Friday, March 15, 2019

A Comprehensive Guide to Due Diligence Issues in Mergers and Acquisitions

By Richard D. Harroch, David A. Lipkin, Richard V. Smith, and John Cook

Mergers and acquisitions typically involve a significant amount of due diligence by the buyer. Before committing to the transaction, the buyer will want to ensure that it knows what it is buying, what obligations it is assuming, the nature and extent of the seller’s contingent liabilities, problematic contracts, litigation risks, intellectual property issues, and much more. This is particularly true in private company acquisitions, in which the seller has not been subject to the scrutiny of the public markets.

Recent M&A activity and litigation have highlighted the need for a buyer to conduct careful due diligence as to potential risks, especially investigating financial statements, data breach and cybersecurity issues, intellectual property issues, and potential employment law and sexual harassment liability.

The following is a summary of the most significant legal and business due diligence activities the buyer will undertake in a typical M&A transaction involving a privately held company. A buyer will employ additional highly specialized due diligence activities, beyond those set forth below, when investigating companies in regulated industries, such as telecom, banking, insurance, or finance.

By planning for the buyer’s due diligence activities carefully and properly anticipating the related issues that may arise and risks that the buyer may identify, the seller will be better prepared to negotiate mitigation measures and successfully consummate a sale of the company.

1. Financial Matters

The buyer will be concerned with all of the seller’s historical financial statements and related financial metrics as well as the reasonableness of the target’s projections of its future performance. Topics of inquiry or concern will include the following:

  • What do the seller’s annual, quarterly, and (if available) monthly financial statements for at least the last three years reveal about its financial performance and condition?
  • Are the seller’s financial statements audited, and, if so, for how long? Does the audit report include a “going concern” qualification?
  • Do the financial statements and related notes set forth all liabilities of the seller, both current and contingent?
  • Are there internal controls over financial reporting issues?
  • Are the revenues and margins for the business growing or deteriorating?
  • Are the seller’s financial projections for the future and underlying assumptions reasonable and realistic?
  • How do the seller’s projections for the current year compare to the board-approved budget for the same period?
  • What normalized working capital will be necessary to continue running the business?
  • How is “working capital” determined for purposes of the acquisition agreement? (Definitional differences can result in a large variance of the dollar number.)
  • How much is the seller investing in research and development? Is this amount sufficient?
  • What capital expenditures and other investments will need to be made to continue growing the business, and what are the seller’s current capital commitments?
  • What is the condition of tangible assets and liens thereon?
  • What indebtedness is outstanding or guaranteed by the seller, what are its terms, and when does it have to be repaid?
  • Are there any unusual revenue recognition issues for the seller or the industry in which it operates?
  • What is the aging of accounts receivable, reasonableness of reserve for doubtful accounts, and are there any other accounts receivable issues?
  • Should a “quality of earnings” report be commissioned?
  • Are the capital and operating budgets appropriate, or have necessary capital expenditures been deferred?
  • Has EBITDA and any adjustments to EBITDA been appropriately calculated? (This is particularly important if the buyer is obtaining debt financing.)
  • Does the seller have sufficient financial resources to both continue operating in the ordinary course and cover its transaction expenses between the time of diligence and the anticipated closing date of the acquisition?
  • Do any of the letters from auditors cause concern?
  • Do any of the letters from counsel to auditors cause concern?
  • Does the seller have net operating losses? How much is available for use by the buyer post closing?
  • What seasonality in revenue and working capital requirements does the company typically experience?
  • Are there any restrictions on the seller’s cash or repatriation taxes due in connection with foreign subsidiaries?

2. Technology/Intellectual Property

The buyer will be very interested in the extent and quality of the seller’s technology and intellectual property. This due diligence will often focus on the following areas of inquiry, among others:

  • What domestic and foreign patents (and patents pending) does the seller have?
  • Has the seller taken appropriate steps to protect its intellectual property (including confidentiality and invention assignment agreements with current and former employees and consultants)? Are there any material exceptions from such assignments (rights preserved by employees and consultants)?
  • What registered and common law trademarks and service marks does the seller have?
  • What copyrighted products and materials are used, controlled, or owned by the seller?
  • Does the seller’s business depend on the maintenance of any trade secrets, and, if so, what steps has the seller taken to preserve their secrecy?
  • Is the seller infringing on (or has the seller infringed on) the intellectual property rights of any third party, and are any third parties infringing on (or have third parties infringed on) the seller’s intellectual property rights?
  • Is the seller involved in any intellectual property litigation or other disputes (patent litigation can be very expensive), or received any offers to license or demand letters from third parties?
  • What technology in-licenses does the seller have and how critical are they to the seller’s business? How might these licenses affect or restrict the business of the buyer or any of its affiliates? Are royalty obligations affected by the sale of the seller to the buyer?
  • Has the seller granted any exclusive technology licenses to third parties?
  • Has the seller historically incorporated open source software into its products, and, if so, does the seller have any open source software issues?
  • What software is critical to the seller’s operations, and does the seller have appropriate licenses for that software (and does the seller’s usage of that software comply with use limitations or other restrictions)?
  • Has the seller disclosed, or is it contractually required to disclose, any source or object code?
  • Is the seller a party to any source or object code escrow arrangements, and has any such code been released from escrow?
  • What indemnities has the seller provided to (or obtained from) third parties with respect to possible intellectual property disputes or problems?
  • Are there any other liens or encumbrances on the seller’s intellectual property?
  • Has the seller received subsidies or support from governmental authorities or universities? Is there any obligation to return subsidies upon a change of control of the seller?
  • Has the seller used any intellectual property owned or claimed to be owned by any university or other educational institute?
  • Does the seller’s software include any disabling codes, bugs, viruses, or other material problems or defects, and does the seller use industry standard practices to detect any such problems or defects?
  • Does the seller have sufficient IT systems, including computer, information technology, and data-processing systems and facilities, for existing and currently anticipated future needs?

3. Customers/Sales

The buyer will want to fully understand the seller’s customer base, including the level of concentration of the largest customers as well as the sales pipeline. Topics of inquiry or concern will include the following:

  • Who are the top 20 customers and what revenues are generated from each of them?
  • What customer concentration issues/risks are there?
  • Will there be any issues in keeping customers after the acquisition (including issues relating to who the buyer is)?
  • How satisfied are the customers with their relationship with the seller? (Customer calls will often be appropriate.)
  • Are there any warranty issues or obligations with current or former customers?
  • What repair, indemnification, and/or liquidated damages obligations does the seller owe to its customers?
  • What is the customer backlog?
  • What are the sales terms/policies, and have there been any unusual levels of returns/exchanges/refunds?
  • How are salespeople compensated/motivated, and what effect will the transaction have on the financial incentives offered to employees?

4. Fit with Strategic Buyer

A strategic buyer is concerned not only with the likely future performance of the seller as a stand-alone business; it will also want to understand the extent to which the seller will fit strategically within the larger buyer organization. This can also be the case where the buyer is a private equity buyer that has one or more existing portfolio companies in businesses related to those of the seller. Related questions and areas of inquiry will include the following:

  • Will there be a strategic fit between the seller and the buyer, and is the perception of that fit based on a historical business relationship or on future expectations?
  • Does the seller provide products, services, or technology the buyer doesn’t have?
  • Will the seller provide key people (is this an acqui-hire?) and, if so, what is the likelihood of their retention following the closing?
  • What integration will be necessary, how long will the process take, and how much will it cost?
  • Will the transaction be accretive to or dilutive of the buyer’s earnings?
  • What cost savings and other synergies will be obtainable after the acquisition?
  • What marginal costs (e.g., costs of obtaining third-party consents) might be generated by the acquisition?
  • What revenue enhancements will occur after the acquisition?

5. Material Contracts

One of the most time-consuming (but critical) components of a due diligence inquiry is the buyer’s review of all material contracts and commitments of the seller. The categories of contracts that are important to review and understand include the following:

  • Guaranties, loans, and credit agreements
  • Customer, reseller, and supplier contracts
  • Agreements of partnership or joint venture; limited liability company or operating agreements
  • Contracts involving payments over a material dollar threshold
  • Settlement agreements
  • Past acquisition agreements
  • Equipment leases
  • Indemnification agreements
  • Employment agreements
  • Exclusivity agreements
  • Agreements imposing any restriction on the business activity of the seller or the right or ability of the seller (or buyer after closing) to compete in any line of business or in any geographic region with any other person
  • Agreements containing “most favored nation” provisions
  • Real estate leases/purchase agreements
  • License agreements
  • Powers of attorney
  • Franchise agreements
  • Equity finance agreements
  • Distribution, dealer, sales agency, or advertising agreements
  • Union contracts and collective bargaining agreements
  • Government contracts
  • Contracts the termination of which would result in a material adverse effect on the seller (including, for example, acceleration of indebtedness upon a change of control or liquidated damages provisions)
  • Any approvals required of other parties to material contracts due to a change in control or assignment

6. Employee/Management Issues

The buyer will want to review a number of matters in order to understand the quality of the seller’s management and employee base, including:

  • Management organization chart and biographical information
  • Sexual harassment or discrimination policies or allegations
  • Sexual misconduct allegations or culture issues
  • Summary of any labor disputes
  • Information concerning any previous, pending, or threatened labor stoppage, slowdown, picketing, or other similar labor activity
  • Employment and consulting agreements, loan agreements, and documents relating to other transactions with officers, directors, key employees, and related parties
  • Schedule of compensation paid to officers, directors, and key employees for the three most recent fiscal years showing separately salary, bonuses, and non-cash compensation (e.g., use of cars, property, etc.)
  • Summary of employee benefits and copies of any pension, profit sharing, deferred compensation, and retirement plans
  • Evidence of compliance with IRS Section 409A in connection with incentive equity issuances
  • Summary of management incentive or bonus plans not included above as well as other forms of non-cash compensation
  • Likelihood of need for compliance with IRS Section 280G (“golden parachute”) rules in connection with any potential acquisition
  • Employment manuals and policies
  • Involvement of key employees and officers in criminal proceedings or significant civil litigation
  • Plans relating to severance or termination pay, vacation, sick leave, loans, or other extensions of credit, loan guarantees, relocation assistance, educational assistance, tuition payments, employee benefits, workers’ compensation, executive compensation, or fringe benefits
  • Appropriateness of the seller’s treatment of personnel as independent contractors vs. employees
  • Carve-out plans in the event of a change in control of the seller
  • Employee compliance with obligations to prior employers (such as non-compete and non-solicit provisions)
  • Compliance with employment rules, including wage and hour, overtime, immigration, child labor, employment discrimination, and disability rules and regulations
  • Whether there are agreements/incentive arrangements in place with key employees to be retained by the buyer, and whether they will be sufficient to retain key employees
  • The extent to which layoffs and resultant severance costs will likely be incurred in connection with the acquisition, and whether the buyer or the seller bears these costs
  • Accrued but unpaid bonuses or commissions
  • Employees on medical, maternity, paternity, adoption, or other leave
  • Deferred compensation arrangements
  • Historical employee and consultant turnover
  • Whether employees may be contractually and legally terminated at will without payment of severance or other payments

7. Litigation

An overview of any litigation (pending, threatened, or settled) or arbitration involving the seller is typically undertaken. This review will include the following:

  • Filed or pending litigation, together with all complaints and other pleadings
  • Litigation settled and the terms of settlement
  • Claims threatened against the seller
  • Consent decrees, injunctions, judgments, or orders against the seller
  • Attorneys’ letters to auditors
  • Insurance covering any claims, together with notices to insurance carriers
  • Matters in arbitration or mediation

8. Cybersecurity and Data Privacy

It has become increasingly imperative that a buyer considering an acquisition fully investigate and identify cybersecurity and data privacy risks and liabilities posed by the transaction. It is equally important that the seller anticipate cybersecurity and data privacy issues. Notably, because a seller may not even be aware of a prior or current compromise of the seller’s data that may be pertinent to the deal, it is also incumbent upon the buyer to engage expert third parties to conduct due diligence in this area. Appropriate cybersecurity or privacy counsel should be consulted in any particular M&A due diligence investigation.

At a minimum, the buyer’s due diligence investigation should focus on the following:

  • Identifying the particular types of privacy and cybersecurity risks the seller faces given its industry sector, geographic reach, and the nature of the products and/or services that it manufactures, develops, or provides
  • Understanding the network and system architecture and data flows, including the use of cloud providers and third-party applications
  • Understanding the extent to which the seller gathers and uses personal information, especially customer personal information and highly sensitive proprietary information, including information provided by business partners and/or governmental agencies
  • Reviewing commitments and representations made by the seller to its users and customers in connection with privacy and security issues, including contractual obligations
  • Recognizing whether the buyer will need to obtain any consents to use personal or private information of the seller post-closing
  • Asking whether the seller has experienced any prior cybersecurity incidents, including data breaches, and how it has responded to such incidents
  • Determining whether the seller has a written security program that meets current regulatory and industry standards and best practices, including with respect to organizational (policies), operational (processes), and technical controls
  • Assessing the buyer’s potential liability, compliance posture, and/or notification obligations that might exist after completion of the acquisition

In addition, there are several other types of due diligence inquiries and procedures that a buyer may wish to undertake in connection with its investigation of data privacy and cybersecurity issues set forth below.

Review of Selling Company Policies and Contracts

The buyer will often request and review copies of various policies, contracts, and other documents of the seller, including the following:

  • Current and older versions of the seller’s privacy policies
  • Whether and to what extent the seller has deviated from its privacy policies
  • Current and older versions of any Terms of Use agreements
  • Telemarketing and email marketing policies
  • Security policies, including but not limited to the seller’s Information Security Policy, Acceptable Use Policy, and Data Classification Policy
  • Results of security audits and assessments, vulnerability scans, and penetration tests
  • Privacy and security program maturity plans
  • Privacy impact assessment processes and assessment reports
  • Certifications (e.g., ISO 27001/2, PCI DSS, SOC) and audit records
  • A list of business-to-business customer contracts, particularly with public companies in the financial, health, energy, telecommunications, and other highly regulated industries
  • Contracts with the seller’s vendors, suppliers, and providers
  • Incident response plans and playbooks
  • Privacy and information security training materials, and a description of the training program
  • Employee background investigation processes and policies, and onboarding processes
  • Organization and reporting structure as it relates to the security function, and any information regarding executive management of cybersecurity and privacy risk
  • GDPR-related compliance materials, as applicable
  • Software development processes and documentation
  • Insurance policies protecting the seller from cybersecurity or data breach losses (including claims history)
  • Whether there are appropriate systems of internal accounting controls to guard against fraudulent requests for money

Review of Procedures to Protect Data

The buyer may also inquire of the procedures the seller has put in place to protect its and its employees’, customers’, and business partners’ data and information as well as its networks and systems. For example:

  • Does the seller have a written cybersecurity program that establishes administrative, operational, and technical controls to mitigate security risks?
  • Does the seller have appropriate policies, including at a minimum an Information Security Policy, an employee-facing Acceptable Use Policy, and a Data Classification and Handling Policy?
  • Does the seller conduct regular risk assessments, and vulnerability and penetration testing of systems?
  • Does the seller have dedicated security personnel?
  • Does the seller perform an annual risk assessment relating to privacy and cybersecurity?
  • Does the seller train its employees

    from neb biz feed 1 https://ift.tt/2T5oZBH
    via Nebula Biz Local Loans

No comments:

Post a Comment