AWS Cloud Operations Blog
Improving Mergers & Acquisitions Due Diligence with AWS Audit Manager
The purpose of this narrative is to provide guidance for Mergers & Acquisitions (M&A) Due Diligence stakeholders on how to leverage AWS Audit Manager to support compliance and risk assessments during technical due diligence. The target audience of this guidance includes practitioners that support diligence, integration, corporate development (CorpDev), technology/IT, auditing, and advisory activities during the M&A lifecycle. This guidance will discuss common challenges in M&A compliance due diligence, how does AWS Audit Manager help solve M&A compliance due diligence challenges, and how to get started with Audit Manager.
About M&A Compliance Due Diligence
Mergers and Acquisitions (M&A) activities are complex and significant events that can make or break a company’s corporate strategy. Compliance due diligence, or assessing the target’s cloud technology state in adherence to regulatory and compliance obligations, can have massive implications to transaction success if overlooked. Thoroughly evaluating technology risks and opportunities of the target’s IT estate is an important step in the transaction lifecycle.
Gartner’s Audit Leadership Council states that 76% of project team members reported new or evolving risks as a result of changes in core business areas throughout their organizations.
3 in 4 audit departments learn about changing processes in their business behind schedule which ends up disrupting existing controls or creates the need for new controls. 4 in 5 audit departments agree they apply their risk remediation coverage too late to change business processes. While the Gartner report (Audit at the Speed of Business) covers the importance of compliance auditing in a variety of business scenarios, this data also conveys the importance of compliance auditing during the M&A deal lifecycle. M&A stakeholders need to be aware of potential compliance risks, risk impact, and remediation strategies while conducting M&A activities. Neglecting rigorous compliance due diligence during the transaction exposes organizations to potential risks such as:
- Unaccounted liabilities
- Increased cybersecurity and ransomware attack radius
- High remediation costs
- Legal liabilities
- Regulatory actions
- Transaction timeline delays
- Regulatory sanctions
In addition to mitigated risks, robust compliance due diligence also generates key learnings that improve outcomes of future M&A transactions:
- Building institutional knowledge
- Tracking key metrics
- Updated risk frameworks
- Improved IT system governance and security
- Process refinements
- Stronger documentation
- Enhanced integration planning
The lessons learned create a flywheel effect where each M&A transaction strengthens compliance diligence expertise of the organization while improving outcomes for the next one.
Challenges in M&A Compliance Due Diligence
Traditional compliance due diligence processes are reactive, difficult to scale, and prone to mistakes. M&A stakeholders need to be aware of the specific challenges faced in the due diligence when evaluating IT environments and systems.
- Manual and time-consuming evidence collection – Gathering compliance evidence from a variety of sources in a complex IT environment is manual and labor-intensive. Stakeholders may need to extract thousands of configuration data points, user activity logs, security findings, and policy documents.
- Limited visibility into IT environments – Target companies security and compliance posture across all environments are hard to visualize, especially with short due diligence timeframes.
- Siloed data and systems – Without centralized compliance platforms and workflows, consolidating compliance data into structured formats for due diligence reviews is challenging and time-consuming.
- Inconsistent diligence processes – Due diligence may be conducted differently across M&A transactions based on team experience.
- Unstructured evidence and data – The required compliance data for diligence can come in many different formats. PDF reports, slide decks, spreadsheets, emails, infrastructure monitoring and observability metrics, and other formats are difficult to analyze, consolidate, and share efficiently.
- Tracking issues and actions – It is difficult to identify, log, track, assessing, and resolve specific issues that are found during the diligence reviews. This results in manual processes and decreased time-to-value of the diligence assessment.
- Collaboration and hand-off – A lack of collaboration between stakeholders can severely impact the success and efficiency of a compliance due diligence assessment.
- Maintaining integrity of reports – Organizations may face issues with the altering of assessments, resulting in lack of integrity of diligence reports.
- Limited continuity post-close – Compliance Due Diligence assessments are often only conducted as part of pre-close exercises, and stakeholder visibility into compliance posture and risk remediation tends to end after the transaction closes.
M&A stakeholders should to be evaluating solutions that can solve these challenges, risks, and blockers early in the deal lifecycle.
What is AWS Audit Manager and how does it solve M&A challenges?
When discussing the evaluation of a customer’s environment as part of a M&A transaction, the majority of AWS customers environments are contained within an organization and created using AWS Organizations. AWS Audit Manager helps organizations continuously audit their AWS environments by automating the manual processes of evidence collection. This provides visibility into security and compliance across accounts, services, and large-scale AWS environments. These large-scale environments can be viewed as multi-environment AWS account hierarchies created by AWS Control Tower or AWS Organizations enabled with multiple Organization Units (OUs) for each department that have Service control policies applied at each OU / nested OU. Every OU can have different permission sets based on if the account is used for testing, developing, staging, or used for production.
When auditing multi-environment AWS Organizations with Audit Manager, the service provides an assessment report that summarizes the selected evidence that was collected for an assessment. It contains links to PDF files with details about evidence of regulatory standards. Assessment reports compile evidence to ensure compliance readiness prior to completing a M&A transaction and facilitates collaboration amongst all M&A stakeholders.
M&A activities are multi-faceted and involve companies conducting audits on complex IT environments. These audits may include reports generated on infrastructure hosted on-premises and/or potentially in a multi-environment AWS Organization. For these types of audits, collaboration is important to enabling the continuity of compliance lineage is important for the success of an efficient transaction.
For a company in the cloud due diligence phase for a M&A transaction, there may be a scenario where the target company IT infrastructure is a multi-environment in AWS Organizations. Audit Manager streamlines and standardizes the compliance due diligence for these M&A scenarios by automating manual tasks, structuring data, and facilitating collaboration. This makes the process more efficient while maintaining integrity and security. By leveraging AWS Audit Manager, organizations can significantly streamline compliance in the cloud, assess risk, and enable more rapid scaling and innovation.
Audit Manager helps address common AWS compliance technology due diligence challenges in M&A deals with:
- Automated evidence collection: AWS Audit Manager gathers evidence from a variety of AWS services, replacing the manual collection of vast amounts of data.
- Visibility, reporting, and dashboards: Central Dashboard capabilities give compliance visibility across accounts and regions. Admins are able to review and analyze evidence, delegate reviews, track issues, and generate summarized reports of diligence findings.
- Standardization and repeatability: Automation and pre-built framework/control libraries bring consistency across M&A transactions and can be tailored for individualized use cases.
- Security, collaboration, and access control: AWS Audit Manager improves streamline audit stakeholder collaboration. Admins can delegate access controls to reviewers and collaborators, annotate evidence with supplementary, and ensure the preservation of integrity of audit reports.
- Continuous compliance monitoring: With AWS Audit Manager, assessments can be run continuously throughout the M&A lifecycle by maintaining visibility into risks and compliance during the entire transaction lifecycle.
Getting started with AWS Audit Manager
AWS Audit Manager provides a User Guide that provides a step-by-step tutorial for initial set up. However, in order to start using AWS Audit Manager an admin must have the following prerequisites:
- An active AWS account with the following permissions setup. For users who need full access, use the AWSAuditManagerAdministratorAccess managed policy.
- Once the correct permissions are setup, you need to enable Audit Manager via the Audit Manager API, AWS CLI, or using the AWS Management Console.
How does AWS Audit Manager Work?
AWS Audit Manager uses a collection of pre-built / custom-defined controls for corporations in specific industries to ensure they are following their compliance standard requirements. These frameworks are used as an implementation of AWS Audit Manager assessments, which allows Audit Manager to automatically assess the resources defined in the scope of the audit being conducted. Audit Manager conducts evidence collection from accounts and resources and shares compliance readiness during the due diligence phase of a potential M&A transaction. This ensures that both companies are aware of the compliance strengths and risks when identifying a migration strategy pre-transaction while maintaining collaboration for the entire M&A lifecycle duration. Additionally, Audit Manager provides 30 different frameworks to choose from and M&A stakeholders are given the ability to create custom frameworks to generate assessment reports based on various compliance needs.
AWS Audit Manager for Buy-side / Sell-side entities
Conducting cloud due diligence can be a complex process for the buy-side entity as they look to ensure that synergy levels are defined, risk is considered, and all IT infrastructure regulatory standards are accounted for. Often times sell-side entities have complex IT infrastructure requirements which creates different synergy levels from the buy-side entity. For example, sell-side entities can involve needing different compliance framework readiness that the buy-side entity is not prepared for. Additionally, the buy-side entity can have a multi-account organization structure with different dev, stage, and production accounts in different AWS accounts.
Audit Manager makes it easier for M&A stakeholders to continuously audit the AWS usage of these multi-account account M&A transactions by integrating directly with AWS Organizations. AWS Organizations enables granular visibility to security, compliance, and budgets by consolidating multiple AWS accounts into centrally managed organizations. Audit Manager improves the cloud due diligence process by providing cohesive collaboration for M&A stakeholders during complex multi-account product portfolio transactions.
By enabling AWS Organizations on Audit Manager, an admin user can set up a delegated administrator account for the sell-side entity. They can then generate an assessment report that can view the evidence collection of all AWS accounts within the scope of the audit to be conducted as cloud due diligence. This allows the buy-side entity to gain the visibility of the synergy levels of the potential M&A transaction.
Supporting all phases of M&A Lifecycle with AWS Audit Manager
AWS Audit Manager supports all phases of the M&A lifecycle from the “Due Diligence” phase to post-transaction. Given enhanced organizational hierarchy is a best practice for companies interested in M&A activities in the cloud. it is recommended that organizations conducting M&A activities are assessing the compliance and risk of all AWS environments in each prospective account against relevant control frameworks for their industry. AWS Audit Manager generates assessments compliance reviews for both buy-side pre-acquisition or pre-close risk and compliance reviews. This information is used by necessary parties to verify regulatory requirements are met/being met in the audited organization which allows teams to analyze the risk and compliance thresholds that the organization may be crossing if they were to integrate with the potential target company.
Conclusion and Additional Resources
AWS Audit Manager solves common challenges faced by organizations in M&A compliance due diligence. Audit Manager allows M&A stakeholders the ability to automate evidence collection, increase visibility and reporting into compliance auditing, introduces standardization and repeatability into due diligence processes, ensures integrity of assessments, and supports continuous compliance monitoring throughout the transaction lifecycle. Furthermore, organizations with strong compliance due diligence practices can maximize the return-on-investment (ROI) of their transaction, monitors potential legal and regulatory risks, have better chances of valuing the deal appropriately, and prevent future issues in the integration phase.
We encourage stakeholders to start by assessing their current compliance due diligence processes for the cloud, and to identify areas for improvement. To learn more about AWS Audit Manager, refer to the Audit Manager Documentation and Frequently Asked Questions (FAQs). To gain additional insight on cloud-enabled M&A, please refer to AWS Executive Insights: Mergers & Acquisitions.
About AWS Mergers & Acquisitions Advisory
The AWS Mergers & Acquisitions Advisory Team (AWS M&A Advisory) is a group of subject matter experts and thought leaders at AWS with mergers & acquisitions expertise. If your organization is going through an M&A transaction and would like to learn more about how AWS supports customers throughout the transaction lifecycle, please reach out to the AWS Mergers & Acquisitions Advisory Team through your organization’s aligned AWS Account Manager with this link.