Key elements of an audit tender

Graham Hall, author and audit tender consultant at Marc Hall Consulting, shares his experience in the selection of a data room and the challenges of populating it


In 2018, I was tasked with defining and subsequently managing an external audit tender for Nestlé SA covering its consolidated financial statements and encompassing more than 180 countries and more than 750 legal entities requiring a statutory audit.

Whilst the Swiss requirements for auditor rotation are not in line with those now adopted by the EU and are limited to lead partner rotation every seven years, the investor community are ever more vigilant in seeking a fresh set of eyes over the published financial statements.

I would now like to share a few of the key things that I believe made the tender process I was responsible for delivering a joy for everyone involved, and despite the process being a true learning experience, it all seemed to go remarkably well.

Perhaps the most important learning I followed was that once the decision is made by a company’s audit committee and board to tender the audit, it is crucial to communicate this decision across the entire finance community, and to thus ensure everyone is engaged in and supportive of the upcoming process.

This is particularly important in the preparation and population of a secure data room, which will be your vehicle in sharing a plethora of information and data about the company to enable the would-be audit firms to provide a considered and informed proposal.

The first step in the process of creating your data room is, of course, your choice of data room provider. I sought the help and guidance of our M&A team in this regard, relying on their extensive experience of working with several providers.

There are many potential providers, all of which will assure you of the security and user-friendliness of their proposed application.

In arriving at your choice of data room provider, it is important to first decide what the key attributes of your chosen data room should be. There were eight attributes that I was looking for:

  1. Security (to be validated by your in-house IT security team);
  2. Option to restrict download to selected files;
  3. Speed of accessing files;
  4. Price, normally fixed up to a certain number of pages. However, if you were to sign up for a long-term relationship, the pain and challenges of choosing a data room provider every time you launch a project would be negated, and this element of kicking off a project would be replaced by a call to advise the provider of the need for another data room;
  5. Q&A functionality, ensuring all questions were blind to external users as to the questioner while providing full transparency and visibility to all users of the question and responses;
  6. Reporting functionality available to the project manager (PM) or head of accounting, enabling them to monitor the data loads and then monitor the activity in the data room of all users;
  7. The ability to determine who within the audit team – including the corporate team, the partners, managers, and the audit juniors of the audit provider – had rights to upload and review documents. The option to restrict access to certain parts of the room, especially HR data, was key. Having this feature enables more members of the audit team to be involved, thereby easing the burden on certain individuals.

In my case, four potential providers were asked to pitch for the assignment, all having been provided with the above list of key attributes we were looking for.

The standout proposal was provided by Sterling Virtual Data Rooms. This in no small way was due to the security inherent in the solution being highly regarded by our internal security team.

The Sterling team were available 24/7 to address questions of the internal team as they populated the data room.

In addition to the eight selection criteria I had identified, it was also important that the data room we selected was user-friendly and did not become a constant source of angst as we and the potential audit teams navigated the wider process. The fact that when we visited some of the key markets around the world, the local audit teams were able to join meetings with a good understanding of the local business, its footprint and performance, demonstrably showed they had spent many hours in the data room and built a good understanding of Nestlé in the markets.

The Sterling team, from top to bottom of the organisation, were open to feedback and determined to deliver a best-in-class data room solution. As PM I knew I could rely on them to support my own contributors, and possibly even more importantly, the audit firms, which generally left me free to focus on navigating everyone through the audit tender process.

Having chosen the provider and created an Index of information to be loaded, it is important for the PM to identify and secure the support and engagement of the contributors of the required information to be loaded into the data room. In achieving this, you will absolutely need the support of your group CFO in ensuring the identified resources treat this with the appropriate level of priority, and that their own line managers acknowledge and support this.

The amount of information you place into your data room can often be the cause of intense debate. I was often challenged over whether we were sharing too much information – was it relevant, was it too sensitive to share? My response was "time will tell", although the level of security in our chosen data room was highly robust.

The proof of the pudding would be seen in the number of questions we received, and ultimately in the quality of the final proposals.

In the Nestlé audit tender data room, we loaded more than 55,000 pages of information and received only nine questions, so I passionately believe we provided an appropriate level of granularity.

The quality and completeness of data loaded into the data room is key to the delivery of a transparent and comprehensive process. To ensure this, the PM should review all the data, actively challenging the quality if they feel it is unclear or likely to cause confusion. Classic causes of confusion are often the prevalence of acronyms, which while commonly used by the company or the function using them, are likely to be incomprehensible to the firm’s personnel.

To add to a robust review of the data, I found that an effective model was to gather all contributors in a room and ask everyone to ensure they were not sat next to anyone from their own department or function. I would then advise them that they should shake hands with the person sat on their right, because over the coming week they would be required to review and feed back on the quality and clarity of the data that person had loaded.

These peer reviews proved invaluable. If your data is not clear to a person who is familiar with the company but not the function, then how are the firm’s personnel going to understand it?

In advance of the data room going live, it is highly beneficial to everyone participating in the process to organise a short online training session with each of the firm’s teams. Your data room provider should be happy to provide and facilitate this; in my case the Sterling VDR team were always available and proactive in providing support and guidance.

The go-live of the data room signifies the formal start of the tender process; further data loads should be minimal and primarily in response to questions.

To maintain the momentum of the internal team, the PM should provide weekly reports, showing the activity of the firms as they navigate their way through the data.

Many data room solutions have an inbuilt functionality whereby you can limit the number of questions that can be raised by each firm, either by day, week, or the end-to-end process. I, perhaps courageously or possibly out of blind stupidity, chose not to place any limit on the number of questions.

However, my decision was largely influenced by another inbuilt control that I chose to rely on towards ensuring that only relevant and quality questions were raised. This control required all firms to appoint moderators who would review and approve all questions raised by that firm’s personnel, prior to them going live in the data room.

It was also made clear to the firm’s lead partners that the quality and relevance of their questions would be an indicator of the quality of their team. I was also clear that there were no "stupid questions"; therefore, the converse of the indicator as to the quality of the firm’s teams was the quality of the information we loaded into the data room. It is worthy of note that over the course of our tender, we received a grand total of nine questions, three of which related to files a firm was unable to open!

To ensure the quality of answers was given the same degree of review as was the case with the original questions, the PM was moderator of all answers. As a result, only when an answer was approved would it become live and viewable by all the firms’ teams.

For those of you tasked with defining and managing an external audit tender for your company, I had many learnings as I navigated the Nestlé audit tender process. I hope the sharing of a few of my own experiences will help you on your own journey.

Indeed, during the travels to introduce the audit firms to the wider Nestlé world, I wrote a book to document all that I learnt, which will be published in summer 2021 by LR Price Publications. It is entitled An Audit Tender, a True Journey of Discovery and has been listed by many leading booksellers, including Waterstones and Amazon.

Good luck in your journey, and enjoy every minute of it.