain sufficient appropriate evidence needed to form a conclusion. However, if sufficient appropriate evidence cannot be obtained, the service auditor is required to modify its opinion.
At the conclusion of the examination and prior to report issuance, service organization management will modify their assertion (if required) to align with the service auditor’s opinion and will provide the service auditor with written representations. The service organization management is responsible for controlling distribution of the final report once it is issued.
When control testing deviations are identified, supplier management can choose to disclose root cause, mitigating factors or compensating controls, and/or remediation activities performed to respond to the deviation within the examination report. This information may help users of the report to evaluate and understand the impact of the identified deviations, as well as reduce the need for users to request this information from the service organization. Management can describe this information in the description of its system, in which case it is considered within the scope of the examination and requires the service auditor to perform audit procedures to validate the information described by management. Alternatively, management can include this information within an “Other Information” section, which is not covered by the auditor’s report and is considered an “unaudited” section.
Sustaining the Audit
The general expectation in the financial sector is that SOC audits are repeated annually. Many life sciences firms do not conduct their own onsite audits that frequently. However, review of an annual SOC audit is appealing because this process will often be the sole source assessment for those suppliers that would not normally permit a QA audit (e.g., large cloud-service companies). Furthermore, the supplier will want to present reasonably fresh results to potential new customers. Ergo, suppliers should plan on an annual cycle for SOC 2+ audits.
Leveraging the Audit at the Life Sciences Company
It is imperative for the customer who plans to reference an SOC 2+ report to understand that this is simply one tool for supplier evaluation, albeit a very important one (and, sometimes, the only one). Nonetheless, the life sciences company is still ultimately responsible for ensuring that any supplier-managed applications are appropriately validated and that the data managed by the supplier have integrity.
The life sciences company will obtain the most recent audit report from the supplier. Ideally, it should be a Type 2 report, which examines the controls over a defined period, rather than a Type 1 report that only considers a point in time.
Before evaluating the SOC 2+ report, the life sciences company will need to document its own user requirements and assess them for risk. If this step is not taken, the company will find it very difficult to recognize critical deficiencies and drive appropriate corrective actions (either internal or at the supplier), if any are uncovered.
Acting on the SOC Report
There are two potential reasons why the SOC 2+ report might not satisfy the life sciences company.
- The report may reveal deficiencies that the company deems unacceptable. It is important to realize that this conclusion is based on customer risk and may be reached even if the auditing firm finds that the supplier is adequately controlled.
- Even if the auditing firm has concluded that all controls are in place and operating effectively, the life sciences company may still conclude that the SOC 2+ report alone is not evidence of control, either because of the report’s level of detail or because some service aspects are insufficiently covered.
If the SOC 2+ report is not enough to satisfy the life sciences company of the supplier’s ability to meet expectations, additional evaluation may be necessary, most commonly via an onsite audit that focuses on controls deemed inadequate or missing. If the concerns are minor, they might be addressable via remote evaluation of additional evidence.
In some cases, a supplier (e.g., a large cloud-service supplier or a software developer whose main customer base is not in the life sciences industry) may be reluctant to support a customer audit, especially in view of the fact that the supplier has spent a considerable sum for the SOC audit. In such cases, the life sciences company may need to make a somewhat uncomfortable judgment as to how much evaluation is really enough. Some companies may conclude that they cannot use a supplier with an unsatisfactory or incomplete SOC 2+ report if that supplier refuses to support an audit.
In the constant effort to both control costs and ensure maximum performance and flexibility, life sciences companies will likely need to leverage services from suppliers whose primary customer base is not the life sciences industry. Several factors make the SOC 2+ process a potentially valuable tool in the QA arsenal.
- The SOC 2+ methodology has been proven effective for years in the financial sector, where data integrity concerns are every bit as serious as in the healthcare sector.
- The SOC 2+ audit provides stronger evidence of compliance for the controls being evaluated because the conclusions are supported by testing.
- The cost of supplier evaluation processes should decrease for both the life sciences company, which is receiving the audit report for no cost, and the supplier, which must support one expensive audit but is relieved of the repetitive process of supporting multiple single-client audits. If further evaluation is deemed necessary by the life sciences customer, it will be briefer and much more focused, even if it involves an audit.
- Audit results should be more consistent because they are generated by experienced auditors from an independent third party who test evidence in support of conclusions.
- The ability to do an annual review of a refreshed SOC 2+ report provides assurance that supplier processes remain in a state of control. This is a substantially more frequent period of assessment than most companies can currently achieve.
Given these factors, it would be highly advisable for the life sciences industry to take advantage of this process, and for regulators to recognize its value as a tool for ensuring data integrity.
Appendix: Example of a Trust Services Table
- 1. Bredesen, A., S. Brooks, J. Buffi, W. Cappucci, M. Cherry, C. Clark, G. Evans, H. Hambloch, C. Jones, P. Kane, T. Margetts, A. Perez, P. Robertson, K. Samways, D. Selby, G. Wingate, and S. Wyn. “M2 Supplier Assessment.” In GAMP 5 Guide: Compliant GxP Computerized Systems. Tampa, FL: ISPE, 2008.
- 2. American Institute of Certified Public Accountants. “Clarified Statements on Standards for Attestation Engagements.” Accessed 21 May 2019. https://www.aicpa.org/research/standards/auditattest/ssae.html
- 3. SSAE16. “Trust Services.” Accessed 30 May 2019. http://www.ssae16.com/SSAE16_trustservices.html