Are you Ready for the Empowered Consumer?

Are you ready for the empowered consumer? How Internal Audit can help life sciences companies change with the times

Introduction Contents The traditional business model of life sciences companies is under unprecedented stress. Demographics and technology are Leading organizations know Introduction .............................. 1 converging to drive a once-in-a-lifetime transformation: as more that the Internal Audit Impact of a changing environment ............ 2 people than ever before are receiving care and chronic illnesses in function can leverage its core Navigating the new landscape ................ 4 an aging population threaten to reach pandemic proportions, competencies and its view consumers have access to devices and data that give them ever- across the enterprise to help The audits that matter ...................... 7 increasing control over their care. identify and assess the risks Conclusion ............................... 11 Across the board, there is an urgent focus on coordinated, lower-cost care with improved that matter. To help further outcomes. Taming escalating costs is essential: in the US, health care costs are expected the discussion, we asked to reach 23% of GDP, up from 17% in 2012,1 our life sciences sector while 13% of adults in the UK and 6% of adults 2 in France face serious challenges in paying their medical bills. At the same time, countries professionals to draw on their around the world are expanding access to health care, and a growing middle class in the knowledge and experience emerging markets is demanding more — and better — care. and develop a list of audits Given the volatility of the landscape and the velocity of innovation and information, it’s to consider. more important than ever for organizations to gain visibility into everything they do. At this inflection point for the industry, organizations that know their supply chain, understand the efficacy of their products and the health outcomes that result from their use, and know their partners and influencers will be best placed for success. Internal Audit (IA) will play an essential role in helping companies gain the visibility they need to succeed. With its ability to look across the enterprise, IA can help spot emerging issues, help sharpen the organization’s focus on compliance, drive efficiencies and add value to the business — all while continuing to provide the baseline assurance the organization requires. In particular, IA can serve the organization by developing audits that focus on the risks that matter. 1 “NHE Fact Sheet,” Centers for Medicare & Medicaid Services website, September 2014. 2 “Health Affairs Web First,” The Common Wealth Survey 2013, November 2013. How Internal Audit can help life sciences companies change with the times | 1

Impact of a changing environment More than 20,000 Seizing the opportunity presented by the evolution of patient- smartphone apps are centric technology, nontraditional competitors with new business models have entered the fray including telecommunications already available, with companies working to empower patients in managing their own more on the way. care, IT companies bringing the power of analytics to help improve patient outcomes, and large retail chains offering health care options to customers. Through social media and “mHealth” — smart mobile applications and devices, including wearable devices — patient self-management is moving closer to a daily reality. These apps and devices allow for remote monitoring and rapid access to clinicians when questions arise. A recent telehealth trial in the UK showed the promise of new technology: it reported a 15% reduction in doctor’s office visits, a 20% reduction in emergency admissions, a 14% reduction in the need for planned admissions and a striking 45% 3 reduction in mortality rates. More than 20,000 smartphone apps are already available, 4 with more on the way, and more than 45 million wearable devices are scheduled to ship in 5 2015, rising to an estimated 126 million units in 2019. And around the world, social media sites are connecting patients and providers in new ways. 3 “Whole system demonstrator programme: Headline findings — December 2011,” UK Department of Health, 5 December 2014. 4 Robert J. Szcerba, “Why Mobile Health Technologies Haven’t Taken Off (Yet),” Forbes website, 16 July 2014. 5 “Worldwide Wearables Market Forecast to Reach 45.7 Million Units Shipped in 2015 and 126.1 Million Units in 2019,” according to International Data Corporation website, 30 March 2015. 2 | How Internal Audit can help life sciences companies change with the times How Internal Audit can help life sciences companies change with the times | 3

Navigating the new landscape Six broad sector issues are increasing pressure on Research, discovery and Global growth Increased compliance risk the top and bottom line: Each issue affects the clinical trials others, and each organization will develop a unique mix of audits to address its particular situation. With stalling demand in mature markets, price pressures in Life sciences companies are focusing on global growth: they are But moving into these new markets presents an increased emerging economies and the “cliff” of expired patents a recent, looking to expand their presence and product offerings in emerging compliance risk, as do evolving regulations in developed and painful memory, effective research, discovery and clinical trials have markets. As the middle class grows in developing countries, they developing countries. Enhanced scrutiny from regulators is a given; if anything become more important. Price pressures are driving the are expanding access to health care to meet the demands of their the life sciences industry is the most targeted sector for US Foreign Reasearch, need for providers to find ever more efficient ways of developing increasingly affluent citizens. And as life expectancy continues Corrupt Practices Act (FCPA) enforcement, and actions by non- discovery and drugs while drug research and development (R&D) has become to increase across the globe, the aging populations in emerging US agencies are also on the rise, thanks to legislation such as the clinical trials harder than ever: even while only one candidate in thousands economies represent a growing market — and a potentially UK Bribery Act. Across all industries, while fraud risks are rising, will reach market approval, it remains impossible to identify with lucrative opportunity. standards are not; controls are frequently inadequate and deal due certainty which candidates in clinical trials will succeed. Targeted Organizations are looking to grow in emerging markets through diligence can be lacking. Regulators have responded by targeting Capital Operations therapeutics show immense promise, but with their use limited by organic growth; alliances with companies that already have a the executives of multinational companies. allocation management definition, organizations must spread the R&D cost over a much significant presence in the market; joint ventures, often with local As organizations expand their operations on a global scale, they smaller population. companies; and outright acquisitions. They are also working to are increasingly likely to face audits from the US Food and Drug At the same time, payers are increasing their scrutiny. They are determine the appropriate mix of products, both branded and Administration (FDA) to verify compliance with Title 21 of the US Risk looking for services that are broad and holistic and that span the generic, to address the needs of these markets, and refining their Code of Federal Regulations (21 CFR) and similar directives. To entire cycle of care. They are also evaluating the costs of specialty business models accordingly. cope, companies are placing a premium on the accuracy of vendor drugs carefully. information, communications and verification. They are also In response, companies are decentralizing their R&D functions investing in resources and tools to help them manage adherence to Increased Global and collaborating with others to increase productivity through not Commercial operations global, regional and local laws and regulations, including sanction compliance risk growth only traditional licensing transactions but also “pre-competitive” lists, embargo lists and export regulations. collaborations that focus on common efficiency issues such as clinical trial enrollment. They are also using big data analytics to improve Capital allocation Commercial their R&D portfolio decisions with an eye toward clinical effectiveness. Organizations are also taking a thorough look at their commercial operations operations. In part, this is due to the growing influence of payers in the life sciences ecosystem: they are partnering with providers Operations management to add value to the patient experience, and they are increasingly unwilling to allow their pharmaceutical partners to focus only on To make growth happen, organizations must be willing to invest; pharma-centric approaches. at the same time, they must meet shareholder expectations for Incentives are changing as the marketplace begins to emphasize dividends and share buybacks, especially given the increasing Top-line pressures are driving the need for increased efficiencies health outcomes. Value-based payment models are gaining currency, prominence of activist investors. The right mix of capital allocation across the value chain. Payers are seeking more discounts or and across the landscape there are emerging examples of care is vital. Organizations are aggressively evaluating their portfolios rebates from drug providers; cost containment is a top priority, and integration for complex illnesses and complex needs. Along the of both products and businesses and considering divestitures of value for money is a close second, if the focus on stricter coverage same lines, leading organizations are making evidence-based businesses that lack the appropriate scale or do not represent a criteria is any indication. decisions on which tests are needed in each patient’s case. strategic fit. They are seeking to improve their capital efficiency, reassessing capital structures, including debt, and exploring Leading organizations have responded by sharpening their Those decisions focus on “real world” evidence of cost and strategies to make the best use of cash “trapped” offshore. operations management. They are using shared services centers effectiveness, as companies adjust their commercial model to the and outsourcing to reduce costs and gain efficiencies in R&D, new reality. Organizations are also working to improve the way they manufacturing, supply chain, commercial operations and support. work with physicians, with an eye toward increased efficiency, and they are exploring “beyond the pill” business models to add value and fuel growth. 4 | How Internal Audit can help life sciences companies change with the times How Internal Audit can help life sciences companies change with the times | 5

The audits that matter How Internal Audit can help Some types of risks (e.g., procure-to-pay, vendor Operations management address these risks management) are common to every organization. But companies in the life sciences sector also face A strong internal audit function can help the organization thrive in very specific risks based on the industry’s unique Potential scope and objectives: this challenging risk landscape by integrating risk and compliance business and regulatory landscape. Here are some Assess the quality management system (QMS) in formulation audits designed to address sector risks that are • seamlessly into the rhythm of the business. development, manufacturing process and analytical process top of mind and could result in significant negative Evaluate the organization’s corrective and preventive actions By aligning its audit plans to key business issues and initiatives, IA • can leverage its deep assurance knowledge to provide the Board and impact for your organization. Evaluate key performance indicators (KPIs) that should be • management visibility into these risks and other pressing concerns. identified and used to monitor effectiveness of processes. These Internal Audit is uniquely placed to offer these insights because indicators can be derived during the development process of its enterprise-wide view, which allows IA to connect the dots and also from manufacturing experience. They can be used as across the entire organization. Leading organizations are taking enablers for continual improvement Research, discovery and Review the use of quality risk management that can facilitate advantage of IA’s strengths by treating the function as a trusted • strategic advisor. Keeping its feet firmly planted in the assurance clinical trials regulatory compliance to a substantial degree and also improve functions that represent its core competency, IA is adding value to quality of communication between industry and regulators Measure process capability life sciences organizations by focusing on the risks that matter. • Potential scope and objectives: Review procedures for continuous quality verification The audits that address these risks require a solid understanding • Evaluate compliance across the clinical trial ecosystem • Evaluate packaging and labeling compliance of the organization’s internal audit standards and approach; • Measure the overall cost of research and development and an understanding of the organization’s strategic objectives and • Key questions to consider business activities; robust, up-to-date technical IT knowledge; clinical trials Are the raw materials tested appropriately? Capture specification (OOS) events from laboratory testing in • strong analytical skills; and the ability to communicate clearly and • good laboratory practices (GLP) environments Are the suppliers evaluated and qualified? concisely. The appropriate mix of resources will vary based on the • organization and its IA bench strength. Are processes aligned with 21 CFR? Key questions to consider • Are past due corrective and preventive actions (CAPA) and Is good clinical practice (GCP) maintained? • • deviations properly identified and monitored? Are patient recruitment targets achieved? • Do the facility and its many departments (organizational units) Are good documentation practices followed for patient records? • • operate in a state of control as defined by the good manufacturing Is safety reporting (adverse events) done appropriately? practice (GMP) regulations? • Does the quality assurance (QA) department or unit routinely Have the contract research organizations (CROs) been paid as per • • the services rendered? review production records to make sure that procedures were Are there any protocol violations? If yes, what are the remedial followed and properly documented? • Are all written QA procedures current and approved? measures taken? • 66 | | HoHow Inw Intternal Audit cernal Audit can help lifan help life se sciencciencees cs compompanieanies change with the times change with the timess How Internal Audit can help life sciences companies change with the times | 7

Global growth Commercial operations Intellectual property (IP) protection Mergers and acquisitions (M&A) Operations Cybersecurity Potential scope and objectives: Potential scope and objectives: Potential scope and objectives: Potential scope and objectives: Evaluate assets analysis and IP identification Evaluate the strategic risk of the M&A to the organization Review the marketing strategy return on investment Review management’s cybersecurity program, including the • • • • Perform IP management gap analysis Assess the valuation, internal controls and synergies in due diligence Evaluate the impact of patent cliff (scenario analysis) strategy, governance and operating models in place to protect its • • • critical assets as well as respond to and contain cyber threats Perform an IP royalty audit Review the deal approval and close process Review the competitive landscape for new drugs and generics • • • Identify IP function process improvement Assess the post-deal integration Analyze technologies used to enhance marketing strategy Key questions to consider • • • Does the organization periodically evaluate cyber risk governance Evaluate partnerships and collaborations • Key questions to consider Key questions to consider • and perform an annual cyber risk assessment? Assess success of relevant KPIs to identified key risk indicators (KRIs) Does the organization have a full list of all trade secrets and Is there a predefined business case with the projected benefits • • • Is there a threat mitigation program in place? intellectual properties with risk exposure in new emerging markets? and costs to assess the M&A impact to the organization? • Key questions to consider Does the organization have an inventory of its highest value What are the current IP management policies, processes, systems, Do the buyer company and the engaged deal service provider • • • Is the company keeping pace with emerging technologies to assets and has the organization evaluated the use of highly tools and team structure? have a solid methodology, tools and team to perform financial • and operational due diligence and synergy validation? enhance marketing capabilities? sensitive data across the organization? Is there an audit provision in the contracts/agreements with the • Does the organization understand how its critical assets could be Is the company leveraging existing technologies to the maximum • joint venture investor, partnership, research and development Does the buyer company have the effective governance and • • extent possible to reduce costs and drive better KPIs? accessed or disrupted? alliance, vendor, distributor or licensee? related processes to manage the deal approval and close? Is there the necessary expertise to build an effective cybersecurity Are customer needs (centricity) taken into full account when • How is the dispute or litigation to be managed in overseas How does the organization or the deal service provider plan • • • developing the commercial strategy? program and respond appropriately to cyberattacks? countries with varied jurisdictions? to manage the post-deal integration covering governance, Is the cybersecurity program robust enough to adapt and Are multiple channels for collaboration being considered to • How does the organization manage the legal and reputation risk? organization, people, process and systems? • • maximize returns on investment and research, e.g., joint ventures? anticipate new types of cyber threats? Is there a well defined benefit realization plan to measure the • Does the cybersecurity team conduct periodic drills to prepare Are regulatory changes anticipated and built into strategic plans? • value of M&A? • Are the company’s capabilities (e.g., talent, technology) keeping for cyber incidents and are the necessary procedures in place for • incident response? pace with the rapidly changing industry? Does the cybersecurity team have effective metrics in place to Are the performance management expectations consistent with • • report on threat management and mitigation? the operational goals of the organization? Are any information security reviews performed on suppliers and • is there a formal process to follow up and close identified risks? 8 | How Internal Audit can help life sciences companies change with the times How Internal Audit can help life sciences companies change with the times | 9

Conclusion Increased compliance Capital allocation The traditional life sciences business model is facing a crisis of sustainability. The combination of rapidly growing demand and disruptive Potential scope and objectives: Potential scope and objectives: technology is forcing organizations to develop Conduct plant good quality practice (GxP) compliance Assess the risk/reward calculation new, untried and untested approaches. In this • • environment, IA will play a more important assessments Review information on which capital allocation decisions are based • part than ever before, not only in its Perform process audit validations • Conduct volatility tests of markets where capital is being • accustomed assurance role but also as a Assess the quality management systems allocated • Assess continuous compliance readiness Evaluate the model that is used to support business decisions for proactive function that helps the organization • • Review IT systems to validate and determine compliance uncertainty and risk assess and organize the risks arising in today’s • Evaluate the tools that are used to plan and assess capital needs Key questions to consider • turbulent risk landscape. Assess the risk criteria used to allocate capital (e.g., volatile and Are plants conforming to GxP compliance requirements? • • emerging markets) IA can become a trusted advisor to the Are quality management systems mature enough to • Key questions to consider organization by leveraging its view across the meet compliance requirements? organization and its knowledge of the industry Do profits exceed capital costs? Are CAPA systems focused on mitigating product • • while building on its core competencies. In deviation issues? Is the organization making the right investments? • earning a seat at the table, IA can help the Are data integrity protocols managed to meet the How long will the advantages last? • • organization survive and thrive in the new life compliance norms? Is the right portfolio of development and business initiatives • sciences environment. Do IT systems support the predicate rule conformance being built? • requirements? Are partnering structures that allow for ongoing collaborations • being created? Is scenario planning considering real options for capital • allocation being performed? Is the organization properly calibrating risk vs. reward? • Is capital allocated as effectively and efficiently as possible • across geographies and business units? “Internal Audit has a key role to play in helping organizations across the sector understand and act on the risks and opportunities inherent in the ever- changing life sciences landscape.” Michael J. O’Leary, EY Global IA Leader 10 | How Internal Audit can help life sciences companies change with the times How Internal Audit can help life sciences companies change with the times | 11

Want to learn more? Insights on governance, risk and compliance is an ongoing series of thought leadership reports focused on IT and other business risks If there’s no reward without risk, can risk be and the many related challenges and opportunities. These timely and topical publications are designed to help you understand the issues a good thing? and provide you with valuable insights about our perspective. Please visit our Insights on governance, risk and compliance series at Risk is a much more risky proposition than it used to be. New www.ey.com/GRCinsights. risks emerge every day as markets get disrupted, political instability interrupts supply chains and new technology Insights on governance, risk and compliance pushes boundaries across the risk landscape. Yet, while many October 2014 Harnessing the power organizations see risk as a negative, good risk management of data can actually help companies go faster. How Internal Audit can embed data analytics and drive more value For EY Advisory, a better working world means solving big, complex industry issues and capitalizing on opportunities to deliver outcomes that help grow, optimize and protect our clients’ businesses. We’ve shaped a global ecosystem of consultants, industry professionals and alliance partners with one focus in mind — you. Health reimagined: making sense of a Metrics matter: how Internal Audit can Harnessing the power of data: how We help you make incremental strategic decisions around world in motion help organizations assess performance Internal Audit can embed data analytics risk management to help your business strategy stay on ey.com/megatrends2015 measurement and drive more value course. We help you look at risk from all angles and across ey.com/IAmetrics ey.com/IAanalytics every part of the organization, including cybersecurity, supply chain, internal audit and risk assurance. Insights on EY | Assurance | Tax | Transactions | Advisory governance, risk Insights on Insights on and compliance About EY About EY’s Advisory Services governance, risk governance, risk October 2014 EY is a global leader in assurance, tax, and compliance and compliance Our global connectivity and understanding of your issue transaction and advisory services. The insights Improving business performance while managing risk is an increasingly complex business and quality services we deliver help build challenge. Whether your focus is on broad business transformation or more specifically on August 2014 June 2014 trust and confidence in the capital markets achieving growth, optimizing or protecting your business, having the right advisors on your and in economies the world over. We develop side can make all the difference. outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, Our 30,000 advisory professionals form one of the broadest global advisory networks of we play a critical role in building a better working any professional organization, delivering seasoned multidisciplinary teams that work with world for our people, for our clients and for our inspire us to ask better questions. We then co-create more communities. our clients to deliver a powerful and exceptional client service. We use proven, integrated Step up to the challenge Get ahead of cybercrime methodologies to help you solve your most challenging business problems, deliver a strong EY refers to the global organization, and may performance in complex market conditions and build sustainable stakeholder confidence for EY’s Global Information refer to one or more, of the member firms of the longer term. We understand that you need services that are adapted to your industry Ernst & Young Global Limited, each of which is issues, so we bring our broad sector experience and deep subject matter knowledge to Helping Internal Audit keep pace a separate legal entity. Ernst & Young Global bear in a proactive and objective way. Above all, we are committed to measuring the gains Security Survey 2014 Limited, a UK company limited by guarantee, and identifying where your strategy and change initiatives are delivering the value your Improve your business does not provide services to clients. For more with a volatile risk landscape innovative answers that enable you to develop a top-down, information about our organization, please visit business needs. ey.com. performance To find out more about our Risk Advisory services could help your organization, speak to © 2014 EYGM Limited. your local EY professional or a member of our global team, or view: ey.com/advisory All Rights Reserved. The leaders of our Risk practice are: Transform your governance, risk and EYG no. AU2558 ED none Global Risk Leader compliance program risk-based approach to transforming your risk management In line with EY’s commitment to minimize its impact on the environment, this document has been printed on Paul van Kessel +31 88 40 71271 [email protected] paper with a high recycled content. Global Risk Transformation Leader This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, Matthew Polak +1 412 644 0407 [email protected] tax, or other professional advice. Please refer to your advisors for specific advice. Area Risk Leaders environment. Together, we help you deliver better outcomes ey.com/GRCinsights Americas Amy Brachio +1 612 371 8537 [email protected] EMEIA Jonathan Blackmore +971 4 312 9921 [email protected] Asia-Pacific and long-lasting results, from strategy to execution. Iain Burnet +61 8 9429 2486 [email protected] Japan Yoshihiro Azuma +81 3 3503 1100 [email protected] We believe that when organizations manage risk better, the world works better. So, if there’s no reward without risk, can risk be a good Get ahead of cybercrime: EY’s Global Improve your business performance: Step up to the challenge: helping Internal thing? Ask EY. Information Security Survey 2014 transform your governance, risk and Audit keep pace with a volatile risk landscape The better the question. The better the answer. ey.com/GISS compliance program ey.com/IArisks The better the world works. ey.com/transformGRC Beyond borders: unlocking value Firepower fireworks: focus, scale and Maximizing value from your lines of defense: ey.com/beyondborders growth drive explosive M&A a pragmatic approach to establishing and ey.com/firepowerMA optimizing your LOD model ey.com/LOD 12 | How Internal Audit can help life sciences companies change with the times

EY | Assurance | Tax | Transactions | Advisory About EY About EY’s Advisory Services EY is a global leader in assurance, tax, In a world of unprecedented change, EY Advisory believes a better working world means transaction and advisory services. The solving big, complex industry issues and capitalizing on opportunities to help deliver insights and quality services we deliver outcomes that grow, optimize and protect clients’ businesses. help build trust and confidence in the capital markets and in economies the Through a collaborative, industry-focused approach, EY Advisory combines a wealth of world over. We develop outstanding consulting capabilities — strategy, customer, finance, IT, supply chain, people and leaders who team to deliver on our organizational change, program management and risk — with a complete understanding of promises to all of our stakeholders. In so a client’s most complex issues and opportunities, such as digital disruption, innovation, doing, we play a critical role in building a analytics, cybersecurity, risk and transformation. EY Advisory’s high-performance teams better working world for our people, for also draw on the breadth of EY’s Assurance, Tax and Transaction Advisory service our clients and for our communities. professionals, as well as the organization’s industry centers of excellence, to help clients EY refers to the global organization, deliver sustainable results. and may refer to one or more, of the True to EY’s 150-year heritage in finance and risk, EY Advisory thinks about risk member firms of Ernst & Young Global management when working on performance improvement, and performance improvement Limited, each of which is a separate legal is top of mind when providing risk management services. EY Advisory also infuses analytics, entity. Ernst & Young Global Limited, a cybersecurity and digital into every service offering. UK company limited by guarantee, does EY Advisory’s global connectivity, diversity and collaborative culture inspires its consultants not provide services to clients. For more to ask better questions. EY consultants develop trusted relationships with clients across the information about our organization, C-suite, functions and business unit leadership levels, from Fortune 100 multinationals to please visit ey.com. leading disruptive innovators. Together, EY works with clients to co-create more innovative © 2015 EYGM Limited. answers that help their businesses work better. All Rights Reserved. The better the question. The better the answer. The better the world works. EYG no. AU3391 1503-1415327 EC ED None. In line with EY’s commitment to minimize its impact on the environment, this document has been printed With 40,000 consultants and industry professionals across more than 150 countries, on paper with a high recycled content. we work with you to help address your most complex industry issues, from strategy This material has been prepared for general informational to execution. To find out more about how our Risk Advisory services could help your purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer organization, speak to your local EY professional or a member of our global team, or to your advisors for specific advice. view: ey.com/advisory ey.com Our Risk Advisory Leaders are: Global Risk Leader Paul van Kessel +31 88 40 71271 [email protected] Global Internal Audit Leader Michael O’Leary +1 585 987 4605 [email protected] Americas Risk Life Sciences Leader Sanjay Narain +1 212 773 7879 [email protected] Area Risk Leaders Americas Amy Brachio +1 612 371 8537 [email protected] EMEIA Jonathan Blackmore +971 4 312 9921 [email protected] Asia-Pacific Iain Burnet +61 8 9429 2486 [email protected] Japan Yoshihiro Azuma +81 3 3503 1100 [email protected]