Read pwc-sox-compliance-ma.pdf text version

Advisory Services M&A Integration

Managing Sarbanes-Oxley compliance during M&A integrations

A v oy ev e d i r S ri s s c

The risks involved

Section 302 of the Sarbanes-Oxley legislation requires most public companies filing periodic financial reports to certify the completeness and accuracy of those reports each calendar quarter, as well as the effectiveness of the disclosure controls and procedures (DC&P) supporting the quality of the information they provide. Section 404 requires a company's management to perform an annual assessment of the design and operating effectiveness of their internal control over financial reporting (ICFR) and to have their ICFR effectiveness audited annually by their external auditor. While neither section makes explicit reference to mergers and acquisitions, as a practical matter both apply to the internal control of a consolidated entity's entire financial statements as of the end of the reporting period, including any entities acquired during that period. Generally speaking, if a deal closes early in the fiscal year, integration can proceed since enough time remains in the year to redefine processes, change control sets, incorporate and test new controls, and train new process and control owners. As we've already noted, the problems occur when deals close too late in the fiscal year for these to happen. A fast integration may provide insufficient time to ensure that new controls (or changes in existing controls) are embedded and tested. Exhibit 1 shows the impact of deal-close timing on SOX testing and integration. The consequences of late deal closure on SOX compliance can be significant, starting with management's inability to sign a "clean" opinion on the effectiveness of controls and the resulting adverse external audit report. In turn, this may lead to an increase in the cost of the transaction due to a need to issue additional stock following a potential decline in stock price. By their very nature, integrations are loaded with all sorts of risks, some of which can do much to raise the specter of SOX non-compliance. While your responsibility to ensure the continued effectiveness of the control environment remains, your ability to do so can be compromised by a whole menu of factors, including employee turnover (especially in finance and legal), rising workloads, an acceleration of process change, the frequency of "Band-Aid" solutions, ongoing systems integrations, changes in job duties, and misalignment of employee incentives. There is, however, one notable exception to the need for compliance: The financial controls of a target are eligible for a one-year exemption from the requirements of Section 404 (i.e., management's annual opinion on the effectiveness of their financial controls), provided what is actually being exempted can be identified and quantified separately. As noted earlier, however, no such exemption is available for internal controls over financial reporting of the buyer's processes and systems. Buyers are still responsible for monitoring the integration impact on their own financial controls, no matter whether the target's processes and controls are successfully kept separate and exempted or integrated into buyer processes and systems.

Exhibit 1. Deal-close, integration, and SOX testing timeline





SOX testing

SOX testing

SOX testing update and year-end tests

Early Deal-close and integration

Late Deal-close and integration

One obvious way to minimize the risk of SOX non-compliance is to manage the timing of the close of a deal. By closing earlier in your fiscal year, you give yourself more time to work through SOX challenges, especially if you are planning for a rapid integration. But managing deal timing is not generally feasible due to a variety of market and transaction-related factors. Alternately, depending on your integration strategy (i.e., if and when to integrate the organization and to what degree, based upon the rationale for your deal), you can choose to keep the processes and controls of the two entities as separate as possible, for as long as possible. Shareholder and market expectations, however, are that value be captured as soon as possible. Ultimately, there are several possible combinations of deal-close timing and extent of integration that give rise to a variety of SOX non-compliance risks. Those combinations, and the resulting levels of risk, are shown in Exhibit 2. Regardless of integration strategy, an early deal-close provides sufficient time to manage SOX implications, thereby resulting in a lower to moderate risk of SOX non-compliance. A late deal-close increases this risk--even if no integration of processes and controls between the two entities is planned--because there is still a need to monitor the impact of the integration on the buyer's controls, especially with regards to consolidation of financial statements and purchase accounting. Remember, buyers are still responsible for ensuring that any process and control changes that arise on their part over the course of the integration satisfy SOX standards. No exemption is available since the integrated process cycles and controls apply to the transaction activity of both the buyer and target.

Exhibit 2. Managing transaction timing to ensure SOX compliance--a relative risk assessment (assuming the election of the one-year exemption)

Timing of deal-close

Late in year

Lower to moderate* risk

Higher risk

Early in year

Lower risk

Lower to moderate risk

Separate processes and controls

Integrated processes and controls

Extent of integration activities

* This assessment of lower to moderate risk is due to the shortened time frame available for establishing and testing processes and controls related to financial consolidation and inter-company elimination.

Meeting the challenge

PwC is committed to process excellence, so our solution to managing the delicate interplay between mergers and acquisitions and SOX is all about effective planning and process: putting the right plans, protocols, and structures in place at the right times to ensure that nothing falls through the cracks, and that every SOX-related impact gets proactively addressed at every point in the process. There is simply no magic bullet substitute for experienced process planning and discipline. Three phases are involved in managing this interplay, corresponding to the phased roll-out of the overall deal effort. We outline these phases, and recommend the activities to accompany each, in Exhibit 3. A couple of important points here: First, while most buyers do at least some due diligence in Phase 1, prior to an acquisition, they rarely pay much attention to SOX issues. We believe it is crucial that buyers gain a thorough understanding of the control environment of their target and develop a high-level plan that assesses the effort required to integrate. Similarly, in Phase 3 (post-integration), it is important that an end-state control environment be established that is sustainable in terms of cost, effort, and effectiveness. It is Phase 2, however--the integration stage--that poses the highest risk to SOX compliance if it is not well executed, and it is here that we believe a focused effort is needed most.

Exhibit 3. Recommended SOX approach by M&A phase

Phase 1

Phase 2

Phase 3

Due diligence and acquisition decision


Post-integration controls environment

· Review past deficiencies and risk to acquirer · Assess transaction timing · Review controls environment and processes · Asses use of one-year 404 exemption rule · Assess expected integration effort and cost

· Assess impact of integration strategy and timing on controls · Leverage Integration Management Office (or finance-only equivalent) to coordinate all integration initiatives impacting controls · Set up a committee to review integration initiatives with SOX impact · Design controls for new M&A activities · Ensure scope of 404 testing covers new M&A activities · Ensure cross-company 302 certification is in place

· Ensure cross-company 302 certification is in place · Ensure 404 controls environment reflects the integrated company and is streamlined for key controls

Roadmap to success

At PwC, our approach involves leveraging a central Integration Management Office (IMO)--or, alternately, a finance-focused program management office (PMO)--to coordinate all planned integration activities likely to impact controls, and establishing a separate SOX integration committee to review, advise upon, and approve integration requests. The committee is charged with establishing a SOX-related integration approval policy and process, and communicating that policy and process to the various functional integration teams (e.g., sales, R&D, manufacturing, HR, legal, etc.) through the IMO or finance PMO. Throughout the course of the integration, each of the functional integration teams is charged with submitting to the SOX integration committee any planned integration activities a team believes may have an impact on SOX compliance. The committee then has a defined period of time, typically 48 hours, within which to respond and provide guidance on how compliance can be preserved. Such a deadline helps to ensure integration teams receive timely feedback so critical business decisions are not delayed. It is important to note that the purpose of a SOX committee is not to block requests for integration activities, but to ensure compliance by recommending the right approach. Exhibit 4 outlines the items that should be included in the committee's charter. While the establishment of an effective SOX committee is critical, it is just as important that all involved in an integration understand the types of risks most likely to undermine SOX compliance. Since controls related to high- and mediumrisk business processes are the ones most likely to be changed during an integration, it is these changes that are most likely to result in a lack of process redefinition, control redefinition, or training--all potential causes of testing failures. The controls with the highest risk of failing tests are: · Controls over combined company consolidation and purchase accounting · New controls over either the buyer's or target's transaction streams · Target controls over buyer transaction streams Controls with a moderate risk of failing tests are those related to transaction streams of the target that will be transitioning to buyer controls.

Exhibit 4. SOX committee charter

Highlights of the charter should include: · A statement of purpose ensuring steps will be taken to minimize the impact of integration activities on SOX controls · A roster of committee membership comprised of a SOX integration project leader, the company's SOX director, and representatives of internal and external auditors · A commitment to meet frequently, deliberate, and establish a quick turnaround time to prevent integration delays · A commitment to ensure the timely execution of any needed updates to the SOX compliance program

An example

The following is an example of an integration request submitted by a functional team, and how the SOX committee might recommend it be performed so as to maintain compliance. Let's assume that the buyer places high value on the target's customer relationship management and order-management processes and tools, and that the buyer decides to migrate its sales and order-management activities into the target environment, thereby better leveraging its own processes, systems, and people skills. Obviously, the internal controls involving order entry--which in turn impacts billing, revenue, receivables, and collections--will be significantly impacted by this decision. SOX would most likely be impacted and the SOX committee would be responsible for helping to preserve compliance. So what could the committee recommend that would support the business purpose of the recommended change but avoid a deficiency in SOX evaluation? First, the committee would need to engage the sales integration team in a dialogue about the available options. One available option may be to delay the migration beyond year-end. Yet another may be to press ahead as planned, confirming the business-critical nature of the change while scoping the requirements to prevent a deficient SOX evaluation. This second option would require a comprehensive assessment effort to ensure that SOX controls over order entry activities and the IT controls that link them to billing are: · Updated for changes in the process flow documentation · Updated for changes in the testing of controls · Performed by adequately trained staff Moreover, the buyer may find that it is able to leverage the SOX controls the target had in place prior to acquisition. Note that every effort is made not to hinder the business objectives involved. Rather, only the manner in which the change is made--not the recommendation itself--is adjusted to avoid a deficiency in the SOX environment. There may, however, be circumstances where the timing is far too short, and resources far too limited, to implement the integration recommendation. In those rare instances, the SOX committee might request that the initiative be held back until the proper SOX environment can be maintained.

In addition to integration planning, all buyers must eventually perform purchase accounting and consolidation activities on the target company. This is why it is essential for acquisitive companies to have key SOX controls in place to ensure financial statement consolidation and purchase accounting is completed accurately. Such controls can be simple in their design and still reach the desired objective. Key areas of activity that require controls include: · Obtaining appropriate approval for the acquisition · Closing the target company's balance sheet · Purchase accounting memorandum, valuation, and entries · Planning for restructuring, reserve calculations, and entries · Consolidating target financials into buyer for initial stub period and the subsequent quarters, and eliminating inter-company activity · Preparing financial disclosures, including notes to financial statements and regulatory filings · Performing post-close activities, including roll forward of the pushdown accounting items and netting of restructuring adjustments · Developing new processes and controls for inter-company activity during the interim integration phase · Executing data migration and account mapping for general ledger consolidation Of course, to the degree possible, you will want to try to leverage existing controls. Exhibit 5 provides a few examples of the types of key controls that are simple to implement yet are essential to maintaining an effective control environment.

Exhibit 5. Controls over M&A linkages

Key area of activity

Example of possible control

· Obtaining appropriate approval for the acquisition · Purchase accounting memorandum, valuation, and entries · Preparing financial disclosures

Board of directors approval (unless the board has delegated approval to others) CFO review and approval No new control required (should be covered by existing financial disclosure checklists and controls)

Regulatory guidance

The guidance provided in this article is based on the SEC Guidance available in Frequently Asked Question number 3 (revised October 6, 2004) of "Management's Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports," released by the Office of the Chief Accountant, Division of Corporation Finance (accessible at controlfaq1004.htm). It is also important to note that the SEC and the Public Company Accounting Oversight Board have recently released guidance that will provide management and external auditors with more flexibility to exercise their judgement. We do not expect that these recent releases will impact the insights shared here.

A final word

In this brief paper we've tried to help you anticipate how SOX compliance can complicate integrations, and the type of process framework you can put in place to meet those challenges. PwC's approach to solving the problem is simple: Be comprehensive and timely in your identification and mitigation of risks. We believe that, ultimately, risk can only be properly mitigated by applying a process similar to the one we describe here. But doing so requires infrastructure-- the right blend of people, process, and other resources to support the integration effort. If the integration infrastructure is insufficient, so will be any effort to manage the risks involved.

For more information about PricewaterhouseCooper LLP's approach to M&A integration, or to speak with someone about how we can help you meet your own unique set of integration challenges, contact Gregg Nahass at 213.356.6245.

M&A integration Sarbanes-Oxley

© 2007 PricewaterhouseCoopers LLP. All rights reserved. "PricewaterhouseCoopers" refers to PricewaterhouseCoopers LLP (a Delaware limited liability partnership) or, as the context requires, the PricewaterhouseCoopers global network or other member firms of the network, each of which is a separate and independent legal entity. *connectedthinking is a trademark of PricewaterhouseCoopers LLP (US). DC-VA-ADV2007-03-EJT


18 pages

Report File (DMCA)

Our content is added by our users. We aim to remove reported files within 1 working day. Please use this link to notify us:

Report this file as copyright or inappropriate