|
|
|
February 2004 Vol. 1, No. 1 [Text-Only Version] |
|
Welcome to Focus Forward, the monthly newsletter of Tim Rosa Associates. Each issue of Focus Forward will feature a viewpoint on a critical customer topic. We'll focus on what's happening and what's coming down the line. These are issues that you've told us keep you up at night. Though we work with clients in the technology, healthcare, and financial services industries, we hope the newsletter will be informative to all. Our first issue discusses regulatory compliance and how important documentation is to developing and maintaining internal controls. R e g u l a t o r y C o m p l i a n c e: D o c u m e n t a t i o n I s K e y U.S. companies are required to certify that their internal controls-processes and procedures, along with associated documentation and training-comply with stringent federal regulations from the FDA (Food and Drug Administration) and SEC (Securities and Exchange Commission). In a recent global survey conducted by PriceWaterhouseCoopers of 160 senior financial services executives, 53% reported that reputational risk is the biggest risk their organization faces and 60% believe creating effective internal controls mitigates reputational risk.(1) For many companies, documenting processes and procedures can be expensive, time-consuming, and can distract them from their core businesses. Are you developing or enhancing internal controls? Are you developing the regulatory documentation on your own, outsourcing, or both? Can you meet the regulatory requirements? What about the filing deadlines? If not, how do you get started, avoid common pitfalls, and penalties? First, a little history... 2 1 C F R P a r t 1 1 : A B r i e f H i s t o r y The pharmaceutical and medical device industries are increasingly automating all stages of discovery, development, and manufacturing for new drugs and other medical products. In 1991, the industry requested that the FDA accept electronic records and electronic signatures for New Drug Applications. The FDA responded by issuing the rule known as 21 CFR Part 11 (Electronic Records/Electronic Signatures) in March 1997. Part 11 describes the technical and procedural requirements that must be met if a company chooses to maintain records electronically and use electronic signatures. What is the regulation's highest-level purpose? To ensure that electronic records and signatures are trustworthy, reliable, and compatible with the FDA's public health responsibilities. In a recent report released by Bain & Co., it costs $1.7 billion to develop a new drug, and just one compound now reaches the market for every 13 discovered and put in clinical trials.(2) So, non-compliance can increase both the risk and skyrocketing costs of new drug development. S a r b a n e s - O x l e y : A B r i e f H i s t o r y While the pharma industry has been dealing with Part 11, the CEOs, CFOs, CIOs, Boards of Directors, and Audit Committees of US-based public companies are dealing with the implications of the reporting obligations set forth in the Sarbanes-Oxley Act of 2002 (SOA). SOA was enacted largely in response to major corporate and accounting scandals involving some of the most prominent companies in the US. It establishes new or enhanced standards for corporate accountability and penalties for corporate wrongdoing. SOA intends to prevent accounting scandals and other reporting problems from recurring, and to rebuild public trust in corporate business practices and reporting. C o s t s a n d B e n e f i t s o f C o m p l i a n c e Some analysts who track FDA regulations believe the cost of Part 11 compliance could vary from $5 million to $400 million, depending on a company's size and requirements. The Pharmaceutical Research and Manufacturers of America (PhRMA), estimates the industry-wide cost of Part 11 compliance could reach $2 billion by 2006.(3) Analysts estimate the cost of SOA compliance for Fortune 500 companies will be between $2.8 million and $8 million annually per company. Even though the costs to industry to implement internal controls can be significant, there are also substantial benefits. Part 11 and SOA encourage companies to:
Recently, an IT Compliance Officer at one of our pharmaceutical clients learned some valuable lessons during a recent Part 11 documentation project. After working with Tim Rosa Associates, he discovered the importance of identifying the right people and processes upfront, defining the procedures to be documented, creation of templates early on to standardize and accelerate the creation of SOPs and related documents, and significance of lining up technical reviewers in advance. Our 3-D Process kept him and all the key stakeholders current every step of the way. By coincidence, his next project is to validate IT systems for SOA compliance, so his team can apply their new knowledge, immediately reducing the cost of their next regulatory project. S u m m a r y Although it might seem counter-intuitive, consumers and industry officials alike welcome the changes brought about by Part 11 and SOA. They promise to improve the safety of drugs, and increase the overall efficiency, productivity, and accountability of corporations. Without question, these new requirements place increased demands on some companies' executives and internal resources, as well as others involved in corporate reporting. But for many organizations, internal controls embed compliance and responsibility in people's roles more effectively than external regulations. Companies must actively manage and monitor compliance. If not, corporate risks and personal liability of executives can be significant. The key to successful compliance in the regulated space is internal controls. It's simply not enough to assume that established policies and procedures are being followed; they must be documented. In the words of one FDA official, "If you haven't documented it, it's as if it was never done."
 trosa@timrosaassociates.com 617.332.7895
|
|||||||||||||||
