THE PRA CTICA L ASPECT Mergers and Acquisitions, Should Internal Audit Be Involved in Due Diligence? Corporations today, especially large corporations, United States, a more proactive role for the internal find acquisitions to be a crucial means to achieve audit function in acquisition planning is suggested. Do you have their strategy. Depending on the strategic need, this Researchers observed, “Acquisitions and mergers something may include several desired outcomes: advancing often fail because insufficient attention is given to to say about this their footprint in current technology, abating conducting an organizational audit of the vendor article? competition by eliminating or undermining a prior to signing the deal.” 3 An international study promising start-up that could intensify competition conducted later found that the internal auditor’s Visit the Journal pages of the ISACA ® in the future, extending horizons of the company actual participation in strategic planning and website (www.isaca. business, or simply fueling further growth when the specific acquisition planning was 27 percent and 4 org/journal) , find the company seems to stagnate. There are important 14 percent, respectively. article and click on benefits of acquisition generally not available the Comments link to through any other means, such as catching up with Does it make sense to involve internal auditors in share your thoughts. lost time in building competitive edge or harnessing due diligence? Here is an example. A Fortune 500 invaluable talent that otherwise would be organization decides to significantly improve its https://bit.ly/2O3BDPn inaccessible. strategic advantage by acquiring a five-year-old start-up poised for success. To do so, the acquiring Corporate mergers and acquisitions (M&A) are company pays a fortune. In a matter of months, the considered significant, from both a strategic and an organization finds that its acquisition was a economic point of view, across almost all sectors of deceitful overture from the acquired organization’s the economy. 1 But the opportunities in acquisitions chief executive officer (CEO). He doctored the are enmeshed with risk that needs to be identified, financial numbers of his organization to make the assessed and mitigated. Not only hostile picture look rosy and attractive for acquisition. Vasant Raval, DBA, acquisitions, but also friendly acquisitions are time- Setting aside the dreams of getting ahead CISA, ACMA consuming and stressful and require an “army” of strategically, the acquiring organization had to Is a professor of people from the management hierarchy and even record a material impairment charge, substantially, accountancy at outside consultants to conduct due diligence and all of the acquisition cost, on the acquisition. Phony Creighton University prepare for the initial approach. Time and timing reseller agreements, back-dated transactions and (Omaha, Nebraska, USA). The coauthor of can be very critical to manage. To quote round-trip transactions were used to inflate two books on researchers: accounting numbers, and the acquirer believed it all information systems was real. M&A is a complex process involving risk and security, his areas that ranges from financial and legal matters of teaching and Could this have happened if the acquiring research interests to sales and marketing challenges and organization included in its due diligence team its include information everything in between. Despite well- internal auditors? Clearly, if the problem was security and corporate established benefits of strategically driven detected early on, the buyer would have saved a governance. He can be expansion and integration of businesses considerable amount of grief and money that it reached at through M&A, the consolidated [email protected] . poured into this acquisition effort. As an acquiring organization exposes itself to a number of organization enters the due diligence phase, internal anticipated, unknown and unintended risk audit can assist in managing acquisition risk. Here Chandni Jalan, factors. 2 are some examples: CISA, CITP, CPA Can be reached at Based on a study of acquisitions made by British • Assess the current risk and control environment. [email protected]. companies both in the United Kingdom and in the Internal auditors can assess the makeup of the ISACA JOURNAL VOL 5 13 current control structure from a risk viewpoint. environment, leading to a material weakness or a Enjoying For example, is there a disproportionately high significant deficiency. Continued training, timely this article? number of manual controls compared to completion of monthly fluctuation analysis, automated controls? Why? What if the control balance sheet reconciliations and other high-level environment is not as strong as that of the controls are relevant here. Timely onboarding of • Read Should potential buyer’s? Auditors can assess what key stakeholders from the acquired organization is Internal Audit Be impact, if any, this may have on the due diligence critical to ensure that they understand the company Involved in Due and the bidding decision. culture, tone at the top, and its commitment to Diligence? ethical and sound business practices. Also, www.isaca.org/ • Review results from internal audits and external encouraging open communication is critical, so any tools-and- audits to determine the current issues at the issues are discussed and resolved if and when they techniques organization. If management decides to assume are identified instead of “looking the other way.” • Learn more the risk and does not take steps to remediate a about, discuss given deficiency, it is important that the acquiring and collaborate organization understands the cost-benefit on IT audit tools analysis performed and what other entity-level ONCE THE and techniques compensating controls are in place that made in the Knowledge management comfortable that material ACQUISITION HAS BEEN Center . misstatements would be detected on a timely COMPLETED, AN www.isaca.org/ basis. it-audit-tools- INTERNAL AUDITOR • Assess the competency (knowledge, skills, and-techniques experience) and independence of key SHOULD BE ABLE TO process/control owners throughout the ASSIST IN ASSURING organization. THAT THE INTEGRATION Once the acquisition has been completed, an OF THE ACQUIRED internal auditor should be able to assist in assuring that the integration of the acquired organization into ORGANIZATION INTO the acquiring organization is effective and efficient. THE ACQUIRING For example: ORGANIZATION IS • Internal auditors can provide assurance that the acquired business is aligned with the EFFECTIVE AND organization’s control environment. How? This EFFICIENT. starts with a road map that lays out system integration, people integration and process integration, sets the time frame and describes What does the internal auditor bring to the table that how. A road map is key, as any acquisition takes others on the diligence team may not have? time to become integrated, particularly if it is a large acquisition. Depending on what the time line • Independence/objectivity —The internal auditors looks like, the buyer should ensure that it has would typically find themselves walking a fine strong entity-level controls that will cover the line. The control environment is management’s acquired organization as well, so any risk that responsibility, so the auditors need to carefully could lead to a material misstatement is properly determine the steps they can take to ensure that mitigated through those entity-level controls (until they do not impair their independence while still the acquired organization is fully integrated). being able to assist the organization in risk assessment and, if the acquisition materializes, in • The acquired organization may not be fully a smooth transition. The internal auditors should integrated for a few years. How does this impact be mindful of their role as advisors and not the assessment? In what ways would this impact assume a management role/responsibility, thus compliance with current regulations (e.g., the US avoiding being in a position of auditing their own Sarbanes-Oxley Act)? work later. For example, if a new system is • Internal auditors can ensure that the acquired implemented, the internal audit team can organization does not dilute the control brainstorm with the business/process owners to 14 ISACA JOURNAL VOL 5 ensure key risk factors are being considered and the business unit under acquisition consideration designs and implements proper controls to mitigate the risk. Internal audit can provide recommendations on the design, but should not design the control themselves as it is management’s responsibility. • New systems and technologies at the acquisition target —If the target organization does not have a good IT map of the current environment, it could lead to several challenges for the acquirer, particularly if it is a line of business that is unique, complicated or one in which the potential buyer does not have much experience/expertise. At times, this is precisely the reason the organization is seeking to acquire the innovator. A comprehensive study of the role of internal auditing While the benefits may be nearly certain and during M&A has been conducted. 6 It classified the rather huge, attendant risk needs to be managed process of M&A into four stages—strategy to harness the gains. Internal auditors can development, due diligence, post-acquisition effectively assist in reviewing and, if necessary, integration and post-acquisition