Compliance due diligence is really no different than regular due diligence. It just has a slightly different objective and therefore employs a different methodology. Moreover, compliance due diligence is both retrospective and prospective in nature and thus extends beyond legal due diligence. The primary goal of compliance due diligence is to ascertain whether the specific legal and economic risks that are material to a company have been identified and whether a compliance management system with informational, training and control components has been established to appropriately respond to these risks. In other words, legality is not the sole focal point. The ethical behavior of employees and management also matters, which safeguards an entity’s reputation, a corporate value with growing significance, and helps to avoid or at least reduce liability risks.
Compliance due diligence always begins with identifying the legal and economic risks that are material to the target company. The sector in which a specific company operates and its individual circumstances are import factors in this regard. Is the company active in a regulated sector like pharmaceuticals, waste management or banking? Is it a manufacturing enterprise and therefore exposed to product liability risks? Is it mostly involved in exports? Are there any internal policies on issues the company deeply values, such as environmental protection and social justice, that impose stricter requirements on its operations than existing laws prescribe?
Experience shows that the purchasing, sales and accounting departments are the main areas of focus in compliance due diligence, since liability risks and even criminal risks like corruption, antitrust violations, fraud and embezzlement that could jeopardize the continued existence of the company can be greatest there. However, staff involvement in these departments is key, so as not to give the impression that all of the employees in these departments are under suspicion. Company and industry-specific risks like environmental liability or product liability must not be pushed into the background. In addition, many companies today often underestimate the IT risks associated with their computer and Internet usage.
Besides substantive reviews, functional reviews of an acquiree’s compliance management system, assuming it has one that is, are also part of compliance due diligence. Compliance management systems should be stringent, internally consistent and capture all important divisions and departments. Other items to clarify include what kind of information and control structures there are and whether employees are regularly and appropriately trained. Of great relevance to buyers is examining the system for weaknesses that could produce previously unidentified liability risks. Auditing Standard 980 of the German Institute of Public Auditors (IDW) provides guidance for performing compliance audits. If an investee has not yet established a compliance management system, there may be concerns about its compliance culture and liability risks that need to be addressed in the purchase price or through guarantees.
The results of compliance due diligence have a large bearing on the further progress of contract negotiations and may, in the worst case scenario, e.g., with serious antitrust violations, corruption or product liability risks, cause the negotiations to be broken off. Even if negotiations continue, the results will be incorporated into the contract, say in the list of guarantees and warranties provided or in indemnification clauses. The price will also be affected.
In practice, the trend away from due diligence focused solely on legal, tax or financial issues in favor of a compliance-based due diligence has proven effective. Buyers get a more comprehensive look at their target companies, reducing the risk of bad investments and facilitating the target company’s integration into the buyers’ corporate organization. Thus, the added time and expense associated with compliance due diligence is time and money well spent.