Simplify your IT Systems Validation for Regulatory Compliance
Information technology has become a core enabler of business processes within organizations today. As a result, companies are required to audit and validate their relevant IT systems to ensure that their business processes and underlying records comply with regulations such as the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act (HIPAA), or 21 CFR Part 11 (FDA). This paper defines an “easy-to-implement” framework for auditing and validating IT systems for regulatory compliance. It also identifies a best practice that calls for IT organizations and software vendors to proactively audit their software development and implementation processes on an ongoing basis, so that systemic issues are identified and corrected early and the cost of compliance is lowered.
In our July 2004 issue, we discussed best practices for incorporating audits into your operational framework. In this issue, let us take the discussion further and pose the question of how to most effectively implement audits in a global organization. To put the problem in context, let us look at a specific use case scenario at a large retail chain.
A large and diverse retail organization selling convenience and fast food products has set up a global organization for field audit management. The fully staffed field audit team, comprising internal staff and contracted auditors, is chartered to work closely with store management, retail staff, company auditors and regional sales managers.
Internal auditing is a mechanism by which an organization examines a business process to evaluate its ability to comply with internal and external requirements. It is also a very effective tool to implement a discipline of continuous improvement. Internal audits enable management to:
Discover what is really going on within the organization, which enables objective decision-making and lets managers direct resources toward the right issues
Learn about potential problems before they become burning issues
Identify failure points within a process, so relevant stakeholders can implement corrective actions in a timely manner
Determine the effectiveness of controls within a process
Ensuring Regulatory Compliance through Training and Certification
Role of Training and Certification in Regulatory Compliance
In recent years, there has been a dramatic growth in compliance and regulatory requirements across all industries. There are over 130,000 pages of rules in the Code of Federal Regulations. In addition, over 60 Federal Agencies issue about 4,000 new regulations every year. These federal regulations are the law of the land, and organizations covered by them need to actively implement them. Non-compliance can cost organizations millions in fines, litigation, opportunity costs and production delays. Organizations need to ensure that they are fully compliant with all of the regulations and reporting requirements of their industry in order to avoid being fined and cited by the respective regulatory bodies.
"Acceptable Quality Level, also referred to as Assured Quality Level, is the largest quantity of defects in a certain sample size that can make the lot definitely acceptable. Customers will definitely prefer zero-defect products or services and will ultimately establish the acceptable level of quality. There is only one ideal acceptable quality level - zero defects - all others are compromises based upon acceptable business, financial and safety levels."
"In many industries, competitive advantage is rapidly shifting to the management of suppliers, which can account for as much as 60 to 80 percent of manufacturing costs. Companies that effectively involve suppliers in their internal product development achieve a new strategic advantage."