6 minute read 18 Feb 2019
Woman holding cards playing camper van

How strategy can be better embedded in strategic transactions

6 minute read 18 Feb 2019

Internal audit can help organizations sieze competitive advantage during mergers, acquisitions, divestments, joint ventures and alliances.

Organizations are turning to internal audit (IA) not only to fulfill core assurance responsibilities, but also to be agile and proactive in support of the company’s key strategic initiatives and transactions. Many organizations view risk only as something to be avoided or mitigated; however, some risks, if properly understood, can enable an organization to seize competitive advantage.

Why should IA be engaged during strategic transactions?

IA has a unique ability to view risks from an independent perspective because the assessment of risk has traditionally been part of its mandate. By teaming with the organization on strategic transactions, IA can help identify cost savings and offer guidance on areas where a loss of opportunity has traditionally occurred or increased investment has been required because of missed issues. It can also spot risks that might not have been considered because of a limited view of operations.

Best practice calls for IA to be embedded throughout the transaction life cycle. Though not all such transactions succeed, the integration of IA could determine, earlier in the process, whether the risks are identified and addressed appropriately.

IA should be part of the program management team regardless of the type of strategic transaction so that it can assess and monitor program management activities and provide insights. IA can also review program management office (PMO) activities to assess its oversight. For example, IA objectives could include determining whether the PMO highlights process gaps, assesses project adherence to timelines, obtains appropriate approvals and identifies areas of future improvements.

Strategic transactions usually take months to complete and IA resources are not unlimited. As a result, a risk assessment and well-thought-out audit plan spanning the entire life cycle will enable IA to focus on key points to deliver maximum value.

IA can act as an advisor to help assess and monitor program management activities, review controls and provide insights while maintaining objectivity.

Mergers and acquisitions

  • Strategy: An organization may have a target in its sights, but before it makes a move, IA should review the corporate strategy process, assess the risks to the organization and evaluate the business case process. This will help support the organization in determining from the start whether the merger or acquisition target aligns with the organization’s corporate growth strategy.
  • Due diligence: During due diligence, IA can assess the valuation process, the risks and internal control environment, and the synergy validation process. This assessment will help enable the organization to determine whether the price is right and provide early insights on any risk or control issues that may exist.
  • Deal approval and close: Before the organization signs the agreement, IA can review the deal approval process to determine if short and long-term goals are defined. IA can also assess the monitoring of the valuation process leading up to close to determine the impact that any changes in the risk and control environment may have on the company.
  • Integration: IA should be part of the integration team and should assess integration design and planning processes, monitor integration execution and assess the transaction value.


  • Strategy: As with M&As, internal auditors can evaluate the corporate strategy for divestments. They should assess whether there is clear ownership of risks by management and whether strong governance over the responsibilities of stakeholders is in place. IA could also help management identify, assess and prioritize potential risks to the control environment.
  • Due diligence: IA could assess the valuation process and provide important insights on the risks and the internal control environment related to strategic (governance and reputation), financial (credit and operational), operations (customer, supply chain and IT) and compliance (regulatory readiness) risks.
  • Deal approval and close: IA should identify whether there are any changes to the control environment and assess the effectiveness of “interim” controls put in place to mitigate risks. IA should also monitor the operation of high-risk controls during the transition.
  • Separation: At the time of separation, IA needs to monitor separation project management, execution of transition service agreements and operational activities, e.g., data transfer and HR initiatives, including payroll. IA should also identify value leakage during separation.
  • Strategy: IA can assess the corporate strategy and whether the objectives and terms of the joint venture or alliance are well defined. IA could also assess whether there is clear understanding and ownership of risks by the participants and whether strong governance over the responsibilities of various stakeholders is in place.
  • Due diligence: Providing a strong foundation for success entails having a clear understanding of the transaction’s goals, scope and road map. The structure, control and responsibilities in a joint venture or alliance can vary widely depending on the transaction objectives and the industry, and they can also be influenced by geography and the regulatory environment. Other variables include the nature of the transaction, such as ownership, structure and control. As a result, the participants’ management teams, joint venture teams and IA should work together to identify and appropriately address the relevant risks, including strategic, reputational, financial, legal, operational and regulatory.
  • Deal approval and close: IA can review the approval process to assess whether short- and long-term goals are defined before the deal closes. IA could also assess the monitoring of the valuation process leading up to close to determine how any changes in the risk and control environment may affect the company.
  • Integration: Governance, oversight and monitoring help form a strong foundation for a joint venture or alliance, and the nature, level and frequency of monitoring and reporting are also vital. IA needs to establish a risk-based approach coordinated with the risk management and IA functions of other transaction participants to periodically assess the performance of the partnership or alliance.


CAEs should be working closely with the board, executive management and corporate development teams to involve IA during the entire strategic transaction life cycle, whether it’s a merger, acquisition, divestment, joint venture or alliance. IA is positioned to add value because of its view across the organization; its understanding of the business; its ability to recommend both a balanced level of controls and, potentially, process improvements; and its independence and objectivity.

IA provides a vital view of deals that many executives may not consider. Without that perspective — right from the start — the organization could find out far too late that the price was not right, that significant risks existed or that it has to spend significant money to fix issues that IA could have helped the organization avoid. IA can also look within its own function not only to respond to changes brought about by the transaction but also to enhance its own activities to bring more value to the organization.


Internal audit has many opportunities to provide business insights and perform advisory reviews either as stand-alone projects or as part of assurance audits. One of the more impactful areas is involvement before, during and after mergers, acquisitions, divestments, joint ventures and alliances. And best practice calls for internal audit to be embedded throughout the transaction life cycle.

About this article