Mergers and acquisitions (M&A) can be undertaken for a number of strategic reasons and there are different phases and complexities dependent on the transaction type. It is critical that internal audit considers and articulates its involvement at every stage and assists the organisation in identifying any challenges on a timely basis, given that M&A is often high risk and doesn’t always deliver anticipated returns.
This guidance provides chief audit executives (CAEs) and senior internal auditors an understanding of the various phases of M&A activities and a practical guide as to internal audit’s assurance and advisory role.
It is critical internal audit is involved throughout the M&A transaction process to:
Internal auditors must be sufficiently competent and experienced to undertake M&A audits, it would not be unusual given the sensitivities for CAEs to perform the work themselves. If the internal audit function does not have the available skills, they should not undertake the work (ref Standard 1210).
This role enables internal audit to provide key insights to the business and the audit committee such as:
Internal audit needs to be proactive and ensure they are involved from an early stage in any transaction activity as we are uniquely placed to challenge throughout the M&A process and ensure the governance, risk management and control processes remain in place and appropriate.
It is also important to be sharing your proposed approach to covering the stages of the M&A with management, executives and the audit committee from the outset as senior management do not always recognise the skills, remit and role of internal audit.
In addition, do not underestimate the time you will need to spend understanding the work-stream activities and status of the overall M&A. CAEs may require additional budget or reprioritise planned assurance. Also, the audit plan will need to be fluid to accommodate for reviews and changes to timing as the transaction progresses. It is good practice that a proposed approach to overseeing the M&A is formally discussed and agreed with the audit committee and takes into account other assurance providers and their role/contribution to the M&A process. Support from the audit committee is critical when requesting an increase in budget.
The key stages for M&A are:
M&As often fail to create the predicted value for the stakeholders of the organisations and internal audit should consider how these risks are being mitigated at all stages:
There will often be sensitivity at this stage around sharing information as it will likely be market sensitive and also executive management will be nervous that the transaction must not be slowed down. It is important internal audit has visibility at this early stage and is likely to be involved as an advisor.
Given our unique position of having a holistic view of the organisation and being emotionally unattached from the transaction (objective), we can challenge the business as to whether all risks and issues have been considered with the target and where applicable are further investigated and understood part of the due diligence. In addition, if the acquisition is cross-border, internal audit can challenge if the right skill sets are involved to consider any additional risks.
Management may be unrealistic, overly positive or too narrow in their thinking. Internal audit can objectively help determine what events or circumstances could cause an obstacle in order to meet corporate objectives and positive synergies identified as part of the M&A.
Organisations often significantly underestimate the amount of time and resources required for a M&A project, consider auditing the resource plans and particularly how and when third parties are being utilised and how this is overseen to ensure the programme of activity is delivered as agreed.
In practical terms, relevant members of the audit team will most likely be subject to a non-disclosure agreement. They will need to obtain all necessary information about the transaction and the corporate objectives or strategy. If internal audit does not receive all information, then you cannot effectively assess the possible control environment and if all risks and issues have been considered.
The initial stage of M&A can be considered over a relatively short time frame, so making sure all risks and issues are considered is critical. This may cause some friction where management is nervous that internal audit may disrupt the process. Be sure to be absolutely clear on timelines and share any concerns on a real time basis to ensure this is proactively managed. It may be that you present verbally on an ongoing basis at the working group/executive committee and then summarise all key messages in a memo. The key is to ensure any concerns are shared on a real time basis so these concerns can be properly considered and addressed.
A target organisation is often reluctant to disclose confidential information to the possible buyer, who is usually a competitor, preferring to use third-party consultants who sign confidentiality agreements and report to the buyer in a controlled and confidential manner. Although internal audit will likely have the skillset to perform the due diligence it is common practice to have third-party involvement (such as professional firms and lawyers) and outsource the due diligence stage. There is often significant time pressure at this stage.
It is within the remit of internal audit to provide assurance over the M&A process including for example the selection and use of appropriate expert advisors.
It is critical that internal audit continues to ensure that there is a thorough risk assessment in place which is driving the due diligence process and ensure the risk assessment covers all applicable principal risks and considers how these will be impacted; strategic (governance and reputation), operations (customer, supply chain, IT), financial (credit, tax and operational) and regulatory/compliance. It is also important to gain an understanding of how management is obtaining a detailed understanding of the target organisation including the control environment, culture, reporting lines, information systems, and structure. This can be completed on an advisory or assurance basis with a formal memo providing an opinion, particularly if the risk assessment does not adequately consider all risks and issues.
Depending on the objective of the M&A it is likely that at this stage the businesses, in a non-hostile scenario, will start to collaborate to develop the target operating model and outline at a high level how they expect to realise anticipated synergies. Internal audit should observe these meetings in order to decide how assurance will be provided over the various work streams, understand any risks (such as data transfer risk) from the approach being taken as well as observe how the teams work together to better understand any differences in culture and values. If poor behaviours are observed, internal audit will need to escalate any concerns as well as any issues with approach or with decisions being taken.
There may be an obligation or right to audit the target organisation’s internal audit function. This will require obtaining key audit reports performed over the last few years and the annual audit opinion to understand the CAEs perspective of the current control framework and culture of the target organisation. It is also helpful to review second line reporting such as compliance assurance, operational risks reports and sector specific regulatory related reports. Understanding the target organisation’s internal audit reporting line, budget, staff numbers, experience and tenure as well as quality of the outputs will help CAEs ascertain how robust the three lines are in the target organisation. This will be insightful once the transaction completes as it provides an indication of the risk maturity of the target organisation.
CAEs of both organisations may also be required to collaborate to create the target operating model for internal audit. Advice from an experienced CAE is to make budgetary allowance for duplicate assurance across both organisations during the integration phase while synergies are being realised in addition to the additional required integration assurance.
The final aspect at this stage is the day one readiness. This will depend on the extent of change planned for day one and if the impact on the control framework. Internal audit should provide assurance that there is:
Given its importance and the extent of change, it is likely a steering group at board level will be set up as well as numerous working groups to support delivery. Internal audit will need to embed itself into the governance framework of the integration through observing work streams, attending steering committees and also having regular meetings with the programme manager. At an early stage, assurance that the newly formed organisation has formulated a clear strategy and set of objectives should be provided to the audit committee; without board direction M&A is unlikely to be successful.
Internal audit will need to oversee that the following is in place:
For the integration programme itself, ongoing assurance could include that there is:
All organisations have change programmes, in a M&A these are interconnected, so internal audit needs to ensure all dependencies between technology systems, organisational changes and process changes have been identified and understood.
All synergies will need to have been mapped to the work streams and there needs to be a clear linkage as to how these will be developed. An ongoing synergies audit can provide assurance as to how the organisation plans to deliver, through monitoring and eventually to realisation of the synergy objectives.
The organisation also needs a robust set of key performance indicators and key risk indicators to manage the success of the integration and oversee the impact on the wider business and culture. Internal audit can provide assurance that management sets up the right quantitative and qualitative indicators early on to successfully measure what is happening. Also, the role of the second line is fundamental, so a review of this nature should consider how they are independently assessing and commenting on the risks and issues of the integration programme.
If the target organisation did not have a detailed IT systems map of its environment during the acquisition stage, it could lead to integration challenges, particularly if it is niche, complicated or one in which the acquirer has limited experience/expertise. In addition, it is likely that even where two operations are performing similar activities, they will use different systems or different instances of the same system. It will be fundamental that IT and the business finalise their target operating model as a priority to inform changes required in the system architecture. Internal audit can undertake advisory and assurance activity depending on the risk maturity of the IT function.
Early in the integration stage, internal audit could provide assurance as to the effective management of critical third-party arrangements. M&A can create overlap of services and add complexity to existing contractual arrangements. Considerations should be given to how the organisation has identified its critical third parties, performed due diligence and that future ways of working will be appropriately managed with all risks clearly understood.
Once the integration has momentum and work streams start to be delivered, internal audit can help ensure that there are “lessons learned” exercises and reporting being undertaken and where appropriate that this feeds into the wider integration programme and reporting.
Finally, internal audit can consider if real time assurance is required for individual areas of high-risk activity particularly where data is being transferred.
M&A can be a challenging period for internal audit and the wider business. There will be multiple competing priorities all trying to oversee that the business is meeting its M&A benefits alongside business as usual. CAEs and the audit team will also be dealing with the impact of merging two different cultures and ensuring controls are in place to prevent a “them” and “us” culture forming, not only in the wider organisation but also within internal audit itself where it’s important to maintain motivation and engagement.
To summarise, internal audit can ensure the business is: