It’s nearly midnight. The lawyers, accountants and top management have been working away in secret for months.

The deal is about to be announced – a huge strategic acquisition that will bring the company great benefits and rock the market.

You get a call at 11:59p.m.

The CEO quickly asks, “do we need to do some kind of compliance due diligence before we announce the deal in six hours?”

Or worse, you don’t get the call at all. You find out along with all of the other employees at the all-hands meeting.

Why is compliance so often the last to know about a potential merger or acquisition?

Considering the specter of successor liability for bribery and other compliance-related misconduct, compliance should be the first department called once a merger or acquisition begins to be seriously discussed. But even if we have the luxury of being called, we don’t always know what to do to perform proper due diligence on the target company. Here’s where to start.

Before the deal or as soon as possible: Create a policy

The best time to start working on pre-acquisition due diligence is long before the target is ever in play. Draft a policy laying out the timeframe and activities for pre-acquisition due diligence. Be sure to have senior management sign off on it – or, ideally, the board. Create the expectation that compliance be involved from the start.

Conducting pre-merger and acquisition due diligence

Pre-merger and acquisition due diligence is necessary to achieve 3 objectives:

  1. Define the target company’s compliance risk profile

  2. Uncover red flags

  3. identify any prior or existing violations of key compliance-risk areas

Just as every merger or acquisition is unique, no two compliance due diligence reviews will be the same.  However, a systematic approach to (1) creating a target entity profile, (2) identifying relevant compliance-related risk areas, (3) collecting and reviewing information, and (4) developing a recommendation will result in an effective compliance due diligence review.

Step 1: Create a target entity profile

A threshold issue in designing an effective pre-transaction compliance due diligence review is defining the scope of the review. This requires the creation of a target company profile that documents the known information about the target entity. The profile should include the following information about the target entity:

The target entity profile should be as detailed as possible and will serve as a tool to identify potential issues and compliance risk areas. It is likely that the accountants, lawyers or managers already have much or all of this information. If they don’t, start looking on the target’s website and in publicly-available documents.

Step 2: Identify relevant compliance-related risk areas

The target entity profile should provide a basic risk assessment to identify and prioritize the risk areas and issues that require closer scrutiny. Common compliance-related risk areas or issues include: 

Step 3: Collect and review information

After identifying and prioritizing the risk areas and issues that require closer scrutiny, develop a checklist or questionnaire requesting additional information from the target entity. The questionnaire or checklist should be separated into general compliance and ethics-related questions and targeted questions related to the specific risk areas and issues identified.

Examples of general compliance and ethics-related questions:

Importantly, when appropriate, request the documents related to any affirmative response. For example, if the company indicates that it has a Code of Conduct, a copy should be requested and reviewed.

Here you will ask questions relating to the specific compliance-related risk areas or issues you’ve uncovered. Focus on:

The response to this section of the questionnaire or checklist should include information and documentation.

After all the questionnaire/checklist responses and related documentation have been provided, the information should be closely scrutinized for any red flags, issues of concern, and inconsistencies (as compared to other representations by the company).

Step Four: Develop a recommendation

The final step in the due diligence process is to develop a recommendation. If red flags have come up, for each issue:

If any red flag or issue of concern is of such significance that it cannot be remediated, consider whether you need to discuss stopping the transaction with the management team. 

Due diligence protects your company from massive headaches and fines down the road. The DOJ expects compliance-related pre-merger and acquisition due diligence to be performed, as do many of the world’s regulators.

By putting together a policy early and a checklist as soon as the merger & acquisition target has been announced, you’ll put yourself in a position to be part of the inside team.

This post was co-authored by Ramsey Kazem, East Coast Vice President, Spark Compliance Consulting.