As the bustle of Sarbanes-Oxley (SOX) 2004 compliance deadlines for companies winds down, executives have an opportunity to reconsider their company's compliance strategy. In 2005, AMR Research predicts SOX compliance costs will exceed $15 billion.[1] The CPA Journal estimates that first-year Section 404 compliance costs for companies with a net worth over $5 billion will exceed $4.6 billion, and for small to medium companies will average $2 million.[2] Some are questioning the value of complying with SOX and its associated costs. In a PricewaterhouseCoopers survey, 42 percent of executives thought "SOX is a well-meaning attempt, but saddles companies with unnecessary extra costs."[3]

In life sciences companies, SOX is not the only compliance initiative. Companies should be mindful of the value that is lost with multiple compliance initiatives operating independently. Savvy executives and management should consider centralizing compliance efforts to drive down associated expenditures.

COMPLIANCE INITIATIVES IN LIFE SCIENCES

Life sciences firms are bound by regulatory requirements in addition to the SOX Act of 2002. These requirements may include Good Manufacturing Practices (GMPs), Good Laboratory Practices (GLPs) and Good Clinical Practices (GCPs), as well as the Title 21 Code of Federal Regulations (21 CFR Part 11) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The compliance challenges for the Securities and Exchange Commission's SOX Act of 2002 are focused around the following sections: 302, 404, 409, and 802. Section 302 states that the CEO and the CFO must certify the accuracy and content of financial statements included in each annual or quarterly report. These officers are also responsible for internal controls that ensure the accuracy of these financial statements.[4] SOX costs include business process mapping, which demonstrates the flow of financial data from order entry to accounts receivable, and testing business processes.

Section 404 states that companies are required to include an annual internal control report, and policies and procedures must exist to manage information systems that impact financial reporting. It also requires independent auditing to demonstrate that procedures are adhered to.[5] Examples include internal controls surrounding network infrastructure, backup and recovery, disaster recovery, and configuration management for financial systems. SOX costs include investments in auditing, assessments, staff training, policy and procedure development, technology, and organizational structure realignment.

Section 409 stipulates the requirement of real-time disclosure of "material changes in the financial condition or operations" of the company.[6] Computerized systems, as they support business operations and financial management, play a significant role in the detection and management of material events. Firms must capture operational information and establish procedures for responding to adverse events. Additionally, the integration of any new financial system should be tested to demonstrate real-time reporting capability.

Section 802 states that a company's financial and audit records cannot be fabricated or destroyed. Auditors are required to maintain all audit or review work papers for a period of five years following the end of the fiscal period in which the audit or review was concluded.[7]

At each stage of drug or device development, FDA regulations assure that a product is safe for animal or human use, that results are documented and, when FDA approved, the product is manufactured under conditions that ensure safety, efficacy, and quality. Noteworthy sections of FDA's Code of Federal Regulations include 21 CFR Part 11 and the GMP, GLP, GCP (or GxP)

21 CFR Part 11 describes the internal controls that must be in place for electronic systems that manage GxP data. To help industry implement 21 CFR Part 11, FDA wrote in a recently published guidance, "We intend to enforce all other provisions of Part 11 including, but not limited to, certain controls for closed systems [such as document management, retention, security and validation]." This indicates the priority FDA places on internal controls.[8]