Due Diligence: Beyond the Financial Statements

Due diligence of an acquisition always begins with the careful examination of the financial statements, but now demands a complete evaluation of internal controls and transaction integrity. Unlike finely polished financial statements, internal controls and transaction integrity are hard to spin; any varnish quickly wears off when scrutinized.

After living through failed acquisitions and now an increased regulatory environment, corporate risk executives are refining their due diligence processes. By measuring transaction integrity and the effectiveness of internal controls, this new due diligence provides a view into the selling company's operational discipline and overall culture for tolerating policy violations.

This new emphasis on due diligence is directly linked to deal-making executives who recognized their past mistakes or to avoid others' mistakes. For example, after HFS Inc. merged with CUC International Inc. in 1998, the newly formed Cendant found accounting irregularities inflated CUC's earnings by $500 million and accounting errors masked another $200 million. When the scandal broke, Cendant lost more than $13 billion in market value and spent $2.83 billion to settle nearly all of the litigation. While Cendant has stabilized, the scandal damaged the reputation of its CEO and its brand-name subsidiaries to the point that its future was questioned; getting the company back on track was a huge business distraction.

Bain & Company conducted a December 2002 survey of 250 executives with mergers and acquisition responsibility that concluded that 70% of these executives were not satisfied with the rigor of their due diligence processes. Due diligence can measure a company's transaction integrity and effectiveness of controls by first considering the documented controls and then focusing on the business processes directly linked to financial integrity – procure-to-pay, order-to-cash, and financial reporting. In practice, this process scrutinizes the accounts payable, accounts receivable, and general ledger financial systems and the transactions within each.

Documentation and Training

Rigorous due diligence runs the risk of offending the executives and managers from the selling company who are likely to be integrated into the acquiring company. While proper risk analysis demands this invasive process, the acquiring company should take a “nothing personal” approach and use the requirements of Sarbanes-Oxley (SOX) as the impetus for evaluating transaction integrity and internal controls, which starts with the documentation.

A public company that is satisfied with its SOX compliance should closely consider the condition of the selling company's SOX compliance. If the selling company is at risk of not meeting its deadlines for documentation, the acquiring company must consider the extra costs to complete these compliance efforts as part of the acquisition integration costs. Beyond documentation, due diligence should focus on employee training. Without proper training programs in place, documented controls are likely to remain ineffective. The acquiring company should factor any training costs into its overall integration costs.

In addition to these direct costs associated with documentation requirements and training, acquiring companies should factor these deficiencies into the overall risk of the acquisition. Specifically, corporate risk executives should identify why documentation and training lags industry standards and determine if the selling company lacks the appropriate “tone at the top” — the attitude set by executives for acceptable business practices.

Audit and Monitor for Transaction Integrity

While the financial systems are the most obvious places to begin the due diligence of transaction integrity, executives should be cautioned that a complete audit of all systems is not always easy. A March 2004 survey from the Hackett Group, an Atlanta-based research firm, reported that the average $1 billion company operates 48 separate financial systems and manages 2.7 ERP (enterprise resource planning) systems.

For this reason, the evaluation of transaction integrity should focus on a few key areas of accounts payable, accounts receivable, and general ledger. Specifically, risk executives should audit the previous year's transactions within each system and directly monitor transactions for 30 to 90 days to identify:

• Duplicate payments and vendor management issues in the procure-to-pay process;
• Channel stuffing in the order-to-cash process;
• Duplicate or fictitious fixed assets and mismatched timing of revenue & expenses in financial reporting; and
• Segregation of duties violations throughout all financial processes.

Procure-to-Pay

Duplicate payments are a fact of life for most enterprises. Accepted industry studies have reported duplicate errors as approximately 2% of total payables. However, an unusually high number of duplicate payments can be a sign that the company's financial operations suffer from overlooked erroneous processes, a lack of attention to detail, and ineffective controls. To recover the losses from these duplicate payments, enterprises invest in recovery audits and collection services, which typically charge approximately 35% of the recovered payments. Rather than returning the cash and payment back from a duplicate payment, vendors who receive the duplicate payment often extend a credit to the double-paying buyer who suffers unneeded pressure on its cash flow. However, 10% to 20% of duplicate payments are never recovered, which means that the average enterprise suffers an annual cash drain equivalent to 0.1% to 0.2% of its total payables.

The due diligence of the procure-to-pay process should draw upon internal audits to determine the selling company's duplicate payment rate and recovery costs. More importantly, due diligence should consider the trends. A rising rate of duplicate payments indicates that the company is largely ignoring the problem. A steady rate could mean that the company accepts duplicates as a cost of doing business. A declining rate of duplicate payments usually indicates an overall corporate effort to eliminate costly errors and continually look to improve support operations.

Like duplicate payments, an unusually high number of duplicate vendors can be a sign that the company's financial operations suffer from overlooked erroneous processes, a lack of attention to detail, and ineffective controls. Large enterprises often face this common error where a single vendor or contractor is registered in the financial system more than once. Besides a management headache when consolidating records, duplicate information can lead to greater errors and make it more difficult to detect improper activity or fraud in regard to the vendor or contractor.

Order-to-Cash

Recording channel sales with no identified end buyer is a common scheme to deceptively inflate sales. Channel stuffing can be practiced individually by sales representatives trying to make quota or enterprise-wide by companies trying to dupe investors or would-be buyers. As a recent example of “cultural” channel stuffing, in late 2003, Symbol Technologies admitted to inflating revenue by $234 million over a 5-year span. As a result, in June 2004, Symbol agreed to pay $138 million to settle class action law suits from shareholders and fines from the SEC.

Due diligence of the order-to-cash process should focus on how sales are recognized. Purchased orders received from channel sales should include the end buyer, and controls should be in place to prevent a sales order from being processed without this vital information.

Financial Reporting

Within financial reporting, the due diligence process should monitor transaction integrity in the general ledger system to match the timely recognition of revenue and expenses. Transaction integrity in financial should be validated against efforts that delay the recording of expenses to boost current profits or early recognition of expenses to boost future profits. The due diligence of financial reporting should also include careful inspection of the integrity of fixed asset transactions. Common forms of errors or misconduct in financial reporting manipulate general ledger transactions to record fixed assets more than once or record fictitious assets. Monitoring for transaction integrity can identify duplicate fixed assets and assets that are booked without record of receipt or ownership.

Segregation of Duties

Internal controls most effective in ensuring transaction integrity are typically segregation of duties. The basic concept is to prevent one person from carrying out multiple steps in a financial transaction that could allow that person to defraud the company for personal gain. A rigorous due diligence of accounts payable and accounts receivable should include tests on how payments and sales are processed. Due diligence should focus on how purchases, payments, and sales orders are approved. For example, controls should be in place to prevent a single person from approving a purchase order and validating receipt of goods. In scrutinizing sales recognition, the acquiring company should evaluate the controls over who authorized the sale as opposed to who collected commission.

However, due diligence should not limit itself to the testing of how these processes are “supposed to happen.” The acquiring company should talk to the employees in the accounts payable and accounts receivable operations and ask about ways to “push through” sales orders or purchase orders to circumvent the controls when urgency requires.

Don't be shocked when you identify employees who can circumvent the controls. Every organization faces the risk of application-facing employees or users who exercise their knowledge of system rules and procedures to “game” systems to commit fraud. Even ethical employees can violate application policies to work around inefficiencies within a system but unwittingly reveal opportunities for damaging errors, misuse, and abuse.

Conclusion

A thorough due diligence process is likely to uncover at least some minor problems with internal controls. Businesses that spend the time and money to fully implement strong internal controls within business applications and financial processes must also allocate the resources to maintain those controls. However, this due diligence process and evaluation of transaction integrity should provide a glimpse into the financial operations of the selling company. By identifying effectiveness of controls and transaction integrity, the acquiring company can factor these risks as they integrate employees from the acquired business. Enterprises should evaluate software solutions that address these concerns before and after making acquisitions. It may help prevent a scandal as damaging as the HFS-CUC merger.

In the end, companies that fail to implement transaction integrity analysis into their due diligence expose their business to new levels of scrutiny from both investors and regulators. While market confidence is always a concern, businesses should know when they're about to step into a pending regulatory investigation from an acquisition.

Due diligence of an acquisition always begins with the careful examination of the financial statements, but now demands a complete evaluation of internal controls and transaction integrity. Unlike finely polished financial statements, internal controls and transaction integrity are hard to spin; any varnish quickly wears off when scrutinized.

After living through failed acquisitions and now an increased regulatory environment, corporate risk executives are refining their due diligence processes. By measuring transaction integrity and the effectiveness of internal controls, this new due diligence provides a view into the selling company's operational discipline and overall culture for tolerating policy violations.

This new emphasis on due diligence is directly linked to deal-making executives who recognized their past mistakes or to avoid others' mistakes. For example, after HFS Inc. merged with CUC International Inc. in 1998, the newly formed Cendant found accounting irregularities inflated CUC's earnings by $500 million and accounting errors masked another $200 million. When the scandal broke, Cendant lost more than $13 billion in market value and spent $2.83 billion to settle nearly all of the litigation. While Cendant has stabilized, the scandal damaged the reputation of its CEO and its brand-name subsidiaries to the point that its future was questioned; getting the company back on track was a huge business distraction.

Bain & Company conducted a December 2002 survey of 250 executives with mergers and acquisition responsibility that concluded that 70% of these executives were not satisfied with the rigor of their due diligence processes. Due diligence can measure a company's transaction integrity and effectiveness of controls by first considering the documented controls and then focusing on the business processes directly linked to financial integrity – procure-to-pay, order-to-cash, and financial reporting. In practice, this process scrutinizes the accounts payable, accounts receivable, and general ledger financial systems and the transactions within each.

Documentation and Training

Rigorous due diligence runs the risk of offending the executives and managers from the selling company who are likely to be integrated into the acquiring company. While proper risk analysis demands this invasive process, the acquiring company should take a “nothing personal” approach and use the requirements of Sarbanes-Oxley (SOX) as the impetus for evaluating transaction integrity and internal controls, which starts with the documentation.

A public company that is satisfied with its SOX compliance should closely consider the condition of the selling company's SOX compliance. If the selling company is at risk of not meeting its deadlines for documentation, the acquiring company must consider the extra costs to complete these compliance efforts as part of the acquisition integration costs. Beyond documentation, due diligence should focus on employee training. Without proper training programs in place, documented controls are likely to remain ineffective. The acquiring company should factor any training costs into its overall integration costs.

In addition to these direct costs associated with documentation requirements and training, acquiring companies should factor these deficiencies into the overall risk of the acquisition. Specifically, corporate risk executives should identify why documentation and training lags industry standards and determine if the selling company lacks the appropriate “tone at the top” — the attitude set by executives for acceptable business practices.

Audit and Monitor for Transaction Integrity

While the financial systems are the most obvious places to begin the due diligence of transaction integrity, executives should be cautioned that a complete audit of all systems is not always easy. A March 2004 survey from the Hackett Group, an Atlanta-based research firm, reported that the average $1 billion company operates 48 separate financial systems and manages 2.7 ERP (enterprise resource planning) systems.

For this reason, the evaluation of transaction integrity should focus on a few key areas of accounts payable, accounts receivable, and general ledger. Specifically, risk executives should audit the previous year's transactions within each system and directly monitor transactions for 30 to 90 days to identify:

• Duplicate payments and vendor management issues in the procure-to-pay process;
• Channel stuffing in the order-to-cash process;
• Duplicate or fictitious fixed assets and mismatched timing of revenue & expenses in financial reporting; and
• Segregation of duties violations throughout all financial processes.

Procure-to-Pay

Duplicate payments are a fact of life for most enterprises. Accepted industry studies have reported duplicate errors as approximately 2% of total payables. However, an unusually high number of duplicate payments can be a sign that the company's financial operations suffer from overlooked erroneous processes, a lack of attention to detail, and ineffective controls. To recover the losses from these duplicate payments, enterprises invest in recovery audits and collection services, which typically charge approximately 35% of the recovered payments. Rather than returning the cash and payment back from a duplicate payment, vendors who receive the duplicate payment often extend a credit to the double-paying buyer who suffers unneeded pressure on its cash flow. However, 10% to 20% of duplicate payments are never recovered, which means that the average enterprise suffers an annual cash drain equivalent to 0.1% to 0.2% of its total payables.

The due diligence of the procure-to-pay process should draw upon internal audits to determine the selling company's duplicate payment rate and recovery costs. More importantly, due diligence should consider the trends. A rising rate of duplicate payments indicates that the company is largely ignoring the problem. A steady rate could mean that the company accepts duplicates as a cost of doing business. A declining rate of duplicate payments usually indicates an overall corporate effort to eliminate costly errors and continually look to improve support operations.

Like duplicate payments, an unusually high number of duplicate vendors can be a sign that the company's financial operations suffer from overlooked erroneous processes, a lack of attention to detail, and ineffective controls. Large enterprises often face this common error where a single vendor or contractor is registered in the financial system more than once. Besides a management headache when consolidating records, duplicate information can lead to greater errors and make it more difficult to detect improper activity or fraud in regard to the vendor or contractor.

Order-to-Cash

Recording channel sales with no identified end buyer is a common scheme to deceptively inflate sales. Channel stuffing can be practiced individually by sales representatives trying to make quota or enterprise-wide by companies trying to dupe investors or would-be buyers. As a recent example of “cultural” channel stuffing, in late 2003, Symbol Technologies admitted to inflating revenue by $234 million over a 5-year span. As a result, in June 2004, Symbol agreed to pay $138 million to settle class action law suits from shareholders and fines from the SEC.

Due diligence of the order-to-cash process should focus on how sales are recognized. Purchased orders received from channel sales should include the end buyer, and controls should be in place to prevent a sales order from being processed without this vital information.

Financial Reporting

Within financial reporting, the due diligence process should monitor transaction integrity in the general ledger system to match the timely recognition of revenue and expenses. Transaction integrity in financial should be validated against efforts that delay the recording of expenses to boost current profits or early recognition of expenses to boost future profits. The due diligence of financial reporting should also include careful inspection of the integrity of fixed asset transactions. Common forms of errors or misconduct in financial reporting manipulate general ledger transactions to record fixed assets more than once or record fictitious assets. Monitoring for transaction integrity can identify duplicate fixed assets and assets that are booked without record of receipt or ownership.

Segregation of Duties

Internal controls most effective in ensuring transaction integrity are typically segregation of duties. The basic concept is to prevent one person from carrying out multiple steps in a financial transaction that could allow that person to defraud the company for personal gain. A rigorous due diligence of accounts payable and accounts receivable should include tests on how payments and sales are processed. Due diligence should focus on how purchases, payments, and sales orders are approved. For example, controls should be in place to prevent a single person from approving a purchase order and validating receipt of goods. In scrutinizing sales recognition, the acquiring company should evaluate the controls over who authorized the sale as opposed to who collected commission.

However, due diligence should not limit itself to the testing of how these processes are “supposed to happen.” The acquiring company should talk to the employees in the accounts payable and accounts receivable operations and ask about ways to “push through” sales orders or purchase orders to circumvent the controls when urgency requires.

Don't be shocked when you identify employees who can circumvent the controls. Every organization faces the risk of application-facing employees or users who exercise their knowledge of system rules and procedures to “game” systems to commit fraud. Even ethical employees can violate application policies to work around inefficiencies within a system but unwittingly reveal opportunities for damaging errors, misuse, and abuse.

Conclusion

A thorough due diligence process is likely to uncover at least some minor problems with internal controls. Businesses that spend the time and money to fully implement strong internal controls within business applications and financial processes must also allocate the resources to maintain those controls. However, this due diligence process and evaluation of transaction integrity should provide a glimpse into the financial operations of the selling company. By identifying effectiveness of controls and transaction integrity, the acquiring company can factor these risks as they integrate employees from the acquired business. Enterprises should evaluate software solutions that address these concerns before and after making acquisitions. It may help prevent a scandal as damaging as the HFS-CUC merger.

In the end, companies that fail to implement transaction integrity analysis into their due diligence expose their business to new levels of scrutiny from both investors and regulators. While market confidence is always a concern, businesses should know when they're about to step into a pending regulatory investigation from an acquisition.