SOLVED: Your Pre-M&A Due Diligence Checklist

It’s nearly midnight. The lawyers, accountants and top management have been working away in secret for months.

The deal is about to be announced – a huge strategic acquisition that will bring the company great benefits and rock the market.

You get a call at 11:59 p.m.

The CEO quickly asks, “Do we need to do some kind of compliance due diligence before we announce the deal in six hours?”

Or worse, you don’t get the call at all. You find out along with all of the other employees at the all-hands meeting.

Why is compliance so often the last to know about a potential merger or acquisition?

Considering the specter of successor liability for bribery and other compliance-related misconduct, compliance should be the first department called once a merger or acquisition begins to be seriously discussed. But even if we have the luxury of being called, we don’t always know what to do to perform proper due diligence on the target company. Here’s where to start.

Before the deal or as soon as possible: Create a policy

The best time to start working on pre-acquisition due diligence is long before the target is ever in play. Draft a policy laying out the timeframe and activities for pre-acquisition due diligence. Be sure to have senior management sign off on it – or, ideally, the board. Create the expectation that compliance be involved from the start.

Conducting pre-merger and acquisition due diligence

Pre-merger and acquisition due diligence is necessary to achieve 3 objectives:

  1. Define the target company’s compliance risk profile

  2. Uncover red flags

  3. Identify any prior or existing violations of key compliance-risk areas

Just as every merger or acquisition is unique, no two compliance due diligence reviews will be the same.  However, a systematic approach to (1) creating a target entity profile, (2) identifying relevant compliance-related risk areas, (3) collecting and reviewing information, and (4) developing a recommendation will result in an effective compliance due diligence review.

Step 1: Create a target entity profile

A threshold issue in designing an effective pre-transaction compliance due diligence review is defining the scope of the review. This requires the creation of a target company profile that documents the known information about the target entity. The profile should include the following information about the target entity:

  • Industry

  • Geographic location of main offices

  • Annual revenue

  • Countries/regions where the entity conducts business (e.g., sales, manufacturing, procurement, etc.)

  • Type of customers (e.g., consumers, businesses, wholesalers, retailers, etc.)

  • Third-party relationships

  • Known problems or issues

The target entity profile should be as detailed as possible and will serve as a tool to identify potential issues and compliance risk areas. It is likely that the accountants, lawyers or managers already have much or all of this information. If they don’t, start looking on the target’s website and in publicly available documents.

Step 2: Identify relevant compliance-related risk areas

The target entity profile should provide a basic risk assessment to identify and prioritize the risk areas and issues that require closer scrutiny. Common compliance-related risk areas or issues include: 

  • bribery and corruption

  • antitrust/competition

  • data privacy/protection

  • trade sanctions

  • import/export controls

  • modern slavery and human trafficking

  • money laundering

  • government relationships

  • workplace health and safety

  • conflicts of interest

Step 3: Collect and review information

After identifying and prioritizing the risk areas and issues that require closer scrutiny, develop a checklist or questionnaire requesting additional information from the target entity. The questionnaire or checklist should be separated into general compliance and ethics-related questions and targeted questions related to the specific risk areas and issues identified.

Examples of general compliance and ethics-related questions:

  • Does the company have a Code of Conduct? If yes, is the code of conduct available in the local language of each of the countries where the company has employees?

  • Does the company provide Code of Conduct training to its employees? If yes, how often is the training provided and how is the training delivered?

  • Does the company retain attendance records of its Code of Conduct training?

  • Does the company have an internal hotline for employees to report misconduct or ask questions? If yes,

    • How many reports were received through the hotline for each of the last three years?

    • What types of reports have been reported through the hotline over the last three years?

    • How does the company publicize the hotline?

    • Is the hotline accessible in all countries where the company has employees? 

    • Is the hotline in the local language of each of the countries where the company has employees?

    • Does the reporter have the option to report anonymously?

  • Are there any other mechanisms by which employees can report misconduct or ask questions?

  • Has the company performed a compliance risk assessment in the last five years?

  • Does the company have policies and procedures related to the compliance program? If yes, please identify every compliance-related policy and procedure.

  • Has the company been the target of any investigations, lawsuits, or enforcement actions within the prior five years?

Importantly, when appropriate, request the documents related to any affirmative response. For example, if the company indicates that it has a Code of Conduct, a copy should be requested and reviewed.

In the targeted part of the questionnaire or checklist, ask questions relating to the specific compliance-related risk areas or issues you’ve uncovered. Focus on:

  • how the risk area is assessed by the company

  • the high-risk business activities related to the risk area

  • the existence of policies, procedures, and training programs addressing the risk area

  • the use of compliance-related contract provisions in third-party contracts to manage the risk

  • the controls and processes in place to mitigate the risk

  • the monitoring or auditing activities implemented to measure compliance with applicable policies, procedures, and controls and the overall effectiveness of the applicable policies, procedures, and controls

  • financial records, statements, and accounting books, including any government and third-party payments where relevant

  • investigations, lawsuits, and enforcement actions initiated against the company related to the risk area

The response to this section of the questionnaire or checklist should include information and documentation.

After all the questionnaire/checklist responses and related documentation have been provided, the information should be closely scrutinized for any red flags, issues of concern, and inconsistencies (as compared to other representations by the company).

Step 4: Develop a recommendation

The final step in the due diligence process is to develop a recommendation. If red flags have come up, for each issue:

  • specify the significance of the issue (e.g., low, medium, or high)

  • identify the next steps for addressing or remediating the issue

  • recommend whether the next steps should be completed before the transaction is completed, or should be incorporated as part of the post-transaction integration plan. 

If any red flag or issue of concern is of such significance that it cannot be remediated, consider whether you need to discuss stopping the transaction with the management team. 

Due diligence protects your company from massive headaches and fines down the road. The DOJ expects compliance-related pre-merger and acquisition due diligence to be performed, as do many of the world’s regulators.

By putting together a policy early and a checklist as soon as the merger & acquisition target has been announced, you’ll put yourself in a position to be part of the inside team.

This post was co-authored by Ramsey Kazem, East Coast Vice President, Spark Compliance Consulting.