AuditBoard Live Webinar banner advert Diligent One Platform World tour ad April 2024 TeamMate ESG advertising banner 2023

Mergers and acquisitions: two into one

Steve Welsh, head of internal audit at Funding Circle UK and former head of audit – integration, performance and quality – at CYBG

What do you see as the primary issues for internal audit?”

The primary issue is balance – managing the interlinked challenges of dealing with change and disruption to the internal audit team while maintaining an effective internal audit service.

There will be pressure to deliver cost savings and headcount reductions, so the head of internal audit must be confident that the desired level of assurance can still be delivered, or be clear about what can no longer be assured. The phasing of headcount reductions in internal audit is important. In the short term, the organisation’s risk profile is likely to increase, so there is potentially a need for greater assurance. You may need temporary additional resources in specific areas or for particular specialisms.

Bringing two internal audit teams together requires careful planning and communication. Team members may feel a range of emotions, which could affect the focus of the team. Recognising, acknowledging and engaging with the team about how they are feeling, while also progressing changes is critical.

Management will focus on delivering business process changes and cost savings. They are unlikely to welcome audit reviews and may ask internal audit to defer work. That may be appropriate, but sometimes the level of risk or mandatory requirements will mean that audits need to go ahead. Internal audit needs to be even clearer about which areas are a priority and should minimise business disruption.

Judging what to audit and when is important. It may be tempting to pivot towards the areas that are changing, and pay insufficient attention to the processes and controls. It is vital to balance limited resources to merge internal audit, audit the merger and audit business as usual and this depends on planning and communication.


What questions would you ask the board and senior managers?

Direct engagement with the board and senior managers is essential. Question them about the strategic rationale and expected benefits. The stakeholders’ perspectives on the challenges ahead and areas where they would appreciate internal audit focus can help to shape the audit plan. Ask about the information used for decision-making and how they are monitoring business performance and merger progress.

Bottom-up questions should focus on business area priorities and how managers plan to deliver changes while meeting customer, colleague and regulatory expectations. Ask about changes to be made, the budget, capacity and capability for these changes, the assumptions and scenarios considered, whether there is a plan B and how progress will be monitored.

This is not a one-off exercise. As new information emerges and priorities shift, internal audit needs to continue asking questions.


At what points would you expect internal audit to be involved and where do you think internal audit can add most value?

First, I would expect internal audit to review the strategic decision framework and due diligence before the transaction is completed. Identify capable and credible resources in internal audit, across the lines of defence and among external specialists. It is challenging to assess the strategic decision-making framework and outcomes, but internal audit’s perspective is hugely valuable for the board.

The changes within the internal audit function itself offer insights into the stresses for, and decisions being made, across the whole of the merged organisation.

The changes are interconnected: business process, technology systems, brand and marketing, location, structural and organisational design all affect other areas. Internal audit should audit the merger programme to ensure managers have considered these interconnections and made reasonable assumptions about timing, phasing, scenarios, resourcing and success measures. Internal audit can assess the execution of the merger at key stages and milestones, escalating concerns early and identifying underlying themes and root causes.

Internal audit should also ensure that the audit plan focuses enough on “business as usual” activities and controls. It is vital to have an agile and responsive internal audit plan that focuses on the key areas of risk and control.


How can the head of internal audit manage the uncertainty and changes in their own team and support the wider business and the board as they plan and implement the merger?

The audit team will have a range of concerns and uncertainties – from job security and reporting lines to new methodology and ways of working. The head of audit needs to be clear about the expectations for internal audit and how to deliver these: in particular, the implications for structural change and role reductions.

Communicating one-to-one, in small groups and with the whole team, using all communication channels, is critical – especially face-to-face with the whole team. It is essential to have “grown up” conversations. Team members will be aware that structural change and redundancies are likely. As implications become clearer, messages need to be increasingly certain and specific. The head of audit should engage directly with those affected by the changes and should let the wider team know as soon as possible afterwards.

Support from the audit committee is crucial. It is helpful to share the options, the recommended approach, rationale and implications of changes for the internal audit team with the audit committee chair – not just to get buy-in, but to use them as a sounding board for the proposals and the way in which they could be best handled. Leveraging the experience and perspective of non-executive directors is hugely beneficial.



What are the key risks for the organisation in the short and longer term?

Short-term risks arise from balancing multiple competing priorities. The desire to reduce costs, merge the business and deliver benefits has to be balanced with the continued need to meet customer experience expectations, maintain a skilled and motived workforce and meet regulatory and legislative requirements.

These trade-offs create significant risk, and the business and internal audit must judge what to prioritise. Being clear about constraining factors such as capital and cashflow limitations, agreements with unions and regulators and overall capacity and capability to manage and cope with change effectively give helpful insights.

However, unexpected risks and issues will arise – eg, class actions from disgruntled shareholders or community concerns about the environmental impact of the merged company.

Consider the impact that cultural differences will have on the performance of the merged organisation and the merger activities. Merging two organisations (especially rivals) could create a “them” and “us” perspective. Each side may hold on to preferred ways of working and existing networks. Take regular “pulse checks” to see how colleagues feel and share the results along with the steps the business will take as a result.

Comprehensive, timely and accurate qualitative and quantitative metrics on the key enablers, constraints and progress against merger objectives are critical for decision-making. However, this is only part of the story – the organisation should also continue monitoring external risks that could have a significant impact.

The volatility of these short-term risks affects the longer term risk that the merger benefits are not realised fully. Investing time in planning, reviewing, assuring and course-correcting all aspects of the merger, including assurance over the merger itself, is critical. While most strategic transactions do not completely deliver the expected value, comprehensive due diligence and planning, excellent judgment and execution with the support of a focused and motivated internal audit team will increase your chances of success. n


Mal Sivapunniyan, director of risk and audit at Dentsu Aegis Network

What do you see as the primary issues for internal audit?

We’ve done over 100 acquisitions in the past five years, so we have experience managing these situations. Our perspective is governed by our remit – the team is responsible for enterprise risk as well as for internal audit. We have other departments that ensure appropriate due diligence, and detailed risk assessments are thoroughly considered before agreeing a deal, however we are currently working with the mergers and acquisitions team to make the process of assessing the risk of potential acquisitions easier and more consistent.

The main issues for internal audit are around integration and our work starts once a deal is completed. We used to do a full audit about 18 months after the deal, so that everyone had time to settle in, but we’ve recently changed this and now do a lighter audit after six months to note any red flags to management and find out how the new entity is progressing against its integration plan. We’ve found that it can help to catch any potential issues at an early stage, before they become significant and more challenging to remediate. By the time we do the full audit at 18 months, controls should be embedded and we can do a deep dive to see how it’s all working.


What questions would you ask the board and senior managers?

Focusing on the integration post-deal, we
would ask management:

What is your largest concern?

What could go wrong?

What mitigations do you have in place?

We have various pillars that help us to measure our progress against an integration plan. We ask whether the entity has integrated the way management intended it to – for example, if the plan said that it would be fully integrated to our systems by x date, did this happen and, if not, why not?

We also ask whether the right oversight mechanisms are in place. For example, how is the new acquisition reporting its financials? On the people side, we would ask questions about leadership, cultural fit and HR, and we would want to know what kind of succession planning is in place, particularly if the former owner/directors are contracted to stay on for a specific time to manage the transition. And, of course, we would ask about the commercial side: is the acquisition performing as management expected?

We have strict criteria for management on areas such as return on investment, growth and margins, so we would ask how the new entity is achieving these. The key to getting this right is ensuring that the deal has the correct level of sponsorship from when it’s signed through to full integration. Mergers or acquisitions can fail if a key senior manager moves on before it is complete and leaves it to a team that is unfamiliar with the details. We would ask whether the proposed sponsor can put in the time and effort required and whether they have others around them who know about the integration and could take over if necessary.

At what points would you expect internal audit to be involved and where do you think internal audit can add most value?

Each integration plan has sponsors who are responsible at functional and business levels for ensuring that the integration is followed through and completed. Internal audit needs to assess the success of the integration against the plan and dig deep into the controls that are in place – do they align with our processes and our policies?

This is important when, for example, it comes to technology. We want new acquisitions to align with our systems and processes, but there are always challenges on the IT side. We need to look closely at how these are dealt with, what solutions are implemented, and whether they work.

Internal audit can help if there are tensions or misunderstandings between the leadership of the acquired entity and our management team. This is not uncommon, particularly when the managers of the newly acquired entity are on earn-out clauses. Internal audit can bring a balanced, more independent view that can help to find a mutually acceptable solution. We can also look at the culture and leadership style in the newly acquired entity and ask how it fits with our culture and how well our culture is understood by the new employees. Do the acquired managers want to integrate or do they see the deal purely in terms of income?

From our perspective, we’re buying a business that is all about its people and their capabilities. The people perspective is therefore essential – everything hinges on it. We would want to see that management roles and responsibilities are as clear and detailed as possible.

Thorough and robust risk assessment is vital from the start. It’s easy for a sponsor who wants to do a deal to see it as a sales pitch to the board. They start seeing all the reasons why they want it to happen, instead of stepping back and saying “this is why it fits the group’s strategic goals and the associate risks”. Internal audit can help to bring objectivity and encourage management to see a proposed deal as a risk-assessed business option that needs to be conducted according to all the usual processes, rather than as a partisan argument for a favourite project.


How can the head of internal audit manage uncertainty and changes in their own team?

We manage risk and uncertainty all the time. The key is to be agile and able to respond as quickly as possible. All heads of internal audit can improve the way they work at times of uncertainty. We need to be more confident about working with it. Most internal auditors prefer certainty – we like to have a plan. I tell my team that they have to become comfortable with change.

There are a number of coping strategies that help if the pace of change seems overwhelming. For a start, create a structure for yourself and put a realistic timeline against it. It may help to talk this through with a manager. It’s important to be clear about what you can and can’t do, and to ensure this message gets across. It’s vital to feel connected to the direction the whole team is going in – remember that everyone in the team is working to achieve the same end. If you feel that everyone around you is working together, it’s easier to ignore the outside noise.


What are the key risks for this organisation in the short and longer term?

Return on investment – inaccurate forecasts or margins.

Leadership and people – how do the two cultures of the organisations fit with each other? Will you hang on to people on earn-out clauses and is there a succession plan?

Client portfolio – can we hold on to clients who are close to specific managers if they leave?

Synergies: Is the integration plan robust? Will the synergies happen? Is someone tracking progress and responsible for it?

Sponsorship – if no one cares enough about a particular entity then integration won’t work properly, and small problems may become fires.

Accountability – clear roles and responsibilities are essential for success.

Strategy – if the merger or acquisition does not fit the wider strategy of the group it will not produce the expected returns. n



Tom Lloyd, chief internal auditor at Standard Life Aberdeen

What do you see as the primary issues for internal audit?

There are three core issues: the merger of two teams, the risk impact of the transaction and the need to keep audit delivery and the function operating effectively. You need to work fast, so start to turn up the dial before the transaction is concluded.

Auditors must get used to working with imperfect information and the function should get its own house in order first. You need to practice what you preach and set an example for the rest of the business.

Your workload will increase so you may need extra budget. Get into conversations early to ensure that the budget and resources are in place. It’s easy for management to forget the needs of audit or push them to the back of the queue, so take control of your own destiny.

On the plus side, the fact that audit is independent and is often a smaller, independent team can make the integration of the audit team easier than in some other parts of the business. If you get the merger right in the audit team it can act as an example for larger functions and you can pass on valuable lessons to others.

You need to set out a vision of the desired culture early and take the best from both heritages. Initially, everyone needs to be at a “good enough” level and then you can build on this base. If people don’t want to be part of the new culture and structure, then you need to find out early on. Employees need to feel part of the process and you want them to be excited by the opportunities as well as understanding the challenges. It could be a great development opportunity and managers could get a chance to iron out existing “niggles” where things haven’t operated as you wished in the past.


What questions would you ask the board and senior managers?

Internal audit needs to challenge all the assumptions – for example, it’s easy to assume that the underlying data in both entities is adequate and correct. We found that in practice it’s often flawed. You also need to connect the dots. Many teams and systems operate in silos and internal audit is in the best position to see across the whole organisation. During a merger, there will be inevitable hitches and disruption to operations, so you need to have a good view across silos and data.

You also need to challenge cultural and operational assumptions. It’s easy to underestimate the challenges created by a merger – mergers are much, much harder to execute successfully than acquisitions. Auditors need to ask managers whether they have thought enough about the challenges and prepared adequately for what could go wrong. What is the contingency planning? How are platforms, the processes and people being merged?

Culture is too important to be left wholly to one team or department. It needs lots of work from the start and the direction must come from the top management. Ideally, the senior manager responsible for it should not also be responsible for operational issues during the merger.

Internal audit should track progress by referring back to the business case for the merger and how management is defining and measuring its success. It’s easy for organisations to put too much emphasis on how hard everyone is working and other inputs and not enough on the results being achieved. Auditors should check that the business is also monitoring the impact on external stakeholders and customers.


At what points would you expect internal audit to be involved and where do you think internal audit can add most value?

Internal audit needs to have a clear view of the risks from day one – there is lots of work they can do before the transaction completes. They need to know what the risk appetite is and how this is being managed. For example, in the case of counter-party risk, both teams may have a good view on this, but how will it be managed from the day the merger takes place? What is the attitude of the audit committee and what do they need to see and know?

There will be distinct pre- and post-merger work for the audit team. Given the heightened risk and subsequent increase in workload, you may want to call on co-sourced resources to help with some of it.

After the merger, you will need to look at whether the integration programme is delivering. There are lots of ways to slice and dice this. You can review the overall process and how different parts of the organisation have managed it. You will need to show the chief executive the broad themes, but also be able to dive deep into details for specific groups. Collaboration is vital to this.


How can the head of internal audit manage uncertainty and changes in their own team?

You need to recognise commercial reality while also prioritising treating people with respect. Be open about the fact that synergies may mean job losses and don’t let difficult subjects become a “conversation vacuum”. If you do, you’ll lose trust. If you go silent then other people will fill in the gaps.

Transparency is vital. People are grown-ups and know there will be implications, but focus on the positive aspects and new opportunities. Create a clear vision of where you want to get to and how you intend to get there. This gives those who are staying in the team a bright horizon to look to.

It’s important to give a top-down view – a north star to aim for. If you try to approach it from the bottom up you will drown in volume and complexity.


What are the key risks for this organisation in the short and longer term?

Delivering the deal rationale and driving value. Ask why did we do this and did we get the value we anticipated? How is it seen by the market?

Governance – you need to establish whether the organisation is up and running as well as possible as quickly as possible.

Ensure spend generates results. It’s easy to waste money and there’s a danger of becoming “busy fools”. Just because you’ve spent 50 per cent of the budget doesn’t mean you’re half-way through the process.

Overload – how do you look after people
during a period of heavy workload when they still have to do their day jobs as well as merger-related activity?

Are you mobilising fast enough? If you don’t get your business processes and technology working quickly you are storing up problems for 12-18 months’ time.

You may need to have a different group of people on the deal team and on the integration team. Team members will need different skills and you may also want to look at team structures. This may be a hard conversation, but it’s important to get the right people in place. Focusing on all of this should set individuals, teams, the function and wider organisation up for success. 


This article was first published in November 2020.