Ensure your Life Science Company Survives Investor Due Diligence

By Robert Thomas, Audit Senior Manager, WithumSmith+Brown, PC and Christian Kelly, IT Auditor, Xantrion Inc. 

Congratulations! Your pharmaceutical, biologic, or medical device startup has developed a promising product, and you’re ready to raise a Series B round of funding. Read on to learn what experts Rob Thomas and Christian Kelly recommend to make it easier to pursue and obtain that critical next round.  

To convince venture capitalists, private equity firms, and banks to make a significant investment in your company, you need to give them confidence that:  

• Your company’s finances are transparent and compliant with US Generally Accepted Accounting Practices (US GAAP) 
• You’re taking appropriate steps to minimize cyber risks that would interfere with your operations, the accuracy of your financial information, and regulatory compliance 

The investor due diligence process invariably includes third-party audits of these areas. These audits are rigorous enough to require 3 to 12 months of preparation. That’s why we recommend starting to make yourself audit-ready now, before investors require it. Companies that struggled to organize and prepare for investor due diligence requirements in late 2021 may have missed their opportunity to raise capital now that markets have changed course in 2022.  

 Financial controls 

Financial audits typically uncover deficiencies around segregation of duties, basic accounting policies, lack of experienced personnel, and lack of technical accounting memos/understanding of early-stage investments. Here are Rob’s top recommendations for getting audit-ready from a financial controls perspective: 

1. Hire an experienced controller and/or chief financial officer to oversee the accounting function. This person is your accounting quarterback. They need to be able to understand the business and its challenges, develop and execute accounting policies, and hire or outsource key functions to others, such as accounting advisory or CPA firms. 
2. Establish proper segregation of duties. Established companies do this by hiring qualified individuals to prepare and review accounting activities and financial statements. Early-stage companies may do better to outsource many of these functions so that the controller or CFO can primarily serve as qualified reviewer. Done right, this can be cost-effective and efficient. 
3. Adopt accounting policies in accordance with US GAAP. Series B investors will expect companies at this stage to prepare financial statements on an accrual basis, with formal accounting policies in place. It is imperative to keep this in mind while following the two recommendations above. A qualified controller or CFO will be able to lead the charge in developing these policies, then consult with the audit firm when they are being implemented and when significant unusual transactions take place. This will avoid costly delays, often caused by the lack of technical accounting memos, when the time comes to provide timely audited financial statements.  
4. Implement advanced accounting software. At this stage, this is not required, but might be sensible depending on how quickly you intend to scale up, since changing accounting software is cumbersome and costly, and only gets more difficult as you grow. Moving to an advanced accounting software solution will improve segregation of duties and data security as well as allow the company to scale through commercialization. If an IPO is a consideration in the future, adopting advanced accounting software tools now will drastically improve the quarterly and annual filing process.  

IT controls 

IT audits typically uncover deficiencies around identity, endpoint, and critical vendor risk management because early-stage companies are understandably focused on advancing their product and keeping the lights on instead of investing in IT. Here’s what Christian recommends for getting audit-ready on the IT side as you pursue your next round of funding. 

1. Implement multi-factor authentication (MFA) everywhere to prevent criminals from accessing data and applications even when they have the password. MFA reduces the chance of an account compromise by a factor of more than 100. 
2. Implement Single-Sign-On (SSO) to extend security to all data and applications, especially if your IT infrastructure is all or primarily cloud-based. An additional benefit of SSO is quick, error-free employee onboarding and termination. 
3. Install remote monitoring, management (RMM), and patching software on endpoints  to patch and update endpoints automatically, and to regularly audit endpoint encryption and compliance with password and data policies. A study by Automax shows that 60% of enterprise data breaches in 2020 were traced to missing patches. As a side note, the earlier you implement this software, the less expensive and time consuming it is, since both scale linearly with headcount. 
4. Install Endpoint Detection and Response (EDR) software. It is more effective than traditional antivirus software against attacks that haven’t been seen before. The cost to implement this software also scales linearly with headcount. 
5. Install Mobile Application Management (MAM) software on phones, tablets and laptops. MAM enables a secure Bring Your Own Device (BYOD) policy and program that makes it safer for employees to use their personal devices at work. This is another cost that scales linearly with headcount. 
6. Implement password and data policies that meet regulatory and insurance requirements. More and more companies are struggling to renew their cyber insurance policies or experiencing sharp increases in premiums if they don’t have these kinds of policies in place. 
7. Hire a team that is trained to detect, respond, and recover from endpoint security issues around the clock. A recent Ponemon report found that detecting and containing a data breach faster can reduce the cost of a breach by $360,000 on average. 
8. Develop or flesh out a due diligence process for critical vendors. If one of your vendors isn’t investing as much effort as you are in application and data protection, all the time and money you’ve invested in security is wasted. A thoughtful vendor due diligence process will ensure your time and money is well spent. 

If you’re struggling with any of the recommendations above, consult with trusted individuals who understand the challenges you are facing at this stage of your company’s growth, such as your CPA, part-time CFO, or other operations advisors. If they can’t remove the obstacles you encounter on your road to additional funding, they can introduce you to other qualified advisors who can, like Rob (rthomas@withum.com) or Christian (ckelly@xantrion.com). In addition to helping ensure you don’t miss out on funding, these advisors will also prevent you from making more common yet costly mistakes.