COMPLIANCE INITIATIVES IN LIFE SCIENCES Life sciences firms are bound by regulatory requirements in addition to the SOX Act of 2002. These requirements may include Good Manufacturing Practices (GMPs), Good Laboratory Practices (GLPs) and Good Clinical Practices (GCPs), as well as the Title 21 Code of Federal Regulations (21 CFR Part 11) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The compliance challenges for the Security and Exchange Commission's SOX Act of 2002 are focused around the following sections: 302, 404, 409, and 802. Section 302 states that the CEO and the CFO must certify the accuracy and content of financial statements included in each annual or quarterly report. These officers are also responsible for internal controls that ensure the accuracy of these financial statements.4 SOX costs include business process mapping, which demonstrates the flow of financial data from order entry to accounts receivable, and testing business processes.Section 404 states that companies are required to include an annual internal control report, and policies and procedures must exist to manage information systems that impact financial reporting. It also requires independent auditing to demonstrate that procedures are adhered to.5 Examples include internal controls surrounding network infrastructure, backup and recovery, disaster recovery, and configuration management for financial systems. SOX costs include investments in auditing, assessments, staff training, policy and procedure development, technology, and organizational structure realignment.
Section 409 stipulates the requirement of real-time disclosure of "material changes in the financial condition or operations" of the company.6 Computerized systems, as they support business operations and financial management, play a significant role in the detection and management of material events. Firms must capture operational information and establish procedures for responding to adverse events. Additionally, the integration of any new financial system should be tested to demonstrate real-time reporting capability and accuracy.
Section 802 states that a company's financial and audit records cannot be fabricated or destroyed. Auditors are required to maintain all audit or review work papers for a period of five years following the end of the fiscal period in which the audit or review was concluded.7
At each stage of drug or device development, FDA regulations assure that a product is safe for animal or human use, that results are documented and, when FDA approved, the product is manufactured under conditions that ensure safety, efficacy, and quality. Noteworthy sections of FDA's Code of Federal Regulations include 21 CFR Part 11 and the GMP, GLP, GCP (or GxP) predicate rules.
21 CFR Part 11 describes the internal controls that must be in place for electronic systems that manage GxP data. To help industry implement 21 CFR Part 11, FDA wrote in a recently published guidance, "We intend to enforce all other provisions of Part 11 including, but not limited to, certain controls for closed systems [such as document management, retention, security and validation]." This indicates the priority FDA places on internal controls.8