Connecting the Dots: Sarbanes-Oxley and M&A

The Sarbanes-Oxley Act of 2002, designed to improve corporate governance, never mentions mergers and acquisitions, and could easily appear irrelevant to the work of corporate development officers. However, nothing could be further from the truth. Sarbanes-Oxley is not a mere post-close housekeeping detail for your finance and legal departments to work out. Provisions of the law reach down into every part of a business, affecting both existing and newly acquired operations. While failure to investigate Sarbanes-Oxley issues early in the deal process may not always land a corporate development officer or his CEO in handcuffs, it can lead to embarrassing and costly last-minute “surprises” that can reduce management’s credibility, hurt a company’s stock price, and ultimately tarnish reputations. For all executives involved in m&a – from the CEO to business unit leaders and heads of finance – the act places a warning label on m&a activities that reads: “Proceeding without an adequate understanding of Sarbanes-Oxley can be hazardous to your career, finances, and liberty!” Key Provisions for Corporate Dealmakers Section 302 of Sarbanes-Oxley requires chief executive and financial officers of an SEC registrant to certify in writing that: *The financial and non-financial information they file with the SEC is accurat, and *They have assumed responsibility for establishing effective disclosure controls and procedures followed in generating this information. In its annual report, management also must reveal how it determines whether its internal controls and procedures for financial reporting are adequate. These assessments must be well documented since Section 404 of the act requires that a public company’s external auditor attest to management’s assertions on these matters. Disclosure controls and procedures cover all items in a company’s public filings, including both financial and non-financial information such as market share, data on the competitive or regulatory environment, business goals, governance matters, planned acquisitions, customers, supply chain, and contracts. These certification requirements apply to the consolidated entity. This means that once a deal closes, the CEO and CFO are on the hook for any acquisition they consolidate. Accordingly, as part of diligence, corporate deal teams and their advisers must carefully consider the status of each target’s internal control processes, financial reporting procedures, and documentation. This entails determining whether the target’s internal controls and financial reporting procedures support the buyer’s reporting process and can be audited in their current form. If they cannot, the buyer must estimate the cost, effort, and resources required to make them auditable by the next annual reporting date. Corporate development officers must make sure that their companies do not close on any transaction where these conditions cannot be met within the allotted time and at a reasonable cost. Since further SEC guidance is likely, the full impact of these rules on the deals market is unclear. Will buyers begin to require certification representations? Will the discovery of fraud or a controls breakdown constitute a materially adverse condition that can trigger a price reduction? What information on a target’s internal controls will buyers request during diligence, and investment bankers require for offering memoranda and data rooms? What will happen to demand for carve-outs from troubled companies? The list of questions and considerations can go on and on, but two things are virtually certain: *Buyers will begin to weigh Sarbanes-Oxley issues as they screen and perform due diligence on target companies, and will amend the typical contract provisions to consider a range of Sarbanes-Oxley matters. *Sellers will look at businesses they wish to dispose of from a Sarbanes-Oxley perspective. Management must be willing to take reasonable steps to make them marketable and compliant in order to avoid the embarrassment and financial risks that can come from having to pull a business from the market because of adverse buyer diligence. Five Keys for Corporate Development Officers Communicate with your disclosure committee. Corporate development officers should begin by establishing a dialogue with those at their company primarily responsible for compliance. At most public companies, this will be the Disclosure Committee established specifically for this purpose. Since your disclosure committee may not have begun to think about the implications of Sarbanes-Oxley for buy- and sell-side deal activity, it will be your job to bring key issues to their attention. Close cooperation with the disclosure committee will help ensure that it keeps corporate development abreast of evolving SEC rules regarding the application of the act, and of any changes in your company’s control processes that must be considered when assessing the internal controls of an acquisition target. Conversely, it is corporate development’s responsibility, before a deal closes, to inform senior executives and the disclosure committee of any control issues in a target’s operations that could affect quarterly and annual certifications. Key questions to ask the disclosure committee during initial discussions are: *Should the corporate development leader be a member of the disclosure committee and, if not, who will be the committee’s liaison with the m&a team? *Has the disclosure committee integrated m&a activities into the company’s Sarbanes-Oxley compliance framework? *What assurances will the disclosure committee require about an acquisition target before a deal closes, and what is the content and timing of required communications between the deal team and the committee as a deal progresses? The goal is to establish a process for communicating with the disclosure committee on Sarbanes-Oxley issues and integrating acquisitions into a company’s compliance process before a deal is on the table. Identify potential pre-close issues. Concerns about internal controls and Sarbanes-Oxley certifications will rarely kill deals. That said, they can be embarrassing, especially when they turn up late in the deal process. Imagine the chagrin of a CEO who has to retrench after publicly signaling a willingness to buy another company, or who must tell shareholders that the internal controls in place at their company are not adequate to ensure timely, accurate financial reports? Even worse, picture what would happen if your company were trying to sell a business and a prospective buyer uncovered a major internal control deficiency at the last minute? To minimize the risk of such occurrences, both buy- and sell-side deal teams will have to add another layer of diligence early in the deal process. While in the past, due diligence teams may not have paid much attention to internal control issues, to gloss over such issues now is dangerous. Furthermore, corporate board members are likely to pay more attention to these issues when reviewing acquisitions, especially as the SEC issues further guidance. Accordingly, the deal team must ensure that it has considered all potential pre-close issues, including: *What information on the acquisition must be included in your company’s filings, and are sufficient disclosure controls and procedures in place at the target to ensure the accuracy of this information? *What information/assurances regarding the acquired operations will your CEO and/or CFO require before signing the combined company certification? *What is the human and financial cost of establishing the appropriate level of disclosure controls and procedures at the target company by the next quarterly certification date? Can the adequate internal controls and procedures for financial reporting, an assessment process, and appropriate documentation be established at the acquired business by the end of the reporting period? *Do members of the deal team have the expertise necessary to evaluate the target’s control environment? Assessments of internal controls have long been the domain of internal and external auditors. Making them advisers to the deal team is now more critical than ever. *Who will be responsible for integrating your control processes into the acquired operations? What are the transition arrangements? How long will the acquired operations be subject to the seller’s control structure, and does that structure include the level of controls and documentation your management requires for its certifications? *If the CEO and/or CFO of the target will lead the combined company, what information will they require on your company’s filings and control processes prior to signing the combined company certification? Conduct diligence on Sarbanes-Oxley issues. There is no substitute for thorough diligence, and now this must be expanded to assess potential Sarbanes-Oxley issues. The nature and extent of this diligence will vary from deal to deal, depending on the size of the target and whether it is an SEC registrant or a private company. Understanding the status of the target’s control processes and documentation are key to determining the potential time, effort, and cost required to incorporate the acquired operations into your company’s certification process. When evaluating an acquisition target, deal teams should focus on several general areas, regardless of the nature of the transaction or the status of the acquirer or target. These include the overall financial health of the target, its organizational structure, and the integrity of its management, especially if they will join the combined company, and the incentives target management receives. Other questions the deal team should be asking include: *What is the target’s industry, and does it present new disclosure requirements, and therefore new control requirements, for the combined company? *Does it conduct business in emerging markets? *How aggressive are its accounting policies? Buying a public company? The level of Sarbanes-Oxley diligence required will vary depending on whether the target is public and currently subject to the act. SEC registrants may have their disclosure controls and procedures in place and be in the process of documenting their internal controls and procedures for financial reporting for the required auditor attestation. To determine whether these controls should be retained, strengthened, or replaced, the deal team must consider whether it is buying an entire company, a division, a product line, or a basket of assets. It must get answers to specific questions during diligence, including: *What is the post-close integration plan and organizational structure? Will the target operate separately or be integrated into the your company’s operations? *What process did the target employ to issue its previous certifications? Is that process acceptable? *How do the disclosure controls and procedures of the target compare to yours? Has the deal team conducted a gap analysis? *What was the scope and findings of the external and internal auditors’ testing of the target’s internal controls and procedures for financial reporting? Buying a private company? For public companies, the riskiest deals involve buying private or family-owned businesses, since these companies generally have less robust reporting and internal controls. Private companies with operations in markets where fraud and misconduct are prevalent are especially vulnerable. When evaluating these businesses, your deal team should determine the disclosures and procedures that would be necessary if the target were an SEC registrant, then focus on the time and effort required to establish your company’s control processes within its operations, rather than spending too much time assessing its existing controls. Planning an IPO or public debt offering? Since Sarbanes-Oxley applies to SEC registrants only, a private company that buys another private firm remains exempt so long as it remains private after the deal closes. However, its status will change if it makes a public debt or equity offering. Accordingly, a private corporation that expects to go public after an acquisition, or a private equity firm that plans a public debt offering for a newly-acquired portfolio company should conduct Sarbanes-Oxley diligence to prepare for post-registration compliance. Mind the gap in post-deal integration. Once a deal closes, members of your disclosure committee (or the controller, chief risk officer, the appropriate business unit leaders, and the heads of the compliance, legal, and investor relations departments) are likely to be responsible for ensuring ongoing compliance with Sarbanes-Oxley. However, the deal team must ensure that any gaps in control and certification processes are identified and remediated before turning its attention to the next transaction. Quickly implementing any necessary changes will allow management to move from reporting issues to their biggest challenge: achieving performance targets. Make sure operations for sale are ready for Sarbanes-Oxley. It has always been true that sellers who effectively manage the divestiture process and arm themselves with well thought-out answers to the questions buyers are likely to ask are more likely to get their price and avoid a drawn-out sales process that erodes value and eats up management time. In the post-Sarbanes-Oxley world, buyers are likely to pay more attention to everything that affects the certification process including the accuracy of your financial and non-financial information, the rigor of your internal controls and reporting procedures, and management integrity and transparency issues. To prepare for increased scrutiny on these matters, corporate development teams should determine the extent to which the businesses they wish to sell are ready to comply with the act. This will entail assessing and documenting the disclosure controls and reporting processes in place at those units. This will help speed buyer diligence, and certainly put you in better position to respond to buyers’ inquiries in this area. Failure to comply with the provisions of Sarbanes-Oxley can result in jail terms and substantial fines for your CEO and CFO. Anticipate intense scrutiny if a problem arises, even if it takes years to surface. Prosecutors, regulators, journalists, and plaintiffs’ lawyers surely will examine each step of the deal process for missteps. Deal teams need not be Sarbanes-Oxley experts. They must, however, know enough to ensure that their company assigns the appropriate resources and covers all of the essential issues. Dana Drury , Jonny Frank, and Michael Wathen are transaction services partners at PricewaterhouseCoopers. Copyright 2003 Thomson Media Inc. All Rights Reserved. http://www.thomsonmedia.com