OR WAIT null SECS
As the bustle of Sarbanes-Oxley (SOX) 2004 compliance deadlines for companies winds down, executives have an opportunity to reconsider their company's compliance strategy.
As the bustle of Sarbanes-Oxley (SOX) 2004 compliance deadlines for companies winds down, executives have an opportunity to reconsider their company's compliance strategy. In 2005, AMR Research predicts SOX compliance costs will exceed $15 billion.1 The CPA Journal estimates that first year Section 404 compliance costs for companies with a net worth over $5 billion will exceed $4.6 billion, and small to medium companies on average of $2 million.2 Some are questioning the value of complying with SOX and its associated costs. In a Price-WaterhouseCoopers survey, 42 percent of executives thought "SOX is a well-meaning attempt, but saddles companies with unnecessary extra costs."3 In life sciences companies, SOX is not the only compliance initiative. Companies should be mindful of the value that is lost with multiple compliance initiatives operating independently. Savvy executives and management should consider centralizing compliance efforts to drive down associated expenditures.
Life sciences firms are bound by regulatory requirements in addition to the SOX Act of 2002. These requirements may include Good Manufacturing Practices (GMPs), Good Laboratory Practices (GLPs) and Good Clinical Practices (GCPs), as well as the Title 21 Code of Federal Regulations (21 CFR Part 11) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The compliance challenges for the Security and Exchange Commission's SOX Act of 2002 are focused around the following sections: 302, 404, 409, and 802. Section 302 states that the CEO and the CFO must certify the accuracy and content of financial statements included in each annual or quarterly report. These officers are also responsible for internal controls that ensure the accuracy of these financial statements.4 SOX costs include business process mapping, which demonstrates the flow of financial data from order entry to accounts receivable, and testing business processes.
Section 404 states that companies are required to include an annual internal control report, and policies and procedures must exist to manage information systems that impact financial reporting. It also requires independent auditing to demonstrate that procedures are adhered to.5 Examples include internal controls surrounding network infrastructure, backup and recovery, disaster recovery, and configuration management for financial systems. SOX costs include investments in auditing, assessments, staff training, policy and procedure development, technology, and organizational structure realignment.
Section 409 stipulates the requirement of real-time disclosure of "material changes in the financial condition or operations" of the company.6 Computerized systems, as they support business operations and financial management, play a significant role in the detection and management of material events. Firms must capture operational information and establish procedures for responding to adverse events. Additionally, the integration of any new financial system should be tested to demonstrate real-time reporting capability and accuracy.
Section 802 states that a company's financial and audit records cannot be fabricated or destroyed. Auditors are required to maintain all audit or review work papers for a period of five years following the end of the fiscal period in which the audit or review was concluded.7
At each stage of drug or device development, FDA regulations assure that a product is safe for animal or human use, that results are documented and, when FDA approved, the product is manufactured under conditions that ensure safety, efficacy, and quality. Noteworthy sections of FDA's Code of Federal Regulations include 21 CFR Part 11 and the GMP, GLP, GCP (or GxP) predicate rules.
21 CFR Part 11 describes the internal controls that must be in place for electronic systems that manage GxP data. To help industry implement 21 CFR Part 11, FDA wrote in a recently published guidance, "We intend to enforce all other provisions of Part 11 including, but not limited to, certain controls for closed systems [such as document management, retention, security and validation]." This indicates the priority FDA places on internal controls.8
Additional regulatory requirements that may impact a life sciences firm include HIPAA. HIPAA requires that patient data be controlled and protected. Companies are required to implement safeguards to protect the confidentiality, integrity, and availability of patient data stored in an information system or transmitted electronically.
A common theme among all of the regulations is control and record accuracy. Additional commonalities between GxP and SOX regulations include risk management, record retention, and monitoring (Table 1).
Table 1. Commonality Matrix
Without a strategic approach to compliance, SOX, GxP, Part 11, and HIPAA can add up to financial trouble. A vice president of finance for a $10-billion biotechnology firm described how the finance department of his company ground to a halt while attempting to meet the 2004 deadline. His company had a well-developed quality program in place, but the project team did not include any members from the quality control or validation departments. The question must be asked: What could this company have saved by being more strategic?
Life sciences companies have an opportunity to save resources by coordinating compliance initiatives. For example, both FDA and SEC require companies to implement configuration management procedures. Additionally, system implementations may have quality and financial impacts — such as Enterprise Resource Planning (ERP) implementations — with other modules that impact the manufacturing of quality product and still other modules that impact the booking of revenue.
While companies in other industries are struggling with interpretation of SOX requirements, life sciences companies can leverage the software implementation approach for GxP systems. Many firms have a compliance program that can be expanded. For example, the program, as defined in a validationmaster plan, includes information on responsible roles, systems requiring validation, and required documentation. This document could also incorporate SOX and HIPAA requirements and related systems.
Recommendations for Aligning Compliance Initiatives
The finance manager of an $8-billion biotechnology firm said, "We have just begun coordinating GMP, GCP, and GLP under a quality management system. The resistance that we had to this was tremendous. However, the executives now see the value of a centralized approach. We are more able to ensure quality through consistency. If this minimizes our risk, we are going in the right direction." As to whether this quality management system will be expanded to include SOX, along with GMP, GCP, and GLP, the finance manager said, "We have been working on the quality management system for the past two years; this will take time."
In discussions with an associate director of validation of a $66-million biotech firm (Company X) about its approach to SOX compliance, he noted the company was taking steps to coordinate the GxP and SOX effort. However, there are challenges inherent in this, "Since the SOPs for GxP and SOX overlap, the validation scope needs to encompass both GxP and SOX requirements. In the last couple of weeks, we have seen some of the deliverables from the SOX initiative. They are not at an acceptable level to get group approval."
There are commonalities surrounding requirements for risk assessment. FDA recommends the application of a risk-based approach.12 Similarly, to comply with SOX, there is a requirement for risk assessment at the corporate and system level. On the system, each component or requirement is rated based on likelihood and effect of failure. This rating helps to determine the level of documentation and the extent of testing that needs to be performed — a higher rating requires a higher degree of testing.
Company X uses the same approach for risk assessment of systems with both financial and GxP impact. The project that launched this was an ERP implementation with both SOX and GXP impact. The associate director of validation said, "I think you will see these enterprise-wide projects drive cooperation among the initiatives. More project deliverables will have to consider both GxP and SOX to maintain cost effectiveness as well as project timelines."
In a PriceWaterhouseCoopers survey, 64 percent of executives said their senior management and board of directors see SOX as one of the many steps in a larger corporate governance initiative.13
Many life sciences companies have employed cross-functional project teams in GxP implementations including IT, business operations, quality, and validation. Sixty-two percent of public companies are using cross-functional teams for SOX compliance; and in 72 percent of that group, the finance department is assuming responsibility for the leadership position.
The SOX team of Company X used cross-functional representation including quality, validation, information systems, and finance leadership. To help work through the dilemma of impending deadlines and getting the documentation to an approvable point, finance looked to the validation department. It was this collaboration and cooperation that allowed them to succeed.
As many companies complete the sprint to meet end-of-year deadlines to put controls in place and test financial systems, maintaining SOX compliance will call for future projects that begin to vary in size. For example, as new IT systems that impact financial statements are added, they will need to be tested. Existing controls will need to be evaluated and updated on an annual basis. Good cross-functional representation will be critical for ongoing projects.
Many companies within the life sciences arena are still struggling with SOX compliance. Life sciences companies have an advantage in responding to compliance initiatives because the quality assurance function is already entrenched in operations. But change requires leadership and executive support. The costs of compliance are steep and the immediate effect of centralizing compliance is to lower overall costs of compliance. This is just the edge a company needs to gain a competitive advantage.
Vega Finucan is a managing partner for US Data Management LLC, 1746-F S. Victoria Ave., No. 388, Ventura, CA, 93003-6538, 888.231.0816, ext. 188, fax: 775.213.5943, firstname.lastname@example.org.
1. Hagerty J. Regulatory Compliance: An $80B Opportunity. AMR Research. 2005 Monday Jan 31.
2. D'Aquila JM. Tallying the Cost of the Sarbanes-Oxley Act. CPA Journal. 2004 Nov.
3. Yoon L. Sarbanes-Oxley Increases Risks, Costs. CFO.com. 2003, March 25.
4. Sarbanes-Oxley Act of 2002, Title III, Section 302. 2002 Jan 23.
5. Sarbanes-Oxley Act of 2002, Title III, Section 404. 2002 Jan 23.
6. Sarbanes-Oxley Act of 2002, Title III, Section 409. 2002 Jan 23.
7. Sarbanes-Oxley Act of 2002, Title III, Section 802. 2002 Jan 23.
8. Guidance for Industry, 21CFR Part 11, Electronic Records; Electronic Signatures — Scope and Application. US Department of Health and Human Services. Food and Drug Administration. 2003 Aug.
9. As defined in the FDA's Code of Federal Regulations.
10. Guidance for Industry, 21CFR Part 11, Electronic Records; Electronic Signatures — Scope and Application. US Department of Health and Human Services. Food and Drug Administration. 2003 Aug.
11. Committee of Sponsoring Organization (COSO) in the Internal Control — Integrated Framework, which is referenced in the PCAOB Auditing Standard No. 2.
12. Guidance for Industry, 21 CFR Part 11, Electronic Records; Electronic Signatures — Scope and Application. US Department of Health and Human Services. Food and Drug Administration. 2003 Aug: p. 6.
13. US Companies Have SOX On The Brain. Top-level results from a PricewaterhouseCoopers' Management Barometer survey. Compliance Pipeline, www.compliancepipeline.com/news/45200014. 2003 Aug 27.
14. Hagerty J. Emerging Best Practices and Benchmarks for Sarbanes-Oxley Compliance. AMR Research. 2004.