How to Address Risk and Internal Controls in Business Combinations
Merger and acquisition (M&A) activity reached all-time highs in 2021, outpacing even the ample capital markets activity, and the momentum is projected to continue this year. M&A transactions have myriad impacts, often spurring significant changes in company operations, reshaping finance functions, and more. These transactions also present inherent risks—organizations may face integration challenges or IT security threats, for instance.
Getting the most out of an M&A strategy requires a forward-thinking, comprehensive approach, including consideration of the accounting and financial reporting risks stemming from these transactions.
When facing a major transaction, here are three tips for strategically incorporating risk and controls:
1. Evaluate risk and controls holistically
After completing a business combination, organizational leaders justifiably focus on the work of realizing the strategic benefits of the transaction, such as access to new markets, increased market share, and access to top talent. While unlocking the full potential of the transaction, leaders and compliance professionals should concurrently approach the new, transformed organization with a complete controls risk assessment.
A controls risk assessment is an exercise that helps management think critically about key business risks, the susceptibility of existing information to errors and fraud, and the controls in place to mitigate the risks. It is completed using a top-down, risk-based approach, considering each financial statement line-item across all lines of the organization.
Timing is a critical component of controls risk assessments. While they are typically performed annually, in times of change, the frequency of the assessment should be adapted to reevaluate the risks the organization faces on an as-needed basis. For example, due to a business combination, accounts that were previously immaterial or low-risk may become more prominent in the risk landscape. As a result, the organization may now need to focus on processes that are net new or ones that were previously considered low risk, which call for new controls in order to appropriately mitigate the new and more critical risks. For example, after completing a transaction that expands an organization’s footprint into new geographical markets, it may be necessary to assess existing processes and controls documentation at the acquired company to determine the impact, if any, to the existing controls documentation.
2. Assess IT implications
If a single function can stake a claim that “the only constant is change,” members of the IT department often enthusiastically raise their hands. Business combinations spur many changes and are full of IT challenges. To remain aware of risks and keep related controls up to date, management should periodically—at least annually—assess if the company’s technology infrastructure continues to meet the organization’s needs. Consider the following questions:
- Is the IT department sufficiently staffed to provide the right support to meet strict SEC requirements and deadlines?
- Are the right people in the right roles?
- Do the applications and tools meet the company’s current business needs?
- Given recent changes, are the security and privacy protocols sufficient?
Organizations must evaluate changes in IT to ensure risks are adequately addressed. Much like the controls risk assessment, IT should be reviewed holistically to address system operations, change management, access, segregation of duties, and cybersecurity. It is important to note that what worked before the transaction may not work going forward. For instance, if a private organization is acquired by a public company, the acquiree may need to comply with Sarbanes-Oxley (SOX) as a result. In these instances, it is likely that finance and compliance leaders will want to review whether there is appropriate evidence of operating effectiveness of controls related to all systems and applications that have an impact on financial reporting. Historic IT controls may not be appropriately designed to address the organization’s current risks and regulatory requirements.
A common challenge that organizations need to mitigate after a merger is ensuring IT control activities include newly acquired systems and applications. Management should review the scope of current IT controls and identify compensating controls and processes to mitigate the impact of any noted deficiencies.
3. Plan for a runway to SOX compliance
In a period of change, it is easy to put compliance activities on the backburner while operations are stood up and risk and control evaluation deadlines appear to have a long runway. Leaders should start early when preparing to comply with regulations that require a heavy lift, such as SOX compliance, which is often a substantial effort for any business that combines with a publicly-traded company. A typical path to SOX compliance can often take 12 to 18 months, and it is no small feat to understand the current controls environment and subsequently remediate any identified issues in advance of the first annual report—which requires management’s assessment of internal control 404(a).
With M&A activity, if the acquirer is already publicly held, special attention needs to be given to the acquired company’s control environment to allow management to begin their journey to overall compliance under the new umbrella of the new consolidated entity. While the SEC grants a one-year deferral on SOX 404(a) compliance for these situations, establishing and maintaining appropriate controls over financial reporting often takes just as long as the runway provided.
After undergoing any significant organizational change, management should prioritize the compliance timeline. Doing so is key to having sufficient time to address any material weaknesses in control design and operation.
Maintaining the focus on risk and controls during times of significant change is a challenge, and it can be a struggle for even the largest organizations. Successful governance, risk, and compliance (GRC) programs take time, and effective approaches require a solid foundation from which to grow. Organizations that prioritize GRC in periods of change are likely to be more prepared for future compliance demands such as the new lease accounting standard and recent climate-related disclosure requirements