Top risks in life sciences for internal audit in 2024

Adam Pajakowski, Mike Varney, Bo Qiu
2/14/2024
Life sciences organizations face unique risks. In this report, Crowe specialists offer insight on identifying and mitigating those risks.

In the rapidly evolving world of life sciences, 2024 is poised to bring forth a unique set of challenges and risks for the internal audit profession. This comprehensive report delves into the complexities of these risks, examining their potential impacts on life sciences organizations and shedding light on a future that, while unpredictable, can be navigated with a strategic approach, proactive measures, and solid internal audit plans.

In their pursuit of innovation and growth, life sciences organizations must confront a burgeoning landscape of risks, including technology disruptions, regulatory changes, and global operational complexities. A crucial pivot in managing these risks lies within the capabilities of the internal audit teams, who play a critical role in mitigating risks, determining compliance, and being a strategic partner to help enhance the overall efficiency and effectiveness of the organization. This report offers insights into the strategies internal audit teams can employ to help life sciences organizations better anticipate, prepare for, and mitigate potential risks.

Financial risk

Financial risk is a top concern for life sciences organizations. Because of recent and current economic conditions, limited access to capital, and pricing pressures, organizations have to do more with less. Life sciences leaders need to be aware of how various financial risks could cause potential problems for their organizations and how to mitigate them.

Capital funding

The initial public offering (IPO) market slowed in 2023 and early 2024, and capital funding poses a top risk for life sciences organizations of all types and sizes as they grapple with funding based on fluctuations in the economy. Many organizations are delaying funding (or IPOs) and seeking alternative sources such as private equity. In an environment in which elevated interest rates have made it more difficult for life sciences organizations to compete for capital, private equity funds are ready to deploy the cash on their balance sheets and offer an alternative source of funding. This type of funding and approach can bring other risks to the leadership environment and can lead to possible audits regarding those items.

Life sciences organizations operate on very thin margins to keep cash flows steady so they can extend their organizational life cycle, and financial planning, budgeting, and strategy are becoming even more critical. Organizations need to examine key third-party relationships for proper payments and billing in addition to reviewing budgets more frequently. Specifically, internal audit functions need to review processes regarding clinical trial spend, U.S. Food and Drug Administration (FDA) approval time, and expected revenue to efficiently manage risks.

Next steps for internal auditors:
  • Review clinical trial budgeting, spending, and compliance
  • Review third-party contract compliance, billing, and payment structure
  • Review financial planning and budgeting
  • Review operational spending, process, disbursements, and trends

Pricing and charge-backs

As it was in 2023, drug pricing is a top risk for life sciences organizations in 2024. Scrutiny of rising prescription drug costs led to the passage of the Inflation Reduction Act of 2022 (IRA), which, among other provisions, includes policies for managing the cost of prescription drugs. Drug manufacturers have long felt considerable pricing pressure, ranging from escalating rebates extracted by pharmacy benefit managers (PBMs) to potential “double-dipping” by covered entities claiming reimbursement under both Medicaid and 340B.

For products sold through wholesalers, charge-backs represent a top risk for life science organizations, and they are often one of the largest expenditures. As the volume of transactions resulting in charge-backs and related dollar value increases, so do potentially inaccurate billings from wholesalers. Life sciences organizations need to confirm that their wholesalers are operating in accordance with their contracts.

Next steps for internal auditors:
  • Review third-party contract compliance, rebates, and PBM contracts
  • Review financial planning and budgeting

Operational risk

Operational risks are a constant discussion for life sciences organizations. Lack of funding is one of the main financial factors that can lead to changes in operations. An uncertain balance sheet can result in lack of oversight or control over critical operational areas, such as supply chain, inventory, and key third-party relationships.

Vendor and supply chain management

Vendors and supply chain management continue to be focused risk areas. As organizations become leaner in headcount, reliance on solid vendor relationships will be key. Specific risk areas that likely will evolve in 2024 include vendor rebates, royalties, and security and privacy. In addition, due diligence processes for new vendors should be reviewed as an area of scrutiny as organizations merge, reduce headcount, and, potentially, operate under unclear timelines and metrics. Lastly, in the context of fast-tracked FDA approvals, if life sciences organizations do not set up proper supply chain functions for new product rollouts, they likely will continue to encounter issues with supply chain management.

Next steps for internal auditors:
  • Review sourcing, bidding, and inventory ordering
  • Model and test supply chain resiliency
  • Review contract compliance, including rebates, royalties, and volume-based discounts

Inventory management

Maintenance of inventory systems is an enduring challenge for life sciences organizations. Purchasing levels and excessive ordering that were problematic during the pandemic have decreased, but now organizations want to understand how much emergency or on-hand inventory is needed compared to normal inventory levels. Many organizations face the risk of inventory expiring versus not having enough on hand for just in time (JIT)-type purchases. As life sciences organizations become leaner and more frequently outsource these areas, inventory management will be a focus area for cost savings and efficiencies.

Next steps for internal auditors:
  • Review purchase order setup and processing
  • Review sourcing, bidding, and inventory ordering
  • Perform inventory management reviews, including JIT and automatic purchases and emergency levels

Contract development manufacturing organization relationships

As more organizations rely on outsourcing key functions such as drug development and manufacturing, the scrutiny of these relationships continues to rise. The focus is on the integrity of shared data and the level of review applied to that data. Can life sciences companies rely on the contract development and manufacturing organization (CDMO) data? Is it timely? In what manner is the data received? Are manual spreadsheets, which are prone to error and data quality issues, in use? Shared data – and protecting that data – is a critical and recurring topic for life sciences companies of all sizes, and regular reviews of key information received from CDMOs are needed.

Next steps for internal auditors:
  • Review CDMO contract compliance, with a specific focus on data storage, data transfer, key performance indicators (KPIs), access, and billing

Economic uncertainty

Amid economic uncertainty, rising operational costs, stiffening competition, ongoing patent expirations, evolving environmental, social, and governance (ESG) requirements, and increasing pressure on drug prices, life sciences organizations will need to navigate thoughtfully to be successful. In past years marked by economic uncertainty, drug development, clinical trials, and new drugs coming to market slowed down. By the time life sciences organizations were ready to invest and ramp back up, ingredients and manufacturing capacity were scarce. This situation led to drug shortages and affected patient care. By taking a proactive approach to such financial pressures, life sciences organizations can limit the impact of the issues they might encounter during periods of economic uncertainty. Organizations can focus on advancing commercialization of new products, sourcing strategically, applying data analytics of historical trends, and establishing strategic partnerships with CDMOs.

Next steps for internal auditors:
  • Review financial planning and budgeting procedures
  • Review operational spending, including process, disbursements, and trends
  • Audit supply chain resilience
  • Establish an emergency preparedness plan for physical and technology backup
  • Review contract compliance, with a specific focus on individual vendors or commodity and clinical trials

Strategic risk

Life sciences leaders can better understand strategic risks by implementing or strengthening an enterprise risk management (ERM) strategy. With limited access to capital, mergers and acquisitions (M&A) might become more prevalent, and organizations might want to divest parts of their portfolios. In addition, with recent innovations in technology and science, new products might enter the market, and understanding the impact these products might have can help guide the development of a strategic response.

Identifying and managing enterprisewide risk

Identifying and managing risks helps life sciences leaders mitigate potential negative events and identify potential opportunities. A comprehensive ERM framework consolidates and improves risk reporting to better identify, quantify, and manage key risks and implement the proper controls to eliminate or reduce threats. Understanding enterprisewide risks helps executives and internal audit functions view the risk universe and develop a strategy and audit plan unique to their organizations’ specific goals and objectives.

Next steps for internal auditors:
  • Review current ERM process
  • Understand risk appetite of the organization
  • Review internal audit approach as it relates to ERM

Mergers and acquisitions

M&A remains a viable transformation tool for life sciences organizations. Large pharmaceutical companies continue to pursue midsize biotech companies to expand business lines and services. Private equity firms are also acquiring innovative healthcare assets. With the slowdown of the IPO market, sale processes have emerged as an exit strategy for investors. In addition, with high interest rates creating a difficult financing environment, divestitures likely will become more important as a capital-raising mechanism. M&A activities introduce risks such as poor due diligence, overpaying, overestimating synergies, integration challenges, unexpected costs, faulty communications, and insufficient security. Proper valuation, strong internal controls over M&A, and technology implementation and integration can help mitigate these risks.

Next steps for internal auditors:
  • Review valuation process
  • Review controls, design, and testing of M&A process

Product innovation

In the life sciences industry, innovation is the process of using scientific knowledge and technological advancements to create new products, services, and processes that help promote human health and well-being. Innovation holds the potential to revolutionize the healthcare industry, improve quality of life, and foster economic growth. It involves the collaboration of scientists, engineers, healthcare practitioners, and business executives to develop solutions to help people live longer and healthier lives. However, when new products are developed, they might render previous products obsolete and potentially affect revenue negatively. Whether a new product with the potential to cannibalize an existing product is developed inside or outside of the organization, leaders need to be aware and ready to address that event. In addition, leaders need to consider supply chain impacts of new products. By employing data analytics, organizations can better measure the impacts of product cannibalization and develop strategies to address it.

Next steps for internal auditors:
  • Review internal controls for product planning, budgeting, and operations
  • Model and test supply chain resiliency
  • Review vendor management

Commercial risk

The value chain of life sciences companies is often global and complex, with many stakeholders involved in delivering lifesaving and life-enhancing therapies and products to patients. Inherent in such an intricate value chain are business models in which stakeholders require a cut of the end price as compensation for the services they provide. For life sciences organizations responsible for innovating, developing, and manufacturing such life-changing products, the challenge is doing so profitably, which can be difficult given the considerable external pressure, both regulatory and political, to lower costs.

Drug pricing pressure

The life sciences industry, particularly in the U.S., continues to face significant federal scrutiny as well as public pressure to better control costs and reduce pricing. The IRA is a result of such scrutiny. It is wide-ranging in nature and features several provisions aimed at regulating the pricing of drugs covered through government programs such as Medicare. The core tenets of the legislation include requiring manufacturers of certain drugs to engage in price negotiations with Medicare, imposing rebates under Medicare Part B and Medicare Part D for price increases that outpace inflation, and replacing the Part D coverage gap discount program with a new discounting program. While many of the requirements do not take effect for a few years, the industry has already recognized the profound impacts that the legislation might have, and some are challenging its legality. Regardless of the outcome of these efforts, public pressure likely will continue to result in more restrictive price controls across more jurisdictions, both at the federal and state levels.

Next steps for internal auditors:

  • Review controls, design, and testing of gross-to-net (GTN) processes
  • Review third-party contract compliance, specifically rebates and charge-backs

Gross-to-net accounting

GTN reserves are one of the largest estimates on financial statements, and many variables have a substantial impact on how they are accounted for, many of which are outside manufacturers’ control. Private health plans and the PBMs that negotiate on their behalf exercise significant leverage in managing access and use while extracting higher rebates from manufacturers. The IRA likely will intensify these pressures through the redesign of the Medicare Part D discount program, in which prescription drug plans will need to contribute a much larger share of overall prescription drug costs than they currently do for Medicare Part D beneficiaries. In turn, manufacturers can expect that PBMs will try to pass that additional cost back down to the manufacturer wherever possible, whether through formulary exclusion, step edits, or other negotiating tactics. With these ever-changing industry forces, reliably estimating and reporting GTN reserves becomes more challenging for life sciences companies. This situation is further compounded by the fact that much of the GTN estimation process still takes place in manual spreadsheets, with few automation solutions available.

Next steps for internal auditors:

  • Review controls, design, and testing of GTN processes
  • Review third-party contract compliance, such as rebates and charge-backs

Licensing and collaborations

Many companies depend heavily on other life sciences organizations to collaborate in research, development, manufacturing, and commercialization of products and product candidates. Substantial investment is often made up front to support the viability and success of these collaborative efforts that might or might not come to fruition. Reliance on third parties for critical activities such as drug development, manufacturing, and commercialization is an immense risk for life sciences organizations because, for the most part, they are not able to exercise much control over third parties. Failure by any key collaborator to complete agreed-upon activities on schedule or in accordance with expectations could create many adverse effects for life sciences organizations, including delays in product development, approval, manufacturing, or commercialization; suboptimal quality of service delivery or deliverables; supply disruptions; or noncompliance with legal and regulatory requirements or industry standards.

Next steps for internal auditors:

  • Review controls, design, and testing of licensing and collaboration processes
  • Review contract compliance, licenses and collaborations, financials, KPIs, access, and objectives

Clinical trial risk

Clinical trials are the lifeblood of many life sciences organizations. Having access to and managing clinical trials are critical to the success of the organization. However, clinical trials also pose many risks. Managing clinical trials is complex, as they involve many stakeholders who play a part in their operations and ultimately their success – patients, third parties, investigators, scientists, and procurement and accounting teams, to name a few. Managing risk across all trials and across all regions in which organizations operate is key.

Research and development

The discovery and development of new products, as well as the development of new uses for existing products, are core activities for many life sciences organizations. As patents on products expire and products lose market exclusivity, it is important for life sciences organizations to replenish their product portfolios with new and innovative products that address unmet medical needs among patients. In recent years, the way products are discovered and developed has changed considerably and in several different ways. First, treatments using precision medicine continue to grow rapidly, as does the use of artificial intelligence (AI) and machine learning technologies. Second, the COVID-19 pandemic, as well as the need for sponsors to execute clinical trials faster and improve the experience for patients and healthcare providers, prompted the increase and popularity of hybrid, virtual, and decentralized clinical trials. While these trial designs offer many benefits, they also raise risk considerations that could affect several facets of a trial, including site activation, patient enrollment, and the conduct of the clinical trial itself. Third, as many life sciences organizations begin to expand clinical trial operations across borders, they face new and evolving global risks that could affect core research and development (R&D) activities, such as clinical trial site selection, patient enrollment, and clinical trial portfolio management, among many others.

Next steps for internal auditors:

  • Review controls, design, and testing of R&D processes
  • Review R&D tax credits
  • Review third-party contract compliance

Clinical trial accounting

Managing clinical trial accounting is a singular challenge that nearly all life sciences companies encounter. As a significant estimate on financial statements, considerable pressure comes from multiple arenas to confirm that clinical trial accruals are reported accurately and reliably. This pressure is further compounded by the inherent risks and challenges of managing clinical trials, such as frequent changes to contracts and change orders, unreliability of data provided by third-party clinical research organizations, as well as the variable and opaque nature of investigator spend and the challenges of manually managing information through myriad spreadsheets.

Next steps for internal auditors:

  • Assess controls, design, and testing of clinical trial accounting process
  • Review financial reporting of clinical trials, including close process, trial balance access, and key accrual calculations

Reputational risk

Reputational risk is a threat to the name or standing of a business or entity. Reputational risk can occur directly because of company actions or indirectly because of an action from an employee or joint venture. Reputational risk management in the life sciences industry is pivotal amid tightening regulations, leadership changes, and growing reliance on third parties. As the world becomes more connected through technology, reputational issues can become widespread quickly. Most business risks can lead to some degree of reputational risks.

Ethics and leadership

Ethical risk typically arises from acts relating to conflicts of interest, fraud, and corruption. It can also include any risks that limit social, economic, and environmental progress. Ethical risk can also be in the form of pressure to compromise standards, misconduct, and retaliation. Generally, ethics violations happen at the middle- to top-manager levels. Ethics issues can also be geographically focused, with a heightened emphasis on regions that demonstrate higher risk.

Leadership risks sometimes involve senior leader mistakes that could damage the reputation of the organization. Because of the nature of their positions, leaders are naturally placed under a more focused lens. Decisions at the leadership level can be discussed with a group of peers to help achieve the best resolution for the organization. This due diligence can lead to a lower leadership risk when all outcomes are considered.

Next steps for internal auditors:

  • Review board of directors and committee structures
  • Conduct leadership sensitivity training
  • Review compliance program effectiveness

Operational

Operational risk emerges during the normal course of operating the business, such as supply chain, production, product quality, distribution, and anything that goes into the product or service a company delivers. Unaddressed or ineffective operational activities can affect company financials, and they can affect company reputation, too. Creating a road map can help address risks and decrease the overall possibility of a reputational impact. Organizations can decrease the likelihood of a negative reputational event by proactively addressing business- and industrywide operational risks as well as specific areas of risk.

Next steps for internal auditors:

  • Audit product marketing
  • Audit product return and customer complaint process
  • Review trade show policy and process

Cybersecurity

Cybersecurity is a major area of risk, especially in light of increased cyberattacks and data breaches that, if successful, can negatively affect a company’s reputation because of lost data or exposed intellectual property (IP). For example, ransomware attacks can cost a company a substantial amount of money in ransom payments, but lost sales, supply chain delays, legal penalties, and overall detriment to brand reputation collectively can surpass the original ransom demand.

Next steps for internal auditors:

  • Audit cybersecurity breach response preparedness
  • Audit breach reporting process
  • Review compliance program effectiveness

Environmental, social, and governance

ESG risks are coming into focus as organizations become more aware of their impact on society’s well-being. Companies are starting to measure their ESG and sustainability impacts to educate their stakeholders on how they are managing their risks and opportunities regarding sustainability concerns. As organizations identify their ESG impacts, they might change their business strategy, which can affect customer and vendor relationships. By some estimates, 83% of consumers think companies should be engaged in ESG best practices. As companies address ESG issues and listen to what customers desire regarding such initiatives, they might begin asking their current vendors about their ESG practices and researching their inputs to confirm that their ESG efforts are in line with their strategy. Companies can also search for new vendors that place a heightened focus on ESG quality and compliance. As the ESG environment matures and new regulations emerge, companies can take steps to identify and address ESG risks and opportunities.

Next steps for internal auditors:

  • Audit responsible sourcing assessment
  • Review diversity, equity, and inclusion initiatives
  • Audit supplier diversity reporting and process

Cyber risk

Cyber risk includes any risk of financial loss, business continuity disruption, or reputational damage that occurs because of the failure of one or more of the organization’s information technology systems. Cyber risk management is critical in the life sciences industry because these organizations handle personal health information (PHI), and many consumers depend on minimal disruptions for their treatment or care.

Cyberattacks

Cyberattacks come in many different forms and often lead to the loss of sensitive data, business continuity disruptions, and reputational damage, and they are becoming more common and costly. In 2022, 5.5 billion malware attacks occurred worldwide. According to IBM, the cost of healthcare data breaches averaged $10.93 million in 2023, the highest average across industries. These attacks include but are not limited to:

  • Phishing attacks, in which attackers attempt to trick employees into sharing sensitive information
  • Ransomware attacks, in which hackers encrypt a company’s files and data and demand payment for the encryption keys
  • Denial-of-service attacks, in which attackers flood critical websites or online services with requests, rendering those sites and services unavailable

Life sciences companies that fall victim to cyberattacks are at risk of regulatory penalties and of jeopardizing critical medical processes if the correct mitigation strategies are not implemented. During a clinical trial, companies prefer to digitize health records, which poses the risk of exposing participants’ PHI. Data breaches targeting PHI are a constant concern across the life sciences industry.

Next steps for internal auditors:
  • Audit key security policies and procedures
  • Audit inventory of valuable systems and data
  • Review security controls

Data loss

Life sciences companies process sensitive data such as the clinical trial subject PHI and organizational IP as part of R&D efforts. Regardless of the data type, it can be very easy for data to escape the environment – maliciously or accidentally. When protected data falls into the wrong hands, it loses value because it becomes corrupted and unreliable, and this loss of data integrity can lead to significant financial repercussions.

Many organizations struggle to implement effective data loss prevention (DLP) solutions due to the complexity of the data they seek to protect. However, a staggered rollout of a DLP solution can allow organizations to focus on their highest criticality data first. Regardless of the implementation strategy, rigorous testing of the DLP solution is recommended to verify that it restricts data that should not leave the environment while not flagging too many false positives that could interrupt operations.

Next steps for internal auditors:
  • Audit network- and email-based DLP technology
  • Determine if the solutions are tested and operate effectively

Lack of adaptation and updating of compliance frameworks

It is imperative for the life sciences industry to comply with a multitude of regulations, including the Health Insurance Portability and Accountability Act of 1996, the FDA’s guidance on cybersecurity, the Securities and Exchange Commission’s (SEC’s) cybersecurity disclosure requirements, and industry frameworks such as the National Institute of Standards and Technology (NIST) cybersecurity framework (CSF). As these regulations and industry standards are ever-changing, organizations must stay up to date with changes or be responsible for financial and reputational damages that result from noncompliance. Adopting a control framework that aligns with industry standards is vital to establishing compliance. Some examples include but are not limited to the NIST CSF, ISO/IEC 27001, and ISO/IEC 27002. Once a framework is adopted, compliance staff should continue to update that framework to avoid potential penalties. Any updates and changes to the framework must be clearly communicated and understood by all personnel to guarantee effectiveness.

Next steps for internal auditors:
  • Audit cybersecurity framework and applicable policies

Technology risk

Technology risk management is the ongoing process of continually identifying, analyzing, evaluating, and addressing risks associated with the technology that companies use to support their strategy, objectives, operations, processes, and people. Including technology in the scope and assessment of ongoing enterprise risk management initiatives can help confirm that the technology risk is considered appropriately and response plans are established for any potential vulnerabilities.

Information security

Information security risks originate from diverse sources, including cyberthreats, data breaches, and other security incidents that can affect the confidentiality, integrity, and availability of sensitive data or information. Sensitive data can include PHI, trade secrets, IP, and other confidential information. It is critical to assess attack vectors that malicious actors seek to exploit and confirm if proper identification and response mechanisms are in place to address potential loss of data.

Next steps for internal auditors:
  • Review penetration testing program
  • Review incident response processes
  • Review and audit data classification program
  • Review data and cybersecurity training

Cloud management

The cloud is an effective and secure method to store and manage sensitive information. Cloud service providers have access to robust cloud cybersecurity technologies, which might not be available to most companies on their own, that can better safeguard sensitive information. Despite its effectiveness in managing data, several risks, including unmanaged attack surfaces, insufficient access management, shadow IT, malware infections, zero-day exploits, and human error, all need to be considered and addressed as part of cloud management strategies.

Next steps for internal auditors:
  • Audit cloud security
  • Review configuration hardening
  • Review cloud management policies and procedures

Digital transformation risk

Digital transformation initiatives to create new or augment existing business processes, culture, and customer experiences can generate opportunities for growth and enhanced resiliency. However, rapid digital transformation also introduces new risks. With the perpetual development of technologies like AI, machine learning, internet of things, cloud computing, robotic process automation (RPA), and big data, threats are constantly evolving in scale and complexity.

System implementations

From simplifying processes and optimizing efficiencies to enhancing security and achieving a competitive advantage in the market, implementing the latest IT systems is a foundational element to an organization’s digital strategy. Yet transformative innovations can produce new risks when they do not get the attention they require.

The absence of a well-designed and well-executed project plan for system implementations can result in cascading impacts on key downstream processes. The consequences of ineffective implementations include inefficiencies, subpar integration, and compliance risk.

From an operational risk perspective, unforeseen inefficiencies can arise if organizational change management is not properly implemented throughout a project. Implementations of new systems and tools can increase time and effort to complete daily tasks if end users are not properly trained and if awareness and alignment with overall business and strategic objectives are not clearly communicated.

Incompatible system integration can result from a lack of due diligence as early as the vendor selection process or during the requirements gathering phase if the ability to integrate with other new or existing systems, such as cloud applications, payroll systems, and warehouse management systems, is not clearly defined. Confirming appropriate and secure communication among the various systems is critical to avoiding issues. Any deviations in system dependencies that require additional development should be defined and considered as part of the project and thoroughly tested to confirm security, confidentiality, availability, and integrity.

If compliance is overlooked, significant regulatory and reputational damages can result. Risk management plays a key role in mitigating compliance risk. Management should follow a sequential approach for developing and implementing controls by process maturity. Throughout each phase, it is important to internalize the components and customize deliverables to meet specific departmental and organizational goals. The approach should increase the efficiency of management’s efforts to implement an effective internal control environment over financial reporting, based on the SEC’s guidance for management and the auditing standards of the Public Company Accounting Oversight Board.

Next steps for internal auditors:
  • Conduct pre-implementation review (system development life cycle, data, security, process, and controls)
  • Conduct post-implementation review
  • Conduct integration and middleware review

Robotic process automation

RPA uses bots to facilitate and automate routine manual processes. While RPA has been a hot topic in recent years, its technical complexity has slowed its adoption. With recent advancements and lower-cost providers now available, RPA use is expected to continue throughout 2024. Some key benefits of RPA for the life sciences industry include:
  • Real-time analysis and decision-making to respond to emerging situations
  • Analyzing trends to address supply chain risks and availability of key drugs and medical supplies
  • Eliminating wasted time on manual tasks and opening up capacity to focus on competitive innovation

While it’s important to take advantage of automation’s benefits, it’s equally important to manage the risk of deploying this technology. Bots can be considered digital workers if proper controls are in place. As organizations continue to digitize processes through RPA, it is important to consider and address key risks by:
  • Segregating duties of digital workers by assigning a unique identity to each digital worker and developing a process to maintain segregation among functions
  • Preventing abuse and fraud by restricting access (similar to end users) and using privileged ID sessions only where elevated access is required
  • Establishing log integrity to confirm audit logging capabilities and implementing procedures to monitor activity regarding sensitive access

Next steps for internal auditors:
  • Audit RPA governance
  • Audit RPA security
  • Review data integrity
  • Audit RPA IT general controls
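As an added illustration of the three RPA controls listed above (one identity per digital worker, privileged activity only inside an elevated session, and tamper-evident audit logging), the following Python is example code written for this page, not the report's or any vendor's tooling; the bot names, identities, actions and the hash-chained log format are constructed assumptions.

```python
import hashlib
import json
from collections import defaultdict

def _digest(prev, record):
    return hashlib.sha256((prev + json.dumps(record, sort_keys=True)).encode()).hexdigest()

def chain_log(records, prev="0" * 64):
    """Hash-chain an audit log: each entry's hash covers the entry and the previous hash."""
    out = []
    for rec in records:
        prev = _digest(prev, rec)
        out.append({**rec, "hash": prev})
    return out

def verify_log(log, prev="0" * 64):
    """Recompute the chain; return the index of the first altered entry, or -1 if intact."""
    for i, entry in enumerate(log):
        prev = _digest(prev, {k: v for k, v in entry.items() if k != "hash"})
        if entry["hash"] != prev:
            return i
    return -1

def shared_identities(log):
    """Each digital worker needs its own identity; flag identities used by several bots."""
    bots = defaultdict(set)
    for e in log:
        bots[e["identity"]].add(e["bot"])
    return {ident: sorted(b) for ident, b in bots.items() if len(b) > 1}

def privileged_outside_session(log):
    """Privileged actions must run inside an approved elevated session for that identity."""
    active, findings = set(), []
    for e in log:
        if e["action"] == "elevate_start":
            active.add(e["identity"])
        elif e["action"] == "elevate_end":
            active.discard(e["identity"])
        elif e["privileged"] and e["identity"] not in active:
            findings.append(f"{e['bot']} ({e['identity']}): {e['action']} outside elevated session")
    return findings

# Constructed bot activity (not from the report): two bots share svc_rpa_01, and the
# last action is privileged but has no elevated session around it.
AUDIT_LOG = chain_log([
    {"bot": "bot-hr-01", "identity": "svc_rpa_02", "action": "elevate_start", "privileged": False},
    {"bot": "bot-hr-01", "identity": "svc_rpa_02", "action": "update_payroll", "privileged": True},
    {"bot": "bot-hr-01", "identity": "svc_rpa_02", "action": "elevate_end", "privileged": False},
    {"bot": "bot-ap-01", "identity": "svc_rpa_01", "action": "read_invoices", "privileged": False},
    {"bot": "bot-ap-02", "identity": "svc_rpa_01", "action": "modify_bank_master", "privileged": True},
])
```

Running `verify_log` over a copy of the log with one action edited returns that entry's index, which is the kind of evidence an auditor would want before relying on the log to monitor sensitive access.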

Artificial intelligence

AI has the potential to transform industries and day-to-day jobs, and the life sciences sector has only scratched the surface of its potential. AI could revolutionize nearly every stage of drug development, from drug discovery and diagnostics to clinical trials and supply chain operations. While the opportunities to transform the industry using AI are immeasurable, it is imperative that companies are aware of the risks and challenges to consider, including:

  • Data privacy. The use of sensitive PHI and IP is key to success in the life sciences industry. AI applications can use such confidential information to automate processes, which could risk exposing confidential and proprietary information. The rapid development of open-source AI tools such as generative AI could pose a threat to a company’s confidential data if appropriate mechanisms are not in place. Such privacy risks might exist through data access, data processing, and data retention.
  • Data bias and discrimination. The life sciences industry relies on immense quantities of data from patients, providers, and payers in drug development processes, which might inherently contain biases. Because AI tools use real-world information, data sets and algorithms must be designed to eliminate biases to generate the most value and eliminate adverse consequences.
  • Regulatory compliance. Several countries are in the process of drafting AI regulations and guidance frameworks; however, regulations are largely not yet in place due to the rapid technological advancements. The current regulations that exist include guidance in Canada and the European Union (EU), which serve as strong benchmarks for companies to consider, including Canada’s Artificial Intelligence and Data Act (AIDA) and the EU’s Artificial Intelligence Act.
  • Knowledge and skill gaps. With the rapid adoption of AI across the industry, there remains a large gap in the knowledge and skills needed to fully use the technology while maintaining a risk-averse mindset. While knowledge and skills are evolving to meet technological advancements, it is important to educate employees on best practices and on avoiding the risks that AI might pose. The first step in adapting to these changes is to develop and communicate policies regarding AI use within the organization.

Next steps for internal auditors:
  • Review AI policy and procedure
  • Review AI governance framework
  • Audit algorithmic fairness and bias

Workplace planning, retention, and succession risk

The workforce landscape has changed dramatically in the last few years. However, more recently, it seems that the workforce is on the tail end of the Great Resignation, and the job market demand for new personnel seems to be leveling out. As a result of the turbulent times, companies have started to investigate the causes and impacts of increased turnover, refine their recruiting practices, and take into account potential candidates' needs.

Recruiting, retention, and reduction

The recruiting difficulties many life sciences organizations face can be summarized into the following categories: headcount reduction, budget constraints, workplace culture, and talent not aligning to need. Specifically, within the small and medium-size life science companies, headcount reductions have been on the rise and have had a direct impact on the job market, causing companies to approach hiring cautiously, especially as readily available liquidity has been hard to find. Coupled with budget constraints as businesses balance candidate salary expectations with available financial resources, these factors have made the recruitment landscape more challenging.

Organizations are going through a transformation in which the available talent doesn’t always align with talent needs, which has raised concerns about retaining talent and maintaining a stable work environment. This disconnect is especially true for workforces that depend on the ever-looming results needed to continue to the next stage of product development, from R&D to release. It is a delicate balancing act to reduce costs and retain valuable talent. Employee retention is a pressing issue, and economic uncertainty creates an atmosphere of job insecurity. Companies must grapple with preserving a positive workplace culture and ensuring high levels of employee engagement amid these challenges.

Next steps for internal auditors:
  • Audit workforce planning process
  • Analyze talent retention
  • Review incentive compensation

Succession and transition planning

In the context of the evolving job market, companies are preparing for future talent needs. Identifying and developing internal talent for leadership roles is a priority. Supporting a smooth transition of knowledge and responsibilities from outgoing employees to new hires or internal successors has become essential. Companies are taking a proactive approach to succession planning to mitigate potential disruptions caused by headcount reduction and workforce changes. This strategic planning allows organizations to maintain continuity and minimize the impact of workforce fluctuations on their operations.

Next steps for internal auditors:
  • Review succession planning

Contact us

Adam Pajakowski, Principal, Consulting
Bo Qiu, Principal, Consulting
Mike Varney, Partner, Consulting