Internal controls during M&A transactions has been saved
Perspectives
Internal controls during M&A transactions
How sufficient controls and processes can expedite the deal
Given the importance of merger and acquisition (M&A) transactions, companies typically expend considerable effort on the financial and synergy sides of the deal. What may be overlooked, however, are the proper due diligence, risk assessment, and internal controls needed to assess, record, and integrate the acquired company into the overall financial structure of the acquirer. This could be a differentiator as you define long-term success.
M&A deals consistently involve finances, due diligence, combined advantages and integration. However, it is important to not ignore the value internal controls and processes contribute to a suitable and successful financial merging of the acquired or incorporated businesses, as well as managing the accounting that goes into the original recording of the transaction.
Whether public or private, it is important companies focus on internal controls and processes or they may face concerns from a range of stakeholders including regulatory bodies, shareholders, management, boards and audit committees. That’s why management should have a thorough understanding of the financial, operational, and control-related risks, at both the target and the acquiring entities. Thinking through these considerations before, during and after the acquisition can help facilitate a smoother transaction with reduced risk.
Read the blog story on this, "The importance of internal controls in mergers and acquisitions."
When a potential M&A target is identified, management must understand and plan for the mitigation of potential risks. Including those responsible for SOX compliance in the decision-making process can help prevent future issues including identifying the often-overlooked need for an assessment of the target's Governance, Risk, and Control (GRC) maturity.
During the due diligence phase, it's key to undertake certain activities from a GRC perspective, preferably in a pragmatic way. These include performing a risk assessment of the target company to understand its potential material impact and risks on the combined entity. It also involves understanding the target's internal control environment, including its business process controls and technology stack. Assessing the quality of the target's current control environment and understanding its IT environment should also be integral to the due diligence process. These GRC activities provide insights into the target's operations, help identify potential red flags, and enable management to estimate future compliance costs and complexities more accurately.
To enhance value from M&A activities, it's important for the acquiring entity’s management to understand the role internal controls play in valuation and purchase price accounting, beginning with understanding regulatory requirements. The acquirer should design relevant controls over the proper recording of the acquisition and subsequent activity related to acquired balances. This includes assessing the appropriateness of the financial information provided by the acquired entity. Despite differing requirements between public and private entities, a robust risk assessment process and strong acquisition-specific controls should be considered after a material transaction to further support future control implementation. Areas of relevance for internal controls include risk assessment procedures, opening balance-sheet controls, controls over valuation report and purchase price allocation, and financial reporting controls. Proper documentation of key assumptions and early alignment with the external auditor are beneficial for long-term effectiveness and sustainability of the acquired entity.
During the close of an acquisition, companies have an opportunity to harmonize their risk assessment efforts beyond simply combining existing frameworks for internal controls over financial reporting (ICFR). This may require a fundamental change in mindset of the financial reporting team in terms of process, risk, and control, but also legal, treasury, human resources, and payroll departments.
Post-acquisition common pitfalls include attempting acquisition-related SOX implementation with existing staff or technologies or downsizing operational roles that can create compliance risks or technology-related issues. In fact, any planning for SOX compliance post-acquisition must consider technology systems, as well as anticipated changes to these systems. IT issues can cause a variety of controls challenges and serious delays. That’s why a comprehensive strategy would consider a risk and control culture, undertake robust risk assessment and scoping, define and select the appropriate operating model and resources, and explore opportunities to modernize and automate systems, thus examining risk and internal controls in their widest scope.
A key call out for Internal Auditors: Read our “Navigating new obstacles during mergers and acquisitions transactions” report, which may be of particular interest to those involved in the smooth execution of M&A transactions, especially as assessors of the governance, risk, controls of the target company.
Contact us
The services described herein are illustrative in nature and are intended to demonstrate our experience and capabilities in these areas; however, due to independence restrictions that may apply to audit clients (including affiliates) of Deloitte & Touche LLP, we may be unable to provide certain services based on individual facts and circumstances.
Authors
Contributors
Corrie Sparks |
Ross Hargis |
Jack Dean |
|
Recommendations
SOX and internal control over financial reporting services
SOX program needs addressed with people, processes, and technology
Discover Deloitte’s cosource services for accounting and reporting
See why cosourcing may be more strategic than outsourcing
