sign in sign up
<<
Home , Internal audit

THE PRA CTICA L ASPECT

Mergers and Acquisitions, Should Internal Be Involved in Due Diligence?

Corporations today, especially large corporations, United States, a more proactive role for the internal find acquisitions to be a crucial means to achieve audit function in acquisition planning is suggested. Do you have their strategy. Depending on the strategic need, this Researchers observed, “Acquisitions and mergers something may include several desired outcomes: advancing often fail because insufficient attention is given to to say about this their footprint in current technology, abating conducting an organizational audit of the vendor article? competition by eliminating or undermining a prior to signing the deal.” 3 An international study promising start-up that could intensify competition conducted later found that the internal auditor’s Visit the Journal pages of the ISACA ® in the future, extending horizons of the company actual participation in and website (www.isaca. business, or simply fueling further growth when the specific acquisition planning was 27 percent and 4 org/journal) , find the company seems to stagnate. There are important 14 percent, respectively. article and click on benefits of acquisition generally not available the Comments link to through any other means, such as catching up with Does it make sense to involve internal auditors in share your thoughts. lost time in building competitive edge or harnessing due diligence? Here is an example. A Fortune 500 invaluable talent that otherwise would be organization decides to significantly improve its https://bit.ly/2O3BDPn inaccessible. strategic advantage by acquiring a five-year-old start-up poised for success. To do so, the acquiring Corporate (M&A) are company pays a fortune. In a matter of months, the considered significant, from both a strategic and an organization finds that its acquisition was a economic point of view, across almost all sectors of deceitful overture from the acquired organization’s the economy. 1 But the opportunities in acquisitions chief executive officer (CEO). He doctored the are enmeshed with risk that needs to be identified, financial numbers of his organization to make the assessed and mitigated. Not only hostile picture look rosy and attractive for acquisition. Vasant Raval, DBA, acquisitions, but also friendly acquisitions are time- Setting aside the dreams of getting ahead CISA, ACMA consuming and stressful and require an “army” of strategically, the acquiring organization had to Is a professor of people from the hierarchy and even record a material impairment charge, substantially, accountancy at outside to conduct due diligence and all of the acquisition , on the acquisition. Phony Creighton University prepare for the initial approach. Time and timing reseller agreements, back-dated transactions and (Omaha, Nebraska, USA). The coauthor of can be very critical to manage. To quote round-trip transactions were used to inflate two books on researchers: numbers, and the acquirer believed it all information systems was real. M&A is a complex process involving risk and security, his areas that ranges from financial and legal matters of teaching and Could this have happened if the acquiring research interests to sales and marketing challenges and organization included in its due diligence team its include information everything in between. Despite well- internal auditors? Clearly, if the problem was security and corporate established benefits of strategically driven detected early on, the buyer would have saved a governance. He can be expansion and integration of businesses considerable amount of grief and money that it reached at through M&A, the consolidated [email protected] . poured into this acquisition effort. As an acquiring organization exposes itself to a number of organization enters the due diligence phase, internal anticipated, unknown and unintended risk audit can assist in managing acquisition risk. Here Chandni Jalan, factors. 2 are some examples: CISA, CITP, CPA Can be reached at Based on a study of acquisitions made by British • Assess the current risk and control environment. [email protected]. companies both in the United Kingdom and in the Internal auditors can assess the makeup of the

ISACA JOURNAL VOL 5 13 current control structure from a risk viewpoint. environment, leading to a material weakness or a Enjoying For example, is there a disproportionately high significant deficiency. Continued training, timely this article? number of manual controls compared to completion of monthly fluctuation analysis, automated controls? Why? What if the control reconciliations and other high-level environment is not as strong as that of the controls are relevant here. Timely onboarding of • Read Should potential buyer’s? Auditors can assess what key stakeholders from the acquired organization is Internal Audit Be impact, if any, this may have on the due diligence critical to ensure that they understand the company Involved in Due and the bidding decision. culture, , and its commitment to Diligence? ethical and sound business practices. Also, www.isaca.org/ • Review results from internal and external encouraging open communication is critical, so any tools-and- audits to determine the current issues at the issues are discussed and resolved if and when they techniques organization. If management decides to assume are identified instead of “looking the other way.” • Learn more the risk and does not take steps to remediate a about, discuss given deficiency, it is important that the acquiring and collaborate organization understands the cost-benefit on IT audit tools analysis performed and what other entity-level ONCE THE and techniques compensating controls are in place that made in the Knowledge management comfortable that material ACQUISITION HAS BEEN Center . misstatements would be detected on a timely COMPLETED, AN www.isaca.org/ basis. it-audit-tools- INTERNAL AUDITOR • Assess the competency (knowledge, skills, and-techniques experience) and independence of key SHOULD BE ABLE TO process/control owners throughout the ASSIST IN ASSURING organization. THAT THE INTEGRATION Once the acquisition has been completed, an OF THE ACQUIRED internal auditor should be able to assist in assuring that the integration of the acquired organization into ORGANIZATION INTO the acquiring organization is effective and efficient. THE ACQUIRING For example: ORGANIZATION IS • Internal auditors can provide assurance that the acquired business is aligned with the EFFECTIVE AND organization’s control environment. How? This EFFICIENT. starts with a road map that lays out system integration, people integration and process integration, sets the time frame and describes What does the internal auditor bring to the table that how. A road map is key, as any acquisition takes others on the diligence team may not have? time to become integrated, particularly if it is a large acquisition. Depending on what the time line • Independence/objectivity —The internal auditors looks like, the buyer should ensure that it has would typically find themselves walking a fine strong entity-level controls that will cover the line. The control environment is management’s acquired organization as well, so any risk that responsibility, so the auditors need to carefully could lead to a material misstatement is properly determine the steps they can take to ensure that mitigated through those entity-level controls (until they do not impair their independence while still the acquired organization is fully integrated). being able to assist the organization in risk assessment and, if the acquisition materializes, in • The acquired organization may not be fully a smooth transition. The internal auditors should integrated for a few years. How does this impact be mindful of their role as advisors and not the assessment? In what ways would this impact assume a management role/responsibility, thus compliance with current regulations (e.g., the US avoiding being in a position of auditing their own Sarbanes-Oxley Act)? work later. For example, if a new system is • Internal auditors can ensure that the acquired implemented, the internal audit team can organization does not dilute the control brainstorm with the business/process owners to

14 ISACA JOURNAL VOL 5 ensure key risk factors are being considered and the business unit under acquisition consideration designs and implements proper controls to mitigate the risk. Internal audit can provide recommendations on the design, but should not design the control themselves as it is management’s responsibility.

• New systems and technologies at the acquisition target —If the target organization does not have a good IT map of the current environment, it could lead to several challenges for the acquirer, particularly if it is a line of business that is unique, complicated or one in which the potential buyer does not have much experience/expertise. At times, this is precisely the reason the organization is seeking to acquire the innovator. A comprehensive study of the role of internal auditing While the benefits may be nearly certain and during M&A has been conducted. 6 It classified the rather huge, attendant risk needs to be managed process of M&A into four stages—strategy to harness the gains. Internal auditors can development, due diligence, post-acquisition effectively assist in reviewing and, if necessary, integration and post-acquisition audit—and revising existing organization policies to cover the suggested best practices for internal auditors’ risk and to ensure that a feasible IT map, involvement in each stage. For example, the strategy extending several milestones beyond the development stage includes the practice of auditing acquisition date, is prepared and management the process used in assessing and managing risk and review of it is undertaken and documented. offering advice on systems and processes that could • Third-party at the acquisition reduce acquisition risk. In stage three, post- target —The acquisition target may be dealing acquisition integration, best practice would be to with its own network of third parties. It is prepare a checklist of activities necessary to actualize necessary to determine if the risk of having third expected value from the acquisition. parties on board for providing services or products is properly identified and systematically managed. If some risk materializes at the THE SKILLS THAT THE acquired organization level, cascading effects of the compromise could engulf the organization AUDITORS HAVE AND USE seeking the acquisition. This is the case of NORMALLY WITHIN THE vulnerability inheritances. 5 For example, at the organization under acquisition, weaker controls ORGANIZATION ARE around third parties (e.g., not having a proper EQUALLY APPLICABLE AND, of all third parties used; not requesting and/or reviewing Service Organization Controls PERHAPS, ADD MUCH [SOC] 1 reports, if applicable; finding that recent MORE VALUE TO NON- contracts and term agreements are not available) could certainly lead to financial exposure in cases ROUTINE ExERCISES SUCH where there are clauses that are binding and AS M&A. would carry over to the potential acquirer.

• Cost saving and organizational restructuring — These are typical pressures that emerge in the Perhaps because this is not a routine exercise in post-acquisition/integration stage. Internal internal auditing and forensics, the role of auditors auditors can anticipate some of these and in M&A is not a commonly held discussion. respond more effectively if they are also involved However, the skills that the auditors have and use in earlier stages of the acquisition process. normally within the organization are equally

ISACA JOURNAL VOL 5 15 applicable and, perhaps, add much more value to non- 3 Lees, S.; “Auditing Mergers and routine exercises such as M&A. If anything, the payoff Acquisitions—Caveat Emptor,” Managerial is likely much bigger and the opportunities to mitigate Auditing Journal , vol. 7, no. 4, 1992, risk that knocks at the door are truly worth assigning https://www.emeraldinsight.com/ to the audit staff. After all, they know their doi/abs/10.1108/02686909210012806 organization well and should be able to tell if the risk 4 Selim, G. M.; S. Sudarsanam; M. K. Lavine; of acquisition can be effectively managed. Prevention Mergers, Acquisitions, and Divestitures: Control here has huge value compared to the cure. and Audit Best Practices, The Institute of Internal Auditors Research Foundation, USA, Endnotes 2002 5 Raval, V.; S. Shah; “Third-Party Risk 1 Khazanchi, D.; V. Arora; “Evaluating IT Management,” ISACA Journal , vol. 2, 2017, Integration Risk Prior to Mergers and https://www.isaca.org/archives ® Acquisitions,” ISACA Journal , vol. 1, 2016, 6 Dounis, N.; “The Role of Internal Auditing During https://www.isaca.org/archives Mergers & Acquisitions: The European Union 2 Ibid . Experience,” The Institute of Internal Auditors Research Foundation, USA, January 2007

VIR TU AL INSTRUC TOR-LED TRAINING

CI SA EX AM PREP CO URSE 24–27 SEPTEM BER

CRI SC EXAM PREP CO URSE 22–25 OC T OBER

CI SM EXAM PREP CO URSE 8–11 OC T OBER

www .isaca.or g/ VIL T-Jv5

16 ISACA JOURNAL VOL 5