Mergers And Acquisitions In The Age Of Sarbanes-Oxley

Like many elements of corporate life, mergers and acquisitions will never be the same now that The Sarbanes-Oxley Act of 2002 is in full force. The law and the heightened sense of accountability of corporate boards of directors and senior executives is causing companies to carefully reconsider how they manage every element of M&A transactions, from the buy decision to the post-deal integration.

“The biggest impact has been at the top of the organization in terms on the focus on accountability,” says Paul Reszutek, northeast regional managing partner for Deloitte & Touche's Merger & Acquisition Services. “There is a greater degree of involvement at the board level with greater emphasis on due diligence because the stakes are higher.”

In Reszutek’s experience, boards are focusing on whether a deal is consistent with the company’s strategy, and are asking more detailed questions about the management of the transaction. For example, after due diligence, the board might ask for the top five or ten risks associated with the transaction, and why management is comfortable taking on those risks. “The board wants to feel comfortable that management is doing all the right things,” he says. “The fundamental reasons for killing a deal haven’t changed, but boards are setting the bar for approval higher.”

Companies are also realizing that transactions require close attention to the potential impact on the buyer’s overall Sarbanes-Oxley compliance. In one example discussed with Compliance Week on condition of anonymity, a company that had discovered a material weakness in a target company nearly scrapped the deal. After all, the revelation of a material weakness in the internal controls of the target company could have had an adverse affect on the acquiring company’s stock. “Sarbanes-Oxley had become the top issue related to doing the deal,” says John McPhee, a partner in the transactions services practice of KPMG. Although the deal was eventually completed, the acquiring company proceeded with great caution and carefully planned the announcement of the material weakness in the target company—which was planned to remain a standalone entity after the acquisition—so that it was clear that the acquiring company was not surprised by the situation and had factored it into the deal.

Roberts

None of this is particularly surprising to executives managing M&A transactions in the age of Sarbanes-Oxley. “When you acquire a company, you are taking on new numbers,” says Kent Roberts, executive vice president and general counsel of McAfee, a $936 million technology company based in Santa Clara, Calif. Roberts maintains that Sarbanes-Oxley becomes an issue even in the “buy/not buy” decision, and has put internal controls front and center throughout M&A transactions. “Our CFO is not interested in an acquisition if there is a chance it will result in having to report a material weakness in internal controls because we can’t integrate the acquisition quickly enough,” says Roberts. “We need to be able to make commitments to the board and the CEO that integration will occur at a certain pace and that the company will be able to maintain the value proposition that made the target company interesting in first place.”

More Due Diligence

If SOX-related issues permeate M&A transactions, the exact nature of those issues depends on the companies involved; namely, whether the acquisition target or merger partner is a public U.S. company that has been complying with Sarbanes-Oxley, or a private or foreign company that has not. “One of the big concerns in M&A is that you don’t want to buy into a problem,” says Roberts. “Careful due diligence is designed to smoke out those problems.”

In many companies, the due diligence and integration teams now include representatives from internal audit, accounting, and IT, to ensure that the company knows exactly what it is getting in terms of internal controls, financial structure, and financial systems, and how quickly and easily it can integrate the acquired company. For example, FTI Consulting now includes members of its Section 404 compliance project team in the due diligence process. “In the past, we didn’t go to that level of detail in looking at internal control weaknesses during due diligence,” says Ted Pincus, executive vice president and CFO of the $427 million consulting firm based in Annapolis, Md.

Noonan

Companies are particularly careful when acquiring private companies. “We emphasize scrutiny of the financial structure of acquisition targets and how well the company in question is maintaining it; in many cases, private companies have less sophisticated financial structures and they tend to emphasize income avoidance,” says Michael Noonan, director of investor relations for Forgent Networks, a $15 million software company based in Austin, Texas. “We don’t want to inherit any problems and we don’t want to acquire a company with unsound financials.”

The systems and processes involved can also cause problems during the integration phase of the deal. During Forgent Networks’ acquisition of a scheduling software company, it spent considerable time getting the back office systems working together. “Roll-ups of small companies are likely to be more difficult going forward just because of financial controls,” says Noonan. This is especially true for smaller public companies whose resources are already stretched thin by day-to-day operations and compliance demands.

What To look For

When a deal involves a public company, due diligence begins with a request for the internal control documentation created to comply with Sarbanes-Oxley Section 404. Of course, not all companies have yet certified their internal controls as required under Section 404, so the usefulness of this material remains to be seen. “A lot depends on the quality of documentation,” notes McAfee’s Roberts. “I’m reserving judgment because it is the first year of Section 404 compliance, and it is unclear whether Section 404 documentation will makes things easier from a due diligence perspective.”

During due diligence, companies now focus on understanding the compliance issues they might face after the transaction is completed and how difficult it will be to manage those issues. The goal is to develop a high level assessment of the work required so that the company can begin to plan and budget for that work. For example, if a company is acquiring all or part of a public company, the due diligence team can conduct an analysis to see how the acquired company’s internal controls and financial structure line up with that of the buyer. If the acquisition target is a foreign company, due diligence would also focus on whether the target company has a board-level audit committee, an internal audit function, and policies governing financial reporting. “Some countries have less transparency in financial reporting and controls,” says McPhee at KPMG, “so it could take longer to deal with these issues when buying companies in those countries.”

Murray

Private companies are usually more problematic because their infrastructure tends to trail their growth. As a result, many have internal controls that are less mature than large public enterprises, and in many cases the controls are not well documented or tested. “At a minimum, acquirers are looking for an appropriate corporate governance structure,” says Robin Murray, a partner with 3i, a venture capital firm in Menlo Park, Calif. How much companies require beyond that depends on the size of the acquisition target compared to that of the acquirer. “The larger the target company is relative to the acquirer, the more important these issues become,” says Murray.

Sullivan

The state of the target company’s internal controls and documentation are likely to factor into the deal negotiations, especially if they reveal a serious deficiency or material weakness. If the potential risks of buying private companies with poor internal controls becomes too great, private companies can take steps to deal with those issues proactively. “I think we will see private companies dusting themselves up and paying more attention to internal controls as they position themselves as acquisition targets,” says Mike Sullivan, an attorney with Howard Rice Nemerovski Canady Falk & Rabkinin, a law firm based in San Francisco. In addition to making the company more appealing, this preparation could positively affect the price of the deal because the acquirer will not be as concerned about risks or the potential cost of integration.

Faster Integration

Companies no longer have the luxury of time when it comes to post-deal integration—speed is now the key to success. Some companies bring the acquired company onto their financial systems immediately, and work to complete integration within 90 days. “It is foolish to have two different finance structures,” says Sullivan.

It is also common for companies to get compliance professionals involved in the integration process from the very beginning. “The goal is still to achieve cost reductions and a smooth integration, but involving compliance and internal control people can help to make sure that the company doesn’t do anything during integration that will undermine the internal control structure,” says Reszutek at Deloitte and Touche. “It would be a mistake to complete integration and have the compliance people look it over afterward; it is important to get it right the first time.”

THE SOX EFFECT

According to experts, the requirements of the Sarbanes-Oxley Act of 2002 are likely to have an effect on mergers and acquisitions in three main ways.

Due Diligence—Certifications required under Sections 302 and 404 of the Sarbanes-Oxley Act must cover the whole company, including recent acquisitions. Therefore, companies can develop an approach to due diligence that will provide a high level overview of any potential compliance issues the merger or acquisition will create for the buyer, and how long it will take to address those issues and at what cost. Companies should also be prepared for a due diligence that is more extensive and takes longer.

Weak Controls—Before approaching a target company, buyers should determine what impact, if any, weak internal controls within that company might have on their willingness to go through with a deal.

Integration—Companies should have an integration plan in place before the deal closes to ensure the company can fulfill its quarterly certifications with confidence and on time. Integration should focus not only on financial systems and internal controls, but also cultural and human resource issues. Controls and processes only work when people use them.

Synopsys, a $1.1 billion company in Mountain View, Calif., that develops software for semiconductor design, focuses on speeding up integration by putting the acquired company on its own system as soon as the deal is closed. “We never continue a parallel system and we never rely on the other company’s financial system,” says Synopsys CFO Steven Shevick. As a result, the company has made few changes to the way it manages acquisitions, except in one area: “We try not to close deals in the fourth quarter,” he says.

When it comes to evaluating a potential acquisition target, Shevick tends to focus primarily on whether the company can put necessary internal controls in place and how much it will cost to do so, particularly if an acquisition target operates in an unfamiliar geography, in an unfamiliar business, or has an unusual corporate structure. At the same time, “poor internal controls often indicate that it is a poorly run company, so we are unlikely to pay as much,” says Shevick.

But even if a target company has sub-par reporting, the buyer still needs to determine whether it wants to assume the cost of “clean up,” while also not losing sight of the bigger picture and the long-term goals of the transaction. “We wouldn’t avoid acquiring a company if its products and people were worth having,” says Shevick.

Pincus

Faster integration is also on the agendas of many other companies, as well, partly due to the opportunities for risk avoidance. “In many cases, the acquired company has systems and procedures that are significantly different from ours,” says Pincus of FTI Consulting. “The risk in keeping different systems is that you may not be able to document controls or find problems,” he adds. “Rather than keep those systems and procedures in place, we bring them immediately onto our systems and discard theirs. That takes a lot of planning, so we combine integration planning with due diligence.”

However, just bringing the acquired company onto the company’s systems and procedures is not enough. “We know that our systems and procedures are in compliance with 404, but we can’t assume that people will be complying with those systems and procedures,” says Pincus. “You also need to look at the people involved, including their attitudes and cultural differences—how flexible people are, how different the way we do things is from what they have done.”

For example, individuals at the acquired company might have had more leeway in authorizing certain transaction or negotiating discounts with customers, or might have been more lax in collections or when revenue is recognized. “SOX will force companies to look at some issues like cultural differences earlier than they might have in the past,” says Pincus.

Overall, executives and experts believe that Sarbanes-Oxley requirements will yield some benefits when it comes to managing mergers and acquisitions. “The existence of SOX forces companies to conduct greater due diligence and focus on other issues that increase their ability to create meaningful value from the transaction,” says Pincus. In this regard, “Sarbanes-Oxley is generating tremendous benefits but at enormous cost.”