Auditing the Due Diligence Process

This post was originally published in 2011 and was updated in 2018.

This article presents a framework for auditing merger and acquisition (M&A) pre-acquisition, post-acquisition and sell-side due diligence. Given its tendency to be overshadowed by the more exciting aspects of the M&A process – such as who will head the acquired operation and which offices and facilities will be expanded and which will be closed – internal auditors can contribute significant value by ensuring that a vibrant due diligence process is in place and operating as intended. A rigorous audit of the M&A due diligence process can help companies take advantage of legitimate new business opportunities, while at the same time help minimize the risks.

Making the case for auditing the due diligence process can be awkward for an internal audit function that has not previously done so. Strong relationships with the audit committee and management are a key factor, as well as the reputation of the internal audit department itself. If these two items are lacking, it will be difficult to obtain buy in for auditing the due diligence process or any other new area for that matter. Moving forward we will assume that both of these factors are in place.

Pre-Acquisition Due Diligence

The audit of the due diligence process should begin with the assurance that a senior management champion has been explicitly identified. This individual should assist with management buy-in for the due diligence process and facilitate communication of key issues across all functional areas potentially affected by a new acquisition such as business process owners, legal counsel, the board and its committees, and outside consultants.

Internal audit also should ensure that robust accounting and internal control due diligence checklists exist and have been tailored to address unique risks associated with a prospective subsidiary.

For instance, an accounting due diligence checklist should efficiently and effectively address the following key issues: earnings quality, asset quality, potential for unrecorded or understated liabilities, financial statement projection evaluations, cash flow concerns and fraud due diligence.

An efficient and effective internal control due diligence checklist (based on the COSO Enterprise Risk Management (ERM) Cube, 2004) should assess: a prospective subsidiary’s control and risk mitigation posture relative to acquiring company expectations; whether unmitigated key business risks such as the absence of a repeatable financial institution Allowance for Loan Loss methodology may adversely influence the acquisition decision; the estimated effort required to implement missing controls as a factor in establishing the acquisition price; the compatibility of legacy and outsourced systems with acquiring company systems; and the impact of the subsidiary’s control posture on post-acquisition due diligence.

Post-Acquisition Due Diligence

Pre-acquisition due diligence may miss important issues, especially when it is conducted in a competitive environment in which the acquiring company has only a few days to access financial records and key personnel.

Thus, it is possible for the buyer to overlook fraudulent financial reporting and material weaknesses in internal control. An audit of the post-acquisition due diligence process can help compensate for such risks by providing early identification of unmet initial business plan goals which may allow the acquiring company to take corrective action before substantial losses are incurred.

Critical components of an effective post-acquisition due diligence process should include: a transition manager; business process and control experts; an initial comprehensive business process; and control review and an annual rated audit.

Each new subsidiary should be assigned a transition manager who joins the subsidiary on a full-time basis for several months. The transition manager should be a financial expert who works closely with the subsidiary’s CFO to provide direct assistance with on-site integration including implementing the acquiring company’s culture and act as a liaison with senior management during the integration. Transition managers should not be directly involved in running the business to maintain their objectivity with respect to the integration. They also should receive formal training.

Business process and control experts should have the primary responsibility for integrating the various infrastructure processes such as accounting, finance, IT, procurement and contract management. One or more business process and control experts should be assigned to each new subsidiary depending on the specific infrastructures that need to be integrated.

Within the first 30 to 60 days after an acquisition, the subsidiary should undergo a comprehensive business process and control review. This initial review should be considered an “assist visit” from internal audit. The intent of this visit is to give management of the new subsidiary a “roadmap” of the controls and process changes that need to be implemented to bring the company into alignment with the parent company’s controls, culture and reporting requirements.

Throughout the first few months after acquisition, the business process and control experts and transition manager should employ a supportive, consultative approach toward the new subsidiary with a focus towards implementing the items detailed in the roadmap.

Prior to the end of the fiscal year, the new subsidiary should undergo its first rated audit. A rating of satisfactory or unsatisfactory should be given, based on whether the roadmap’s recommendations have been implemented.

An unsatisfactory rating should be examined closely. If serious process and control deficiencies were identified from the prior review(s) that need an extended time period to fully remediate (i.e. a new accounting system), then this should be taken into account. If control deficiencies have been left to languish, then this could result in the loss of jobs within the subsidiary’s senior management.

Sell-Side Due Diligence

When acquisitions do not work out, due diligence on a subsidiary prior to offering it for sale should be considered. This is especially important if the subsidiary received minimal pre-acquisition or post-acquisition due diligence.

When a company is not completely familiar with a subsidiary, “surprises” may still exist. Potential buyers who discover these surprises during their pre-acquisition due diligence may walk away from the deal or demand a substantial price reduction.

Once the marketplace becomes aware of these aborted deals, it may be more difficult to sell the subsidiary at a reasonable price. In extreme cases, a company’s reputation for impeccable business ethics may be tarnished.

Sell-side due diligence is similar to pre-acquisition due diligence. In general, a buy-side due diligence mindset is needed.

Sell-side due diligence should result in two primary deliverables to management: a due diligence report that identifies issues and exposures that could substantially affect the sales process and final sales price; and recommendations to help mitigate the above exposures.

Conclusion

Internal auditors can assist their companies in ensuring a strong due diligence process is maintained in all its forms: pre-acquisition, post-acquisition and sell side. A strong due diligence process is critical to ensure the acquirer is fully aware of all aspects of the deal and provides access to vital intelligence that is used to negotiate the final price and integrate the new subsidiary more effectively.