IT due diligence is a critical component of understanding how a target company’s IT department can support future growth and use technology as a strategic capability.
IT due diligence can uncover key risk areas and investment needs for your technology environment. Learning your organization’s areas of vulnerability could in turn play a key role in an upcoming merger or acquisition (M&A).
Our article covers the following:
- What Is IT Due Diligence?
- Why Is IT Due Diligence Important?
- What Is Reviewed During an IT Due Diligence Assessment?
- Who Performs IT Due Diligence?
- How Does IT Due Diligence Benefit M&A Transactions?
- How Could Cybersecurity Influence a M&A Decision?
What Is IT Due Diligence?
An IT due diligence review provides a thorough investigation of the following:
- IT strategy
- Department level financials
- Executive leadership and staff capabilities
- Business process and application architecture review
- Technology infrastructure and service operations
- Disaster recovery planning
- In-flight and planned technology projects
- Data management practices
- Cybersecurity resources, processes, and tools
Why Is IT Due Diligence Important?
IT tends to be a key indicator of business value, and the most resource-intensive function in the organization. IT due diligence is a focused evaluation of how the company has invested in IT as a strategic capability.
It attempts to answer the following:
- Can IT scale for rapid business growth?
- Where do additional IT investments need to be made?
- What is the risk profile of the technology infrastructure?
- How vulnerable is the company to a cyberthreat?
- How have past IT investments impacted business performance?
Due diligence can also uncover sources of synergy value by identifying redundant systems, duplicate licenses, and consolidation of third-party providers, which could support a more competitive purchase price offer to the organization.
What Is Reviewed During an IT Due Diligence Assessment?
IT due diligence focuses on six key areas:
- IT Strategy and financials. How is IT managed as a strategic asset?
- Leadership and staff capabilities. Does leadership drive change?
- Business application. How does IT enable business strategy?
- Technology infrastructure, disaster recovery, and business continuity. Does IT adopt leading practices?
- Cybersecurity and vulnerability. How does IT protect the company?
- Ongoing and planned IT investments. Does IT stay ahead of business demand?
IT is a complex environment; uncovering key risks requires a thorough evaluation of past decisions, current operations, and future investments.
A key attribute of well-managed IT departments is how involved they are with driving business strategy. Looking at IT through both technical and business lenses offers clarity on how IT enables business leaders to create more value to their customers.
Underfunded IT departments commonly have constraints that limit the ability to be a strong business partner; this issue often appears in the form of a capacity-constrained team that can’t keep up with day-to-day operations—let alone add business value.
Who Performs IT Due Diligence?
Due diligence is performed with highly experienced professionals, with relevant industry background and who have either managed an IT operation or have been involved with M&A diligence and integration multiple times. These practitioners view a company very differently and focus on the deal strategy and how IT can enable value.
Since time is critical, IT diligence follows a defined sequence of activities that maximize time with management.
The four steps for successful diligence include:
- Understand the buyer’s investment strategy and the ways IT will be a critical enabler of growth.
- Conduct diligence on the buyer’s IT environment to know how an acquired IT infrastructure will integrate.
- Conduct diligence on the target to uncover key financial and operational issues and assess the capability of the leadership team.
- Summarize findings from both a technical and business perspective along with an investment strategy that will be supported by an integration roadmap.
The steps usually occur during a two- to three-week period.
How Does IT Due Diligence Benefit M&A Transactions?
IT due diligence could play a strategic role when it comes to M&A. It could make the acquisition very attractive to a potential parent company, or give it a reason to walk away.
Dealmakers understand that well-run IT organizations produce valuable high-quality data that can provide insights into the customer experience, operational performance, and real-time financial metrics.
Companies who position their strategy for cybersecurity could create a competitive advantage that makes their organization an easier decision to buy.
IT due diligence is more than just a review of the quality of the equipment, reliability of applications, and the ability of the team to keep the lights on. Even if it uncovers risks, having strategies in place to address the issues and a financial model that considers important investments in the first few years of the organization’s dealings can take an average-performing company to another level.
For more information on how you can support your M&A transaction, please see our M&A due diligence checklist.
How Could Cybersecurity Influence a M&A Decision?
While cybersecurity has long been an important component of IT diligence, the increased use of digital platforms, payment methods, and intellectual property (IP) drives a need for deeper assessments of an organization’s readiness to external threats.
Cybersecurity considers all aspects such as internet-facing web applications that may serve as an entry point to the network and other systems, software packages that contain inherent security vulnerabilities, and software development groups that don’t always have secure code development training and tools to meet specific regulatory requirements.
On the infrastructure side, cybersecurity looks at networking devices that could be inadequately configured to protect IT infrastructure, network and systems architecture that could introduce vulnerabilities inadvertently, and servers and workstations that could be susceptible to cyberattacks due to insufficient vulnerability and patching processes.
For a more in-depth look at the role cybersecurity due diligence can play during a transaction, read our article.
From a business perspective, enterprise risk management doesn’t always adequately address cyberthreats. Employees might not be aware of the phishing threats. Incident response and disaster recovery plans might not exist, and aren’t always properly drafted to assist with timely recovery following a security incident or disastrous event. Security organization isn’t always staffed or structured to meet regulatory requirements and address security needs.
All these factors could influence a company’s decision to accept the risk of a target business. Incorporating cybersecurity and IT due diligence learnings into your organization’s structure before the buyer takes ownership could be vitally important.
We’re Here to Help
If you have any questions about how your organization can improve its IT due diligence prior to a M&A transaction, please contact your Moss Adams professional.