Mergers and acquisitions

Mergers and acquisitions (M&A) can be undertaken for a number of strategic reasons and there are different phases and complexities dependent on the transaction type. It is critical that internal audit considers and articulates its involvement at every stage and assists the organisation in identifying any challenges on a timely basis, given that M&A is often high risk and doesn’t always deliver anticipated returns.

This guidance provides chief audit executives (CAEs) and senior internal auditors with an understanding of the various phases of M&A activities and a practical guide to internal audit’s assurance and advisory role.


It is critical internal audit is involved throughout the M&A transaction process to:

  1. Assess how relevant parties across the three lines are working
  2. Ensure all risks and issues are being identified and managed
  3. Ensure there is clear governance and reporting in place over the programme of activity and progress made

Internal auditors must be sufficiently competent and experienced to undertake M&A audits; given the sensitivities, it would not be unusual for CAEs to perform the work themselves. If the internal audit function does not have the available skills, it should not undertake the work (ref Standard 1210).

This role enables internal audit to provide key insights to the business and the audit committee such as:

  • Highlighting if objectives are unclear
  • Identifying any gaps in the plan or unidentified synergies
  • Noting if roles and responsibilities are blurred or the second line is not visible
  • Flagging any concerns around culture or behaviours
  • Escalating if the programme is not being well managed, specifically any concerns around synergy tracking
  • Highlighting if risks and issues are not being identified or appropriately managed

Internal audit needs to be proactive and ensure they are involved from an early stage in any transaction activity as we are uniquely placed to challenge throughout the M&A process and ensure the governance, risk management and control processes remain in place and appropriate. 

It is also important to share your proposed approach to covering the stages of the M&A with management, executives and the audit committee from the outset, as senior management do not always recognise the skills, remit and role of internal audit.

In addition, do not underestimate the time you will need to spend understanding the work-stream activities and status of the overall M&A. CAEs may require additional budget or need to reprioritise planned assurance. The audit plan will also need to be fluid to accommodate reviews and changes to timing as the transaction progresses. It is good practice that a proposed approach to overseeing the M&A is formally discussed and agreed with the audit committee and takes into account other assurance providers and their role/contribution to the M&A process. Support from the audit committee is critical when requesting an increase in budget.

Key takeaways for CAEs

  • Make sure you are involved at each stage of the M&A - it is a critical emerging risk
  • Share your approach with the audit committee early to validate the assurance required
  • Flex your approach to ensure it delivers insight on a timely basis
  • Consider an advisory/observer role alongside more formal assurance work
  • Make sure you are assessing the effectiveness of the programme as well as the individual activities
  • Resource accordingly – your audit plan will need to be able to adapt and change
  • Keep asking the difficult questions

The three stages of a merger or acquisition

The key stages for M&A are:

  • Strategy stage
  • Due diligence/negotiation stage and day one readiness/integration planning (target operating model)
  • Integration execution stage

M&As often fail to create the predicted value for the stakeholders of the organisations and internal audit should consider how these risks are being mitigated at all stages:

  • Cost reduction post-merger/acquisition is not achieved
  • Overestimation of synergies
  • Inadequate due diligence
  • Culture differences
  • Poor planning
  • Poor technology assessment
  • Transaction disruptions
  • Fully integrated end state is not achieved; manual workarounds lead to opportunities not being achieved
  • Tax structure not optimised

1) Strategy stage (when the organisation has identified a target)

There will often be sensitivity at this stage around sharing information, as it will likely be market sensitive and executive management will be anxious that the transaction is not slowed down. It is important that internal audit has visibility at this early stage, where it is likely to be involved as an advisor.

Given our unique position of having a holistic view of the organisation and being emotionally unattached from the transaction (objective), we can challenge the business as to whether all risks and issues have been considered with the target and, where applicable, are further investigated and understood as part of the due diligence. In addition, if the acquisition is cross-border, internal audit can challenge whether the right skill sets are involved to consider any additional risks.

Management may be unrealistic, overly positive or too narrow in their thinking. Internal audit can objectively help determine what events or circumstances could be an obstacle to meeting corporate objectives and the positive synergies identified as part of the M&A.

Organisations often significantly underestimate the amount of time and resources required for an M&A project. Consider auditing the resource plans, particularly how and when third parties are being utilised and how this is overseen, to ensure the programme of activity is delivered as agreed.

In practical terms, relevant members of the audit team will most likely be subject to a non-disclosure agreement. They will need to obtain all necessary information about the transaction and the corporate objectives or strategy. If internal audit does not receive all information, it cannot effectively assess the possible control environment or whether all risks and issues have been considered.

The initial stage of M&A can be considered over a relatively short time frame, so making sure all risks and issues are considered is critical. This may cause some friction where management is nervous that internal audit may disrupt the process. Be sure to be absolutely clear on timelines and share any concerns on a real time basis to ensure this is proactively managed. It may be that you present verbally on an ongoing basis at the working group/executive committee and then summarise all key messages in a memo. The key is to ensure any concerns are shared on a real time basis so these concerns can be properly considered and addressed.

2) Due diligence/acquisition stage and day one readiness/integration planning

A target organisation is often reluctant to disclose confidential information to the possible buyer, who is usually a competitor, preferring to use third-party consultants who sign confidentiality agreements and report to the buyer in a controlled and confidential manner. Although internal audit will likely have the skillset to perform the due diligence, it is common practice to have third-party involvement (such as professional firms and lawyers) and to outsource the due diligence stage. There is often significant time pressure at this stage.

It is within the remit of internal audit to provide assurance over the M&A process including for example the selection and use of appropriate expert advisors.

It is critical that internal audit continues to ensure that a thorough risk assessment is in place and driving the due diligence process, and that the risk assessment covers all applicable principal risks and considers how these will be impacted: strategic (governance and reputation), operations (customer, supply chain, IT), financial (credit, tax and operational) and regulatory/compliance. It is also important to gain an understanding of how management is obtaining a detailed understanding of the target organisation, including the control environment, culture, reporting lines, information systems and structure. This can be completed on an advisory or assurance basis with a formal memo providing an opinion, particularly if the risk assessment does not adequately consider all risks and issues.

Depending on the objective of the M&A it is likely that at this stage the businesses, in a non-hostile scenario, will start to collaborate to develop the target operating model and outline at a high level how they expect to realise anticipated synergies. Internal audit should observe these meetings in order to decide how assurance will be provided over the various work streams, understand any risks (such as data transfer risk) from the approach being taken as well as observe how the teams work together to better understand any differences in culture and values. If poor behaviours are observed, internal audit will need to escalate any concerns as well as any issues with approach or with decisions being taken.

There may be an obligation or right to audit the target organisation’s internal audit function. This will require obtaining key audit reports performed over the last few years and the annual audit opinion to understand the CAE’s perspective of the current control framework and culture of the target organisation. It is also helpful to review second line reporting such as compliance assurance, operational risk reports and sector specific regulatory related reports. Understanding the target organisation’s internal audit reporting line, budget, staff numbers, experience and tenure, as well as the quality of the outputs, will help CAEs ascertain how robust the three lines are in the target organisation. This will be insightful once the transaction completes as it provides an indication of the risk maturity of the target organisation.

CAEs of both organisations may also be required to collaborate to create the target operating model for internal audit. Advice from an experienced CAE is to make budgetary allowance for duplicate assurance across both organisations during the integration phase while synergies are being realised, on top of the additional integration assurance required.

The final aspect at this stage is the day one readiness. This will depend on the extent of change planned for day one and the impact on the control framework. Internal audit should provide assurance that there is:

  • Clear lines of responsibility and appropriate senior management oversight
  • Adequate focus on Day One, with dependencies understood across work streams
  • A list of critical actions leading up to Day One and on Day One itself, with appropriate governance over these actions
  • Clarity on what is changing, with risks understood and required interim controls in place
  • A defined communication plan from Day One
  • A command centre in place and adequate disaster recovery plans for the new organisation should an incident occur

3) Integration execution stage

Given its importance and the extent of change, it is likely a steering group at board level will be set up as well as numerous working groups to support delivery. Internal audit will need to embed itself into the governance framework of the integration through observing work streams, attending steering committees and also having regular meetings with the programme manager. At an early stage, assurance that the newly formed organisation has formulated a clear strategy and set of objectives should be provided to the audit committee; without board direction M&A is unlikely to be successful.

Internal audit will need to oversee that the following is in place:

  • Clear objectives
  • End state target operating model
  • Detailed roadmap to deliver the objectives by work stream
  • Alignment with wider risk management framework
  • Clarity on how the three lines will support the integration
  • Sector specific arrangements such as:
    • Financial services - plans for internal capital adequacy process, internal liquidity adequacy process, and recovery and resolution planning have been established. Also, that the executive structure and any Senior Managers and Certification Regime (SMCR) duties, where applicable, remain clear and responsibilities maps are updated
    • Charities - that Charity Commission requirements have been addressed, and, depending on risk appetite, liaising with the Charity Commission during the transaction to demonstrate an open and transparent approach

For the integration programme itself, ongoing assurance could include that there is:

  • Appropriate governance over the integration programme
  • Clear objectives and understanding of the critical path
  • Management information and reporting (including ongoing process against plan and budget)
  • Dependencies identification and tracking
  • Go / No-go decision making criteria established by work stream
  • Escalation of any significant delays
  • Clear resourcing plans including dependency on third parties
  • Clear communication plans for both internal and external stakeholders
  • Approval process for changes to the programme scope
  • Risk and issue identification tracking, escalation and management
  • Synergy and cost management processes
  • Appropriate early warning indicators on impact on business as usual

All organisations have change programmes; in an M&A these are interconnected, so internal audit needs to ensure all dependencies between technology systems, organisational changes and process changes have been identified and understood.

All synergies will need to have been mapped to the work streams and there needs to be a clear linkage as to how these will be developed. An ongoing synergies audit can provide assurance over the synergy objectives, from how the organisation plans to deliver them, through monitoring, and eventually to their realisation.

The organisation also needs a robust set of key performance indicators and key risk indicators to manage the success of the integration and oversee the impact on the wider business and culture. Internal audit can provide assurance that management sets up the right quantitative and qualitative indicators early on to successfully measure what is happening. Also, the role of the second line is fundamental, so a review of this nature should consider how they are independently assessing and commenting on the risks and issues of the integration programme. 

If the target organisation did not have a detailed IT systems map of its environment during the acquisition stage, it could lead to integration challenges, particularly if it is niche, complicated or one in which the acquirer has limited experience/expertise. In addition, it is likely that even where two operations are performing similar activities, they will use different systems or different instances of the same system. It will be fundamental that IT and the business finalise their target operating model as a priority to inform changes required in the system architecture. Internal audit can undertake advisory and assurance activity depending on the risk maturity of the IT function.

Early in the integration stage, internal audit could provide assurance as to the effective management of critical third-party arrangements. M&A can create overlap of services and add complexity to existing contractual arrangements. Consideration should be given to how the organisation has identified its critical third parties and performed due diligence, and whether future ways of working will be appropriately managed with all risks clearly understood.

Once the integration has momentum and work streams start to be delivered, internal audit can help ensure that there are “lessons learned” exercises and reporting being undertaken and where appropriate that this feeds into the wider integration programme and reporting.

Finally, internal audit can consider if real time assurance is required for individual areas of high-risk activity particularly where data is being transferred.


M&A can be a challenging period for internal audit and the wider business. There will be multiple competing priorities all trying to oversee that the business is meeting its M&A benefits alongside business as usual. CAEs and the audit team will also be dealing with the impact of merging two different cultures and ensuring controls are in place to prevent a “them” and “us” culture forming, not only in the wider organisation but also within internal audit itself where it’s important to maintain motivation and engagement.

To summarise, internal audit can ensure the business is:

  • Investing in planning
  • Resourcing appropriately
  • Securing suitable senior management engagement
  • Clear in its objectives
  • Constantly reviewing its risks and issues
  • Gaining insight from a range of stakeholders and taking action on this insight
  • Critically reviewing a robust set of key risk and performance indicators including insight on culture


Content reviewed: 13 December 2021