What you don't know can hurt you: targeted control assessments in due diligence
Ahead of the Deal - Australian M&A Briefing
Key insights
- Act early to safeguard deal value – assessing risk controls before deal close minimises potential exposure, integration headaches, and costly post-deal surprises.
- Expose hidden risks that others miss – only a robust evaluation of a target's risk control environment will uncover systemic non-compliance and operational risk weaknesses that are beyond the scope of 'traditional' legal and financial due diligence.
- Prioritise high-stake compliance areas – focus effort on obligations with major penalties, live regulatory investigations, and critical processes to obtain actionable insights while minimising deal risk.
"Control failures are rarely apparent from a balance sheet, but when they surface post-deal close – either through regulatory action, operational risk incidents or integration gaps – liabilities crystallise, leverage to address them is gone, and remediation can be costly, urgent and unavoidable."
M&A transactions move fast, under intense scrutiny, and with little room for error. 'Conventional' legal, financial and tax due diligence is critical, but often does not delve into all areas of risk in a target's business. What may be outside the scope of traditional due diligence is a clear view of the target's risk control environment: the systems, processes and governance that ensure obligations are consistently met, risks are managed and operational integrity is maintained. Without these insights, a buyer may discover it has acquired something quite different from what it expected.
Weak or ineffective controls can conceal historical compliance gaps, operational vulnerabilities and systemic risks – all of which can emerge after deal close in a way that threatens value, attracts regulatory scrutiny and requires costly remediation. Moreover, periods of change such as during an M&A transaction can give rise to unexpected risks. Systems and controls that functioned effectively in stable conditions (such as pre-acquisition) can break down during the transition, and M&A activity itself can be a source of risk, introducing operational stress and potentially attract heightened attention from threat actors.
With increasing regulatory, investor and media scrutiny on regulatory compliance – and high-profile failures attracting significant negative attention – the assessment of the target's control environment as part of due diligence in a M&A process is often no longer just a 'nice to have', but instead a critical step in verifying the effectiveness of controls, protecting deal value and demonstrating responsible risk management.
Understanding risk controls and their importance
In practical terms, risk controls are a series of repeatable and measurable activities designed to reduce risk, support compliance with obligations and enable a process to consistently achieve an expected outcome. Controls typically fall into two categories: preventative controls which prevent errors or reduce the likelihood of a risk arising, and detective controls which identify issues after they occur so corrective actions can be taken.
Consider a payroll obligation where organisations must pay employees accurately and on time. A robust control environment to support this obligation could leverage:
- preventative controls, which might include an automated payroll system that calculates pay and deductions according to obligations and business requirements, checked by HR and/or finance functions; and
- detective controls, which could involve regular reconciliation comparing payroll outputs against bank transfers and employee records, and/or periodic quality assurance reviews to catch anomalies.
Although these controls might be in place on paper, testing these payroll controls is essential to determine if they are actually effective at mitigating non-compliance. Should there not be any testing during a M&A due diligence process to uncover any control weaknesses or gaps – or should they be observed but left unaddressed – these issues can leave the acquirer bearing the burden of underpayment claims, penalties, back payments and other costly remediation requirements, and reputational damage for the combined organisation.
Where 'traditional' due diligence can fall short
Legal, financial and accounting due diligence is often designed for (and limited to) confirming that the bidder has an accurate understand of a target's contracts, licenses, financial statements and legal structures. While essential for both buyers and (in a vendor due diligence context) sellers, these due diligence processes rarely tests how the business actually operates day-to-day, how processes and controls are executed or whether compliance obligations are consistently met in practice.
This can create blind spots on both sides of a transaction. Buyers may inherit hidden compliance gaps or operational failures, while sellers may overestimate the effectiveness of their controls and not anticipate the areas an acquirer's due diligence team will scrutinise before they become points of negotiation (and miss a chance to rectify any such gaps or potential failures before a sale process gathers steam).
We continue to see gaps and risks arising from organisations with poor control environments such as:
- Regulatory obligations are understood but poorly operationalised in practice. For example, an AML policy may exist, but transaction monitoring parameters may not be calibrated effectively, resulting in suspicious activity going undetected and unreported.
- Delegations and approvals that do not reflect actual practice. Where authority limits are bypassed or undocumented, this can invalidate contractual commitments and undermine governance representations.
- Inconsistent or informal incident management and breach reporting practices. Without structured incident identification and classification frameworks, reportable situations may be mischaracterised or not reported at all.
- Control environment that rely heavily on manual processes or key individuals. If compliance depends on institutional knowledge rather than systemised controls, integration or staff turnover can quickly expose gaps.
These issues rarely surface during more 'traditional' due diligence processes that focus on legal and financial, rather than operational matters – not because they are immaterial but because they are often beyond the scope of customary due diligence. As a result, control weaknesses or failures may remain outside the bidder's awareness, do not feature in valuation discussions or negotiations on sale price and terms, and the cost of controls uplift, remediation or addressing missing controls is rarely factored into the transaction.
Control failures can quickly become substantive issues
Control environments are often framed as an operational or risk management concern, but in practice can give rise to real financial and legal exposure when they fall short. In a share acquisition, liabilities resulting from civil penalty exposure, unpaid statutory entitlements, misleading conduct or AML contraventions (for example) remain attached to a target entity regardless of ownership change. In a typical business or asset acquisition, while pre-transaction liabilities may remain the responsibility of the seller, risk control shortcomings that crystallise into liabilities post-transaction can give rise to real loss and damage to an acquirer (as was the case with Australian Clinical Labs' 2021 acquisition of Medlab Pathology, described below).
Regulators such as ASIC, AUSTRAC and APRA assess the conduct of the licensed entity and post-acquisition discovery of systemic control failures can trigger investigations, civil penalty proceedings, enforceable undertakings or licence conditions. In addition, the failure to identify and report historical breaches can itself constitute a fresh contravention, and in some cases, each day of the ongoing non-compliance may be treated as a separate breach.
While risks can be contractually allocated between buyer and seller, regulatory enforcement operates independently of private agreements. Critically, “we didn’t know” is rarely an effective defence and regulators (or indeed courts) may perceive a failure to understand or assess the control environment as a failure to exercise due care, especially if, in hindsight, any flaws are regarded as having been reasonably discoverable through targeted diligence.
Recent enforcement trends demonstrate this clearly. For example, significant penalties have been imposed where cyber security risks were inadequately governed and foreseeable vulnerabilities were not addressed, reinforcing that failure to review and manage operational risk can crystallise into regulatory sanction after an incident.
Illustrative example – How a cyber control assessment in due diligence might have prevented a $5.8m data breach penalty
In Australian Information Commissioner v Australian Clinical Labs Limited, the Federal Court of Australia imposed a $5.8m penalty after a major data breach occurring in or around February 2022 exposed the personal information of over 223,000 individuals from the computer systems of Medlab Pathology, the assets of which had been acquired by Australian Clinical Labs (ACL) in December 2021. The Court found that ACL had failed to take reasonable steps to protect personal information from unauthorised access or disclosure, and had also failed to conduct a timely assessment of whether an "eligible data breach" had occurred and to notify the regulator as soon as practicable (as it was required to do under the Privacy Act 1988 (Cth)).
This outcome provides a salient example of the potential real-world consequences to an acquirer of a target business' inadequate cyber and privacy controls. It also demonstrates the importance of ensuring that comprehensive due diligence involves not only seeking confirmation that the appropriate licences, contracts and governance frameworks are in place, but also an operationally-focused assessment of potential control weaknesses in IT and cyber security, incident response and breach reporting. Failure to undertake such an assessment, or a failure to put steps in place to seek to mitigate those weaknesses if identified, can expose an acquirer to significant regulatory, customer, reputation and financial risk.
In a case such as this, a structured control assessment focused on cyber readiness – including actual technical safeguards, governance and reporting procedures and incident response capabilities – could have identified the deficiencies in the target business' control environment before completion. Insights from such an assessment allow deal teams to negotiate protective terms, such as requirements to remediate before deal close, or plan for integration priorities that directly address identified gaps swiftly following transaction completion. This may also include identifying steps to be taken to protect against critical weaknesses in the relevant controls prior to full integration into the acquirer's framework.
Making control assessments a core part of effective due diligence – our top 5 tips
1. Start with exposure, not policies
Control assessments should focus on risk areas that are most critical to the target's business such as where failures are most likely to result in regulatory, financial, customer or reputational harm. For example, in a payments business, that may be AML transaction monitoring and suspicious matter reporting to AUSTRAC. In financial services licensee, breach reporting and product governance obligations overseen by ASIC may be higher risk. Key considerations to guide prioritisation include:
- Risk appetite – focus on areas where the acquiring organisation has limited tolerance for risk.
- Obligations with the highest penalties or exposure.
- Live or recent regulatory investigations.
- Historical control weaknesses or incident history.
- Complex or high-volume processes.
2. Trace obligations into processes
For each priority area, link the legal requirement to the operational risk control that supports compliance. If the obligation is to report significant breaches, what system identifies them? Who classifies them? What evidence shows they are escalated? If payroll compliance is critical, is the award interpretation embedded in the system or dependent on manual input?
3. Test control design and operation
Confirm that controls are logically capable of preventing or detecting breaches, and that they operate consistently. This may involve sampling transactions, reviewing exception reports, examining breach registers, or testing system configuration. Evidence of effectiveness is key.
4. Assess governance and oversight
Determine whether control failures have been surfaced to the target's senior management and/or board, and whether remediation has been tracked. Regulators assess whether reasonable steps were taken. Weak escalation and reporting frameworks often convert operational lapses into governance issues.
5. Feed findings into the deal
Insights from the control assessment should inform the scope of the broader due diligence and transaction negotiations, with findings integrated into commercial and legal workstreams to guide not only valuation discussions but also (where necessary) the drafting and negotiation of warranties and indemnities, as well as shaping the bidder's post-closing integration and (if necessary) remediation plans.
Where to focus: current and emerging hotspots ripe for control assessments
Certain compliance areas are particularly high-risk, either because of recent enforcement, recurring operational failures, or evolving regulatory focus. We consider the following areas should be front-of-mind for any control assessment during due diligence:
- Cybersecurity and privacy: Increasingly targeted by regulators with recent cases, including Australian Clinical Labs, showing that weak technical safeguards and delayed incident response can lead to multi‑million-dollar penalties.
- Payroll and employment obligations: Recurring failures in wage compliance, calculation of leave entitlements, and record-keeping have led to significant fines and enforcement action.
- Third-party and outsourcing controls: Oversight gaps in outsourced services or contractors can trigger regulatory scrutiny and operational risk, especially in the financial services space following the implementation of APRA's CPS 230 regarding operational risk management.
- Conduct and pricing issues: Recent ACCC enforcement, which brings not only potential financial penalties but also the risk of significant reputational harm, has highlighted misleading or unfair pricing practices and other consumer-related conduct failures as a key priority for the regulator.
What deal teams should do differently
We consider that the question should no longer be whether to assess risk controls in M&A transactions, but how such assessment is best tailored to the relevant target business and transaction and effectively made part of a comprehensive diligence process – including in particular how early in the diligence process this assessment should start.
Practical steps for deal teams to incorporate control assessments into due diligence, and transaction processes more broadly, include:
- Review upcoming deals: Map planned or potential M&A transactions to identify in advance high-risk areas where control assessments would add the most value – so that you are ready when a deal process begins.
- Clearly signpost the importance of controls assessment – early and often: Where a bidder has determined that controls assessments will be a necessary part of its due diligence process, this should be flagged to the seller / target as early as possible in the process (for example, in any expression of interest or non-binding indicative offer letter) and reinforced in early interactions (such as comments on term sheets or transaction documents) – to ensure that the target will make available, in a timely way, the necessary operational resources and contacts.
- Embed assessment triggers in the deal process: Incorporate check-points in transaction timelines to flag when a control assessment is required - for example pre-signing, pre-closing or post-merger integration.
- Leverage independent validation: Engage with external expertise for high-risk or technically complex areas such as cyber, privacy or third-party oversight, to provide the necessary control assessment assurance and benchmarking.
Authors: Gwladys Ngo Tedga Yagla, Partner, Risk Advisory; Yumo Wang, Executive, Risk Advisory and Joseph Seliong, Executive, Risk Advisory.
Want to know more?
- Controls Modernisation Spotlight
- Cyber readiness lessons from Australian Clinical Labs and Australia's first privacy penalty
