Before you buy - Why it is critical to conduct due diligence on the compliance function of target companies
Companies in the middle of an M&A deal obviously know the importance of doing their due diligence: Without it, and without the target company meeting the requirements, there won’t be any deal at all, or the price will change.
Why then are some companies not so strict about their due diligence on a target company’s own compliance function?
They may conduct finance due diligence, tax due diligence, and legal due diligence, but not all companies put the same emphasis on analyzing and understanding a target’s compliance function. Sometimes it’s a matter of deal deadlines and priorities. Other times, the team believes it can fix any problems after the purchase.
As head of Forensic, Risk and Compliance for BDO Germany, I am involved in the due diligence of compliance functions during transactions. I recommend companies examine closely a target’s compliance culture, assess the compliance systems it has in place, and review compliance history for evidence of legal actions or fines.
It’s important to fully understand the compliance processes of the target company, not only because compliance functions can be inefficient and therefore expensive to operate, but also because compliance failure can mean being shut out of certain markets or facing fines.
In early 2017, the U.S. Securities and Exchange Commission settled a case for 13 million dollars related to the Foreign Corrupt Practices Act (FCPA). The SEC alleged that a confectionary company failed to conduct adequate due diligence on a consultant in India. When that company was acquired, the acquiring company failed to conduct adequate due diligence on the firm it bought, both before and after the acquisition.
Let’s look at the three important areas of compliance to be examined during the due diligence that I mentioned before.
Committed to compliance?
I often equate compliance to diets. It’s one of those necessary evils in life. Like a diet, the compliance function can be scientifically sound. The checks and balances may have been designed by experts and tested in the field. But if they’re not used, and used properly, the compliance function – like a diet – just doesn’t work.
That’s why I say due diligence in an M&A transaction must also consider the culture of compliance in a company. What is the stance of the management on compliance? Has management signed a code of ethics, is it enforced, and are people sanctioned for non-compliance with the rules, including the top performers?
I also want to know that a CEO has personally spoken about the necessity of compliance during company meetings and stressed how important it is to follow rules and regulations. Sometimes when you buy a company, you can observe that there was a fraud case, such as money laundering or terrorist financing, or corruption. If that has happened, what did the target company do about it? Were people fired?
When we supported a company on due diligence of a target, we found that the target had a problem with corruption and the bribing of public officials and clients. In the end, the responsible general manager had not been fired but had actually received a bonus, which gave the employees the wrong impression. This was part of our assessment of the target’s client for the would-be buyer to consider.
What compliance systems are in place?
The second area to investigate is compliance systems, especially in international companies, where some employees may be tempted to ignore rules applied from a distant headquarters. Here I’d like to add that there are two types of employees who can get a company in trouble with non-compliance: Those who don’t comply with the rules because they don’t know them, and those who don’t comply with the rules because they think they’re bad for the business.
By applying preventive measures, a company can eliminate 80% of compliance breaches by people who are not aware of the rules and regulations. The other 20% needs to be managed by hard internal controls.
One red flag about potentially weak compliance functions comes when we find out that a company has not done its own internal compliance risk assessment. All compliance functions are complex and tailored to a company’s particular business and market niche. If a risk assessment has never been done, it may indicate that the company doesn’t understand its own systems. Personally, I expect a company which is to be acquired to provide such a risk assessment and be able to explain which measures are being used to manage which risks.
What is your compliance track record?
My third point is that acquiring companies need to check compliance history to understand the company’s relationship with regulators and whether any investigations were conducted in the past. If fraud has taken place, which systems allowed this? The target company needs to have substantially reduced the probability that a similar incident could happen again through compliance remediation.
To understand the compliance track record, a comprehensive review of publicly available information is very helpful as well. When assisting with M&A due diligence, we seek the maximum amount of information about the target’s management, including information from social networks, shareholdings, criminal records, and the like.
It makes me think of the work of an investigative journalist, because we do carry out interviews like journalists. But there’s much more, including self-assessments, system checks and the auditing of certain transactions, such as the contracting of consultants, invoices and so on. We’re not a police force, of course. The target company must agree with the acquiring company to allow such checks.
In conclusion, I strongly recommend thorough due diligence of the compliance function of a target company – to make a better purchase decision and to avoid complex and expensive surprises down the road.