A company that does not perform adequate due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps most commonly, inadequate due diligence can allow a course of bribery to continue – with all the attendant harms to a business’s profitability and reputation, as well as potential civil and criminal liability. While most compliance practitioners have been long aware of the requirement in the post-acquisition context, the 2012 FCPA Guidance focused many compliance practitioners of the need to engage in robust pre-acquisition due diligence.
This was expanded again in the 2017 Evaluation but the 2019 Guidance made even more clear the need for a robust compliance presence in the pre-acquisition phase. It stated, “A well-designed compliance program should include comprehensive due diligence of any acquisition targets. Pre-M&A due diligence enables the acquiring company to evaluate more accurately each target’s value and negotiate for the costs of any corruption or misconduct to be borne by the target. Flawed or incomplete due diligence can allow misconduct to continue at the target company, causing resulting harm to a business’s profitability and reputation and risking civil and criminal liability.”
This language was followed up with additional questions posed by the DOJ.
Due Diligence Process – Was the misconduct or the risk of misconduct identified during due diligence? Who conducted the risk review for the acquired/merged entities and how was it done? What is the M&A due diligence process generally?
Integration in the M&A Process – How has the compliance function been integrated into the merger, acquisition, and integration process? Such an early assessment will inform the transaction evaluation. What is the process on how to plan and execute a strategy to perform pre-acquisition due diligence in the M&A context?
Establish a point of contact. Here you need to determine one point of contact that you can liaise with throughout the process. Typically, this would be the target’s CCO if the company is large enough to have full time position.
Collect relevant documents. Obtain a detailed list of sales going back 3-5 years, broken out by country and, if possible, obtain a further breakdown by product and/or services; all Joint Venture (JV) contracts, due diligence on JVs and other third-party business partners; the travel and entertainment records of the acquisition target company’s top sales personnel in high risk countries; internal audit reports and other relevant documents. You do not need to investigate de minimis sales amounts but focus your compliance due diligence inquiry on high sales volumes in high-risk countries. If the acquisition target company uses a sales model of third parties, obtain a complete list. It should be broken out by country and amount of commission paid. Review all underlying due diligence on these foreign business representatives, their contracts and how they were managed after the contract was executed; your focus should be on large commissions in high risk countries. The following is a seven-step process you can use.
Review the compliance and ethics mission and goals. Here you need to review the Code of Conduct or other foundational documents a target has to gain some insight into what they publicly espouse.
Review the specific elements of the target’s compliance regime. This includes a number of additional elements:
Oversight, CCO authority and operational structure of the compliance program. Here you should assess the role of Board, CCO and, if there is one, the Compliance Committee. Regarding the CCO, you need to look at their reporting and access – is it independent within the overall structure of the company? Also, what are the resources dedicated to the compliance program including a review of personnel, the budget and overall resources? Review high-risk geographic areas where your company and the acquisition target company do business. If there is overlap, seek out your own sales and operational people and ask them what compliance issues are prevalent in those geographic areas. If there are compliance issues that your company faces, then the target probably faces them as well.
Written standards, including internal controls, policies, procedures and Code of Conduct. In this analysis, you should identify industry practices and legal standards that may exist for the target company. You need to review how the compliance policies and procedures were developed and determine the review cycles, if any. Lastly, you need to know how everything is distributed and what the enforcement mechanisms for compliance policies are. Additionally, you need to validate, with HR if there have been terminations or disciplines relating to compliance.
Education, training and communication. Here you need to review the compliance training process, as it exists in the company, both the formal and the informal. You should ask questions, such as “What are the plans and schedules for compliance training?” Next determine if the training material itself is fit for its intended purpose, including both internal and external training for third parties and if it is targeted to the proper audience and effective. Is it effective? You should also evaluate the training delivery channels, for example is the compliance training delivered live, online, or through video? Finally, assess whether the company has updated their training based on changing of laws. You will need to interview the acquisition target company personnel responsible for its compliance program to garner a full understanding of how they view their program. Some of the discussions that you may wish to engage in include visiting with the target company’s GC, its senior executive head of sales and head of internal audit regarding all corruption risks. You should also delve into the target’s compliance efforts, and any other corruption-related issues that may have surfaced.
Monitoring and auditing. Under this section you need to review both the internal audit plan and methodology used regarding any compliance audits. A couple of key points are (1) is it consistent over a period of time and (2) what is the audit frequency? You should also try and judge whether the audit is truly independent or if there was manipulation by the business unit(s). You will need to review the travel and entertainment records of the acquisition target company’s top sales personnel in high-risk countries. You should retain a forensic auditing firm to assist you with this effort. Use the resources of your own company personnel to find out what is reasonable for travel and entertainment in the same high-risk countries which your company does business. What ongoing monitoring tools is the target using?
Reporting. What is the company’s system for reporting violations or allegations of violations? Is the reporting system anonymous? From there you need to turn to who does the investigations to determine how are they conducted? A key here, as well as something to keep in mind throughout the process, is the adequacy of record keeping by the target.
Response to detected violations. This review is to determine management’s response to detected violations. What is the remediation that has occurred and what corrective action has been taken to prevent future, similar violations? Has there been any internal enforcement and discipline of compliance policies if there were violations? Lastly, what are the disclosure procedures to let the relevant regulatory or other authorities know about any violations and the responses thereto? Further, you may be required to self-disclose any FCPA violations that you discover. There may be other reporting issues in the M&A context such as any statutory obligations to disclose violations of any anti-bribery or anti-corruption laws in the jurisdiction(s) in question; what effect will disclosure have on the target’s value or the purchase price that your company is willing to offer?
Enforcement practices/disciplinary actions. Under this analysis, you need to see if there was any discipline delivered up to and including termination. If remedial measures were put in place, how were they distributed throughout the company and were they understood by employees?
Checkup. Periodically evaluate your M&A review procedures’ effectiveness benchmarked against any legal proceedings, anti-corruption enforcement actions, opinion releases, or other relevant information.
If there are red flags raised in this process, this warrants further investigation. They include if the target has ineffective elements in their compliance program or if there were frequent breach of policies and procedures. Obviously, a target which is in financial difficulty would bear closer scrutiny from the compliance perspective. Structurally, if the company did not have a formal Ethics and Compliance Committee at the senior management or Board of Directors level, this could present issues. From the CCO perspective, if the position did not have Board or CEO access or if there were not regular reports to the Board, it could present an issue for compliance. Conversely if there were frequent requests to waive policies, management over-ride of compliance controls or no consistent consequence management for violations; it could present clear red flags for further investigation.
After your compliance due diligence review and interviews, the final step in the pre-acquisition process is to develop the risk assessment as a base document. From this document, company management can use this pre-acquisition risk assessment to ascertain will be required in the way of integration, post-acquisition. It would also help to inform how the corporate and business functions may be affected after acquisition. Finally, it will assist in planning for timing and anticipation of the overall expenses involved in post-acquisition integration. These costs are not insignificant, and they should be thoroughly evaluated in the decision-making calculus as a part of your acquisition price.
Three key takeaways:
- The results of your pre-acquisition due diligence will inform your post-acquisition integration and remediation going forward.
- Periodically review your M&A due diligence protocol.
- If red flags appear in pre-acquisition due diligence, they should be cleared.