The importance of an M&A internal controls framework | Deloitte US has been saved
By Stefan Ozer, Audit & Assurance Partner; Jim Traeger, Audit & Assurance Partner; and Kajal Shah, Audit & Assurance Partner, Deloitte & Touche LLP
Good news: M&A activity is once again showing signs of growth after declining in 2022 and most of 2023 following record activity in 2021 totaling more than $5 trillion in deal value.2 Companies that remained on the sidelines because of uncertainty with inflation and interest rates may now be considering growing their businesses through an M&A deal. If yours is one of them, now may be the time to revisit your internal controls and processes to understand what is in place to assess, record, and integrate an acquired company into your overall financial structure.
Ready to take the first step? Here’s some information to help you get started.
Merging two companies could bring a host of due diligence, governance, and financial reporting challenges. You will likely face increased expectations of management’s risk assessment and control documentation, new reporting requirements resulting from acquired entity operations, and business goals that have to dovetail with financial reporting objectives.
Addressing these challenges can be complicated. For starters, many companies have limited in-house technical accounting experience. They can also face challenges integrating complex legacy and acquired company systems, an inadequate governance structure to manage the merged organization, and unfamiliarity with the acquired company’s internal control and accounting frameworks.
Internal controls can be essential to overcoming these challenges. Let’s look at each stage of the M&A life cycle and how internal controls can help you reduce surprises and support long-term synergies.
Pre-acquisition due diligence
An important yet sometimes overlooked component of any M&A transaction is assessing the target’s governance, risk, and controls (GRC) environment. Understanding how a company is run and how the financial data flows into key reports helps determine how reliable the financial data is and substantiates other information uncovered in the pre-deal diligence. Without considering GRC in the diligence process, there may be unforeseen challenges and costs. Incorrect financial data could result in restatements, internal control deficiencies and related errors, and even the failure of the deal or increased costs due to the transaction.
Flipping the lens to the acquiring company’s internal control structure, the acquirer should have internal controls in place to properly account for the transaction once it has happened. Not having the necessary controls can lead to errors in purchase price allocation of the opening balance sheet.
Purchase price allocation and acquisition accounting
For many companies, M&A transactions are few and far between. That means they may not have documented controls to address risks related to a significant transaction. The scope of required controls may also vary from transaction to transaction. Internal auditors can advise management on risks associated with the transaction, including the extent of the work needing to be performed to ensure the amounts recorded in purchase accounting are complete and accurate, as well as evaluating any third parties supporting the transaction and the diligence completed around them.
Post-acquisition
Once the acquisition has closed, companies have an opportunity to take a fresh look at their GRC program. For example, misaligning on potential synergies could increase cost to comply long term and be a missed opportunity for long-term efficiencies. These types of transactions are opportunities to refresh and rethink your GRC program. Building out an integration road map that emphasizes efficiency, technology, and automation opportunities can potentially promote growth and collaboration for the combined organization.
Whether your company is a public or private entity, M&A may be a significant milestone for you. Developing and applying a strong internal controls framework during due diligence, purchase price allocation or acquisition accounting, and post-transaction integration is fundamental to help meet the expectations of specific stakeholders.
There is a lot to consider as you and your organization work through the internal control considerations related to mergers and acquisitions. To learn more about the role of internal controls in the M&A process, read our recent article. And please don’t hesitate to reach out to us to discuss further.
An important yet sometimes overlooked component of any M&A transaction is assessing the target’s governance, risk, and controls (GRC) environment. Understanding how a company is run and how the financial data flows into key reports helps determine how reliable the financial data is and substantiates other information uncovered in the pre-deal diligence.
Endnotes
1 Deloitte, Regional webcast series titled Internal controls for M&A transactions, October 2023. Combined, more than 1,360 C-suite executives and senior leaders were polled online during the East, Central, and West region webcasts.
2 Joshua Fineman, “UBS sees pickup in mergers and acquisitions next year,” Seeking Alpha, November 12, 2023.
Stefan is an Audit & Assurance partner with Deloitte & Touche LLP, based in Charlotte, NC. He serves as our east region governance, risk, and controls (GRC) leader within our Accounting and Reporting Advisory business and has extensive experience in public accounting providing audit and risk services to many of Deloitte’s largest clients across a variety of industries, including industrial products, manufacturing, power and utilities, technology, and healthcare. Stefan primarily leads and provides advisory services to clients on SOX readiness (including IPO and SPAC transactions), process transformation, modernization, control design and optimization, rationalization, compliance, gap analysis and deficiency remediation, post-merger integrations, and internal audit services. Stefan also spent three years in our firm’s National Office leading multiple efforts including internal controls, data analytics, risk assessment, and statistical applications. Stefan specialized in internal controls consulting on highly technical matters from our most complex clients around the world, responding to regulatory matters, and various facets and uses of emerging technologies.
Jim is an Audit & Assurance partner with Deloitte & Touche LLP, based in Houston, TX. He serves as our central region governance, risk, and controls (GRC) leader within our Accounting and Reporting Advisory business. Jim has more than 26 years of experience with a particular focus on the oilfield services, manufacturing, and retail sectors and has served a wide range of publicly traded and private companies. He has extensive experience providing external audit and advisory services, including U.S. GAAP and industry-specific oversight, SEC financial reporting, and Sarbanes-Oxley (SOX) internal control readiness and attestation services to a variety of companies. He has led his clients through such challenges as mergers and acquisitions, divestitures, impairments, and recapitalization efforts. Over the course of Jim's career, he has served some of the firm’s largest and most complex multi-national clients as well as small and mid-market and start-up private entities. Jim holds a Bachelor of Science in Accountancy from California State University in Fresno, CA. He is a Certified Public Accountant (CPA) in the state of Texas.
Kajal is an Audit & Assurance partner with Deloitte & Touche LLP, based in San Jose, CA. She serves as our west region governance, risk, and controls (GRC) leader within our Accounting and Reporting Advisory business. Kajal brings more than 17 years of combined work experience in external audit, Sarbanes-Oxley (SOX) compliance, internal audit, investment banking and tax advisory at multinational organizations. In her current role within Deloitte’s Accounting Advisory and Transformation Services business, Kajal focuses on overall risk management including SOX readiness, SOX co-sourcing, operational internal audit, enterprise risk management (ERM), mergers and acquisitions (M&A) related internal controls, material weakness remediation, general IT controls, internal controls related to ESG, SOX modernization, automation, and other relevant areas. Kajal has been interviewed on SOX and internal control matters by business journals and has also co-authored various Deloitte thoughtware around GRC. Prior to her current role, she worked as an internal audit professional at several multinational companies. Kajal received her bachelor’s of commerce from University of Mumbai, India, is a Chartered Accountant from India, and a CPA in California.