Global growth Commercial operations Intellectual property (IP) protection Mergers and acquisitions (M&A) Operations Cybersecurity Potential scope and objectives: Potential scope and objectives: Potential scope and objectives: Potential scope and objectives: Evaluate assets analysis and IP identification Evaluate the strategic risk of the M&A to the organization Review the marketing strategy return on investment Review management’s cybersecurity program, including the • • • • Perform IP management gap analysis Assess the valuation, internal controls and synergies in due diligence Evaluate the impact of patent cliff (scenario analysis) strategy, governance and operating models in place to protect its • • • critical assets as well as respond to and contain cyber threats Perform an IP royalty audit Review the deal approval and close process Review the competitive landscape for new drugs and generics • • • Identify IP function process improvement Assess the post-deal integration Analyze technologies used to enhance marketing strategy Key questions to consider • • • Does the organization periodically evaluate cyber risk governance Evaluate partnerships and collaborations • Key questions to consider Key questions to consider • and perform an annual cyber risk assessment? Assess success of relevant KPIs to identified key risk indicators (KRIs) Does the organization have a full list of all trade secrets and Is there a predefined business case with the projected benefits • • • Is there a threat mitigation program in place? intellectual properties with risk exposure in new emerging markets? and costs to assess the M&A impact to the organization? • Key questions to consider Does the organization have an inventory of its highest value What are the current IP management policies, processes, systems, Do the buyer company and the engaged deal service provider • • • Is the company keeping pace with emerging technologies to assets and has the organization evaluated the use of highly tools and team structure? have a solid methodology, tools and team to perform financial • and operational due diligence and synergy validation? enhance marketing capabilities? sensitive data across the organization? Is there an audit provision in the contracts/agreements with the • Does the organization understand how its critical assets could be Is the company leveraging existing technologies to the maximum • joint venture investor, partnership, research and development Does the buyer company have the effective governance and • • extent possible to reduce costs and drive better KPIs? accessed or disrupted? alliance, vendor, distributor or licensee? related processes to manage the deal approval and close? Is there the necessary expertise to build an effective cybersecurity Are customer needs (centricity) taken into full account when • How is the dispute or litigation to be managed in overseas How does the organization or the deal service provider plan • • • developing the commercial strategy? program and respond appropriately to cyberattacks? countries with varied jurisdictions? to manage the post-deal integration covering governance, Is the cybersecurity program robust enough to adapt and Are multiple channels for collaboration being considered to • How does the organization manage the legal and reputation risk? organization, people, process and systems? • • maximize returns on investment and research, e.g., joint ventures? anticipate new types of cyber threats? Is there a well defined benefit realization plan to measure the • Does the cybersecurity team conduct periodic drills to prepare Are regulatory changes anticipated and built into strategic plans? • value of M&A? • Are the company’s capabilities (e.g., talent, technology) keeping for cyber incidents and are the necessary procedures in place for • incident response? pace with the rapidly changing industry? Does the cybersecurity team have effective metrics in place to Are the performance management expectations consistent with • • report on threat management and mitigation? the operational goals of the organization? Are any information security reviews performed on suppliers and • is there a formal process to follow up and close identified risks? 8 | How Internal Audit can help life sciences companies change with the times How Internal Audit can help life sciences companies change with the times | 9