Originally Published June 2000
REGULATIONS & LEGAL AFFAIRS
Regulatory Due Diligence: An Ounce of Prevention
Conducting regulatory audits prior to any significant business transaction can save medical product manufacturers years of headaches, and potentially lots of money, too.
Jeffrey N. Gibbs
Due diligence audits are an integral part of modern business life. Companies are expected to conduct adequate due diligence reviews before entering into significant business transactions. For example, when one healthcare company announced last year that it would have to restate earnings because of a company it had acquired (causing the value of the company's stock to plunge by billions of dollars in a single day), the Wall Street Journal reported that "Several analysts wondered why [the company] hadn't conducted a comprehensive audit of the [seller's] operations prior to closing the deal."
The need to conduct meaningful due diligence audits applies equally to transactions involving medical device manufacturers. Understandably, such audits typically emphasize financials, intellectual property, and other key business factors. Assessing regulatory risks tends to be given less emphasis, sometimes with unfortunate consequences.
This article will explain why regulatory due diligence is important and give some guidance on how to conduct useful audits.
Why Audit Regulatory Compliance?
Regulatory audits should be conducted for the same basic reasons as other types of audits: they make good business sense, they can help companies avoid regulatory problems later on, and they can save money. Medical device manufacturers operate in a heavily regulated environment. A device company's ability to comply with FDA requirements can determine a company's profitability, or even its fate. A company that can't manufacture in compliance with FDA requirements, can't get approval from FDA, or can't market its products without running afoul of FDA is a good candidate for failure.
Acquiring a company that has significant regulatory problems can be a costly mistake. After Japanese drug manufacturer Fujisawa bought the American drug company Lyphomed, for instance, it sank $800 million into the company. Fujisawa discovered only after the deal closed that some of its new acquisition's product approvals had been based on fraud. Similarly, a leading device manufacturer had to take strong remedial measures to avoid being on FDA's "fraud list" after discovering that a company it had acquired had been less than candid with FDA.
These are dramatic but rare examples; the typical regulatory blemishes are more mundane and less expensive. Even so, they can range from being an unpleasant nuisance to a significant, time-consuming, energy-draining morass. Investing in a company because of a promising new product only to discover that the clinical studies were conducted improperly can mean losing a large part of the investment. Choosing a new contract manufacturing facility that then receives a warning letter from FDA for violations of the quality system regulation (QSR) can mean wasted time and resources.
Representations and warranties can help mitigate the economic impact when problems arise, but they are no substitute for spotting the flaws in advance. Once the business transaction has closed, attempting to recover from the seller for breaching "reps and warranties" can be a costly, contentious experience. The litigation initiated by Fujisawa to try to recoup some of its money resulted in more than 20 different court decisions. A company is far better off avoiding the problems in the first place.
Moreover, many "reps and warranties" rely on general promises, such as "the seller shall be in material compliance with all applicable FDA requirements." Collecting on such a vague commitment can be tricky. (Making sure that contracts contain appropriate regulatory clauses is another important, but often neglected, area.) Litigation and delayed payment are likely outcomes. Properly performed due diligence audits can allow the purchasers and investors to identify and target the regulatory issues that should be the subject of specific representations.
Regulatory due diligence audits are sometimes viewed as an unproductive expense. In fact, they can help the buyer save money. For example, regulatory weaknesses that are located in advance can be advantageously used in negotiations. The need for the buyer to correct regulatory problems, such as QSR noncompliance, can result in a downward adjustment in price. An alternative way to deal with regulatory problems that are uncovered during an audit is for money to be placed in an escrow account by the seller to pay for later regulatory fixes that may be necessary. This helps ameliorate the financial harm caused by the noncompliance. Even if identifying regulatory problems does not lead to better financial terms, it allows the buyer to make a more informed judgment about the costs and risks of the transaction.
While there are many good reasons to conduct regulatory audits, spotting fraud is not one of them. Regulatory audits are typically narrow in scope, short in duration, and not conducive to digging deeply. Competent fraud will be concealed well enough to escape detection during a standard audit. Fortunately, fraud in the device industry is a relatively rare phenomenon. However, device companies and investors making acquisitions can land themselves in many expensive regulatory predicaments short of fraud.
When to Audit
Device manufacturers enter into numerous types of transactions. Many of these transactions will not require any regulatory due diligence activities. However, given the economic and financial forces affecting the device industry, many companies will encounter situations that do call for regulatory due diligence. These events include buying other device companies, making large investments in device companies, entering into joint ventures or other significant commercial relationships, acquiring the distribution rights to devices (especially unapproved devices), and using another company's manufacturing facilities. When deciding whether a regulatory due diligence audit is needed, the company should ask itself the following question: If the other company has violated FDA requirements, how badly can we be hurt? If the buyer/investor could incur significant regulatory exposure as a result of the transaction, it should consider conducting a regulatory audit.
The question "when" has another component: at what point in time should the regulatory due diligence be performed? Sometimes, regulatory due diligence is conducted at the outset, as an integral part of analyzing the potential investment. This has several advantages. For example, if regulatory issues are identified, it leaves time for follow-up investigation. And if fundamental regulatory flaws are spotted, the company can evaluate that information before other resources have been expended. For example, if it is determined that the seller is unduly optimistic in predicting FDA approval of its device next year and approval is really at least three years away, the deal may no longer be of interest.
Conversely, conducting regulatory due diligence toward the end of the transaction can result in giving little weight to the auditors' findings. Once a transaction has considerable momentum behind it, the regulatory auditors are sometimes instructed to look only for "deal breakers." Significant regulatory headaches may be ignored with this type of directive, but the issues must still be dealt with later.
Auditing for regulatory compliance is sometimes perceived as a search for tiresome details. Yet if the audit hunts exclusively for large land mines that might derail the deal, the company may overlook smaller regulatory flaws that result in nasty, explosive FDA surprises later on. Needing to revalidate a manufacturing process or audit all the clinical investigators can be costly and painful. An audit earlier in the process is more likely to lead to financial terms that reflect these costs and also allow management to appreciate more fully what troubles it may be inheriting.
What to Look for
The scope of an audit will vary widely, depending on the specific circumstances. The audit of a proposed contract manufacturing site will focus on QSR compliance. A device company or venture capital fund considering an investment in a new company with promising technology will want to examine preclinical and clinical data carefully.
Auditors need to be adaptable. During the course of the audit, it is common for a particular document to trigger an entirely unexpected line of inquiry. For example, examining a standard operating procedure (SOP) for clearance of promotional materials might lead to reviewing sign-off sheets for advertisements, which might, in turn, reveal that off-label promotional information has been improperly posted on the company's Web site. Flexibility and inquisitiveness are important virtues for the individuals conducting the audit.
At the same time, it is very helpful for the buyer to identify in advance what major areas it needs to cover. Consider the purchase of a hypothetical device company with some marketed 510(k) products. The audit team may want to cover, at a minimum, the basic elements of regulatory compliance (see sidebar).
These elements may readily lead to additional issues that need to be explored in depth. For example, if a company distributes a financially important device under another company's 510(k) notice, the ability to distribute can be disrupted by a falling out between the companies. Under FDA regulations, the 510(k) holder, and not the distributor, controls the ability to commercialize the device. This is true even if the distributor is the manufacturer. Thus, the auditors would be well advised to review the contract and determine how secure the distribution rights are.
The types of questions and the complexity of the audit plan can expand quickly if the seller is also conducting clinical studies. The buyer will want to determine, among other items, how well the studies have been run, what the available data show, when the study will be completed, and the status of regulatory compliance (see sidebar).
The audit should also encompass international distribution. With the increasing importance of overseas sales, the audit should determine the status of the seller and its products outside the United States. The audit should also examine the likelihood of obtaining regulatory clearance for new products in key foreign markets. And if a device is being sold overseas, but not yet in the United States, a review of foreign data may yield useful insights into potential safety problems.
The audit may even stumble upon legal issues outside the domain of FDA. For instance, in reviewing marketing arrangements, an auditor might discover that physicians are receiving compensation for purchasing products. This arrangement may violate provisions of federal and state law, and be subject to heavy civil and criminal fines. The audit team needs to be alert to these ancillary but important issues.
Just as no two companies are the same, no two audits will be identical. Checklists need to be tailored to the individual circumstances. Nevertheless, by starting with a list of principal topics, the buyer can increase the likelihood of covering the most important topics.
Who Should Conduct the Audit?
Choosing the right set of individuals to conduct the audit is important. The composition of the auditing team depends on a number of factors, such as the nature and complexity of the transaction. In the hypothetical preacquisition audit discussed above, the buyer would probably want to have the seller evaluated both by regulatory affairs and quality assurance personnel. If clinical data are involved, then clinical affairs (or its counterpart) should also participate. If there are complex regulatory compliance issues relating to software (e.g., software hazard analyses), then a software expert could be brought in as well. Because of FDA's new rule regulating electronic recordkeeping, software expertise will become more important when doing comprehensive audits.
The size of the transaction matters. For a small, seemingly routine transaction, a team may not be cost-effective or necessary; a single person in regulatory affairs may suffice. However, if the stakes are higher or the seller's business potentially contains regulatory wrinkles such as a complicated history, multiple products, or drug-device combinations, more than one auditor should participate.
Different auditors will bring to bear different types of expertise and perspectives. A quality assurance employee may tend to focus on compliance with QSR, while a regulatory affairs employee may concentrate on different areas, such as advertising and whether FDA clearance was needed before the device was modified. Personality should also be factored in. An auditor who is abrasive and adversarial is less likely to dig up information than someone who is more congenial. Interrogative tactics don't work well during regulatory due diligence audits.
For large or complex transactions, the buyer should also consider bringing in outside experts. For example, if the impetus to buy a company comes from promising data in a clinical study and the buyer does not have an employee experienced in auditing clinical trials, the buyer should hire a clinical consultant to help out. By the nature of their profession, lawyers with a specialty in FDA regulations tend to be aware of some of the worst (and most costly) regulatory mistakes. They can also add a perspective and a skill set that complement in-house personnel and other team members (see sidebar).
Where to Conduct the Audit
The question of where to conduct the audit also depends on the scope and importance of the transaction. For some relatively simple transactions, a due diligence audit can be performed adequately through a review of documentation. For example, if the buyer wants to acquire a small company making Class I devices that are exempt from 510(k) and QSR requirements, there may be no need to travel. The seller may be able to supply the paperwork necessary to conduct a credible off-site review (e.g., registration and listing forms, complaint SOPs, medical device reports, trending reports, copies of the most recent complaint investigations, and so on).
However, if the seller's regulatory risks are more significant, a purely paper audit will not adequately substitute for an on-site inspection. Remote inspections suffer from several handicaps. Paradoxically, they can take longer. The buyer requests information, the seller responds with documents, which leads to new requests from the buyer. This iterative process can be very slow when coordinated from two or more locations. Also, paper audits do not promote thorough follow-up. Some of the most important observations can come from tracking a series of documents (e.g., a complaint leads to a corrective action, which leads to an engineering change order with a questionable decision not to submit a new 510(k)). This type of digging is much more cumbersome if the auditors are not on-site.
Furthermore, paper audits will not lead to personal disclosures. Sometimes, an employee at the audited company will candidly discuss the seller's regulatory strengths and weaknesses. When interviewed in person, employees may volunteer negative information about the seller. The chance to collect that type of information is largely forfeited when telephones, faxes, e-mails, and overnight deliveries replace face-to-face discussions. For any significant regulatory due diligence audit, the added insights of an on-site audit will outweigh the financial costs.
What to Expect
Just like other types of audits, regulatory due diligence audits are not foolproof. Even a modest-sized device company can present tens of thousands of document pages to review, ranging from complaints and engineering change orders to marketing materials and SOPs. Auditing even a small percentage of all documents is not feasible. Regulatory audits, by their very nature, review only a minute sample of all possible sources of information. One of the challenges is to select auditors who can make the most productive use of a limited sample and limited time.
A properly performed audit can result in uncovering potential problems and, equally important, analyzing their significance. It is unrealistic to expect the seller to be in perfect compliance. Finding regulatory deviations is easy; uncovering significant areas of noncompliance and assessing their relative importance is much harder. Putting the audit observations in context is critical.
The likelihood of conducting a useful audit grows if a skilled audit team is given sufficient time to review the key records at the seller's facility. What to do with the resulting information is a different issue. The decision to proceed with the transaction, and on what terms, ultimately belongs to management. However, if the ingredients for a successful regulatory audit are in place, the chances are much greater that management will receive the information it needs to make an informed and profitable choice.
Jeffrey N. Gibbs is a partner in the law firm of Hyman, Phelps & McNamara (Washington, DC).
Illustration by Sally Wern Comport/SIS



