Making Sense of Sarbanes-Oxley | Pharmaceutical Manufacturing
May 2, 2005
Since it was thrust upon private industry two years ago, the Sarbanes-Oxley Act has given corporate executives plenty of sleepless nights. The legislative reform enacted after the scandals at Enron and WorldCom was intended to bring greater rigor and transparency to corporate financial accounting and reporting. It is doing just that.

But Sarbanes, also known as SOX, SOA or Sarbox, is more gray than black and white, particularly in Section 404, which addresses the internal controls that top management must maintain over their organizations (see "The Dreaded 404," below). Executives have scrambled to satisfy internal and external auditors, but in many cases they are doing so with Excel spreadsheets and archived emails rather than any cohesive, automated approach. "Firms have been completely overwhelmed," says Richard Binswanger, director of special projects at Princeton Center (Pennington, N.J.), which provides software and solutions to leading pharmaceutical companies. "They've been saying, 'We just want a passing grade and then be able to walk away.'" Binswanger adds, "The truth of the matter is, they're still trying to figure it out."

SOX burnout is already taking its toll. A recent study by Russell Reynolds Associates, Inc. (New York, N.Y.) found that turnover among CFOs at Fortune 500 companies rose 23% last year, largely because of SOX. Sarbanes carries severe penalties, including jail time, for individuals found responsible for their firm's noncompliance. Some executives have already called for clarifications and revisions of the legislation.

General frustration, and the resources needed to comply with Sarbanes-Oxley, have forced management to rethink its approach, and manufacturing is now part of the picture. SOX isn't just about finance and accounting anymore.
It's about any activity that might bubble up and affect the firm's financial well-being, whether accounting fraud, a GMP irregularity or a gross operational inefficiency.

As a result, everyone from plant operators on up, even suppliers, is viewed as a participant in compliance. Firms will need a collective effort to examine facilities for potential SOX risks, to monitor and address operational weaknesses that may affect the bottom line, and to implement procedures and automated systems for analyzing and reporting activities that carry inherent risk.

A year of change

To date, few people in the plant have been part of these efforts unless they worked in IT. "What people did in 2004 was document existing processes and make sure controls were in place," says John Hagerty, VP at AMR Research (Boston). "The IT people got the brunt of the work, even though they were brought in late." The plant floor staff, if they felt SOX at all, did so through the back door via their contact with IT, he says.
That approach is changing. 2005 is shaping up to be a year of major transition, experts agree, as executives and their organizations adopt comprehensive SOX strategies, automate processes, manage data and train employees with an eye toward Sarbanes compliance.

"We're miles ahead of where we were when we started," says Elizabeth O'Farrell, executive director and general auditor for Eli Lilly and Co. (Indianapolis). "In 2004, with the sheer volume of sites and processes that we have, the effort to get the documentation we needed, and the subsequent testing and work with our external auditors, was huge. In 2005, we're really asking, 'How can we make this a sustainable process that really adds value to the business?'"

That's being done in many ways, says O'Farrell. For instance, Lilly is working to further integrate its IT and documentation controls on a global scale, and is incorporating Sarbanes into training throughout the organization so that SOX compliance becomes embedded in Lilly's culture as a sort of "financial GMP," she says.

A mid-size company handling the transition is Millennium Pharmaceuticals, Inc. (Cambridge, Mass.). "We spent the first year pressure testing our systems, kicking tires and beating the bushes to see how we were doing things," says Joel Goldberg, associate general counsel. There was never a sense of panic, says Goldberg, but there was a learning curve, and costs and staff hours were devoted to the effort. The firm engaged PricewaterhouseCoopers as its implementation partner, as well as Ernst & Young, its external auditor, to help.

Millennium has undertaken a Sarbanes readiness project in which it has stepped up IT procedures and controls in several areas, including information security and sourcing, modified its financial reporting procedures, and developed an internal audit function.
It has also added Sarbanes-Oxley elements to its compliance training and code of conduct, Goldberg says.

Auditors will look kindly upon companies that understand the legislation's spirit, take clear steps to establish greater internal controls and oversight, and infuse SOX consciousness into their cultures. There is no one way to comply. "It's an essay, rather than a true/false test," says Binswanger.

Pharma has an edge

Pharmaceutical firms may have a leg up in addressing Sarbanes-Oxley. They're already regulated to the hilt, so what's another layer? Drug manufacturers have a traditional appreciation for compliance and documentation, says John Rhodes, managing partner of the pharmaceutical and life sciences division of Deloitte & Touche (Parsippany, N.J.). "What better companies could you find than pharmaceuticals to comply with Sarbanes?" he asks.

However, Rhodes notes that pharmaceutical firms' compliance and risk management efforts have historically been siloed. More recently, they've started to integrate these efforts and create structured communication channels for discussing and reporting compliance and risk issues. SOX dovetails nicely with this trend, Rhodes notes.

Another Sarbanes-Oxley driver within pharmaceuticals is that the industry can't afford any more bad press, Rhodes says. "Failure cannot be an option. It will be interesting to see what the marketplace implications will be for those who have problems," he says.

Forward-thinking execs envision SOX as a tool to be leveraged for enhanced oversight and control of operations, and for greater efficiency and profitability down the road. If pharmaceutical firms needed another excuse to implement quality initiatives, process analytical technologies (PAT) or robust data management systems with real-time capabilities, SOX is it. In fact, Sarbanes is "like Six Sigma in disguise," says Philip Say, solutions marketing director for mySAP ERP Financials.
Proactive drug companies will couple Sarbanes with 21 CFR Part 11 to streamline compliance efforts and use the enhanced data and controls to leverage efficiency and quality efforts. Sarbanes will force firms to align themselves not just around the regulatory obligations of the FDA but also those of SOX and the Securities and Exchange Commission.

Automate to control

To make Sarbanes-Oxley work to their advantage, firms will automate. They already have tremendous incentives to do so. AMR Research estimates that corporations as a whole will spend $6.1 billion this year to comply with Sarbanes, up from $5.5 billion in 2004. More than 70% of that total corresponds to hours spent by employees and hired consultants on compliance efforts. Those figures, says AMR's Hagerty, challenge finance and compliance professionals to find ways to let computers do the work.

SOX has prompted Millennium Pharmaceuticals to put in place automated controls for information security and to modify some standard processes to leverage existing systems, Goldberg says. It is using its Oracle system to verify proper commitment approvals, for instance.

The trick is implementing new systems that will be immediately compliant, says Deloitte's Rhodes. This concern has slowed SOX-related IT investment thus far, he says. The nonprofit IT Governance Institute has published guidance based on its COBIT control framework to map out the terrain for IT compliance with SOX. Nevertheless, plenty of gray area still exists, spelling opportunity for hardware and software vendors looking for a market niche that may not have existed prior to the legislation.

SAP has folded Sarbanes-Oxley into its overall portfolio, says Say, most notably in its Management of Internal Controls System (MICS). It recently signed a strategic reseller agreement with Virsa Systems to embed software in mySAP ERP for real-time monitoring of security controls and user authentication.
SAP is also leveraging its NetWeaver platform to attract new independent software vendor (ISV) partners with Sarbanes applications.

Eli Lilly has implemented SAP globally, which has been an advantage in addressing Sarbanes-Oxley, O'Farrell says. This is especially true from a 404 standpoint, since IT controls can be maintained and configured centrally.

Many major pharmaceutical firms were already using the TrackWise Quality Management System from Sparta Systems, Inc. (Holmdel, N.J.) prior to SOX. Now, says John O'Brien, senior sales engineer, they're configuring the software to fit their specific needs. A company working with PricewaterhouseCoopers, for instance, can tailor its control assertions to match those of the auditing firm.

Half of the contacts Sparta has had with its pharmaceutical clients this year have been Sarbanes-related, O'Brien says. That includes large firms making improvements for their second go-round and small and medium-sized firms looking for help in their first year of compliance.

RSA Security (Bedford, Mass.), a provider of employee ID and asset management solutions, has seen increased interest in several of its products, including the SecurID two-factor user authentication system, says Laura Robinson, the firm's compliance analyst. The system requires any employee seeking access to critical data or systems to present both a memorized PIN and a passcode read from a small hardware token, which changes every minute. A password stolen on its own is therefore not enough to gain access; an attacker would also need the current token code. Pharmaceutical firms have used the product for years to limit user access to key functions or secure locations, Robinson says, but now they're equipping anyone with access to SOX-critical data or systems.

Sarbanes requires a culture shift and a sustainable approach, Robinson says, and in this regard is "way beyond a Y2K effort."

IT will also serve Sarbanes from a training and communications standpoint. Pilgrim Software's (Tampa, Fla.)
SmartTrain, for example, automates employee certification related to job functions or policies and procedures, information that can easily be passed on to auditors. Firms have thus far been more interested in Pilgrim's broad applications for Sarbanes, such as its SmartAudit software, but are beginning to consider niche products, director of products Nikki Willett says.

Beyond your own walls

Chicago firm Fieldglass finds itself in the thick of the Sarbanes mix as a provider of workflow automation. It has helped pharmaceutical firms manage the procurement of temporary and contract employees and monitor and control their activities.

Sarbanes has changed the dynamics of the relationship between suppliers and client firms, says Fieldglass CFO Jim Holtsman. It forces suppliers to be much more responsible to customers, he says. "We're responsible for elements of their financial results." If an outsourced employee misreports information because Fieldglass technology did not ensure adequate controls, Fieldglass bears that responsibility, he says.

In turn, pharmaceutical clients want to know more about the inner workings of their vendor partners, says Holtsman, including key financial information. It's not enough anymore to offer a good product, improve efficiencies and drive down costs, Holtsman says.

Auditors will ask firms, "Are you extended beyond your own walls?" says Rhodes of Deloitte. Since problems with suppliers can curtail a company's ability to manufacture, auditors will seek reassurance that the standards and financial health of suppliers are equal to those of the firm itself, Rhodes says.

Looking ahead

There's a consensus that Sarbanes-Oxley expects too much from the firms it regulates, and that some modifications may be in order. "Some of the documentation and testing, especially the duplication of internal and external testing, tends to have less value versus the benefit," says O'Farrell of Lilly.
"Do we really need all the redundancy?"

Perhaps not, but O'Farrell and others agree that, ultimately, Sarbanes-Oxley will be more of a boon than a burden. "It'll start happening this year," Princeton Center's Binswanger predicts. "And it will happen because it has to," he says. Weaknesses in batch processes, IT security or documentation, if brought to light by SOX, could shake investor confidence and expose a company to financial risk. There will be pressure from the top to minimize that risk.

This means that the average line operator, chemist or maintenance manager will have to be SOX savvy, understanding how his or her actions and standard procedures relate to corporate profit or loss. Binswanger says workers can see this as an opportunity for growth. Sarbanes is "a real chance to capture a good understanding of how a company works," he says, not just for regulatory purposes, but to improve performance.
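The two-factor scheme described in the "Automate to control" section above (a memorized PIN plus a token code that changes every minute) is easiest to understand by verifying one. The Python below is an added example written for this page, not RSA's code: SecurID uses its own proprietary token algorithm, so the example uses the open HMAC-based construction of RFC 4226/6238 instead, with a 60-second step to match the description. The secret, PIN and timestamps are constructed demo values, and the `TwoFactorVerifier` class and its replay guard are this example's design, not a description of any vendor product. It shows the point the text makes and a caveat it does not: a stolen PIN alone is rejected, and so is a code that has already been used or has expired.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 60, digits: int = 6) -> str:
    """Time-based code (RFC 6238): the HOTP counter is the current time step."""
    return hotp(secret, int(at_time // step), digits)


class TwoFactorVerifier:
    """Checks a PIN + passcode pair: the memorized PIN is one factor, the
    time-varying token code is the other. Both must be right to pass."""

    def __init__(self, pin: str, token_secret: bytes, step: int = 60, window: int = 1):
        self.pin = pin
        self.secret = token_secret
        self.step = step
        self.window = window          # tolerate +/- this many steps of clock drift
        self.digits = 6
        self._last_counter = -1       # highest counter already accepted (replay guard)

    def verify(self, submitted: str, at_time: Optional[float] = None) -> bool:
        if at_time is None:
            at_time = time.time()
        if len(submitted) != len(self.pin) + self.digits:
            return False              # a bare PIN or bare code is not enough
        pin_part, code_part = submitted[:len(self.pin)], submitted[len(self.pin):]
        if not hmac.compare_digest(pin_part.encode(), self.pin.encode()):
            return False              # wrong first factor
        current = int(at_time // self.step)
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self._last_counter:
                continue              # a code for this step was already used
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected.encode(), code_part.encode()):
                self._last_counter = counter
                return True
        return False                  # no valid code inside the accepted window


# Constructed demo values (not real credentials): the RFC 4226/6238 test secret.
DEMO_SECRET = b"12345678901234567890"
DEMO_PIN = "1234"


def demo() -> dict:
    """Run the cases a practitioner cares about at fixed timestamps so the
    outcome is reproducible. Returns whether each attempt was accepted."""
    v = TwoFactorVerifier(DEMO_PIN, DEMO_SECRET, step=60, window=1)
    t0 = 125.0                                            # inside time step 2
    good = DEMO_PIN + totp(DEMO_SECRET, t0, step=60)
    return {
        "pin_and_current_code": v.verify(good, t0),                    # accepted
        "replay_same_code":     v.verify(good, t0 + 5),                # rejected: already used
        "stolen_pin_only":      v.verify(DEMO_PIN, t0 + 10),           # rejected: one factor
        "wrong_pin_good_code":  v.verify("0000" + good[4:], t0 + 10),  # rejected: wrong PIN
        "old_code_later":       v.verify(good, t0 + 180),              # rejected: step 5 now
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'accepted' if ok else 'rejected'}")
```

The `window` parameter is the usual trade-off: a wider drift tolerance means fewer help-desk calls when token clocks wander, but a longer lifetime for any code an attacker manages to observe. The `_last_counter` check is what stops a shoulder-surfed PIN and code from being replayed inside that window, and it has to live server-side per user.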
GET A GRIP ON SOX

To comply with Sarbanes-Oxley and reap its benefits, pharmaceutical companies must develop a proactive strategy. John Rhodes, managing partner of the pharmaceutical and life sciences division of Deloitte & Touche, suggests that pharmaceutical manufacturers do the following:
THE DREADED 404

The Sarbanes-Oxley Act is a massive document, but the section getting most of the attention within pharmaceutical manufacturing is Section 404, which requires companies to establish and maintain adequate internal controls over financial reporting. But what are those controls? The SEC has estimated that companies are spending more than five million staff hours trying to answer that question and establish 404 compliance. Most large firms have had to submit 404 filings with their most recent 10-K annual reports to the SEC. Smaller firms have until next year. Companies have gotten some help from COSO, the internal control framework published by the Committee of Sponsoring Organizations, a joint initiative of professional accounting and auditing associations, but have largely had to develop home-grown approaches based on their own business processes and structure.

"Initially, we didn't understand the sweeping implications that 404 was going to have on our resourcing and workload," says Elizabeth O'Farrell, executive director and general auditor at Eli Lilly. "We had a very strong internal audit program already, and we thought we'd just be able to build on that. As we got into it, we became aware of how big a project this was going to be in terms of documentation and testing," she says. "Unlike Y2K, it doesn't go away. You have to embed it into the organization."

The Sarbanes efforts currently underway at Millennium Pharmaceuticals are primarily in response to 404, says associate general counsel Joel Goldberg. When the company first began to address Sarbanes-Oxley two years ago, there were other issues, such as new listing and filing regulations for the SEC. Those were fairly straightforward to deal with, Goldberg says, unlike 404. "404 kind of encompasses a lot of things not directly stated in Sarbanes-Oxley," he says. "That means you actually have to change how you operate in some ways."
For Millennium, that has meant developing a new internal audit function, implementing enhanced automated systems for information security, and improving SOPs related to purchase orders and requisitions, and to inventory recognition and management.

The search for internal control will include the entire organization. "There are going to be certain people at all levels of the company responsible for maintaining controls," AMR Research's John Hagerty says. Shoddy inventory management in the plant, for example, would represent a Sarbanes flaw in need of mending. Top management will depend upon line operators and supervisors to recognize deficiencies and take the lead in correcting them. In this way, Sarbanes may work its way through the organization from the bottom up as well as the top down, and should enhance integration and communication between facilities and headquarters.

"Everyone is accountable now," says Philip Say, solutions marketing director for mySAP ERP Financials. "Individual process owners have to attest to the quality of their controls and their ability to prevent fraud around a particular business process. Each segment at a microscopic level gets signed off, and it gets rolled up to the department heads and all the way up the chain to the CFO, CEO and internal audit committee. By the time that data hits the committee, there should be a confidence that control is in place," he says.

Operations personnel, supervisors and middle managers can expect to participate in the following aspects of compliance:
A WHISTLEBLOWER WINDFALL?

SOX holds everyone, from CEOs to operations professionals, accountable for a firm's financial well-being. All employees will be under the microscope to some degree, but they will also be empowered to voice concerns about issues that may affect the corporate bottom line.

A case in point is Mark Livingston, a former Wyeth Pharmaceuticals compliance trainer who says he was fired after reporting GMP compliance concerns to superiors at the firm's Sanford, N.C. facility. The two sides disagree about the nature of the dismissal, but Livingston has filed suit, claiming whistleblower protection under SOX Section 806 and arguing that the plant's GMP issues were a direct threat to profits and shareholder value. A decision in the case could come late this year. Should Livingston win, a precedent would be set, broadening SOX's whistleblower implications. Livingston says he's been contacted by several individuals who claim to have been dismissed for raising GMP-related concerns and who are considering a similar course of action.

The case comes during an era of consent decrees, fines and settlements, and whistleblower activity, Deloitte & Touche's John Rhodes says. "Sarbanes will trend it upwards even more," he says. Companies have responded by establishing anonymous reporting hotlines, developing comprehensive compliance training and codes of conduct, and dedicating more staff to compliance oversight and investigation.

Elizabeth O'Farrell, general auditor at Eli Lilly, agrees with Rhodes. "Because of Sarbanes-Oxley and all of the OIG activity in general," she says, "there is a heightened awareness on the part of both management and employees in regards to compliance. On the whole, that's a good thing," she says.