Navigating IT Due Diligence
With limited time and imperfect data, the real differentiator is understanding why the acquisition happens. Context turns due diligence from box-ticking into value protection.
8/21/2024
During M&A activities, the IT due diligence process plays a crucial role in assisting buyers. The purpose of the process is to understand a company’s IT capabilities, assess risks, and contribute towards evaluating its overall value. The intention is always to uncover as many details as possible, but it is still a “due diligence” and not a detailed audit, which means that, like anything in life, there will always be limitations in terms of time, allocated resources and shared/documented information. Hence it is a good idea to understand the strategic and industry-specific context (the “why”). This can help you logically split the process into a generic evaluation (Basic Hygiene) and focused questions around the insight derived from the context.
Asking “Why”
Before starting with IT due diligence, it’s essential to begin with a thorough debriefing on the strategic understanding of the acquisition. If you are part of a big corporation, chances are that you were not part of the initial discussions (not to imply that all IT professionals are hidden away like in the show The IT Crowd), and hence it is highly recommended that you try to cover any gaps in understanding the “why” of the acquisition. (If that is not the case, then congrats! You are in the right place.) Knowing the strategic context is pivotal in defining an effective IT due diligence checklist. A due diligence checklist can potentially be endless, but the context can help narrow down the focus points. For example, the due diligence process for a software company, such as one offering SaaS services, will entail different focus areas and risk analyses compared to that of a physical product company.
Basic Hygiene
The following are important generic pointers for a due diligence process:
IT Infrastructure: Assessing the IT infrastructure involves an examination of its core components, which include hardware elements like servers, networking equipment, workstations and laptops, alongside cloud services. A critical consideration is whether the infrastructure aligns with the acquiring company’s strategic objectives, design and operational processes. This further includes factors like the hosting location of systems, the overall health of the infrastructure, and the effectiveness of disaster recovery procedures. Consider (and document) the costs that may arise from any misalignments and gaps. Any liabilities or future costs uncovered during this assessment can significantly impact the ongoing price negotiations.
Software: While the previous section primarily emphasizes hardware assessment, due diligence on software is equally important. This means an examination of the overall software architecture, legacy systems, third-party software integrations, intellectual property and recurring operating expenses. Operating expenses should include any ongoing licence fees, with a particular focus on understanding the duration and subscription costs for Software as a Service (SaaS) solutions. In my personal opinion, people are quick to approve a small subscription fee for a cloud service and then keep buying add-ons, which can be like death by a thousand cuts for your budget targets.
Security & Compliance: Given the significant attention paid to security and compliance topics, this aspect of the assessment should be a no-brainer. You should inquire about any known security and compliance issues, the plans to fix them, and their history. Do not be too polite to ask about potential liabilities arising from data breaches. Inquire about the measures in place. Even though security teams have a reputation for over-thinking, it is a very good idea to support and listen to them.
IT Organization: When it comes to the headcounts, the Finance team will be faster than you! From IT’s perspective, it is important for you to understand the IT organisational structure, key competencies, delivery methodologies (such as Agile), and the skillset of the team. Depending on your context, the presence and dynamics of onshore and offshore teams can be a significant aspect to consider.
The list above outlines the essential areas that must be evaluated during the due diligence process. As an outcome, a report should be compiled from these findings, covering any risks, recommendations, and mitigations. Mitigations are especially helpful during the negotiation of the deal or post-merger activities.
