Focus on Fraud in M&A Transactions
Posted by William P. Allen on December 05, 2022
Due diligence is a critical part of the merger and acquisition (M&A) process — and an area of particular concern is fraud risk. Financial statement manipulation can sometimes make the target appear more valuable than it really is. Likewise, weak fraud policies, internal controls and cybersecurity practices can be ticking time bombs for an unwary buyer.
A forensic accountant can help a buyer evaluate a target’s fraud risk and look for signs of earnings manipulation and other accounting irregularities. Here are some examples of areas to examine before closing a deal.
Uncovering Accounting Fraud
It’s important to look for red flags that indicate that the target’s financial statements may not provide a true picture of its value. For example, revenue might be overstated if it has increased over time without a corresponding increase in cash flow or receivables. Another red flag of revenue overstatement is unusually strong revenue growth in comparison to the company’s competitors.
Earnings growth coupled with recurring negative cash flows may be a sign that expenses have been understated or that assets have been overvalued. Also be on the lookout for excessive restrictions on auditors’ access to information or personnel, high employee turnover, excessive pressure on management to perform, and an unusually high number of off-balance-sheet or related-party transactions.
Evaluating Fraud Exposure
During M&A due diligence, the buyer should examine a target’s fraud policies and practices to evaluate its exposure to fraud risk. Questions to ask include:
- Does the target’s corporate culture reflect a commitment to fraud prevention?
- Has the target adopted anti-fraud measures, such as a code of ethics and a whistleblower hotline?
- Has the target implemented strong internal controls that are regularly reviewed and tested for compliance?
- Does the target conduct background checks of new hires?
- How has the target addressed previous allegations of fraud?
- Are the target’s accountants, attorneys and other advisors reputable, and what’s the screening process for outside advisors?
- Has the target properly vetted its vendors and third-party service providers, including their anti-fraud policies and internal controls?
If the target’s practices in any of these areas fall short, the buyer should consider conducting additional due diligence. For example, if the target doesn’t conduct employee background checks, the buyer should perform background checks on the target’s executives and other key personnel, including the owners.
Assessing Cyber Risk
Cyberfraud is an area of growing concern. Data breaches can cause safety issues, negative publicity, lost productivity, and compromised personal and corporate data. The average cost of a data breach has risen to a record high of $4.35 million, according to a 2022 study published by independent research group Ponemon Institute. That’s an increase of 2.6% from the 2021 study and 12.7% from the 2020 study.
There are several ways to gauge how a target manages cyber risk. For example, ask whether the target has conducted a risk assessment, adopted a proven cybersecurity framework and trained employees on best practices. Also consider whether software and devices have been updated with the latest security patches, as well as whether there are effective backup and recovery systems in case an attack occurs.
Let the Buyer Beware
Comprehensive due diligence is an indispensable part of the M&A process, but it’s particularly critical with respect to fraud and cybersecurity. Few risks have greater potential to negatively impact the value of a deal.

