Chapter 2 Highlights: M&A and Compliance With The Sarbanes-Oxley Act of 2002 Excerpted From The Complete Guide to Mergers And Acquisitions: Process Tools To Support M&A Integration At Every Level Second Edition, 2007 (Pending Release) Jossey-Bass / John Wiley & Sons By Timothy Galpin and Mark Herndon All Rights Reserved. Not for Distribution 1
Excerpt From Chapter 2: Integration Begins With Due Diligence Due Diligence and Compliance with the Sarbanes-Oxley Act of 2002 Perhaps it is strangely ironic that the Sarbanes-Oxley Act of 2002 (the Act or Sarbanes-Oxley ) never explicitly mentions mergers and acquisitions. Yet it is hard to imagine legislation with more direct impact upon deals and dealmakers than this Act. Enacted in July 2002, largely in response to several high-profile corporate governance and accounting scandals in major public companies, this Act established the most substantial revisions to financial reporting and corporate compliance since the enactment of the Securities Act of 1933 and the Securities Exchange Act of 1934. The Act sets out significant new responsibilities for the board of directors, the audit committee, the management team and the company s external auditors. Under the Act, the Securities and Exchange Commission ( SEC ) was given broad powers to interpret and enforce the new law, and a new regulatory body, the Public Company Accounting Oversight Board (the PCAOB ), was created to support change and compliance with the standards of the Act among the accounting profession. According to Patrick V. Stark, a director of the law firm of Kane, Russell, Coleman & Logan, of Dallas, Texas, and senior practitioner in the areas of securities, mergers and acquisitions and corporate finance, Dealmakers must now carefully consider Sarbanes-Oxley requirements at every stage of the acquisition process from identifying targets to conducting due diligence to negotiating the deal to integrating the new unit. Whereas we used to consider the adequacy of internal controls and financial reporting in the target company as just one of many standard issues to look at, weak controls and lack of compliance have now become significant potential deal-breakers. Among other key sections of the Act, the certification and reporting requirements of Sections 302 and 404 directly impact the traditional approach for acquisition due diligence and integration since these provisions apply to the entire company including recently closed acquisitions. These sections are briefly profiled below: Section 302. This section pertains to corporate responsibility for financial reports and requires quarterly statutory financial reports (10-Q) that include certifications such as: The signing officers have reviewed the report The report does not contain any materially untrue or misleading statements The financial statements fairly present the condition and results of the company The signing officers are responsible for internal controls and have reviewed and reported on these internal controls within the preceding ninety days A list of all deficiencies in the internal controls and information on any fraud that involves employees who are involved with internal activities Any significant changes in internal controls or related factors that could have a negative impact on the internal controls. As a very significant practical impact of the Act, companies must include acquired entities in their Section 302 assessment and reporting beginning with the first quarter in which the acquisition closes there are no exemptions or exceptions allowed. All Rights Reserved. Not for Distribution 2
Section 404. This section establishes the compliance expectations for Management s Assessment of Internal Controls. Requirements include: Issuers are required to publish information in their annual reports (10-K) concerning the scope and adequacy of the internal control structure and procedures for financial reporting. This must specifically state management s assessment of the effectiveness of such internal controls and procedures. The external auditing firm must independently attest to and report on the assessment on the effectiveness of the internal control structure and procedures for financial reporting in the same annual report, whether or not this opinion agrees with management s assessment. Compliance with Section 404 requires management to certify on an annual basis that their internal control system is designed and operating effectively including any new acquisitions beginning at the first year-end and 10-K report after closing a transaction. In subsequent clarification, the SEC has acknowledged that in the instance of a material acquisition a company may not have sufficient time to properly assess a target s internal controls and financial reporting between the closing and the date for filing the company s first annual report. Thus, when there is a material business combination, management may exclude the acquired business from the Section 404 controls assessment for a period of up to one year from the date of acquisition and from one annual report. However, this exclusion must be disclosed, and the acquired unit or entity must be carved out of other reporting. The Act is quite clear with regard to the direct personal accountability that resides with both the CEO and CFO of the reporting company. Penalties for failure to comply with the Act can be very harsh, including substantial fines and prison terms. For example, Section 304 requires that the CEO and CFO forfeit their bonuses and any profits made on the sale of the company s stock during the preceding 12 months if the company has to make an accounting restatement due to material noncompliance, as a result of misconduct, with any financial reporting requirement under the securities laws. Likewise, Section 906 contains the provision for substantial penalties up to $5 million and up to 20 years in prison for executives who are found to have intentionally made false certifications pertaining to compliance with applicable securities laws and the fair presentation of the financial condition and operating results of the company. Implications for Acquirers In light of these sweeping requirements and significant stakes, acquirers must rethink their approach to conducting mergers and acquisitions. The goal must now be to confirm whether or not a potential acquisition target s internal controls and financial reporting procedures are in compliance with Sarbanes-Oxley requirements; whether they can be effectively integrated with the buyer s compliant policies and procedures; and at what cost or risk. The following points summarize various legal, accounting and procedural recommendations: Overall M&A Process State corporation law establishes that the responsibility for managing the overall policies and direction of a company, including its mergers and acquisitions, rests squarely with the corporation s board of directors. The M&A function must make sure that the board of directors is directly and formally integrated into the overall M&A business process; that the board specifically ensures that management has adequately considered Sarbanes-Oxley issues and that the board itself has adequately informed itself of all pertinent deal issues. All Rights Reserved. Not for Distribution 3
Target Assessment and Considerations for Potential Sellers Public companies that are potential candidates to be sold and that are already in compliance with the Act may now have a distinct marketing advantage over those that do not, since presumably, the certification requirements may likely be smoother and the resulting integration of controls and reporting may likely be faster and less costly. Review the public target s prior filings to determine if there have been any reported compliance issues, material weaknesses in controls reported or restatements. An interesting study by the investment research and proxy advisory firm Glass, Lewis & Co., found that 1,295 companies filed accounting restatements during 2005. Slightly more than one-half of those companies reporting restatements in 2005 also disclosed at least one material weakness in internal control. Private companies and foreign companies not registered with the SEC as foreign filers may be less attractive as acquisition candidates unless they have voluntary complied with at least some of the requirements of Sarbanes-Oxley. Such companies must expect a much higher level of scrutiny on controls and reporting issues and conduct an internal pre-due diligence to identify and remedy potential disqualifiers. Buyer s considering the acquisition of companies that have little prior compliance experience would be wise to consider the impact on valuation, integration time, resource requirements and cost. Consider the structure of possible transactions. A buyer that intends to purchase an entire smaller target company or purchase only its assets may be able to more effectively transition and integrate the acquired company control and reporting systems onto its own systems than would be possible in a much larger merger of peers. Due Diligence Supplement deal teams with specific expertise in Sarbanes-Oxley compliance including legal, finance and accounting, operations and information technology. Make sure that representatives from each functional team report-out their findings and discuss conclusions in cross-functional sessions in order to fully grasp implications and information discovered. Adapt due diligence materials, checklists, pre-integration risk assessments, valuation models and purchase decision criteria to specifically include the risks and costs of full compliance requirements, including the internal staff resource needs and external advisory fees required to achieve certification status within the necessary timeframes. Get external auditors involved early in the compliance due diligence effort. A specific review of disclosure controls and procedures, internal controls and financial reporting procedures, and potential use of non-generally accepted accounting principles ( GAAP ) should be a phase one due diligence step. What is the target company s compliance IQ? What degree of compliance sophistication does the company have with regard to management experience, qualified advisors, training and general application of internal control concepts? Look at the relative maturity level of the existing controls and procedures. Rank the target s compliance on a scale from 1-5, where 1 is least sophisticated and complete and where 5 is most sophisticated and complete. Consider whether the financial statements of the seller fairly present its true financial condition and operating results. What significant accounting policies does the target use? Has the target used any off-balance sheet financing structures? What is the governance, compliance and ethics culture of the target company? How important and well established are these policies? What kind of messages about governance, compliance and ethics (both spoken and behavioral messages) have been communicated throughout the target and All Rights Reserved. Not for Distribution 4
by whom? What anti-fraud programs are in place? What training or testing has been done regarding integrity, ethics, and compliance with various governance and controls policies? Best practices assessment. With regard to the specific controls, procedures and compliance requirements currently in place.how do these conform to accepted industry best practices? What changes are likely to be necessary? What degree of difficulty or risk? Has the target company extended any personal loans or extensions of credit to its executive officers or directors? Note that all such transactions with those that are to become officers or directors of the surviving entity must be eliminated prior to the closing of the transaction. Are there any other related-party transactions? If the target company is a division or subsidiary of a public company, determine where prior compliance work has taken place and to what extent these resources or policies are managed by division versus corporate resources. Remember, once the deal closes, the buyer becomes solely responsible for all compliance issues of the target company. Therefore, executives must make absolutely certain that a full and complete due diligence of Sarbanes-Oxley and all other compliance issues has occurred. Negotiation and Transaction Agreement Work closely with corporate and external counsel to expand or add new provisions in the definitive purchase agreement that relates directly to the target company s compliance with Sarbanes-Oxley. These may include stronger or additional representations and warranties regarding the target company s compliance or various closing conditions dependent upon satisfying essential compliance requirements. The objectives are to ensure the buyer gains complete information as needed to complete a thorough assessment of the seller s Sarbanes-Oxley compliance, and potentially, to give the buyer an opportunity to terminate the deal in the event that compliance would be too costly or impossible in the required timeframe following closing. Establish the timeframe and schedule for closing the transaction as early in the quarter as possible to provide for as much time as possible to complete the required certification as to controls and financial reporting as determined under Section 302. Integration Planning and Implementation Make Sarbanes-Oxley compliance integration planning a top priority for a cross-functional team that is solely devoted to this task. Start this effort during due diligence and require a comprehensive integration plan and budget well in advance of closing. Plans can be fully developed prior to closing, including the specific procedures and protocols to be used, with implementation set to begin immediately upon closing. Planning for integration of the target s controls and procedures should consider the overall complexity of the target company as well as multiple potential risk factors, including, but not limited to items such as: o Nature of the target business type of entity (public, private, foreign, division, etc.); number of different products or services; number of locations or entities involved; complexity of accounting policies and degree of judgment required for revenue recognition or other accounting entries; number and type of existing information technology systems, etc. o Internal capabilities -- experience level of available internal resources; other competing priorities and projects, etc. All Rights Reserved. Not for Distribution 5
o Project scope what degree of change is necessary to integrate target s controls and procedures; prior training or compliance documentation and procedures already in place, etc. Remember that even with the one-year grace period for compliance with Section 404 certification in the instance of material acquisitions, buyers have -- at most -- one year from the date of acquisition to complete their assessment, remedy and certification of the target s and the combined company s control and reporting procedures. In the event of a non-material acquisition, buyer s must comply and certify within current reporting period. Failure to properly analyze and remedy weak control processes in a target company could result in a material weakness resulting in an adverse opinion by the external auditors which may negatively impact investor opinion of the buyer s stock. Assign a senior executive officer or member of the audit committee of the board of directors to provide personal leadership and accountability for the compliance integration plan. Identify in advance various best-of-breed software modules to provide compliance best practices, Sarbanes-Oxley integration templates, identity management, digital rights management, and all relevant project management functionality such as status tracking, collaboration, document sharing, document retention, performance dash-boarding, etc. All Rights Reserved. Not for Distribution 6