Making Sense of Sarbanes-Oxley | Pharmaceutical Manufacturing

May 2, 2005
SOX is moving from the executive suite down to the plant floor.
Since it was thrust upon private industry two years ago, the Sarbanes-Oxley Act has given corporate executives plenty of sleepless nights. The legislative reform — enacted after scandals at Enron and WorldCom — was intended to lend amplified rigor and transparency to corporate financial accounting and reporting. It is doing just that.

But Sarbanes — aka SOX, SOA, or Sarbox — is more gray than black and white, particularly in Section 404, where it addresses the internal controls that top brass must have over their organizations (see "The Dreaded 404," below). Execs have scrambled to satisfy internal and external auditors, but, in many cases, they’re using Excel spreadsheets and archived emails rather than any cohesive, automated approach. “Firms have been completely overwhelmed,” says Richard Binswanger, director of special projects at Princeton Center (Pennington, N.J.), which provides software and solutions to leading pharmaceutical companies. “They’ve been saying, ‘We just want a passing grade and then be able to walk away.’” Binswanger adds, “The truth of the matter is, they’re still trying to figure it out.”

SOX burnout is already taking its toll. A recent study by Russell Reynolds Associates, Inc. (New York, N.Y.) found that turnover among CFOs at Fortune 500 companies rose 23% last year, largely due to SOX. Sarbanes carries with it severe penalties, even jail time, for individuals found responsible for their firms’ noncompliance. Already, some executives have called for clarifications and revisions of the legislation.

General frustrations, and the resources needed to comply with Sarbanes-Oxley, have forced management to rethink its approach, and manufacturing is now part of the picture. SOX isn’t just about finance and accounting anymore. It’s about any activity that might bubble up and impact the firm’s financial well-being — whether accounting fraud, a GMP irregularity, or a gross operational inefficiency.

As a result, everyone from plant operators on up — even suppliers — is viewed as a participant in compliance. Firms will need a collective effort to examine facilities for potential SOX risks, to monitor and address operations weaknesses that may impact the bottom line, and to implement procedures and automated systems for analyzing and reporting activities with inherent risk.

A year of change

To date, few in the plant have been part of these efforts, unless they worked in IT. “What people did in 2004 was document existing processes and make sure controls were in place,” says John Hagerty, VP at AMR Research (Boston). “The IT people got the brunt of the work, even though they were brought in late.” The plant floor staff, if they felt SOX at all, did so “through the back door” via their contact with IT, he says.
GET A GRIP ON SOX

To comply with Sarbanes-Oxley and reap its benefits, pharmaceutical companies must develop a proactive strategy. John Rhodes, managing partner of the pharmaceutical and life sciences division of Deloitte and Touche, suggests that pharmaceutical manufacturers do the following:

  • Create a culture that promotes risk management and allows employees to ask for help or identify an issue without fear of negative repercussions;

  • Develop a sustainable process to identify and communicate risks to the management team—which needs to be acutely aware of those risks;

  • Move beyond the reactive Sarbox compliance steps to more proactive risk mechanisms, such as early-warning detection systems and processes that enable the right levels of management to identify and respond to risks before there is financial or reputation loss. This is particularly key in the product supply chain;

  • Ensure Sarbanes sustainability by having someone in place to make sure that risk management programs are doing what they are designed to do;

  • Make regulatory compliance a full-time focus to ensure that risk is managed through all business processes—manufacturing, commercial and scientific.
However, this approach will change. 2005 is shaping up to be a year of major transition, experts agree, as executives and their organizations adopt comprehensive SOX strategies, automate processes, manage data, and train employees with an eye toward Sarbanes compliance.

“We’re miles ahead of where we were when we started,” says Elizabeth O’Farrell, executive director and general auditor for Eli Lilly and Co. (Indianapolis). “In 2004, with the sheer volume of sites and processes that we have, the effort to get the documentation we needed, and the subsequent testing and work with our external auditors, was huge. In 2005, we’re really asking, ‘How can we make this a sustainable process that really adds value to the business?’”

That’s being done in many ways, says O’Farrell. For instance, Lilly is working to further integrate its IT and documentation controls on a global scale, and is incorporating Sarbanes into training throughout the organization so that SOX compliance becomes embedded in Lilly’s organizational culture — as a sort of “financial GMP,” she says.

A mid-size company handling the transition is Millennium Pharmaceuticals, Inc. (Cambridge, Mass.). “We spent the first year pressure testing our systems, kicking tires and beating the bushes to see how we were doing things,” says Joel Goldberg, associate general counsel. There was never a sense of panic, says Goldberg, but there was a learning curve, and costs and staff hours devoted to the effort. The firm engaged PricewaterhouseCoopers as its implementation partner, as well as Ernst & Young, its external auditor, to help.

Millennium has undertaken a Sarbanes readiness project in which it has stepped up IT procedures and controls in several areas, including information security and sourcing, modified its financial reporting procedures, and developed an internal audit function.
It has also added Sarbanes-Oxley elements to its compliance training and code of conduct, Goldberg says.

Auditors will look kindly upon companies that understand the legislation’s spirit and take clear steps to establish greater internal controls and oversight and infuse SOX consciousness into their cultures. There is no one way to comply. “It’s an essay, rather than a true/false test,” says Binswanger.

Pharma has an edge

Pharmaceutical firms may have a leg up in addressing Sarbanes-Oxley. They’re already regulated to the hilt, so what’s another layer? Drug manufacturers have a traditional “appreciation” for compliance and documentation, says John Rhodes, managing partner of the pharmaceutical and life sciences division of Deloitte and Touche (Parsippany, N.J.). “What better companies could you find than pharmaceuticals to comply with Sarbanes?” he asks.

However, Rhodes notes that pharmaceutical firms’ efforts at compliance and risk management have historically been siloed. More recently, they’ve started to integrate these efforts and create structured communication channels for discussing and reporting compliance and risk issues. SOX dovetails nicely with this trend, Rhodes notes.

Another Sarbanes-Oxley driver within pharmaceuticals is the fact that the industry can’t afford any more bad press, Rhodes says. Failure cannot be an option. “It will be interesting to see what the marketplace implications will be for those who have problems,” he says. Forward-thinking execs envision SOX as a tool to be leveraged for enhanced oversight and control of operations, greater efficiencies and profitability down the road. If pharmaceutical firms needed another excuse to implement quality initiatives, process analytical technologies (PAT) or robust data management systems with real-time capabilities, SOX is it.

In fact, Sarbanes is like Six Sigma in disguise, says Philip Say, solutions marketing director for mySAP ERP Financials.
Proactive drug companies will couple Sarbanes with 21 CFR Part 11 to streamline compliance efforts and use the enhanced data and controls to leverage efficiency and quality efforts. Sarbanes will force firms to align themselves not just around the regulatory obligations of FDA but also those of SOX and the Securities and Exchange Commission.

Automate to control

To make Sarbanes-Oxley work to their advantage, firms will automate. They already have tremendous incentives to do so. AMR Research estimates that corporations as a whole will spend $6.1 billion this year to comply with Sarbanes, up from $5.5 billion in 2004. More than 70% of that total corresponds to hours spent by employees and hired consultants on compliance efforts. Those figures, says AMR’s Hagerty, challenge finance and compliance professionals to find ways to let computers do the work.

SOX has prompted Millennium Pharmaceuticals to put in place automated controls for information security and to modify some standard processes to leverage existing systems, Goldberg says. It is using its Oracle system to verify proper commitment approvals, for instance.

The trick is implementing new systems that will be immediately compliant, says Deloitte’s Rhodes. This concern has slowed SOX-related IT investment thus far, he says. The nonprofit IT Governance Institute publishes COBIT, a control framework that maps out the terrain for IT compliance with SOX. Nevertheless, plenty of gray area still exists, spelling opportunity for hardware and software vendors looking to find a market niche that may not have existed prior to the legislation.

SAP has folded Sarbanes-Oxley into its overall portfolio, says Say, most notably in its Management of Internal Controls System (MICS). It recently signed a strategic reseller agreement with Virsa Systems to embed software in mySAP ERP for real-time monitoring of security controls and user authentication.
SAP is also leveraging its NetWeaver platform to attract new independent software vendor (ISV) partners with Sarbanes applications.

Eli Lilly has implemented SAP globally, which has been an advantage for addressing Sarbanes-Oxley, O’Farrell says. This is especially true from a 404 standpoint, since IT controls can be maintained and configured centrally.

Many major pharmaceutical firms were already using the TrackWise Quality Management System by Sparta Systems, Inc. (Holmdel, N.J.) prior to SOX. Now, says John O’Brien, senior sales engineer, they’re configuring the software to fit their specific needs. A company working with PricewaterhouseCoopers, for instance, can tailor its control assertions to meet those of the auditing firm.

Half of the contacts that Sparta has had with its pharmaceutical clients this year have been Sarbanes-related, O’Brien says. That includes large firms making improvements for their second go-round and small- and medium-sized firms looking for aid in their first year of compliance.

RSA Security (Bedford, Mass.), a provider of identity and access management solutions, has seen increased interest in several applications, including its SecurID two-factor user authentication system, says Laura Robinson, the firm’s compliance analyst. The system requires anyone seeking access to critical data or systems to present both a PIN and the passcode shown on a small hardware token, which changes every minute, so a stolen password alone is no longer enough to gain access. Pharmaceutical firms have used the product for years to limit user access to key functions or secure locations, Robinson says, but now they’re equipping anyone with access to SOX-critical data or systems.

Sarbanes requires a culture shift and sustainable approach, Robinson says, and in this regard is “way beyond a Y2K effort.”

IT will also serve Sarbanes from a training and communications standpoint. Pilgrim Software’s (Tampa, Fla.) SmartTrain, for example, automates employee certification related to job functions or policies and procedures — information that can easily be passed on to auditors. Firms have thus far been more interested in Pilgrim’s broad applications for Sarbanes, such as its SmartAudit software, but are beginning to consider niche products, director of products Nikki Willett says.

Beyond your own walls

Chicago firm Fieldglass finds itself in the thick of the Sarbanes mix as a provider of workflow automation. It has helped pharmaceutical firms manage the procurement of temporary and contract employees and monitor and control their activities.

Sarbanes has changed the dynamics of relationships between suppliers and client firms, says Fieldglass CFO Jim Holtsman. “It forces suppliers to be much more responsible to customers,” he says. “We’re responsible for elements of their financial results.” If an outsourced employee misreports information because Fieldglass technology did not ensure adequate controls, Fieldglass bears that responsibility, he says.

In turn, pharmaceutical clients want to know more about the inner workings of their vendor partners, says Holtsman, including key financial information. It’s not enough anymore to offer a good product, improve efficiencies and drive down costs, Holtsman says.

Auditors will ask firms, “Are you extended beyond your own walls?” says Rhodes of Deloitte. Since problems with suppliers can curtail a company’s ability to manufacture, auditors will seek reassurances that the standards and financial health of suppliers are equal to those of the firm itself, Rhodes says.

Looking ahead

There’s a consensus that Sarbanes-Oxley expects too much from the firms it regulates, and that some modifications may be in order. “Some of the documentation and testing, especially the duplication of internal and external testing, tends to have less value versus the benefit,” says O’Farrell of Lilly.
“Do we really need all the redundancy?”

Perhaps not, but O’Farrell and others agree that, ultimately, Sarbanes-Oxley will be more of a boon than a burden. “It’ll start happening this year,” Princeton Center’s Binswanger predicts. And it will happen because it has to, he says. Weaknesses in batch processes, IT security or documentation, if brought to light by SOX, could shake investor confidence and expose a company to financial risk. There will be pressure from the top to minimize that risk.

This means that the average line operator, chemist, or maintenance manager will have to be SOX savvy to understand how his or her actions and standard procedures relate to corporate profit or loss. Binswanger says workers can see this as an opportunity for growth. “Sarbanes serves as a real chance to capture a good understanding of how a company works,” he says, “not just for regulatory purposes, but to improve performance.”
THE DREADED 404

The Sarbanes-Oxley Act is a massive document, but getting most of the attention within pharmaceutical manufacturing is Section 404, which requires companies to establish and maintain adequate internal controls.

But what are those controls? The SEC has estimated that companies are spending more than five million staff hours trying to answer that question and establish 404 compliance. Most large firms have had to submit 404 filings with their most recent 10-K annual reports to the SEC. Smaller firms have until next year. Companies have gotten some help from COSO, the internal control framework published by the Committee of Sponsoring Organizations of the Treadway Commission, a nonprofit consortium of professional accounting associations, but have largely had to develop home-grown approaches based on their own business processes and structure.

“Initially, we didn’t understand the sweeping implications that 404 was going to have on our resourcing and workload,” says Elizabeth O’Farrell, executive director and general auditor at Eli Lilly. “We had a very strong internal audit program already, and we thought we’d just be able to build on that. As we got into it, we became aware of how big a project this was going to be in terms of documentation and testing,” she says. “Unlike Y2K, it doesn’t go away. You have to embed it into the organization.”

The Sarbanes efforts currently underway at Millennium Pharmaceuticals are primarily in response to 404, says associate general counsel Joel Goldberg. When the company first began to address Sarbanes-Oxley two years ago, there were other issues, such as new listing and filing regulations for SEC. Those were fairly straightforward to deal with, Goldberg says, unlike 404. “404 kind of encompasses a lot of things not directly stated in Sarbanes-Oxley,” he says. “That means you actually have to change how you operate in some ways.”

For Millennium, that has meant the development of a new internal audit function, the implementation of enhanced automated systems for information security, and improvements in SOPs related to purchase orders and requisitions, and inventory recognition and management.

The search for internal control will include the entire organization. “There are going to be certain people at all levels of the company responsible for maintaining controls,” AMR Research’s John Hagerty says. Shoddy inventory management in the plant, for example, would represent a Sarbanes flaw in need of mending. Top management will depend upon line operators and supervisors to recognize deficiencies and take the lead in correcting them. In this way, Sarbanes may work its way through the organization from the bottom up as well as top down, and should enhance integration and communication between facilities and headquarters.

“Everyone is accountable now,” says Philip Say, solutions marketing director for mySAP ERP Financials. “Individual process owners have to attest to the quality of their controls and their ability to prevent fraud around a particular business process. Each segment at a microscopic level gets signed off, and it gets rolled up to the department heads and all the way up the chain to the CFO, CEO and internal audit committee.” By the time that data hits the committee, there should be a confidence that control is in place, he says.

Operations personnel, supervisors and middle managers can expect to participate in the following aspects of compliance:
  • Enhanced reporting and visibility throughout the firm and plant. SAP’s Say notes that executives will rely more upon “cockpit technologies” that allow them to take a bird’s-eye view of operations and easily drill down into departments and plant floor operations to maintain oversight or locate the roots of problems. Firms will strive to close up every potential loophole that might present an opportunity for fraud.

  • Increased record retention. Firms need a policy on how individuals should retain records, and workers should be aware of that policy. SOX’s seven-year retention requirement is aimed at audit work papers; for the company’s own records, the key litmus test before shredding or deleting, AMR’s Hagerty says, is how much risk is involved with a given document.

  • Heightened information security. Simple logins and passwords using your favorite pet’s name are a thing of the past. Firms will tightly control who can read which information, who can enter or change it, and who can’t, and will turn to vendors like Thor Technologies (Pleasanton, Calif.), which provides user ID and access management software and solutions.

  • Segregation of duties (SOD). Under SOX, finance-related functions must have convincing checks and balances. This is a “massive issue,” says SAP’s Say. Someone who fills out a purchase order will have to get someone else to write the check. Anyone receiving a shipment will need to have someone else sign off.
Smaller companies may struggle to find enough personnel to establish sufficient SOD, Richard Binswanger of Princeton Center notes. That’s been the case at Millennium Pharmaceuticals, which has about 1,500 employees. “Sarbanes-Oxley sees no difference between 1,500- and 15,000-person companies,” says associate general counsel Joel Goldberg. The company is in the process of implementing automated systems to facilitate segregation of duties among developers and application support staff, Goldberg says.
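The segregation-of-duties checks described in the last two items (one person must not both raise and approve a purchase order, or both receive a shipment and sign it off) can be automated as a rule matrix evaluated over each user's effective permissions. The following Python is an added example, not code from the article or from SAP, Virsa or any vendor named here; the roles, permissions, users and rules are constructed for illustration. It generalizes the two pairs in the text to a small purchase-to-pay matrix, evaluates conflicts on permissions rather than role names (so a toxic combination split across two individually harmless roles is still caught), and adds the preventive check a practitioner wants at the moment a role is granted, which is where a small company learns it cannot staff the separation.

```python
"""Segregation-of-duties (SoD) conflict detection over role assignments.

Constructed example data: the roles, permissions, users and rules below are
hypothetical, chosen to mirror the purchasing and receiving checks in the
text, not any real ERP configuration.
"""
from typing import Dict, List, Set, Tuple

# A role bundles permissions, as an ERP authorization role does.
ROLE_PERMS: Dict[str, Set[str]] = {
    "buyer": {"create_po"},
    "purchasing_manager": {"approve_po"},
    "ap_clerk": {"enter_invoice"},
    "treasury": {"release_payment"},
    "vendor_master": {"create_vendor"},
    "warehouse": {"receive_goods"},
    "qa_release": {"confirm_receipt"},
}

# Roles each user currently holds (constructed sample).
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"buyer", "purchasing_manager"},         # raises and approves her own POs
    "bob": {"buyer"},
    "carol": {"purchasing_manager", "treasury"},      # approves POs and pays them
    "dave": {"warehouse", "qa_release"},              # receives and signs off receipts
    "erin": {"warehouse"},
    "frank": {"vendor_master", "ap_clerk", "treasury"},  # fictitious-vendor path
}

# Rule matrix: pairs of permissions one person must not hold together.
SOD_RULES: List[Tuple[str, str, str]] = [
    ("create_po", "approve_po", "requester can approve own purchase"),
    ("approve_po", "release_payment", "approver can pay without independent check"),
    ("enter_invoice", "release_payment", "invoice entry and payment in one hand"),
    ("create_vendor", "release_payment", "can pay a vendor of own creation"),
    ("receive_goods", "confirm_receipt", "receiver signs off own receipt"),
]

Rule = Tuple[str, str, str]
Conflict = Tuple[str, str, str, str]  # (user, perm_a, perm_b, reason)


def effective_perms(roles: Set[str], role_perms: Dict[str, Set[str]]) -> Set[str]:
    """Union of permissions across all of a user's roles (unknown roles grant nothing)."""
    perms: Set[str] = set()
    for role in roles:
        perms |= role_perms.get(role, set())
    return perms


def conflicts_for(perms: Set[str], rules: List[Rule]) -> List[Rule]:
    """Rules whose both permissions are present in one person's permission set."""
    return [(a, b, why) for a, b, why in rules if a in perms and b in perms]


def find_conflicts(user_roles: Dict[str, Set[str]],
                   role_perms: Dict[str, Set[str]],
                   rules: List[Rule]) -> List[Conflict]:
    """Detective control: every user/rule violation in the current state."""
    found: List[Conflict] = []
    for user in sorted(user_roles):
        perms = effective_perms(user_roles[user], role_perms)
        for a, b, why in conflicts_for(perms, rules):
            found.append((user, a, b, why))
    return found


def check_grant(user: str, new_role: str,
                user_roles: Dict[str, Set[str]],
                role_perms: Dict[str, Set[str]],
                rules: List[Rule]) -> List[str]:
    """Preventive control: reasons the grant would create a NEW SoD conflict.

    Leaves user_roles untouched; returns [] when the grant is clean.
    """
    current = user_roles.get(user, set())
    before = set(conflicts_for(effective_perms(current, role_perms), rules))
    after = conflicts_for(effective_perms(current | {new_role}, role_perms), rules)
    return [f"{a}+{b}: {why}" for a, b, why in after if (a, b, why) not in before]


if __name__ == "__main__":
    for user, a, b, why in find_conflicts(USER_ROLES, ROLE_PERMS, SOD_RULES):
        print(f"CONFLICT {user}: {a} + {b} ({why})")
    print("grant erin qa_release:", check_grant("erin", "qa_release", USER_ROLES, ROLE_PERMS, SOD_RULES))
    print("grant bob ap_clerk:   ", check_grant("bob", "ap_clerk", USER_ROLES, ROLE_PERMS, SOD_RULES))
```

Running the detective check over the sample data flags alice, carol, dave and frank; the preventive check refuses to add `qa_release` to erin's existing `warehouse` role but allows bob to take on `ap_clerk`. In practice a conflict that cannot be removed for staffing reasons is recorded as an exception with a compensating control (for example, a second-person review of the affected transactions), rather than silently left in place.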
A WHISTLEBLOWER WINDFALL?

SOX holds everyone, from CEOs to operations professionals, accountable for a firm’s financial well-being. All employees will be under the microscope to some degree, but so, too, will they be empowered to voice concerns about issues that may affect the corporate bottom line.

A case in point is Mark Livingston, a former Wyeth Pharmaceuticals compliance trainer who says that he was fired after reporting GMP compliance concerns to superiors at the firm’s Sanford, N.C. facility. The two sides disagree as to the nature of the dismissal, but Livingston has filed suit, claiming whistleblower protection under SOX Section 806 and arguing that the plant’s GMP issues were a direct threat to profits and shareholder value. A decision in the case could come late this year.

Should Livingston win, a precedent would be set, broadening SOX's whistleblower implications. Livingston says he’s been contacted by several individuals who claim to have been dismissed for raising GMP-related concerns and who are considering a similar course of action.

The case occurs during an era of consent decrees, fines and settlements, and whistleblower activity, Deloitte and Touche’s John Rhodes says. “Sarbanes will trend it upwards even more,” he says. Companies have responded by establishing anonymous reporting hotlines, developing comprehensive compliance training and codes of conduct, and dedicating more staff to compliance oversight and investigation.

Elizabeth O’Farrell, general auditor at Eli Lilly, agrees with Rhodes. Because of Sarbanes-Oxley and “all of the OIG activity” in general, she says, there is a heightened awareness on the part of both management and employees regarding compliance. On the whole, that’s a good thing, she says.

About the Author

Paul Thomas | Managing Editor