Pre-Acquisition Due Diligence Program For Evaluating Target Companies In M&A

by Thomas Fox

7K0A0223I am just back from our nation’s capital attending the Society of Corporate Compliance and Ethics (SCCE) 2013 annual Compliance and Ethics Institute. If you have a chance to attend next year’s event in Chicago I urge you to do so. The sessions were first rate, topical and had great insights. The networking and sharing of information was also great. While the vendors were there to market their own products and services they were clearly part of the overall solution, so kudos to every company that showed at the event. Hats off to everyone on Team SCCE for doing a great job. Finally, to Roy Snell, Matt Kelly was right; you take the casual, hip look up to the next level, I wish I had your style.

One of the sessions I attended was entitled “Compliance Due Diligence In Multi-National Transactions: Mergers & Acquisitions and Third Parties”, led by Louis Perold, Legal Compliance Manager at Sasol Ltd., and Krista Muszak, Senior Compliance Analyst at Paychex, Inc. In this session, they laid out the steps that you should take when looking at an acquisition from the compliance perspective.

I.                   Review

They suggested a five step process which I thought was well laid out to show you how to plan and execute a strategy to perform pre-acquisition due diligence in the merger context. The process was as follows:

  1. Establish a point of contact. Here you need to determine one point of contact that you can liaise with throughout the process. They suggested that typically this would be the target’s Chief Compliance Officer (CCO) if the company is large enough to have full time position.
  2. Collect relevant documents. The documents suggested that you begin with are a detailed list of sales going back 3-5 years, broken out by country and, if possible, obtain a further breakdown by product and/or services; all JV contracts and due diligence on JVs and other third party business partners; the travel and entertainment records of the acquisition target company’s top sales personnel in high risk countries; internal audit reports and other relevant documents.
  3. Review the compliance and ethics mission and goals. Here they said you should look at the Code of Conduct or other foundational documents that a company might have to gain some insight into what they publicly espouse.
  4. Review the seven elements of an effective compliance program, as below:

A. Oversight and operational structure of the compliance program. Here you should assess the role of board, CCO and if there is one, the compliance committee. Regarding the CCO, you need to look at their reporting and access – is it independent within the overall structure of the company? Also, what are the resources dedicated to the compliance program including a review of personnel, the budget and overall resources?

B. Policies/Procedures, Code of Conduct. In this analysis you should identify industry practices and legal standards which may exist for the target company. You need to review how the compliance policies and procedures were developed and determine the review cycles for compliance policies, if any. Lastly, you need to know how everything is distributed and what are the enforcement mechanisms for compliance policies? The speakers pointed out that you should check with HR for terminations or discipline relating to compliance

C. Education, training and communication. Here you need to review the compliance training process as it exists in the company; both the formal and the informal. You should ask such questions as “What are the plans and schedules for compliance training?” Next determine if the training material itself is fit for intended purpose, including both internal and external training for third parties. You should also evaluate the training delivery channels. Is the compliance training delivered live, online, or through video? Finally, assess whether the company has updated their training based on changing of laws.

D. Monitoring and auditing. Under this section you need to review both the internal audit plan and methodology used regarding any compliance audits. A couple of key points are (1) is it consistent over a period of time and (2) what is the audit frequency? You should also try and judge whether the audit is truly independent or if there was manipulation by the business unit.

E. Reporting. What is the company’s system for reporting violations or allegations of violations? Is the reporting system anonymous? From there you need to then turn to who does the investigations and how are they conducted? A key here, as well as something to keep in mind throughout the process, is the adequacy of record keeping by the target.

F. Response to detected violations. This review is to determine management’s response to detected violations. What is the remediation that has occurred and what corrective action has been taken to prevent future, similar violations. Has there been any internal enforcement and discipline of compliance policies if there were violations? Lastly, what are the disclosure procedures to let the relevant regulatory or other authorities know about any violations and the responses thereto?

G. Enforcement Practices/Disciplinary Actions. Under this analysis, you need to see if there was any discipline delivered up to and including termination. If remedial measures were put in place, how were they distributed throughout the company and were they understood by employees?

5. Review the periodic evaluation of the program’s effectiveness. Under this they suggested a review of the target’s internal audit reports or outside investigations if they were performed.

II.        Red Flags

The speakers provided a short list of red flags that, should you determine exist, need to be further investigated and cleared. They listed the following:

  • Ineffective compliance program elements
  • Company in financial difficulty
  • Frequent breach of policies and procedures
  • Inactive compliance and ethics committee
  • No access to the board
  • No regular reports to the board
  • CCO not allowed direct access to the Chief Executive Officer (CEO)
  • Lack of independence
  • Frequent requests to waive policies
  • No consistent consequence management for violations

III.             Evaluation

The speakers also provided a ranking system which can be used to think through and evaluate the information that you have obtained. They proposed the following.

  • Level 1 – Absent. There is no commitment to compliance illustrated by no dedicated resources, no formal compliance policy and the absence of a compliance program.
  • Level 2 – Reactive. There is commitment to address compliance issues when major breaches arise.
  • Level 3 – Foundational. While there is commitment to address compliance issues when major breaches arise, there is no formal compliance program but policies and monitoring activities are put in place to prevent the reoccurrence of major breaches.
  • Level 4 – Proactive. There is a commitment to have a strong compliance program in place with dedicated resources and a clear assessment of all risk areas. The program encompasses ongoing monitoring and measurement as well as proactive and preventative elements.
  • Level 5 – Embedded. The compliance program pervades the organization in every respect: strategically, culturally and operationally. Every staff member is aware of and takes appropriate responsibility for the effective implementation of the compliance program and its ongoing improvement.

I found their program a very useful session on how you should think through performing due diligence on a target in the acquisition context. With the Department Of Justice’s (DOJ’s) emphasis on pre-acquisition due diligence, as set out in last year’s FCPA Guidance, I think more companies will need to strengthen this portion of their compliance program.

And once again, a big thanks to SCCE for a great week at the Compliance and Ethics Institute 2013.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Thomas Fox, Compliance Evangelist | Attorney Advertising

Written by:

Thomas Fox

Compliance Evangelist on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.