When a company is considering expanding into international markets, growth through mergers or acquisitions is an obvious consideration. Acquiring a pre-existing foreign company provides a ready-made starting point for operations with an established history in the market, but also comes with risks to a U.S. company that cannot be overlooked. While there are many business and legal considerations in making such an acquisition, there are two core areas of technology oversight risks that should always be top of mind: accounting systems and IT infrastructure.

Visibility Into Company Accounting Systems

Many large U.S. companies are accustomed to having a comprehensive accounting application that provides for effective oversight and auditing from a centralized location. A variety of tools can be used for this sort of oversight, but generally they will allow for review of detailed accounting information supporting general ledger entries in addition to more comprehensive “rolled-up” data. Some will also link to items like receipts or purchase orders related to transactions. In certain parts of the world where U.S. companies might seek to expand, accounting systems may be less advanced and provide a significantly lower level of accessibility. Due to variations from country to country in local accounting requirements, concern with GAAP and other U.S. standards may be completely unfamiliar to a target company. Smaller entities may have an almost completely paper-based accounting system, or they may rely on basic tools like spreadsheets maintained by a company employee rather than the kind of multipurpose application that might be used in the United States.

Understanding how the accounting system in the target company functions, where data is stored, who has access to it, where and how supporting documentation is maintained, and what portion of the information will be readily available to the parent company are all key concerns—a company cannot direct and control activity that it cannot see. Once a good understanding of the pre-existing accounting system has been obtained, post-acquisition integration of that system into the pre-existing systems of the company, including any internal audit function, is a crucial internal control for a U.S. company to put into place. Keeping external auditors apprised of this work is also a key consideration.

Access to Email and Other Electronic Data

Most U.S. companies have policies and procedures in place for management of email and other electronic data. Generally, those policies include those governing employer access to data, data backup and restoration, systems for creating legal holds, and other similar tools. Outside of the United States, however, the rules may be substantially different. There may be local laws that impact data privacy in different parts of the world that can vary from country to country and can require localization or otherwise restrict transfer of certain data. The policy that an American company has in place may not work in an international location at all, or may require additional steps to become effective. For example, in some countries, unions or works councils may need to be notified or employees may need to consent individually to any use of potentially “personal” data. The forms used in the United States may not be sufficient in other jurisdictions. Moreover, what constitutes “personal data” can vary materially from jurisdiction to jurisdiction. U.S. entities are familiar with protecting personally identifiable health information, for example, but in other countries even a document we would consider to be exclusively “business related” could be “personal” under local law. Data protection regimes in the EU and China certainly are two items to consider.

How does a company prepare for these issues? It is crucial to obtain a clear understanding of the pre-existing IT infrastructure in a company at the time of purchase. A company can ask questions like: How many email domains are in use? Does the company have a data map in place that details what sort of information sits on which server? Where and how is that data stored? What sorts of document retention policies are in place? How many servers are in use and what is located on each of them? What sorts of internal controls are placed on specific hardware use? Do employees use company telephones or is there a bring-your-own device policy in place? It is also important to understand any pre-existing written policies on these issues so that a company can make decisions about any changes to those policies that may be required. A company must also understand local laws regarding these issues and confirm that their preferred approach complies with those laws. It is also key to global inter-operability to find good local counsel on these issues, and to make sure that local counsel is working carefully with your U.S. counsel to harmonize approaches from jurisdiction to jurisdiction.