In a continually evolving and increasingly global business environment, the success of an M&A transaction requires companies to put corporate governance at the top of their due diligence process. If carried out assiduously, pre-acquisition due diligence into a target company's corporate governance processes could go a long way to rebuilding confidence in M&A transactions.

Addressing the nation from the Oval Office thirty-four years ago, President Jimmy Carter made famous the phrase "crisis of confidence." With numerous studies suggesting that as many as nine in every 10 M&A transactions fall short of expectations, it is not surprising that analysts often utter the former president's refrain when commenting on deal prospects.

The enthusiasm for M&A deals thus far in 2013 may sound promising. Two recent surveys conducted by BDO USA found chief financial officers in both the retail and technology sectors to be downright bullish on M&A. But past experience warns us to treat such expectations with skepticism; indeed, the likelihood that even a handful of this year's deals will succeed as hoped is quite low.

There are countless reasons for failed M&A transactions - haphazard integration, misaligned strategy, financial disputes, ineffective leadership and culture clashes, to name a few.

Another contributing factor to our present-day crisis of confidence is insufficient pre-acquisition scrutiny of a target company's corporate governance practices and susceptibility to fraud.

Matters like strict internal controls and risk-management processes, while once viewed merely through the lens of compliance with regulatory standards, are increasingly important indicators of an organization's fitness for investment or purchase.

Hewlett-Packard's $8.8 billion impairment charge is one such example. Late last year, HP disclosed that senior management at Autonomy, the British software firm it acquired for over $11 billion, used accounting improprieties, misrepresentations and disclosure failures to inflate the underlying financial metrics of the company.

As such, an organization's corporate governance must be rigorously analyzed in advance of M&A in order to protect both buyers and sellers.

A handful of considerations for pre-acquisition due diligence can help to prepare companies in their pursuit of lucrative, sustainable deals.

More than a decade ago, the Sarbanes-Oxley Act mandated that public companies establish and maintain an adequate internal control structure and procedures for financial reporting. While that mandate was reviled for the costs it imposed on large organizations, it has been widely viewed as a major step in the right direction. In fact, just last year a survey of corporate governance professionals found broad support for that provision, with 59 percent of respondents calling Section 404 - and its resulting improvement to internal controls - the most significant element of the law.

In deals involving public companies, a careful look at SEC filings - where CEOs and CFOs must attest to the adequacy of their company's internal controls regime - and auditors' tests of the effectiveness of an organization's internal controls, can all provide meaningful insight into an organization's overall risk profile. But responsible due diligence must go further.

Even at companies where a board of directors provides strict governance and oversight, management takes its ownership of internal controls seriously, internal auditors regularly evaluate and monitor for fraud and duties are largely segregated, the possibility of a failure in oversight is always an organizational risk. Internal controls are implemented by human beings, at every level of an organization, and are only expected to provide reasonable assurance - not absolute assurance - to an entity's management, board and investors. Controls can be easily circumvented by the collusion of just two people within an organization or can be overridden by management.

Furthermore, when considering a deal with a private entity or emerging growth company, the examination must be even more rigorous as those companies are not required to have the same corporate governance and internal controls as are required in public corporations. Due to the high costs and lack of short-term benefits of an internal controls regime, organizations all too often fail to implement these measures.

In addition to an audit of a target company's internal controls, it is also important to consider the existing risk management processes the entity has in place.

In 2004, the Committee of Sponsoring Organizations (COSO) issued its initial framework for enterprise risk management (ERM) in an effort to establish a standard for the practice. COSO's efforts have certainly raised the profile of risk management. CEOs, boards and general counsels all regularly tout the importance of it.

But research by the Committee and the Poole College of Management at North Carolina State University found that a company's actions do not always match its words. Despite describing their company's risk culture as "strongly risk averse," 40 percent of executives surveyed said they did not have an ERM process in place. Just 50 percent of executives surveyed said their organizations provide a report to their boards of directors describing the top risk exposures. And 38 percent of leaders told COSO that they maintain entity-wide risk inventories - few of which actually include information on the probability and impact of risks.

In the context of M&A, the aforementioned study found that 33 percent of organizations do no formal assessment of emerging strategic, market or industry risks - crucial information that potential buyers must consider before pursuing a transaction and potentially taking on significant risk from an acquired firm. With updated, more rigorous COSO guidelines published in May and set to go into effect in December 2014, internal control and enterprise risk management are likely to become an even higher priority for acquirers.

For those firms exploring international M&A activity, a third corporate governance consideration takes precedent: the U.S. Foreign Corrupt Practices Act (FCPA). The FCPA prohibits bribing foreign officials and requires companies listed in the U.S. to both maintain accurate books and records and implement a system of internal controls to prevent corruption.

In recent years, the U.S. Department of Justice and the Securities and Exchange Commission have made FCPA enforcement a top priority. In 2012, the enforcement agencies initiated 39 new investigations, more than any other year on record. Businesses making investments in foreign companies or U.S. companies with foreign operations are particularly vulnerable. The FCPA's successor liability provision deems an acquirer of a controlling interest in a corporation financially responsible for any pre-acquisition FCPA violations committed by the target company and that acquirer may have criminal responsibility for any post-acquisition violations.

As a result, pre-acquisition anti-corruption due diligence should, at the very least, involve a high-level assessment of the target company's corruption risk.

 


 

Ben Termini, a partner in BDO USA's New York office, heads risk advisory services, while managing director Brian Mich co-chairs the firm's U.S. anti-corruption compliance and investigations practice.