Looking under the rocks
DUE DILIGENCE AFTER SARBANES-OXLEY
By Mark R. High
Consider the acquirer. Armed with a fistful of dollars, or a healthy stock
price, it scans the horizon, looking for targets. Then it spots an
attractive candidate, makes its intentions known, works out a
confidentiality agreement, and the dance is on.
Generally speaking, whether the target is a specific asset (such as a
building), a division, or an entire enterprise, the next step is due
diligence. That means pulling out that due diligence checklist that you
have been using for a decade or more. Sure, it has been refined over the
years. You have filled in the environmental section. Around 1999, you
started addressing the software and intellectual property issues.
(Hopefully, you have deleted those Y2K questions.) But not much has changed
in this area, at least until now.
And so we look at Sarbanes-Oxley yet again. When viewed from this angle, we
can see a government-mandated disclosure process that is monitored by
auditors, certified by top-level executives under penalty of prison,
reviewed by the SEC, and enforced by the plaintiffs' bar. More reports and
more information means there are more sources to learn about a target. As a
buyer, what's not to like?
Keep in mind that Sarbanes-Oxley (SOX) does not apply only to large
publicly traded corporations; privately held companies can also be subject
to SOX. Lenders and customers can each require a company to adopt SOX-style
procedures. A company's accountants and D&O insurance carriers can also
prompt a company to do it.
Many companies will even voluntarily comply with at least some of the SOX
requirements. If the target was anticipating going through an initial
public offering, it may have begun putting procedures in place to prepare
for the big event. Similarly, a company that had put itself on the market
might have decided that it would be a more attractive acquisition candidate
if it has SOX-style procedures in place.
A quick romp through the relevant federal laws and regulations may be in
order. Most of these actually pre-date SOX, but the current disclosure
climate has brought a new focus to these requirements. There are three main
sources for federal corporate disclosure requirements: Regulation S-K, FASB
No. 5, and SOX.
Regulation S-K — Regulation S-K issued by the SEC acts as an
instruction manual for public companies filing their annual, quarterly and
interim reports. Several items of Reg. S-K call for information an acquirer
would be interested in.
Item 101 requires reporting companies to describe their businesses,
products and competition as well as report on their financial position by
industry segments. Companies must discuss transactions outside of the
ordinary course, R&D activities, intellectual property, backlog,
foreign operations and the anticipated costs and effects of environmental
compliance — both current and projected.
Item 103 calls for companies to disclose any large nonroutine legal
proceedings to which they are a party, and even some routine matters that
exceed certain thresholds. Also, Item 303 requires a company's management
to discuss known trends, events and uncertainties that could have a
material effect on its business (the so-called Management Discussion &
Analysis, or MD&A, report).
Item 402 calls for a detailed review of the company's executive
compensation, employee contracts, benefits, options and so on. Item 404
focuses on related party transactions. Material contracts are to be
included as exhibits to the periodic filings, so, many times, credit
agreements, joint venture agreements, even real estate leases are on the
public record.
FASB No. 5 — Statement of Financial Accounting Standards No.
5: Accounting for Contingencies, issued by the Financial Accounting
Standards Board, deals with disclosing loss contingencies. Observing FASB
No. 5 is part of complying with generally accepted accounting principles,
and is a key element in the audit letter process. It requires a company to
establish a loss contingency in its financial statements if (1) available
information indicates that it is probable that the company has suffered a
loss, and (2) the amount of that loss can be reasonably estimated.
Even if a loss is only possible, or the value of the loss suffered cannot
be reasonably estimated, it must be described in a footnote to the
company's financial statements. In general, financial statement footnotes,
while perhaps not as fascinating as the latest Tony Hillerman novel, can
contain many interesting clues of their own.
Sarbanes-Oxley — While Regulation S-K and FASB No. 5 have
been around for many years, the new provisions receiving all the publicity
come out of the Sarbanes-Oxley Act, adopted in 2002. Most important for
this article are Sections 302 and 404.
Section 302 of SOX requires the chief executive officer and the chief
financial officer of a company to personally certify certain items about
the annual or quarterly report being filed. In summary, they must certify
that
they have read the report, the report fairly presents the company's financial condition and results
of operations, to their knowledge, the report contains no untrue statements or omissions
of material fact that would make the statements misleading, and they are responsible for and have evaluated the company's disclosure
controls and procedures, and internal controls over financial
reporting.
Thus, a company's senior officers must learn about the company's
liabilities and satisfy themselves that the company's periodic reports meet
SOX requirements. This personal responsibility is causing senior executives
to demand more detailed information and future cost estimates from, for
example, environmental managers. Under Section 906 of SOX, senior officers
can be subject to potential criminal liability if they falsely, knowingly
or willfully make an inaccurate Section 302 certification.
Under Section 404, a company has to establish and maintain adequate
internal control structures and processes to allow for accurate financial
reporting. In the company's annual report, senior executives need to assess
and report on the effectiveness of these internal control structures and
processes. Further, the company's auditors must provide an independent
report on management's assessment.
Taken together, these measures require reporting companies (and companies
otherwise observing these requirements) to:
review and, if necessary, adopt new liability assessment and reporting
practices; regularly obtain and evaluate insurance company risk assessments for the
company's properties; include environmental matters in their Item 303 MD&A; discuss pending and threatened litigation and regulatory enforcement
actions in their periodic reports; disclose and value contingent liabilities in their financial statements,
including those related to legal, operational, warranty and environmental
issues; implement and periodically evaluate Section 404 internal controls and
procedures; perform the actions called for by their internal controls and procedures,
including maintaining internal records, establishing milestones for
regularly evaluating known problem areas, searching out new problem areas,
and providing reports up and down the management chain; have all of the above reviewed, evaluated and certified to by senior
management; and have all of the above formally reviewed and audited by their
accountants.
Any company with an interest in acquisitions has to look at that list of
information sources and be glad. Many companies are now generating
information that is much greater in both quantity and quality than that
available even just two years ago. Not only is the new disclosure regime
causing companies to look more closely at themselves, the requirements of
SOX Sec. 404 have resulted in a paper trail of reports, reviews,
evaluations, assessments and reassessments that have never before been
available.
Savvy acquiring companies (and their lenders) will jump at the chance to
learn about their targets from the inside. Savvy targets will keep in mind
that even reports that are being generated for "internal" review
may actually become available to outsiders. (A developing issue is whether
attorney-client privilege can be used to keep certain internal review
documents confidential. This is complicated by the fact that many of these
internal reports are disclosed to outside auditors as part of their
internal controls review.)
Acquirers need to pull out their due diligence checklists and adapt them to
the new informational reality. In particular, acquiring companies need
to:
expand their review of publicly available information to include the EPA
ECHO list and periodic reports filed by the target with the SEC; specifically inquire about their target's internal review processes and
procedures; review the target's internal operational, real estate, intellectual
property, insurance, litigation and environmental policies; examine the internal committees charged with monitoring and assessing the
target's SOX compliance, including getting a list of committee members and
their functions; consider whether other internal procedures might touch on managerial,
financial and operational issues (for example, as part of the target's
accounting and legal functions); inquire about what is generally known as the Disclosure Controls
Committee, a general oversight committee that may gather and evaluate
information generated by the internal review structure; obtain all minutes, reports, memoranda and valuations generated by these
internal procedures; and review the work papers and reports generated by the target's auditors
while assessing the company's internal controls.
Information gathered this way not only tells the buyer about the company
itself; it can also be used to value the transaction better, that is, to
help establish whether the purchase price is right. It can help value and
allocate risks coming out of the transaction, making for a more accurate
and meaningful indemnification provision. It can also serve as a check on
disclosure provided by the seller in the transaction's base purchase
agreement.
In a recent situation we were involved in, our client was purchasing one
plant from a public company that owned several plants around the country.
In reviewing the selling company's SEC filings, we noticed a pattern to the
hazardous materials that the seller identified as being found at some of
its other facilities. Based on that review, we expanded the list of
materials to be looked for in our Phase II environmental review, and the
seller was forced to admit that this increased scope was reasonable in
light of its prior experiences.
After acquiring a business or property, the acquiring company will have to
include the new assets in its future reporting and integrate the new assets
into its existing internal controls and procedures. If the acquisition is
significant, or consists of a stand-alone business, the buyer may have to
develop new internal controls and procedures to cover the new assets. As we
get further into this process, buyers may find themselves having to
evaluate procedures that the target has developed, which may be more
complicated than working from a clean slate.
The SEC seems to have given acquiring companies some leeway to exclude the
recently acquired business from management's report on the internal
controls over financial reporting. Even in this situation, the buyer needs
to identify the acquired business, disclose that it has left the acquired
business out of its report, and indicate the significance of the acquired
business.
Despite the delay allowed in the SOX Sections 302 and 404 internal controls
reporting, companies cannot delay reporting an acquisition's more
substantive effects. Depending on the size of the acquisition, that may
result in significant reporting concerns in discussing capital expenditures
under Reg. S-K Item 101, legal proceedings under Item 103, and known trends
and events under the Item 303 MD&A, not to mention the loss contingency
evaluation required under FASB No. 5.
In this light, pre-acquisition due diligence must be considered as part of
the post-acquisition reporting process. On a more practical basis,
acquiring companies may want to look at the calendar when scheduling
transaction closings, to gain a few more weeks to integrate the acquired
entity and its potential problems into the buyer's financial
reports.
Thus, recent developments have brought significant change to the way due
diligence issues need to be handled. They have also presented counsel, both
in-house and outside counsel, with significant opportunities to demonstrate
the importance of their functions to senior management.
On the internal compliance side, counsel will be called on to prepare
internal controls and procedures that are both comprehensive and workable.
Once those procedures are in place, preparing detailed yet concise reports
will help management provide the SOX Section 302 certifications. In
evaluating the potential liabilities that may exist, counsel can play a
vital role in fostering communication among managers, engineers and
accountants to arrive at a proper reserve valuation. All of these functions
must be performed on time, as missing an SEC filing deadline can be very
damaging to a reporting company and its management.
On the acquisition side, counsel should make sure that due diligence
checklists cover all the new information sources and get involved in the
due diligence process at the outset — and stay involved. It is
important to keep an eye on the reporting calendar, and anticipate
post-closing reporting requirements while doing the pre-closing
review.
Counsel for sellers, or potential sellers, should review (or establish)
reporting processes and systems, and prepare (or monitor) the resulting
reports as though the client were the subject of a due diligence request.
Certainly, a company with effective internal procedures and controls in
place will be more valuable than one without controls.
Above all, counsel needs to stay visible, available and involved during an
acquisition. Information becomes more valuable every day; counsel have
access to some of the most valuable information a company can have.
Monitoring, organizing and distributing that information is a critical
function that, when done well, can benefit a company and all its
constituents.
High is a member at Dickinson Wright PLLC, in Detroit. His e-mail is
mhigh@dickinsonwright.com.
|
