• Internal controls, especially around fraud prevention, are essential for limiting losses, driving efficiency, improving accountability, and boosting company value during investments or M&A deals.
• The “tone at the top” from leadership in fostering an ethical environment, along with proper segregation of duties, are key elements for fraud prevention and strong internal controls.
• Well-established policies and procedures, like Delegation of Authority rules and restricted system access protocols, are also vital for maintaining adequate controls to enable company growth.

~

As the economy stands on shaky legs, private equity and venture capital firms are necessarily careful and strategic when assessing potential investment opportunities. Whether your long-term plan includes acquiring another company, selling your business, or seeking new capital, strengthening your internal control environment — with a focus on preventing fraud — is a powerful way to increase actual and perceived value.

In the following, we will lay out the reasons why fraud prevention is an essential element to proper corporate governance and illustrate key areas to examine whether your internal control environment is built to help your operation succeed.

The Importance of Internal Controls in Fraud Prevention

A robust internal control system is the first step toward managing, mitigating, and uncovering fraud. A strong internal control environment will:

Protect your company’s assets by reducing the risk of theft or misappropriation of cash, inventory, equipment, and intellectual property.

Detect fraudulent activities or irregularities early on and deter employees from attempting fraud in the first place.

Provide cost savings by limiting opportunities for financial losses, costly investigations, and legal expenses associated with fraud.

Drive operational efficiency by providing clear processes and guidelines that reduce the risk of errors or inefficiencies in day-to-day operations.

Improve employee accountability by implementing checks and balances that discourage unethical behavior.

When seeking an investment or undertaking a significant M&A deal, you should have a firm grasp of the strength and quality of your internal control environment. Not only will you reduce the risk of fraud in the near term, but you will also cultivate confidence with potential investors and M&A partners.

Fraud Prevention Starts with the “Tone at the Top”

The first key element to look for in measuring the strength of your internal controls is ensuring a clear and proactive “tone at the top”, meaning an ethical environment fostered by the board of directors, audit committee, and senior management. A good tone at the top encourages positive behavior and helps prevent fraud and other unethical practices.

There are four elements to fraud: pressure, rationalization, opportunity and capability.

Pressure motivates crime. This could be triggered by debt, greed, or illegal deeds. Individuals who have financial problems and commit financial crimes tend to rationalize their actions. Criminals may feel that they are entitled to the money they are stealing, because they believe they are underpaid. In some cases, they simply rationalize to themselves that they are only “borrowing” the money and have every intention of paying it back.

Criminals who can commit fraud and believe they will get away with it may just do it. Capability means the criminal has the expertise as well as the intelligence to coerce others into committing fraud. The board of directors is responsible for selecting and monitoring executive management to ensure best practices are in place to limit the motivations of all four elements of fraud.

Proper Segregation of Duties for Internal Controls

The second key element to look for in your internal controls is a well-established segregation of duties. The idea is to establish controls so that no single person has the ability that would allow them the opportunity to commit fraud. Companies must make it extremely difficult for any single employee to have the opportunity to perpetrate a crime and subsequently cover it up.  

Fraud Controls 

There are three types of controls that help manage the risks of fraud: preventative, detective, and corrective.

• Preventative controls seek to avoid undesirable events, errors, and other occurrences that an enterprise has determined could have a negative material effect on a process or end product. Preventative controls are the best of the three as they are the first line of defense and a backstop to fraud. If designed correctly, preventative controls stop an undesirable event from even happening.  
• Detective controls exist to detect and report when errors, omission, and unauthorized uses or entries have already occurred. Although it is important to identify these adverse events, you are doing so after the fraud has already been committed.  
• Corrective (also referred to as compensating) controls are designed to correct errors, omissions, and unauthorized uses and intrusions once they are detected.  

Preventing Misappropriation of Assets 

An important component of segregation of duties is to prevent the misappropriation of assets and reduce fraud risk. Below are some examples of best practices for various types of assets: 

• Cash Receipt: segregate the receipt of cash/checks and the recording of the journal entry in the accounting system into two roles.
• Accounts Receivable: segregate the responsibilities of recording cash received from customers and providing credit memos to customers. (If one person performs both functions, it creates the opportunity to divert payments from the customer to the employee and then cover the theft with a matching credit to the customer’s account).
• Cash Reconciliation: the individuals who authorize, process, or record cash should not perform the bank reconciliation to the general ledger.
• Inventory: individuals who order goods from the suppliers should not have the ability to log the goods received in the accounting system.
• Payroll: segregate the responsibilities of compiling gross and net pay for payroll, with the responsibilities of verifying the calculation. (If a single individual performs both functions, it allows for the opportunity to increase personal compensation and the compensation of others without authorization. It also provides an opportunity to create a fictitious payee and make corresponding payroll checks).

The Importance of Policies and Procedures

The third key element to look for in your investees is well-established policies and procedures. Make sure that any company you consider acquiring has basic policies and procedures in place, such as Delegation of Authority (DOA).

The DOA is a policy where the executive team delegates authority to the management of the company. Individuals should be considered appropriate to fulfill delegated roles and responsibilities. The DOA should be reviewed at least annually. Subsequently, it is important to ensure that the DOA is being followed, and that approvals do not deviate from it. Any such anomalies should be rare and, when they do occur, they need to be reviewed and approved. Constant deviations from the DOA may be a sign that the DOA needs to be restructured.

A second essential policy and procedure is restricted computer and application access. This is to protect sensitive company financials and proprietary data. The company should have a robust control environment and maintain computer logins and password access on a need-to-know basis. Access should only be granted by the owner of the application or system and subsequently logged by the administrator. Now more than ever companies are hiring remote employees. This shift in the dynamic workspace further emphasizes the need for a quality IT controls environment.

How We Can Help

As you prepare your company for future growth, getting an impartial third-party opinion on your internal control environment can be a powerful tool for finding gaps and inefficiencies, and implementing value-added changes.

Our dedicated Public Company teams offer a deep level of industry experience and technical skills. We can help prepare your company for a major capital raise, including going public via an IPO or RTO. Or we can help optimize value for an M&A deal, whether you are buying or selling. Contact us today to access an external, holistic vision focused on helping you grow and succeed

Executive Summary:

• The Sarbanes-Oxley (SOX) Act established stricter financial reporting requirements for public companies, leading to increased scrutiny of Information Produced by the Entity (IPE).
• IPE carries different levels of risk depending on whether it is system-generated and manually prepared IPE. Strong documentation is key to validating completeness and accuracy of IPE.
• Best practices for IPE documentation include identifying the source, parameters, and format of reports; validating totals and counts; retaining screenshots; and having knowledgeable reviewers.

~

Passed by Congress in 2002, the Sarbanes-Oxley (SOX) Act revolutionized public company audits by introducing financial reporting requirements aimed at increasing transparency and preventing fraud. Most notably, the SOX Act established the Public Company Accounting Oversight Board (PCAOB), a nonprofit organization that oversees the audits of public companies to protect investors and further the public interest in the preparation of informative, accurate, and independent audit reports.  

The PCAOB refines its auditing standards annually and, in recent years, the organization has placed greater scrutiny on the work of external auditors. To keep up with PCAOB compliance, external auditors have imposed more rigorous documentation requirements on companies. As a result, companies have felt pressure to provide more expansive Information Produced by the Entity (IPE).

If external auditors have applied greater scrutiny on your reporting, you may be wondering: What level of documentation is sufficient? How can you improve your documentation to avoid deficiencies and provide greater clarity? In this article, we will discuss: 1) what IPE is, 2) the risks associated with different IPE, and 3) how to document your IPE thoroughly.

What is IPE?

IPE is any information created by a company used as part of audit evidence. Audit evidence may be used to support an underlying internal control or as part of a substantive audit. Although there are documentation and risk severity differences between system-generated and manually prepared IPE, the fundamental questions that need to be addressed are the same:

1. Is the data complete?  

2. Is the data accurate?

Risk Levels of Different IPE

Here is an overview of how risk levels vary for different types of information you report to auditors:  

Low Risk

“Out of the box” reports carry the lowest risk. These reports are also referred to as “standard” or “canned” reports. Standard reports have been developed by software companies — such as Oracle NetSuite, QAD, or SAP — as part of their enterprise resource planning (ERP) systems. Typically, the end user (you) and even your IT team cannot modify these reports. Given the constrained editability, greater reliance is placed on these reports.   

Medium Risk

Custom reports are typically driven by the business team and developed in-house by your company’s IT team. When your company’s ERP system does not have a report that would provide sufficient data, the in-house developers create a custom report. The IT team follows their change management process when developing the request report. If the report results do not align with your business team’s expectations, the query is refined, and the process is repeated until it does.  

High Risk   

A manually prepared workbook or an ad-hoc query are inherently the riskiest documentation. A manually prepared workbook may be a debt reconciliation prepared by your staff accountant, or a list of litigations the company is involved in drafted by your legal department. Given that these are manually drafted, the margin of error may be high.  

An ad-hoc query is considered high risk since the report is not subject to IT General Controls (ITGC) testing. The end user may input any parameters to generate the report. Since no control testing is performed by your company, external auditors would need to rely on their own IT team to vet the nonstandard query. 

How to Document IPE? 

Your documentation will vary to a certain degree depending on whether the IPE is manually prepared or system generated. In either case, it is important to be as thorough as possible when documenting your procedures.  

Manual IPE

For a manually prepared workbook, provide thorough documentation about the origins of the data. It is ideal to have someone who is privy to the information review the workbook.  

When the reconciliation is comprised of debt instruments, the reviewer should do the following:   

1. Match the list of individual debt instruments to the signed agreements.  

2. Validate the reconciliation and each individual schedule for mathematical accuracy.  

3. Confirm ending principal balances with creditors (where possible).  

If the list consists of litigations compiled by the legal department, the reviewer should do the following:   

1. Send confirmations to outside counsel (where possible).  

2. Obtain a list of commitments and contingency journal entries made to an accrual.    

These additional steps provide greater comfort that the list compiled is complete and accurate.   

System-Generated IPE

For system-generated IPE, there are a handful of questions to keep in mind:   

1. Have you identified the report or saved search that was used?   

2. What parameters were used to generate this report?   

3. In what format is the data exported?   

4. After you run your report and confirm the parameters are correct, what format should be utilized for your export?  

Exported Data

Most ERP systems allow the exporting of data in the following four formats:   

1. PDF (portable document format) 

2. Excel  

3. CSV (comma-separated values)   

4. Text file   

One major drawback in an Excel, CSV, and text file is that, by their nature, they are editable upon export. An additional drawback of a text file is that it does not contain formatting. As the volume of data grows, proving out the completeness and accuracy becomes more challenging. For these reasons, a PDF export is typically preferred.  

After the data is exported in one of the four formats, you want to ensure that it agrees back to the system (completeness and accuracy). Here are a few ways to do that:     

1. Does the exported data have dollar amount totals? If so, agree the total dollar amount to the system.  

2. Does the exported data have hash totals? An example of a hash total is employee ID numbers which in aggregate have no real value other than providing confirmation that the data is complete and accurate.   

3. Does the report have a total line count? If totals are not available, line counts may be used. However, it is important to note that while the line count may agree, the data itself could have still been inadvertently manipulated.  

Screenshots of Data

Retaining screenshots is imperative for documentation. A detailed screenshot should include some (if not all) of the following:  

1. Totals (dollar amounts, hash amounts, etc.)   

2. Lines count   

3. Parameters utilized 

4. Time and date stamp 

The first three items validate the completeness and accuracy of the exported data. The fourth item confirms when the report was run and if it was timely. There are many reports that are point-in-time and may not be recreated at a future date. Knowing the constraints of the reports you use is important. Retaining screenshots cannot be overemphasized, especially for point-in-time reports.   

Certain ERP systems or online portals do not provide a preview of the report prior to the export. This puts a constraint on the validation of completeness and accuracy, as it inhibits screenshots from being taken. In this case, as part of the review, the reviewer should re-run the report and validate that the original report used matches the information in the re-run report.

Strengthen Your SOX Compliance by Implementing Best Practices  

There is no perfect science to IPE documentation. But the end goal is to be as detailed as possible. By simply focusing on the fundamental questions and ensuring that your documentation addresses them, your documentation will inevitably improve.   

Developing best practices for your team is the cornerstone for any successful audit. Ensure you have the right guidance to make it happen. Our Audit and Assurance team can tailor a SOX environment to meet your needs. Contact us today to learn more.

• The Securities and Exchange Commission (SEC) is promoting the enhancement and standardization of registrants’ disclosures related to cybersecurity risk management, strategy, and governance by adopting a rule that requires public companies to disclose “material” cybersecurity breaches within four days of determining its materiality.
• The SEC wants to know: the processes the companies use to assess, identify, and manage cybersecurity risks, as well as the board’s oversight of such risks and management’s role in assessing and managing those risks.
• The rules apply to nearly all registrants that file periodic reports with the SEC (including foreign private issuers and smaller reporting companies).
• Registrants must also include their risk management, strategy, and governance disclosures in their 2023 annual reports.

The SEC wants public companies to be more transparent with its investors about cybersecurity. On July 26, 2023, it voted 3-2 to adopt new rules on disclosure to promote clarity surrounding “material” breaches and what’s being done to combat them. And it wants them to do this within four days of determining if a cybersecurity breach was material on Form 8-K.
However, delays may be permitted if immediate disclosure of the breach could pose a national security or public safety risk.

Defining “material” disclosures

According to the U.S. Supreme Court, a piece of information is material to investors when its disclosure “would be viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.”

Why is the SEC implementing this rule change?

The SEC seeks to protect companies and investors as cybersecurity incidents have increased in number and sophistication in recent years. In their fact sheet they note: “Cybersecurity risks have increased alongside the digitalization of registrants’ operations, the growth of remote work, the ability of criminals to monetize cybersecurity incidents, the use of digital payments, and the increasing reliance on third party service providers for information technology services, including cloud computing technology (…) All of these trends underscored the need for improved disclosure.”

But corporations are contesting the rules, arguing this short announcement period is unreasonable — and could reveal vulnerabilities that could be exploited by more cybercriminals looking to take advantage of a company mid-breach.

What are the requirements for risk management, strategy, and governance disclosures?

Public companies will be required to disclose their cybersecurity breaches within a four-day time period. This disclosure must include additional details too, like the timing of the incident, its impact on the company, and management’s expertise on cybersecurity in Form 10-Ks (and Form 20-Fs for Foreign Filers).

How will the SEC cybersecurity rules affect you?

The SEC has observed that previous cybersecurity announcements have been inconsistent and inadequate.

Many public companies already have plans in place to share sensitive information about their cyber incidents with federal agencies (FBI). Last year, the Cybersecurity and Infrastructure Security Agency (CISA) adopted cybersecurity rules that require critical infrastructure entities to report breaches within three days to CISA. This reporting duplication could prove confusing and time-consuming.

Ultimately, all public companies need robust internal controls and reporting systems to maintain compliance with the SEC requirements. This assumes issuers already have top-tier cybersecurity technology and processes in place. If not, they’ll need to build these functions out to minimize subsequent fallout from investors and regulators when these inadequacies are made public in their reporting.

The SEC strives to protect investors, which isn’t a bad thing. However, the enforcement of these new rules may not be the most logical option to do so.

Ultimately, the question may not necessarily be how many days you should take to disclose your breach but who should actually be regulating cybersecurity, and who has the authority to call the shots. Cybersecurity is no longer a “nice to have” function in an organization.

How we can help

It’s important to stay vigilant to protect your organization from risk and maintain compliance. Our Technology and Cybersecurity Practice can help verify you are compliant and strengthen your overall cybersecurity, so these incidents are less likely to occur. And, if they do, you’ll be ready to mitigate risks sooner— and make progress towards compliance with the SEC’s new rules.

If you are ready to assess your cybersecurity posture, or you have questions about
how the SEC’s new requirements could affect you, schedule a conversation with our Technology and Cybersecurity team today.

Private organizations, while not always smaller, often have limited resources in specialty areas, including accounting for income tax. This resource constraint —the work being done outside the core accounting team — combined with the complexity of the issues, means private companies are ideal candidates for, and can achieve significant benefit from, internal controls enhancements. Thinking beyond the present, the following are five reasons private companies may want to adopt public-company-level controls:

1. Future Initial Public Offering (IPO) – Walk before you run! If the company believes an IPO may be in its future, it’s better to “practice” before the company is required to be SOX compliant. A phased approach to implementation can drive important changes in company culture as it prepares to become a public organization. Recently published reports analyzing IPO activity reveal that material weaknesses reported by public companies were disproportionately attributable to recent IPO companies. Making a rapid change to SOX compliance can place a heavy burden on a newly public company.

2. Merger and Acquisition Deals – If the possibility of the company being sold to an M&A deal exists, enhanced financial reporting controls can provide the potential buyer with an added layer of security or comfort regarding the financial position of the company. Further, if the acquiring firm has an exit strategy that involves an IPO, the requirement for strong internal controls may be on the horizon.

3. Rapid Growth – Private companies that are growing rapidly, either organically or through acquisition, are susceptible to errors and fraud. The sophistication of these organizations often outpaces the skills and capacity of their support functions, including accounting, finance, and tax. Standard processes with preventive and detective controls can mitigate the risk that comes with rapid growth.

4. Assurance for Private Investors and Banks – Many users other than public shareholders may rely on financial information. The added security and accountability of having controls in place is a benefit to these users, as the enhanced credibility may impact the cost of borrowing for the organization.

5. Peer-Focused Industries – While not all industries are peer-focused, some place significant weight on the leading practices of their peers. Further, some industries require enhanced levels of security and control. For example, cannabis companies with a heavy regulatory burden, industries with sensitive customer data like lifesciences, and tech companies that handle customer data, often look to their peer group for leading practices, including their control environment. When the peer group is a mix of public and private companies, the private company can benefit from keeping pace with the leading practices of their public peers.

Private companies are not immune from the intense scrutiny of numerous stakeholders over accountability and risk. Companies with a clear understanding of the inherent risks that come from negligible accounting practices demonstrate their ability to think beyond the present, and to be better prepared for future growth or change in ownership.

Mergers with SPACs have always been an alternative to traditional IPOs. With the IPO market effectively minimized for the time being, SPAC mergers are an increasingly desirable public market liquidity option for private companies.

What the numbers tell us

2020 is a record-shattering year for a revitalized SPAC market. According to data provided by ELLO Capital, there have been 95 SPAC IPOs so far in 2020, raising $37.8 billion (average size: $397 million). That compares with 59 in all of 2019, which raised $13.6 billion (average size: $230 million).

On July 22, 2020, Pershing Square founder Bill Ackman raised $4 billion in the IPO of Pershing Square Tontine Holdings Ltd., the largest SPAC IPO to date. With an initial target of $3 billion, the SPAC included a unique pricing approach: a fixed pool of warrants to be distributed to shareholders who accept a subsequent deal – increasing the take for approvers.

“COVID-19 is likely a direct cause of the acceleration in SPACs this year, as global lockdown policies have restricted travel and the ability to do roadshows. As a result, SPACs have largely replaced traditional IPOs,” said Mark Young, co-founding partner of Bridge Point Capital. “Plus, SPACS appeal to the high-growth technology sector, which has led the market recovery post-February correction, and continue to drive grwoth in the work-from-home economy.”

SPACs: rules of the road

• Speed is the name of the game – Leveraging the market expertise of leadership team, a SPAC can raise funds in a matter of days, without the time and resource demands of a roadshow.
• Minimum value is set – The acquired company/companies must have a minimum value, generally 80% of the fund the SPAC has in escrow following the IPO. Multiple closings, obviously, complicate the otherwise-simple SPAC process and inject completion risk into the transaction.
• The clock is ticking – There’s a deadline reality for both the SPAC and the target: If the SPAC doesn’t close the deal by the deadline, it must return the funds it raised in its offering. On the flip side, getting near the deadline can help give a target company some leverage.
• Valuation risk – Investors in SPACs are very much like IPO investors: there is an expectation that they are buying at a discount and there is significant growth potential around the corner. They are not looking for turnaround stories. In turn, SPACs are perceived as focused on growth verticals.
• Shareholder approval required – The SPAC is a public company that inherits all the baggage – reporting/regulatory demands, liabilities, etc. – of a public company. Approval by target company shareholders likely will be required. And the SPAC would need to file a proxy statement and secure approval from the Securities and Exchange Commission.
• Redemption risk – Here’s an interesting twist: At the time of the transaction, the SPAC’s public shareholders can redeem their stock. The risk: the SPAC’s cash availability – which might be needed to complete the transaction – could take a hit if the redemptions are significant.
• Warrants also in play – Sometimes the purchase price includes stock; the value of those shares are impacted by the associated rights. In most cases, the warrants can be exercised at a premium to the original offering price. What can happen: the valuation of stock included in purchase price may rise above, or fall below, the value of the stock issued to a target. The driving factor: can a deal actually get done.
• Navigate the de-SPAC phase – Definition: the time between the definitive agreement and closing. What needs to be done: communicate details of the transaction to the SPAC’s stakeholders. The goal: optimize the story, educate sales people, engage analysts – protect value.

The record so far

• DraftKings (NASDAQ: DKNG): Shares in the online fantasy and gambling company jumped to $18.69 per share when the merger agreement was announced in December, and then edged up to $19.35 per share on the first day of trading, Since then, the price has climbed to about $44.00 per share before settling back into the $37.00-$40.00 area. Its current market capitalization is over $13.5 billion.
• Virgin Galactic (NYSE: SPCE.N): The Richard Branson-backed competitor to Elon Musk’s SpaceX and Jeff Bezos’ Blue Origin, Virgin Galactic shares currently trade in around $17.00-$20.00, about double their late October day-one level, and more than three times their low of $6.90 per share. The stock has reached a high of $42.49 per share, and the company’s current market capitalization is $3.9 billion.
• Nikola (NASDAQ: NKLA): The green truck company has been on a roller-coaster ride since its late June debut. It has climbed as high as $93.99 at one point and currently trades at about $37.00 per share. Market capitalization is just under $14 billion.

Leading the way is a pending deal from Churchill Capital Corp. III, which has agreed to acquire health-cost management services provider MultiPlan for $11 billion. This would make it the largest ever SPAC deal.

“The healthcare and life sciences industries are two sectors likely to continue driving SPAC growth in the COVID-19 era,” said Nadia Tian, co-founding partner of Bridge Point Capital. “This is because healthcare traditionally outperforms the market in a recession, SPACs allow biotech companies to have more cash on hand than a traditional IPO, and the government and consumers are especially focused on these areas as we search for solutions to the COVID-19 outbreak.”

Final thoughts

Private companies that were planning an IPO or other significant M&A deal before the global economic downturn caused by the COVID-19 pandemic may want to seriously consider a SPAC deal. As with all transactions significant, intensive planning, vetting, due diligence and other considerations must be undertaken.

MGO’s dedicated SEC practice has experience with IPOs, RTOs, M&A deals and the unique characteristics of SPAC acquisitions. To understand your options, and the path ahead, please feel free to reach out to us for a consultation.

Deal structure can be viewed as the “Terms and Conditions” of an M&A deal. It lays out the rights and obligations of both parties, and provides a roadmap for completing the deal successfully. While deal structures are necessarily complex, they typically fall within three overall strategies, each with distinct advantages and disadvantages: Merger, Asset Acquisition and Stock Purchase.
In the following we will address these options, and common alternatives within each category, and provide guidance on their effectiveness in the cannabis and hemp markets.

Key considerations of an M&A structure

Before we get to the actual M&A structure options, it is worth addressing a couple essential factors that play a role in the value of an M&A deal for both sides. Each transaction structure has a unique relationship to these factors and may be advantageous or disadvantageous to both parties.

Transfer of Liabilities: Any company in the legally complex and highly-regulated cannabis and hemp industries bears a certain number of liabilities. When a company is acquired in a stock deal or is merged with, in most cases, the resulting entity takes on those liabilities. The one exception being asset deals, where a buyer purchases all or select assets instead of the equity of the target. In asset deals, liabilities are not required to be transferred.

Shareholder/Third-Party Consent: A layer of complexity for all transaction structures is presented by the need to get consent from related parties. Some degree of shareholder consent is a requirement for mergers and stock/share purchase agreements, and depending on the Target company, getting consent may be smooth, or so difficult it derails negotiations.

Beyond that initial line of consent, deals are likely to require “third party” consent from the Target company’s existing contract holders – which can include suppliers, landlords, employee unions, etc. This is a particularly important consideration in deals where a “change of control” occurs. When the Target company is dissolved as part of the transaction process, the Acquirer is typically required to re-negotiate or enter into new contracts with third parties. Non-tangible assets, including intellectual property, trademarks and patents, and operating licenses, present a further layer of complexity where the Acquirer is often required to have the ownership of those assets formally transferred to the new entity.

Tax Impact: The structure of a deal will ultimately determine which aspects are taxed and which are tax-free. For example, asset acquisitions and stock/share purchases have tax consequences for both the Acquirer and Target companies. However, some merger types can be structured so that at least a part of the sale proceeds can be tax-deferred.

As this can have a significant impact on the ROI of any deal, a deep dive into tax implications (and liabilities) is a must. In the following, we will address the tax implications of each structure in broad strokes, but for more detail please see our article on M&A Tax Implications (COMING SOON).

Asset acquisitions

In this structure, the Acquirer identifies specific or all assets held by the Target company, which can include equipment, real estate, leases, inventory, equipment and patents, and pays an agreed-upon value, in cash and/or stock, for those assets. The Target company may continue operation after the deal.
This is one of the most common transaction structures, as the Acquirer can identify the specific assets that match their business plan and avoid burdensome or undesirable aspects of the Target company. From the Target company’s perspective, they can offload under-performing/non-core assets or streamline operations, and either continue operating, pivot, or unwind their company.
For the cannabis industry, asset sales are often preferred as many companies are still working out their operational specifics and the exchange of assets can be mutually beneficial.

Advantages/Disadvantages

Transfer of Liabilities: One of the strongest advantages of an asset deal structure is that the process of negotiating the assets for sale will include discussion of related liabilities. In many cases, the Acquirer can avoid taking on certain liabilities, depending on the types of assets discussed. This gives the Acquirer an added line of defense for protecting itself against inherited liabilities.

Shareholder/Third-Party Consent: Asset acquisitions are unique among the M&A transaction structures in that they do not necessarily require a stockholder majority agreement to conduct the deal.

However, because the entire Target company entity is not transferred in the deal, consent of third-parties can be a major roadblock. Unfortunately, as stated in our M&A Strategy article, many cannabis markets licenses are inextricably linked to the organization/ownership group that applied for and received the license. This means that acquiring an asset, for example a cultivation facility, does not necessarily mean the license to operate the facility can be included in the deal, and would likely require re-application or negotiation with regulatory authorities.

Tax Impact: A major consideration is the potential tax implications of an asset deal. Both the Acquirer and Target company will face immediate tax consequences following the deal. The Acquirer has a slight advantage in that a “step-up” in basis typically occurs, allowing the acquirer to depreciate the assets following the deal. Whereas the Target company is liable for the corporate tax of the sale and will also pay taxes on dividends from the sale.

Stock/share purchase

In some ways, a stock/share purchase is a more efficient version of a merger. In this structure, the acquiring company simply purchases the ownership shares of the Target business. The companies do not necessarily merge and the Target company retains its name, structure, operations and business contracts. The Target business simply has a new ownership group.

Advantages/Disadvantages

Transfer of Liabilities: Since the entirety of the company comes under new ownership, all related liabilities are also transferred.

Shareholder/Third Party Consent: To complete a stock deal, the Acquirer needs shareholder approval, which is not problematic in many circumstances. But if the deal is for 100% of a company and/or the Target company has a plenitude of minority shareholders, getting shareholder approval can be difficult, and in some cases, make a deal impossible.

Because assets and contracts remain in the name of the Target company, third party consent is typically not required unless the relevant contracts contain specific prohibitions against assignment when there is a change of control.

Tax Impact: The primary concern for this deal is the unequal tax burdens for the Acquirer vs the Shareholders of the Target company. This structure is ideal for Target company shareholders because it avoids the double taxation that typically occurs with asset sales. Whereas Acquirers face several potentially unfavorable tax outcomes. Firstly, the Target company’s assets do not get adjusted to fair market value, and instead, continue with their historical tax basis. This denies the Acquirer any benefits from depreciation or amortization of the assets (although admittedly not as important in the cannabis industry due to 280E). Additionally, the Acquirer inherits any tax liabilities and uncertain tax positions from the Target company, raising the risk profile of the transaction.

Three types of mergers

1: Direct merger

In the most straight-forward option, the Acquiring company simply acquires the entirety of the target company, including all assets and liabilities. Target company shareholders are either bought out of their shares with cash, promissory notes, or given compensatory shares of the Acquiring company. The Target company is then considered dissolved upon completion of the deal.

2: Forward indirect merger

Also known as a forward triangular merger, the Acquiring company merges the Target company into a subsidiary of the Acquirer. The Target company is dissolved upon completion of the deal.

3: Reverse indirect merger

The third merger option is called the reverse triangular merger. In this deal the Acquirer uses a wholly-owned subsidiary to merge with the Target company. In this instance, the Target company is the surviving entity.

This is one of the most common merger types because not only is the Acquirer protected from certain liabilities due to the use of the subsidiary, but the Target company’s assets and contracts are preserved. In the cannabis industry, this is particularly advantageous because Acquirers can avoid a lot of red tape when entering a new market by simply taking up the licenses and business deals of the Target company.

Advantages/Disadvantages

Transfer of Liabilities: In option #1, the acquirer assumes all liabilities from the Target company. Options #2 and #3, provide some protection as the use of the subsidiary helps shield the Acquirer from certain liabilities.

Shareholder/Third Party Consent: Mergers can be performed without 100% shareholder approval. Typically, the Acquirer and Target company leadership will determine a mutually acceptable stockholder approval threshold.

Options #1 and #2, where the Target company is ultimately dissolved, will require re-negotiation of certain contracts and licenses. Whereas in option #3, as long as the Target company remains in operation, the contracts and licenses will likely remain intact, barring any “change of control” conditions.

Tax Impact: Ultimately, the tax implications of the merger options are complex and depend on whether cash or shares are used. Some mergers and reorganizations can be structured so that at least a part of the sale proceeds, in the form of acquirer’s stock, can receive tax-deferred treatment.

In conclusion

Each deal structure comes with its own tax advantages (or disadvantages), business continuity implications, and legal requirements. All of these factors must be considered and balanced during the negotiating process.

Catch up on previous articles in this series and see what’s coming next…

As one of the largest, and fastest-growing stock exchanges in the world, the Nasdaq is a highly-sought after destination for foreign companies seeking access to U.S. public markets. While there will be more rules dictating eligibility for issuing IPOs on the Nasdaq, it is MGO’s interpretation that these changes are not retributive but are instead designed to simply increase transparency and accountability to protect the investor community.

It is our hope that companies from China, and other affected countries, are not discouraged by these new rules and, in fact, feel emboldened. These new rules give companies bright lines in order to have a successful offering and will eliminate much of the subjectivity around the qualifications to go public. With these guidelines in place, issuances that meet the new Nasdaq requirements are expected to be enthusiastically embraced by an investor community with greater confidence that their money is in safe hands.

In the following we will explore the new rules, what they mean, and steps affected companies considering an IPO should take to prepare.

What are “Restrictive Markets?”

At the center of the Nasdaq’s proposed listing requirement changes is a new definition of “Restrictive Markets,” which defines the regions and companies affected by the new rules. According to the Nasdaq’s public notice to the SEC, Restrictive Markets are defined as:

“a jurisdiction that Nasdaq determines to have secrecy laws, blocking statutes, national security laws or other laws or regulations restricting access to information by regulators of U.S.-listed companies in such jurisdiction.”

To determine whether a company is based in a Restrictive Market, Nasdaq will consider the primary location of:

• Principal business segments, operations or assets;
• Board and shareholders’ meetings;
• Headquarters or principal executive offices;
• Senior management and employees; and
• Books and records.

Nasdaq will take a holistic approach to assessing these factors and determining whether a company is based in a Restrictive Market, bearing in mind that a company’s headquarters may not be the office from which it conducts its principal business activities.

This definition (and pursuant rules) would apply to both foreign private issuers based in Restricted Markets and companies based in other jurisdictions that principally administer their businesses in Restricted Markets.

Nasdaq has not officially provided a list of jurisdictions they consider Restrictive Markets.

The details of proposed Nasdaq rules changes

Rule #1: Additional Listing Criteria for Restrictive Market Companies

• For an IPO: A Restrictive Market company must offer a minimum amount of securities totaling at least $25 million; or 25% of the company’s post-market value.
• For a Business Combination: A Restrictive Market company to have a minimum market value of unrestricted publicly held shares following the business combination equal to the lesser of: $25 million; or 25% of the post-business combination entity’s market value of listed securities.
• For a Direct Listing: A Restrictive Market company is only permitted to list on the Nasdaq Global Select Market or Nasdaq Global Market in connection with a Direct Listing.

Reasoning: This rule represents the first time the Nasdaq has created minimum values for an IPO. The Nasdaq justifies the move by commenting that small offerings often do not reflect the true value of the company, and a lack of liquidity can create opportunities for price manipulation, and may make issuances unappealing to institutional investors and the secondary market.

Impact: For over a decade, smaller Chinese companies have pursued IPOs as a liquidity/exit event that provides access to U.S. dollars. The Nasdaq only wants companies genuinely seeking to raise capital and trade shares. Chinese companies only seeking a limited liquidity event will be turned away if they do not meet the float percentage requirements.

Rule #2: “Restricted Market” companies must have senior management or a director with experience with U.S. regulatory and reporting requirements, Nasdaq rules, and federal securities laws. Currently listed companies will have a period to get in compliance, while IPOs must have this member on the leadership team. Compliance will be on-going.

Reasoning: A number of corporate governance issues have created scandals and other disruptions that have cost U.S. investors millions, if not billions, of dollars. By requiring that a member of senior-level management have a qualified understanding of regulatory, reporting and securities laws, Nasdaq intends to ensure there is institutional understanding of applicable rules and requirements.

Impact: Many businesses seeking to go public on the Nasdaq will likely already have a member of leadership with this experience. And if they don’t, rule or not, they certainly should. Nasdaq’s proposed rules allow for an advisory role that meets their standards. This position will be expected to provide on-going guidance related to corporate governance, internal controls, and other securities law concerns.

Rule #3: More stringent criteria for auditors of companies (not only Restrictive Market) applying for IPOs or that are already listed. These criteria include:

• Auditor must be subject to PCAOB inspections.
• Auditor must pass PCAOB inspections, sufficiently respond to inspection requests, and not have significant deficiencies in their conduct or systems of quality controls, as observed by the PCAOB.
• Auditor must be able to demonstrate that it has adequate personnel participating in the audit with expertise applying U.S. GAAP, GAAS or IFRS, as applicable, in the company’s industry.
• Auditor’s training program for personnel participating in a company’s audit is adequate;
• For non-U.S. auditors, whether the auditor is part of a global network or other affiliation providing sufficient, globally common technologies, tools, methodologies, training and quality assurance monitoring.
• Auditor must demonstrate to Nasdaq it has sufficient resources, geographic reach, or experience as it relates to the company’s audit.

Reasoning: Audit quality is at the center of investor confidence in a company and its listed shares on the Nasdaq. Implementing greater controls and expectations for audit providers is a no-nonsense approach to both improving the reliability of listed securities, and improving investor confidence.

Impact: This rules applies to all companies listed on the Nasdaq, and is not specific to Restricted Market entities. The result will simply be greater demand for qualified audit providers that have the expertise, global reach, and sufficient quality controls.

In conclusion

In a year of unprecedented global market disruption caused by external factors, and with the high profile Luckin Coffee accounting scandal rocking investor confidence, Nasdaq’s proposed rule changes are common sense steps toward creating greater transparency and accountability for all listed companies, and especially those originating in countries with laws limiting transparency.

The ultimate goal of these rules and their enforcement is to provide greater stability for both companies and investors. The former must only take the time to carefully consider their path to the IPO and engage qualified auditors and advisors familiar with Nasdaq rules, SEC laws and international reporting requirements.

Everything changes, except when it doesn’t

Time and time again we’ve seen reactions to various accounting scandals, after which new policies, procedures, and legislation are created and implemented. An example of this is the Sarbanes-Oxley Act (SOX) of 2002, which was a direct result of the accounting scandals at Enron, WorldCom, Global Crossing, Tyco, and Arthur Andersen.

SOX was established to provide additional auditing and financial regulations for publicly held companies to address the failures in corporate governance. Primarily it sets forth a requirement that the governing board, through the use of an audit committee, fulfill its corporate governance and oversight responsibilities for financial reporting by implementing a system that includes internal controls, risk management, and internal and external audit functions.

Governments experience challenges and oversight responsibility similar to those encountered by corporate America. Governance risks can be mitigated by applying the provisions of SOX to the public sector.

Some states and local governments have adopted similar requirements to SOX but, unfortunately, in many cases only after cataclysmic events have already taken place. In California, we only need to look back at the bankruptcy of Orange County and the securities fraud investigation surrounding the City of San Diego as examples of audit committees that were established in response to a breakdown in governance.

Taking your audit committee on the right mission

Governments typically establish audit committees for a number of reasons, which include addressing the risk of fraud, improving audit capabilities, strengthening internal controls, and using it as a tool that increases accountability and transparency. As a result, the mission of the audit committee often includes responsibility for:

• Oversight of the external audit.
• Oversight of the internal audit function.
• Oversight for internal controls and risk management.

Chart(er) your course

Most successful audit committees are created by a formal mandate by the governing board and, in some cases, a voter-approved charter. Mandates establish the mission of the committee and define the responsibilities and activities that the audit committee is expected to accomplish. A wide variety of items can be included in the mandate.

Creating the governing board’s resolution is the first step on the road to your audit committee’s success.

Follow the leader(ship)

In practice we see a combination of these attributes, ranging from the full board acting as the audit committee, committees with one or more independent outsiders appointed by the board, and/or members from management and combinations of all of the above. While there are advantages and disadvantages for all of these approaches, each government needs to evaluate how to work within their own governance structure to best arrive at the most workable solution.

Strike the right balance between cost and risk

The overriding responsibility of the audit committee is to perform its oversight responsibilities related to the significant risks associated with the financial reporting and operational results of the government. This is followed closely by the need to work with management, internal auditors and the external auditors in identifying and implementing the appropriate internal controls that will reduce those risks to an acceptable level. While the cost of establishing and enforcing a level of zero risk tolerance is cost prohibitive, the audit committee should be looking for the proper balance of cost and a reduced level of risk.

Engage your audit committee with regular meetings

Depending on the complexity and activity levels of the government, the audit committee should meet at least three times a year. In larger governments, with robust systems and reporting, it’s a good practice to call for monthly meetings with the ability to add special purpose meetings as needed. These meetings should address the following:

External Auditors

• Confirmation of the annual financial statement and compliance audit, including scope and timing.
• Ad hoc reporting on issues where potential fraud or abuse have been identified.
• Receipt and review of the final financial statements and auditor’s reports
• Opinion on the financial statements and compliance audit;
• Internal controls over financial reporting and grants; and
• Violations of laws and regulations.

Internal Auditors

• Review of updated risk assessments over identified areas of risk.
• Review of annual audit plan, including status of the prior year’s efforts.
• Status reports of ongoing and completed audits.
• Reporting of the status of corrective action plans, including conditions noted, management’s response, steps taken to correct the conditions, expected time-line for full implementation of the corrective action and planned timing to verify the corrective action plan has been implemented.

Establish resources that are at the ready

Audit committees should be given the resources and authority to acquire additional expertise as and when required. These resources may include, but are not limited to, technical experts in accounting, auditing, operations, debt offerings, securities lending, cybersecurity, and legal services.

Taking extra steps now will save time later

While no system can guarantee breakdowns will not occur, a properly established audit committee will demonstrate for both elected officials and executive management that on behalf of their constituents they have taken the proper steps to reduce these risks to an acceptable tolerance level. History has shown over and over again that breakdowns in governance lead to fraud, waste and abuse. Don’t be deluded into thinking that it will never happen to your organization. Make sure it doesn’t happen on your watch.