Planning Ahead to Manage M&A Due Diligence

Lots of mergers look great on paper. And when you diagram the merger of financial and IT systems on the whiteboard—hey, what can go wrong?

Here in the real world, however, integrating two corporate IT systems can not only be a headache for the IT department; core business functions can be compromised—including financial reporting or other tasks crucial to effective corporate compliance.

“Technology integration is among the most important parts of an M&A transaction,” says William Kucera, co-chair of the M&A practice at law firm Mayer Brown. “This is the on-the-ground, nuts-and-bolts work of combining one complicated business with another. It is not easy, and how systems integrate must be thought out from the very beginning.”

Managing high-risk third parties and avoiding inherited corruption problems will be nearly impossible if the target company doesn’t track, inventory, and monitor such problems efficiently. Internal control breakdowns are inevitable. Sarbanes-Oxley compliance is at risk. Adherence to accounting and auditing standards can be endangered. In worst-case scenarios—such as when Hewlett-Packard acquired Autonomy in 2011—huge writedowns in goodwill can happen.

“The whole acquisition is predicated on synergies. Unless you are really doing a good job mitigating the compliance issues and addressing financial reporting, you are not going to get at those synergies very quickly, if ever,” says Milton Marcotte, a partner with the consulting firm McGladrey who leads due diligence teams.

The problem, according to Dan Wangerin, a professor at Michigan State University who studies M&A trends, is that confirming the internal controls for a target company are operating effectively is difficult when you lack an understanding of what the fundamental IT systems are. Without proper due diligence on the front end of the deal, post-merger problems from technology clashes can quickly multiply.

“It is common to find payroll, reporting, and compliance issues,” Marcotte says. “There are often external audit issues because the financial reporting is not very good, is not accurate, and not timely. That can be very disruptive, especially if you are in a highly regulated industry.”

Another sleeper issue in failed IT integration is tax compliance. “Maybe their system doesn’t facilitate the reporting needed to do that properly. What revenue do we get by state? ‘Well, we don’t know; our system doesn’t provide that,’” he says.

Days 1 to 100

Before and during a transition period, companies need to determine an IT integration strategy that works best for their needs. An initial choice will be whether to integrate everything into the buyer’s infrastructure, take a hybrid approach, or jettison anything the target company has in place. “I’ve seen situations where the systems are like an unwanted stepchild, that the parent can’t wait until they are out of the house,” Wangerin says.

Marcotte agrees that a first step is to develop an “ultimate goal and exit strategy” from which incremental decisions will be made, and he warns that every approach has its pitfalls.

“You end up over-compensating with staff and end up with more manual financial reporting and compliance that would otherwise have been done with an automated system,” he says. “Not only is that costly, time consuming, and a waste of employee resources; you end up having not-as-good financial reporting, slower reporting, and less management information and analytics.”

“Technology integration is among the most important parts of an M&A transaction. This is the on-the-ground, nuts-and-bolts work of combining one complicated business with another.”
William Kucera, Co-Chair, M&A Practice, Mayer Brown

Then again, maintaining separate systems is no bargain either. “You have more cost because you are maintaining multiple systems along with all the manual stuff that comes with a transition,” Marcotte says. And reporting can get mind-numbingly complicated when a company is on a buying spree and acquiring several acquisitions at once.

Get Ahead of the Headache

Early in the due diligence process, determine the biggest potential problems and don’t try to solve all of them at once, Marcotte suggests. This is important because you don’t want to spend needlessly if the deal falls apart. List the biggest three or five risks so you can prioritize your evaluations and wade into transaction costs a bit more slowly and thoughtfully.

“The level and depth of diligence should match the risk inherent in the deal,” says Richard Plansky, executive managing director at consulting firm K2 Intelligence. “You don’t want to do the full scorched earth approach for every single deal, so have a risk-based approach.”

WHAT TO ASK

Questions that need to be asked early and often:

Who developed the ERP system? How old is it and what are the annual costs?

Can the disparate systems be brought together to give the compliance officer and management a global view of operations?

How are third parties monitored? Is it done on a single platform or multiple nodes? Can the target company quickly identify all resellers, business agents, and distributors by location?

Has system software been regularly maintained and updated?

Who has responsibility for control and maintenance of the target company’s IT systems?

Is there a disaster recovery plan?

How does the company secure and protect data? What is its privacy policy?

Does the system comply with a security framework, such as those developed by the National Institute of Standards and Technology, International Organization for Standardization, or the Payment Card Industry Data Security Standard.

What training is in place, or needs to be, to transition employees to new software and hardware?
—Joe Mont

After an initial review of controls and risks, a 100-day integration plan should be drafted before completing the deal, Marcotte says. It should outline, step-by-step, how the buyer wants to address identified issues, and who has ownership of each one. “Smart companies are ready to start integrating and addressing those issues on Day 1,” he says. “They will often have a project management office that is in charge of implementing that plan and addressing big items up-front.”

The transition team should not be limited to the IT department and upper management. Compliance, internal audit, accountants, and HR should all be at the table to bring their expertise into as assessment of the target’s infrastructure. “That way, when they have all these work-streams going on, stuff doesn’t start falling between the cracks,” Marcotte says.

Some companies also opt to hire an operational person from the target company’s industry, “so there is more of that industry knowledge and specific company knowledge brought into the transaction,” Marcotte says. If the target uses a particular software platform, adding someone to the team who has experience with it can also aid both due diligence and assessing post-acquisition risk.

Don’t Forget Security

Security and privacy are also concerns that need to be addressed given the threat of hackers, breaches, and the regulatory and reputational damage that will accompany an inability to secure customer or patient data. This is especially important for a cross-border deal that may need to bridge different regulatory regimes.

“In a number of the data breaches we have been involved with, problems have arisen from the failure to integrate systems following an acquisition,” Plansky says. “When you squish a bunch of companies together it changes your information security posture. It makes the job of defending yourself harder when you have multiple systems that haven’t been integrated.”

“You are buying the liability that comes along with the company even if that data breach happened before you got there,” he adds.