Skip to main content

Staying in compliance during an M&A transaction

Internal Controls
Staying in compliance during an M&A transaction
4 min read
Mike Starr
Vice President, Governmental and Regulatory Affairs
Published: October 21, 2014
Last Updated: April 25, 2023

If you’re heading into a merger and acquisition (M&A) transaction, you already know that it can be a complex process to navigate. Legal, financial, and cultural issues often take center stage as deals are negotiated, but compliance is equally as important.

As you work through the stages of an M&A transaction, it’s critical to pay attention to both the people side and the process side.

Rumors of a potential M&A transaction can spread quickly throughout both companies involved in the deal. If not checked, these rumors can have a significant impact on shareholder value. They can also have legal ramifications that could affect the deal itself.

Reduce your exposure by controlling access to confidential information. Use a solution that keeps important documents locked and creates an audit trail of who has viewed them.

Most importantly, don’t wait until you hear rumors to address the issue. Communicate clearly and often with executives and key stakeholders about what can be shared and what's off limits. Explain the implications of rumors on the eventual future of the combined organization.

Merging internal controls and Sarbanes-Oxley (SOX) documentation is a key part of any M&A transaction. Initial reviews will determine whether the acquired company has a solid system of internal controls in place and whether its SOX environment is up to par.

Internal control over financial reporting falls under Section 404 of Sarbanes-Oxley, which means it should be top of mind as you proceed.

If the acquired company does not have sufficient controls and documentation in place, there will be a lot of design work required before you can move forward.

Depending on the type of company you have acquired or merged with, there might be significant work to consolidate controls. You'll need to determine whether to change the controls, comply with those of your company, or test the design and effectiveness of the controls as is.

Trying to integrate internal controls and processes across departments, let alone companies, can be a daunting effort. Process bottlenecks arise from:

  • Tracking controls in narratives, flowcharts, and matrices stored across multiple locations and applications
  • Managing changes with a decentralized process of copying, pasting, and emailing information between teams
  • Gathering more certifications and document sign-offs via email, voicemail, and sticky notes

While mergers and acquisitions are not specifically mentioned, Section 302 and Section 404 of Sarbanes-Oxley still apply. Section 302 and 906 of Sarbanes-Oxley legislation require senior management to certify the accuracy of the financial statement and holds senior management both criminally and civilly liable. Section 404 requires management and auditors to establish internal controls and reporting methods.

Reaching compliance of internal controls and SOX Section 404 one year following an acquisition requires a lot of work. Start early, and give yourself adequate time to examine all internal controls, documents, and processes. With an impending deadline to update to the new COSO Framework by the end of your calendar year, you need to be on top of your game.

You need more than the right people to make a smooth SOX integration during a merger or acquisition—you also need the right documentation and certification solution. With a strong recommendation to migrate to the updated 2013 COSO Framework, choosing the right tools can give you increased visibility, improved collaboration, and process efficiency.

Staying in compliance during an M&A transaction can be difficult, but it’s also very feasible. With the right resources, thoughtful planning, and open communication, you can keep rumors to a minimum and make it through to an integrated set of processes. It’s all about taking control and creating a reliable structure that will see you through.

About the Author
Mike Starr
Mike Starr

Vice President, Governmental and Regulatory Affairs

Mike Starr is Vice President of Governmental and Regulatory Affairs. He previously served as the SEC Chief Accountant’s advisor with a focus on investors’ financial information needs and the role of structured data in meeting those needs. Prior to his work with the SEC, Mike served as Chief Operating Officer for Grant Thornton International Ltd., where he oversaw global strategy and public policy. He earned a Bachelor of Science in accounting from Oklahoma State University (OSU), and in 2010 was recognized as an OSU distinguished accounting alumnus and inducted into the School of Accounting Hall of Fame.

Online registration is currently unavailable.

Please email events@workiva to register for this event.

Our forms are currently down.

Please contact us at

Our forms are currently down.

Please contact us at