ISACA Journal
Volume 5, 2018


The Practical Aspect: Mergers and Acquisitions, Should Internal Audit Be Involved in Due Diligence? 

Vasant Raval, DBA, CISA, ACMA, and Chandni Jalan, CISA, CITP, CPA 

Corporations today, especially large corporations, find acquisitions to be a crucial means to achieve their strategy. Depending on the strategic need, this may include several desired outcomes: advancing their footprint in current technology, abating competition by eliminating or undermining a promising start-up that could intensify competition in the future, extending horizons of the company business, or simply fueling further growth when the company seems to stagnate. There are important benefits of acquisition generally not available through any other means, such as catching up with lost time in building competitive edge or harnessing invaluable talent that otherwise would be inaccessible.

Corporate mergers and acquisitions (M&A) are considered significant, from both a strategic and an economic point of view, across almost all sectors of the economy.1 But the opportunities in acquisitions are enmeshed with risk that needs to be identified, assessed and mitigated. Not only hostile acquisitions, but also friendly acquisitions are time-consuming and stressful and require an “army” of people from the management hierarchy and even outside consultants to conduct due diligence and prepare for the initial approach. Time and timing can be very critical to manage. To quote researchers:

M&A is a complex process involving risk that ranges from financial and legal matters to sales and marketing challenges and everything in between. Despite well-established benefits of strategically driven expansion and integration of businesses through M&A, the consolidated organization exposes itself to a number of anticipated, unknown and unintended risk factors.2

Based on a study of acquisitions made by British companies both in the United Kingdom and in the United States, a more proactive role for the internal audit function in acquisition planning is suggested. Researchers observed, “Acquisitions and mergers often fail because insufficient attention is given to conducting an organizational audit of the vendor prior to signing the deal.”3 An international study conducted later found that the internal auditor’s actual participation in strategic planning and specific acquisition planning was 27 percent and 14 percent, respectively.4

Does it make sense to involve internal auditors in due diligence? Here is an example. A Fortune 500 organization decides to significantly improve its strategic advantage by acquiring a five-year-old start-up poised for success. To do so, the acquiring company pays a fortune. In a matter of months, the organization finds that its acquisition was a deceitful overture from the acquired organization’s chief executive officer (CEO). He doctored the financial numbers of his organization to make the picture look rosy and attractive for acquisition. Setting aside the dreams of getting ahead strategically, the acquiring organization had to record a material impairment charge on the acquisition, amounting to substantially all of the acquisition cost. Phony reseller agreements, back-dated transactions and round-trip transactions were used to inflate accounting numbers, and the acquirer believed it all was real.

Could this have happened if the acquiring organization had included its internal auditors in its due diligence team? Clearly, if the problem had been detected early on, the buyer would have saved a considerable amount of grief and money that it poured into this acquisition effort. As an acquiring organization enters the due diligence phase, internal audit can assist in managing acquisition risk. Here are some examples:

  • Assess the current risk and control environment. Internal auditors can assess the makeup of the current control structure from a risk viewpoint. For example, is there a disproportionately high number of manual controls compared to automated controls? Why? What if the control environment is not as strong as that of the potential buyer? Auditors can assess what impact, if any, this may have on the due diligence and the bidding decision.
  • Review results from internal audits and external audits to determine the current issues at the organization. If management decides to assume the risk and does not take steps to remediate a given deficiency, it is important that the acquiring organization understands the cost-benefit analysis performed and what other entity-level compensating controls are in place that made management comfortable that material misstatements would be detected on a timely basis.
  • Assess the competency (knowledge, skills, experience) and independence of key process/control owners throughout the organization.

Once the acquisition has been completed, an internal auditor should be able to assist in assuring that the integration of the acquired organization into the acquiring organization is effective and efficient. For example:

  • Internal auditors can provide assurance that the acquired business is aligned with the organization’s control environment. How? This starts with a road map that lays out system integration, people integration and process integration, sets the time frame and describes how. A road map is key, as any acquisition takes time to become integrated, particularly if it is a large acquisition. Depending on what the time line looks like, the buyer should ensure that it has strong entity-level controls that will cover the acquired organization as well, so any risk that could lead to a material misstatement is properly mitigated through those entity-level controls (until the acquired organization is fully integrated).
  • The acquired organization may not be fully integrated for a few years. How does this impact the assessment? In what ways would this impact compliance with current regulations (e.g., the US Sarbanes-Oxley Act)?
  • Internal auditors can ensure that the acquired organization does not dilute the control environment, leading to a material weakness or a significant deficiency. Continued training, timely completion of monthly fluctuation analysis, balance sheet reconciliations and other high-level controls are relevant here. Timely onboarding of key stakeholders from the acquired organization is critical to ensure that they understand the company culture, tone at the top, and its commitment to ethical and sound business practices. Also, encouraging open communication is critical, so any issues are discussed and resolved if and when they are identified instead of “looking the other way.”

What does the internal auditor bring to the table that others on the diligence team may not have?

  • Independence/objectivity—The internal auditors would typically find themselves walking a fine line. The control environment is management’s responsibility, so the auditors need to carefully determine the steps they can take to ensure that they do not impair their independence while still being able to assist the organization in risk assessment and, if the acquisition materializes, in a smooth transition. The internal auditors should be mindful of their role as advisors and not assume a management role/responsibility, thus avoiding being in a position of auditing their own work later. For example, if a new system is implemented, the internal audit team can brainstorm with the business/process owners to ensure key risk factors are being considered and the business unit under acquisition consideration designs and implements proper controls to mitigate the risk. Internal audit can provide recommendations on the design, but should not design the control themselves as it is management’s responsibility.
  • New systems and technologies at the acquisition target—If the target organization does not have a good IT map of the current environment, it could lead to several challenges for the acquirer, particularly if it is a line of business that is unique, complicated or one in which the potential buyer does not have much experience/expertise. At times, this is precisely the reason the organization is seeking to acquire the innovator. While the benefits may be nearly certain and rather huge, attendant risk needs to be managed to harness the gains. Internal auditors can effectively assist in reviewing and, if necessary, revising existing organization policies to cover the risk and to ensure that a feasible IT map, extending several milestones beyond the acquisition date, is prepared and management review of it is undertaken and documented.
  • Third-party risk management at the acquisition target—The acquisition target may be dealing with its own network of third parties. It is necessary to determine if the risk of having third parties on board for providing services or products is properly identified and systematically managed. If some risk materializes at the acquired organization level, cascading effects of the compromise could engulf the organization seeking the acquisition. This is the case of vulnerability inheritances.5 For example, at the organization under acquisition, weaker controls around third parties (e.g., not having a proper inventory of all third parties used; not requesting and/or reviewing Service Organization Controls [SOC] 1 reports, if applicable; finding that recent contracts and term agreements are not available) could certainly lead to financial exposure in cases where there are clauses that are binding and would carry over to the potential acquirer.
  • Cost saving and organizational restructuring—These are typical pressures that emerge in the post-acquisition/integration stage. Internal auditors can anticipate some of these and respond more effectively if they are also involved in earlier stages of the acquisition process.

A comprehensive study of the role of internal auditing during M&A has been conducted.6 It classified the process of M&A into four stages—strategy development, due diligence, post-acquisition integration and post-acquisition audit—and suggested best practices for internal auditors’ involvement in each stage. For example, the strategy development stage includes the practice of auditing the process used in assessing and managing risk and offering advice on systems and processes that could reduce acquisition risk. In stage three, post-acquisition integration, best practice would be to prepare a checklist of activities necessary to actualize expected value from the acquisition.

Perhaps because this is not a routine exercise in internal auditing and forensics, the role of auditors in M&A is not commonly discussed. However, the skills that the auditors have and use normally within the organization are equally applicable and, perhaps, add much more value to non-routine exercises such as M&A. If anything, the payoff is likely much bigger, and the opportunities to mitigate risk that knocks at the door are truly worth assigning to the audit staff. After all, they know their organization well and should be able to tell if the risk of acquisition can be effectively managed. Prevention here has huge value compared to the cure.


1 Khazanchi, D.; V. Arora; “Evaluating IT Integration Risk Prior to Mergers and Acquisitions,” ISACA Journal, vol. 1, 2016
2 Ibid.
3 Lees, S.; “Auditing Mergers and Acquisitions—Caveat Emptor,” Managerial Auditing Journal, vol. 7, no. 4, 1992
4 Selim, G. M.; S. Sudarsanam; M. K. Lavine; Mergers, Acquisitions, and Divestitures: Control and Audit Best Practices, The Institute of Internal Auditors Research Foundation, USA, 2002
5 Raval, V.; S. Shah; “Third-Party Risk Management,” ISACA Journal, vol. 2, 2017
6 Dounis, N.; “The Role of Internal Auditing During Mergers & Acquisitions: The European Union Experience,” The Institute of Internal Auditors Research Foundation, USA, January 2007

Vasant Raval, DBA, CISA, ACMA
Is a professor of accountancy at Creighton University (Omaha, Nebraska, USA). The coauthor of two books on information systems and security, his areas of teaching and research interests include information security and corporate governance. He can be reached at

Chandni Jalan, CISA, CITP, CPA
Can be reached at



Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.