Making Sense of Sarbanes-Oxley | Pharmaceutical Manufacturing

SOX is moving from the executive suite down to the plant floor.

By Paul Thomas, Managing Editor

1 of 4 < 1 | 2 | 3 | 4 View on one page
Since it was thrust upon private industry two years ago, the Sarbanes-Oxley Act has given corporate executives plenty of sleepless nights. The legislative reform — enacted after scandals at Enron and Worldcom — was intended to lend amplified rigor and transparency to corporate financial accounting and reporting. It is doing just that.

But Sarbanes — aka SOX, SOA, or Sarbox — is more gray than black and white, particularly in Section 404, where it addresses the internal controls that top brass must have over their organizations (Box, below). Execs have scrambled to satisfy internal and external auditors, but, in many cases, they’re using Excel spreadsheets and archived emails, rather than any cohesive, automated approach.

“Firms have been completely overwhelmed,” says Richard Binswanger, director of special projects at Princeton Center (Pennington, N.J.), which provides software and solutions to leading pharmaceutical companies. “They’ve been saying, ‘We just want a passing grade and then be able to walk away.’" Binswanger adds, “The truth of the matter is, they’re still trying to figure it out.”

SOX burnout is already taking its toll. A recent study by Russell Reynolds Associates, Inc. (New York, N.Y.) found that turnover among CFOs at Fortune 500 companies rose 23% last year, largely due to SOX. Sarbanes carries with it severe penalties, even jail time, for individuals found responsible for their firms’ noncompliance. Already, some executives have called for clarifications and revisions of the legislation.

General frustrations, and the resources needed to comply with Sarbanes-Oxley, have forced management to rethink its approach, and manufacturing is now part of the picture. SOX isn’t just about finance and accounting anymore. It’s about any activity that might bubble up and impact the firm’s financial well-being — whether accounting fraud, a GMP irregularity, or a gross operational inefficiency.

As a result, everyone from plant operators on up — even suppliers — is viewed as a participant in compliance. Firms will need a collective effort to examine facilities for potential SOX risks, to monitor and address operations weaknesses that may impact the bottom line, to implement procedures and automated systems for analyzing and reporting activities with inherent risk.

A year of change

To date, few in the plant have been part of these efforts, unless they worked in IT. “What people did in 2004 was document existing processes and make sure controls were in place,” says John Hagerty, VP at AMR Research (Boston). “The IT people got the brunt of the work, even though they were brought in late.” The plant floor staff, if they felt SOX at all, did so “through the back door” via their contact with IT, he says.


To comply with Sarbanes-Oxley and reap its benefits, pharmaceutical companies must develop a proactive strategy. John Rhodes, managing partner of the pharmaceutical and life sciences division of Deloitte and Touche, suggests that pharmaceutical manufacturers do the following:

  • Create a culture that promotes risk management and allows employees to ask for help or identify an issue without fear of negative repercussions;

  • Develop a sustainable process to identify and communicate risks to the management team—which needs to be acutely aware of those risks;

  • Move beyond the reactive Sarbox compliance steps to more proactive risk mechanisms, such as early-warning detection systems and processes that enable the right levels of management to identify and respond to risks before there is financial or reputation loss. This is particularly key in the product supply chain;

  • Ensure Sarbanes sustainability by having someone in place to make sure that risk management programs are doing what they are designed to do;

  • Make regulatory compliance a full-time focus to ensure that risk is managed through all business processes—manufacturing, commercial and scientific.
However, this approach will change. 2005 is shaping up to be a year of major transition, experts agree, as executives, and their organizations, adopt comprehensive SOX strategies, automate processes, manage data, and train employees with an eye toward Sarbanes compliance.

“We’re miles ahead of where we were when we started,” says Elizabeth O’Farrell, executive director and general auditor for Eli Lilly and Co. (Indianapolis). “In 2004, with the sheer volume of sites and processes that we have, the effort to get the documentation we needed, and the subsequent testing and work with our external auditors, was huge. In 2005, we’re really asking, ‘How can we make this a sustainable process that really adds value to the business?’"

That’s being done in many ways, says O’Farrell. For instance, Lilly is working to further integrate its IT and documentation controls on a global scale, and is incorporating Sarbanes into training throughout the organization so that SOX compliance becomes embedded into Lilly’s organizational culture — as a sort of “financial GMP,” she says.

A mid-size company handling the transition is Millennium Pharmaceuticals, Inc. (Cambridge, Mass.). “We spent the first year pressure testing our systems, kicking tires and beating the bushes to see how we were doing things,” says Joel Goldberg, associate general counsel. There was never a sense of panic, says Goldberg, but there was a learning curve and costs and staff hours devoted to the effort. The firm engaged PriceWaterhouseCoopers as its implementation partner, as well as Ernst & Young, its external auditing partner, to help.

Millennium has undertaken a Sarbanes readiness project in which it has stepped up IT procedures and controls in several areas including information security and sourcing, modified its financial reporting procedures, and developed an internal audit function. It has also added Sarbanes-Oxley elements to its compliance training and code of conduct, Goldberg says.

1 of 4 < 1 | 2 | 3 | 4 View on one page
Show Comments
Hide Comments

Join the discussion

We welcome your thoughtful comments.
All comments will display your user name.

Want to participate in the discussion?

Register for free

Log in for complete access.


No one has commented on this page yet.

RSS feed for comments on this page | RSS feed for all comments