control, and governance
A chief audit executive frets over his apparent exclusion from a due diligence review team.
C.W. McCall is the chief audit executive of a large motor freight transportation company in Canada. The organization has grown from a small regional carrier to a billion-dollar enterprise, with transportation hubs across all of North America. C.W.'s team comprises a seasoned group of auditors with a mix of financial and IT backgrounds, many of whom have been with the company since the early stages of its development.
While eating lunch recently with the company's controller and other members of the finance department, C.W. overheard one of them mention that the CEO was organizing a "scouting party" to evaluate a prospective joint venture. C.W. called the controller later that day and learned that the alliance under consideration involved one of the company's major service providers. In lieu of a formal mergers and acquisitions (M&A) department, the CEO had assembled a due diligence team comprising members of key company functions — legal, accounting, logistics, and quality management — and was planning a group trip to the provider's headquarters next week.
After hanging up the phone, C.W. begins to wonder why he wasn't asked to join the team. Does management believe that internal auditing lacks the skills to evaluate a potential partner's operations, or was the audit function's omission just an oversight? What if the company hires an outside consultant? How should C.W. handle this situation, especially considering the scouting trip is scheduled for the following week?
Was C.W. overlooked or specifically excluded from the party? Either way this situation needs rectifying, and it requires that he put on his "marketing hat" before meeting with the CEO.
Presumably, the other leaders in the scouting party are experienced and knowledgeable in their respective fields — to earn a spot on the team, C.W. needs to distinguish himself among these professionals. He should emphasize his ability to serve as the CEO's eyes and ears, protecting him from cross-functional silos and miscommunications that naturally arise from complex due diligence activities. He could also highlight his ability to keep the CEO apprised of risks surrounding the provider's control environment.
Before meeting with the CEO, C.W. should do his homework. He should obtain company information from the Internet and review the service provider's public financial statements, if applicable, including management's report on internal controls. He also should review the existing service provider contract and related transaction volume and dollars, and ask the account manager responsible for the service provider relationship about the provider's culture, key personalities, and history. If available, C.W. should obtain a Statement on Auditing Standards No. 70 report to understand the underlying information system controls as well. Moreover, to help convey experience and subject matter knowledge, he should prepare a thorough due diligence checklist and commit it to memory before the meeting.
C.W. should also mention that M&A and joint venture activities are among the primary risk events precipitating company stock drops, making this particular alliance a significant risk to the company and the CEO's reputation. Acting as the CEO's eyes and ears, C.W. can serve as an impartial observer over the due diligence activities. He can also perform an internal control risk assessment based on discussions with the service provider's internal audit group and review of the group's past audit reports. C.W.'s primary message should be that he can help establish a strong understanding of the service provider's control environment and ensure that messages delivered to the CEO are fair, balanced, and complete. This information will help protect the CEO when he provides his final recommendation to the board.
C.W. has a right to be concerned about his exclusion from the scouting party. Proper due diligence is an exercise that can't be overlooked, and it is imperative that the company engages the right mix of managers in its efforts.
Internal auditing should be involved in the due diligence process for several reasons, including:
C.W. should contact the CEO and try to obtain more information about the potential joint venture and scouting party. He should remain calm but determined and find out whether he was just inadvertently overlooked or purposely excluded. Depending on the CEO's response, C.W. may need to make a case for his inclusion on the team. He should be prepared to outline the services internal auditing can offer to help ensure an effective assessment is performed.
C.W. should also discuss the benefits of using internal auditing as opposed to engaging outside consultants for due diligence services. He has a seasoned team with experience in finance and IT, as well as intimate familiarity with the company and its history, goals, vision, and values. And depending on where the potential target is located, the internal auditors may be able to lend insight from their experience on previous audits. C.W. should also determine whether he can cite potential cost savings associated with performing the work in-house.
If C.W. was deliberately excluded from the team, he should consider whether pervasive concerns may have led to the decision. Is the internal audit function valued by the organization? If not, where did the lines of communication break down? What other pressing company news is failing to reach C.W.'s desk? Regardless, a meeting with the CEO is imperative, and it will help answer many of C.W.'s questions. He may also want to consider meeting with the audit committee chair for additional insight.
When determining whether he should be included in the scouting party, C.W. should first consider internal auditing's existing roles and responsibilities — specifically in the areas of risk management and internal control. If he concludes that auditing should be part of the process, then he needs to bear in mind the importance of effective communication.
C.W. should attempt to meet with the CEO directly to address his questions and concerns. If a meeting cannot be arranged, he should discuss the matter with the individual to whom he reports — provided it is not the CEO. When deciding who to communicate with, C.W. should keep in mind the confidential and sensitive nature of an acquisition.
Legitimate reasons may exist for internal auditing's omission from the due diligence activities. The CEO might not be aware of the audit group's expertise in certain areas, or he may feel that the due diligence group is already well represented. He might also believe that internal auditing does not have the resources to absorb additional workload, or that due diligence work might lead to audit independence or objectivity issues.
Whatever the reasons, C.W. should be prepared to discuss them with the CEO without becoming defensive or taking them personally. He should also keep in mind that this situation could serve as an excellent marketing opportunity for the audit department. C.W. should explain his department's strengths and discuss how internal auditors can add value to this type of evaluation. Although internal auditing might not be asked to participate in the initial due diligence trip, the department could be called upon to provide expertise later in the acquisition process. At a minimum, the conversation could provide C.W. assurance that the due diligence team is well represented.
Ultimately, the role of internal auditing is to serve the organization. If the CEO decides not to include the audit function in the due diligence project, and that decision does not cause elevated risk to the organization, then C.W. should accept it. He should also keep in mind that, depending on internal auditing's reporting relationship, significant proposed changes to the department's role, responsibilities, or audit plan may need to be communicated to the audit committee.
How would you handle this scenario? Continue the discussion by sharing your comments below.
COMMENT ON THIS ARTICLE
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.