How to Stay Audit-Ready After Mergers & Acquisitions (M&A)

November 6, 2025 | SOC 2

By: Barbara Donatien


Mergers and acquisitions don’t just reshape business landscapes; they also reshape your compliance posture. When companies merge or one acquires another, systems are integrated, cultures blend, and data flows across new boundaries. Amid the excitement of growth, it’s easy for SOC compliance to be overlooked. But compliance does not pause for a merger or acquisition: every SOC requirement that applied before the transaction still applies to the combined entity afterward.

After a merger or acquisition, your existing SOC report may no longer reflect your organization’s updated risk landscape or operational structure. It’s often necessary to conduct a new SOC assessment to evaluate the combined environment and confirm that all systems, processes, and controls continue to meet SOC compliance standards.

Considerations After M&A 

Post-merger and acquisition, a company should take the following into consideration: 

  • New turf: A merger or acquisition may add new systems, services, or locations to the organization’s operations. 
  • Control chaos: A merger or acquisition may introduce totally different controls, policies, risk assessments, and entity-level controls that need to be integrated or replaced.
  • Integration headaches: Newly acquired operations may introduce risks such as data migration issues, inconsistent vendor risk management, differing incident response processes, etc.

These considerations must be addressed to determine if they fall within the scope of the SOC report. After assessing these considerations, it is best to loop in your auditor early to share your findings. This collaborative approach will help you stay in front of any scope changes and actively manage your compliance posture.

How BARR Can Support Audit-Readiness After M&A 

As your auditor, BARR Advisory can provide readiness support while maintaining independence. Here are the steps we take to ensure you are audit-ready:

  1. Redefine the audit scope: This includes identifying all existing and newly acquired in-scope applications, infrastructure components, business processes, data repositories, and customer-facing services from both the acquiring and acquired entities. 
  2. Regulatory considerations: Our team will inquire about any new regulatory obligations the acquired entity brings with it, because in some cases those obligations change the scope of the examination. 
  3. Reconfirm customer commitments and in-scope criteria: A merger or acquisition can change or introduce customer commitments depending on what the acquired company offers (e.g., new SaaS platforms, customer services, etc.). For SOC 2, this can expand the scope to include additional trust services criteria.
  4. Conduct a full SOC readiness assessment: Don’t assume existing controls carry over cleanly. After assessing the above, we address questions like: Are access rights managed using the same rules? Are configurations the same? Is encryption consistently applied?
  5. Identify gaps: Once the readiness assessment is complete, we provide you with a prioritized list of observations and recommendations, using a risk-based approach to focus your remediation efforts. 
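Steps 4 and 5 above amount to a control-drift check: compare every in-scope system from both entities against one control baseline and rank the deviations by risk. The script below is an added example of that check and is not BARR’s or the author’s code. The baseline, the control names, the risk weights and the two system inventories are all constructed assumptions for illustration; a real run would pull the inventories from each entity’s asset and configuration records.

```python
"""Post-M&A control-drift check: find where inherited systems deviate from
the in-scope control baseline and rank the gaps by risk.

Added example; not BARR Advisory's tooling. Every control name, weight and
inventory entry below is an assumption constructed for illustration.
"""

# Assumed baseline. Each control is (comparison, expected value):
#   "eq"  -> actual must equal expected (booleans)
#   "min" -> actual must be at least expected (e.g. retention days)
#   "max" -> actual must be at most expected (e.g. review interval days)
BASELINE = {
    "mfa_enforced": ("eq", True),
    "encryption_at_rest": ("eq", True),
    "log_retention_days": ("min", 365),
    "access_review_days": ("max", 90),
}

# Assumed risk weights: higher means remediate sooner.
WEIGHTS = {
    "mfa_enforced": 5,
    "encryption_at_rest": 5,
    "log_retention_days": 3,
    "access_review_days": 2,
}

# Constructed sample inventories for the acquirer and the acquired company.
ACQUIRER = {
    "crm-prod": {"mfa_enforced": True, "encryption_at_rest": True,
                 "log_retention_days": 365, "access_review_days": 90},
}
ACQUIRED = {
    "legacy-billing": {"mfa_enforced": False, "encryption_at_rest": True,
                       "log_retention_days": 30, "access_review_days": 180},
    # access_review_days is deliberately absent: an unknown control state
    # must be reported as a gap, not silently treated as compliant.
    "support-portal": {"mfa_enforced": True, "encryption_at_rest": False,
                       "log_retention_days": 365},
}


def meets(comparison, expected, actual):
    """Evaluate one control against the baseline rule."""
    if comparison == "eq":
        return actual == expected
    if comparison == "min":
        return actual >= expected
    if comparison == "max":
        return actual <= expected
    raise ValueError(f"unknown comparison {comparison!r}")


def check_system(name, attrs, baseline=BASELINE):
    """Return (control, expected, actual) for each baseline control the
    system fails. A missing attribute is a gap with actual=None."""
    gaps = []
    for control, (comparison, expected) in baseline.items():
        actual = attrs.get(control)
        if actual is None or not meets(comparison, expected, actual):
            gaps.append((control, expected, actual))
    return gaps


def prioritized_gaps(entities, baseline=BASELINE, weights=WEIGHTS):
    """entities: {"acquirer": {system: attrs}, "acquired": {...}}.
    Returns findings sorted by descending risk weight, then entity,
    system and control so the list is a deterministic remediation order."""
    findings = []
    for entity, systems in entities.items():
        for system, attrs in systems.items():
            for control, expected, actual in check_system(system, attrs, baseline):
                findings.append({
                    "entity": entity, "system": system, "control": control,
                    "expected": expected, "actual": actual,
                    "risk": weights.get(control, 1),
                })
    findings.sort(key=lambda f: (-f["risk"], f["entity"], f["system"], f["control"]))
    return findings


if __name__ == "__main__":
    for f in prioritized_gaps({"acquirer": ACQUIRER, "acquired": ACQUIRED}):
        print(f"[risk {f['risk']}] {f['entity']}/{f['system']}: "
              f"{f['control']} expected {f['expected']!r}, found {f['actual']!r}")
```

On the constructed data, the acquirer’s system is clean and the acquired systems produce five findings, with the two weight-5 items (no MFA on `legacy-billing`, no encryption at rest on `support-portal`) at the top of the list. The `None` handling is the part worth keeping in a real integration: inherited systems often lack evidence for a control rather than failing it outright, and "we don’t know" should land on the remediation list, not drop off it.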

This readiness assessment should be used as your compliance integration roadmap. From here, you should be able to set realistic remediation timelines for when inherited systems will meet SOC expectations. Remember, integration efforts take time, and some systems and controls won’t align immediately. The key is to prioritize compliance early so your post-merger journey runs smoothly and supports lasting success. 

Interested in more information about how to initiate a readiness assessment post-merger and acquisition? Contact us today for a free consultation.


About the Author


As a manager of BARR’s attest services practice, Barbara Donatien serves as the lead for planning and executing client risk assessments and information technology audits against standards like SOC 1, SOC 2, SOC 3, and ISO 27001. Barbara is a Certified Information Systems Auditor (CISA) and an ISO 27001 Lead Auditor.
