Christian Phillips, chief security officer at payment processing company Regulus and an old hand at running corporate IT departments, knows all too well the challenges of blending IT departments after a merger.
In fact, he’s doing it right now.
Regulus was acquired in April by publicly traded 3i Infotech for $100 million. Phillips now must combine two separate IT operations, complete with compliance obligations, audit continuity, security programs, and more. He likens the technical challenges of mergers to the Hippocratic oath of medical doctors: Do no harm.
“To be sure, there’s no universal checklist in these situations, but security and IT are not strictly audit situations; they are fundamentally a business question,” he says. “I think what’s done immediately should be pretty common in terms of assessing strengths and vulnerabilities just like any business, as well as looking at the risk profile and critical physical and logical locations, and determining the business’s dependence on e-commerce.”
Phillips’ task has all the complexity of modern compliance challenges: The corporate headquarters is in New Jersey, but the company is managed by Indian nationals and traded on the Bombay Stock Exchange—and, like Regulus, has scores of Fortune 500 corporate clients who must meet Sarbanes-Oxley requirements and expect vendors like 3i Infotech to do the same. He must also contend with the prospect of having to adopt foreign accounting standards into his company’s audit program and the possibility of talented staff members departing for greener pastures before, during, and after the merger process.
Phillips and other IT compliance pros say the most visible mistake in corporate mergers is underestimating the challenge of integrating technologies, from data migration and partitioning to enterprise-wide password integrity to relationships with new and pre-existing vendors—not to mention risk management and turbulent staff morale.
“It’s easy to sit down and be happy about the merger process and say, ‘Yeah let’s integrate X into Y and A into Z.’ Then you look up, and it’s become a two-year project,” Phillips says.
The first step for compliance executives in the wake of a merger is to establish a risk universe at the entity level and keep management informed of what those risks are. Rolling the IT audit and security process into that is vital, experts say. They cite three specific areas of attention:
Information Security: Make sure the newly combined enterprise has solid access controls, password assignment and protection policies, and up-to-date firewalls at the network level as well as a secure database. All these things should be tested and documented by both companies with the findings presented to management for audit process integration and monitoring.
Change Management: A well-known buzzword in the audit community, “change management” applies well to mergers because it’s all about documenting change and putting processes in place to anticipate change. Depending on the industry, there may be different technical needs or a need to upgrade systems. This process must be documented and tested so that an audit trail can be created for everything from system upgrades for rank-and-file users to implementation of new enterprise resource planning software and the hiring of outside consultants.
Information Systems Operations: Documenting and testing this process has everything to do with how financial data and mission-critical information flows through the computer system. Making sure information flows correctly so that figures are valid and can be booked on time is crucial.
Robert Stroud, an executive vice president in charge of IT audit for computer consultant firm Computer Associates, says a merger is more like a marriage of methodologies than a simple conjoining of two businesses.
“It’s like anything else when entities come together: You need to merge the existing governance and audit process with the counterpart’s similar processes,” he says. “What’s germane to this is looking at the alignment between the two audit and compliance strategies—comparing and contrasting them—and then looking immediately at where your gaps are by doing a thorough control gap analysis.”
The “gap analysis” should be part of any risk assessment and is central to implementing ERM policies at a merged entity. Essentially, it’s the process of benchmarking and mapping the control objectives and activities of both companies, identifying mitigating controls, and also finding risks within the new combined scope that neither company’s risk matrices or audit programs cover.
Get It Done
No matter how big the processing environment, what the industry is, or whether the companies are public or private, everyone agrees that the surest way to prevent interruptions in business continuity is to identify overall goals from day one and build a risk assessment into those goals on that same day.
Michael Cangemi, a past president of both Financial Executives International and the Information Systems Audit and Control Association, says that in his experience with mergers he’s learned that everyone from C-level managers down to business process owners should move quickly, yet thoughtfully.
“There is always risk and while you need to move fast, you do need to consider IT controls and scope very carefully and make sure you have conversion controls built into your plan,” Cangemi says.
Continuous auditing and monitoring of IT systems from a security, operations, and change management perspective can also come in handy when it’s time to put a combined computer processing framework into production or re-launch separate but jointly operated IT systems.
“This can produce enormous efficiencies, consolidate compliance methodologies, and maximize controls testing in the wake of the merger,” Cangemi adds.
Andrew Storms, director of security for ERM consultancy nCircle, like many others, identified access control and identity management as “critically important in any merger.”
“These systems are so critical to the confidential information of both companies and to the merger documents themselves that they are no longer considered a technology for the IT guys, but an integral part of business process,” he says. “This really is good news if you have a well run identity management system since the myriad business objectives involved in every merger always affect a wide range of systems, in addition to compliance and regulatory objectives.”
IT May Feel Sting
Computer Associates’ Stroud predicts that in today’s economy, there will be several mergers and divestitures that come as a result of cost-cutting measures, and the IT function will be one of the first departments to feel the effects.
“We’re definitely going to see rationalization in IT organizations going forward, whether it be through cost cutting or automation of compliance processes,” he says. “There will also be regulatory reactions to our credit crunch that may again affect the compliance profession systemically, and we need to think those through.”
He adds: “In my experience with mergers, the best ones were when things were integrated in a business-as-usual framework, while the worst ones were when no one was talking, or they were spending too much time talking without any real communication between merged parties.”