As much as 74% of CEOs believe digital technology drives business growth, and over 80% of successful M&A deals emphasize technology and digital transformation. Today’s business landscape indicates that IT due diligence has never been so critical for the merger and acquisition process. This article explores how companies can maximize business value with comprehensive IT due diligence. Keep reading to discover the following:
- A deep dive into the goals of IT due diligence
- A comprehensive tech due diligence checklist
- 4 steps of the due diligence process
- The best IT due diligence practices
What is IT due diligence?
| IT due diligence investigates IT systems, processes, and infrastructures of target companies in mergers and acquisitions and other business transactions. |
Credit: IT Due Diligence (Deloitte)
Why do IT companies perform due diligence?
IT due diligence fits the broader diligence processes and helps M&A buyers with the following:
- Business context. A potential buyer can evaluate how well the target’s IT capabilities fit into its strategic plans.
- Value creation. Acquirers and sellers conduct IT due diligence to negotiate more accurate deal values. For instance, intangible assets like proprietary software and intellectual property comprise 80% of M&A values.
- Deal breakers. Acquirers may cancel deals due to critical issues, like data privacy concerns or system vulnerabilities, successfully saving money and reputation.
Companies pursue the following goals with IT due diligence:
- Understand IT strategy and financials
- Evaluate IT organization
- Assess IT Infrastructure
- Understand software systems
- Enhance cybersecurity
Understand IT strategy and financials
Technical due diligence investigates the target company’s plans for technology developments, IT investments, and ongoing and planned technology spending. Buyers also evaluate IT commitments and priorities and pursue the following goals here:
- ✅ Understand how the target’s IT strategy supports its general business strategy.
- ✅ Understand which technology developments and investments perform well and which require optimization.
- ✅ Identify cost-saving opportunities.
Evaluate IT organization
Acquirers evaluate how target companies govern their information technology systems. Technical diligence investigates the key personnel, roles and responsibilities of IT teams, reporting lines, and decision-making mechanisms. M&A buyers achieve the following goals:
- ✅ Understand how IT decisions are made in the target company.
- ✅ Understand how to integrate and optimize the target’s IT governance.
- ✅ Evaluate IT culture, including innovation awareness, continuous improvement principles, and accountability.
Assess IT Infrastructure
M&A acquirers evaluate the quality, performance, and scalability of targets’ IT infrastructures. Buyers need this to do the following:
- ✅ Improve and optimize IT assets.
- ✅ Identify the level of interoperability and compatibility of targets’ IT infrastructures.
- ✅ Identify performance and scalability issues and opportunities.
Understand software systems
Acquirers achieve the following goals with software system reviews:
- ✅ Understand key software vendors and software licensing specifics.
- ✅ Understand how IT software applications and systems support targets’ business operations.
- ✅ Evaluate the compatibility of software applications, determine synergies, and explore optimization opportunities.
Enhance cybersecurity
Buyers strongly emphasize the cybersecurity features of target companies to achieve the following:
- ✅ Understand the cybersecurity compliance.
- ✅ Understand the efficiency of the cybersecurity measures.
- ✅ Evaluate cybersecurity risks.
- ✅ Cancel deals if sensitive data outweigh anticipated synergies.
IT due diligence process: 4 steps explained
Let’s describe the general steps of the technology due diligence process:
- Prepare a due diligence environment
- Screen documentation
- Review technology systems
- Report findings
1. Prepare a due diligence environment
Buyers make several preparations before initiating IT due diligence:
- Review scope. Define the IT areas under investigation and the depth of reviews. Tech startups may require more rigorous investigations due to high cybersecurity risks.
- Establish KPIs. Develop baseline criteria and metrics for sustainability, security, scalability, performance, and strategic alignment for the technology systems of your target.
- Make a team. Assemble a due diligence team with strong technology expertise. It’s advisable to involve cybersecurity experts.
2. Screen documentation
Documentation reviews involve the following activities:
- Request documentation. Obtain IT policies, product guidelines, architecture documentation, budget spending reports, etc. You can exchange due diligence checklists to clarify the scope of investigations.
- Analyze documentation. Search for inaccuracies, errors, and inconsistencies. Assess strengths and weaknesses of IT systems.
3. Review technology systems
Pay attention to the following aspects while reviewing technology systems and software applications:
- Find dependencies. Consider interdependencies between software modules, databases, and external libraries and services. Excessive interdependencies hinder performance, business continuity, and security.
- Evaluate code quality. Analyze software code for integrity, complexity, duplications, issues, and compliance with standards. Understand the level of technical debt.
- Analyze security and compliance. Check software systems for vulnerabilities, such as code injections, phishing risks, and insider threats. Document attack vectors and perform penetration testing.
- Conduct site audits. Organize field inspections to check physical technology assets, evaluate IT workflow, and verify documentation findings.
- Screen culture. Interview and survey the target’s stakeholders to understand its IT culture and cybersecurity awareness.
4. Report findings
DD teams participate in the following activities in the reporting stage:
- Review findings. Validate due diligence findings and document issues, opportunities, risks, and considerations.
- Prepare an executive summary. Highlight and summarize critical findings, recommendations, and actionable insights for decision-makers.
- Follow-up with executives. Follow-up sessions provide additional context to due diligence findings and contribute to informed decisions in the M&A lifecycle.
The IT due diligence checklist
Let’s list technical due diligence checklist items under the following categories:
IT strategy and financials
- IT strategic planning documents
- IT roadmap
- IT budget plans
- IT financial statements
- IT investment portfolio
- IT investment justification files
- IT cost allocation model
IT organization
IT governance:
- IT governance framework
- IT policies and procedures
- IT organizational structure
- Review of support and engineering teams
- Infrastructure deployment model
- IT staffing plan and skill inventory
- Employee training programs
- Management process delivery trends for the past several years
- Management process escalation rates
- Management process sprint planning trends
- Management compliance requirements
- Team business continuity principles
IT culture:
- IT department mission and vision statements
Code of Conduct and business ethics documents - Employee initiatives
- IT leadership practices
- Continuous improvement release planning
IT infrastructure
Networks:
- Network diagrams
- Inventory of network protocols
- Network performance metrics and reports
- Network scalability analysis
- Inventory of servers
- Server configuration documents
- Server performance metrics
Data storage:
- Inventory of data centers
- Inventory of storage systems
- Inventory of cloud service providers
- Data backup and recovery policies
- Disaster recovery plans
- Data retention policies
- IT service continuity plans
Equipment:
- Inventory of hardware devices
- Hardware specifications
- Hardware lifecycle management policies and processes
- Hardware utilization metrics
- Hardware documentation
- Inventory of obsolete hardware
Software systems
- Business tools overview
- Review of software architecture
- Inventory of software applications
- Inventory of customer support systems
- Software system documentation
- Software source code and version control documents (if applicable)
- Software configuration documents
- Software development lifecycle documentation (if applicable)
- Software testing and quality assurance reports
- Software maintenance documentation
- Software integration and interoperability documentation
- Software performance metrics and reports
Cybersecurity
Cybersecurity controls:
- Processes
- Standards
- Procedures
- Guidelines
- Incident response plans
- Secure programming principles
Data security measures:
- Intrusion detection and prevention systems
- Network security measures
- Network segmentation
- Firewalls
- User authentication mechanisms
- Role-based access control measures
- Data encryption protocols
- Data loss prevention solutions
- Security information and event management tools
- Data backups
- Equipment security
Compliance and audits:
- Penetration testing reports
- Applicable data privacy and security certificates
- Vendor security audits
- Security compliance audits with auditor correspondence
Contracts and agreements
- Vendor contracts
- Service level agreements (SLAs)
- Software licenses
- Intellectual property (IP) agreements
- Software escrow agreements
- Software maintenance agreements
- Change control agreements
- Data processing agreements
- Non-disclosure agreements (NDAs)
- Outsourcing contracts
4 tips to enhance IT due diligence
- Use professional assistance. PwC has found that acquirers with strong managerial experience or high-quality advisors have 62% higher chances of integrating IT functions successfully.
- Maintain clear lines of communication. An effective communication plan with clear roles and responsibilities and reporting lines ensures successful M&A outcomes (McKinsey).
- Consistently perform cybersecurity checks. Regular cybersecurity tests and incident response planning reduce the total cost of data breaches by $232,000.
- Prepare a virtual data room. Data rooms are the most powerful digital accelerators making due diligence and functional integrations 79% more successful.
Credit: PwC 2023 M&A Integration Survey
What are the best VDRs for IT due diligence?
- iDeals. It’s the best overall provider regarding features, security, and affordability. You can enjoy an unlimited preparation period, eight levels of granular access permissions, automated Q&A workflows, and drill-down activity reports.
- Intralinks. Its data room offers an intuitive user experience, one-click file access withdrawal, and Zoom integration. VDRPro is fully integrated into Intralinks’ M&A solutions, offering high adaptability.
- Venue. It offers powerful data encryption and automatic PII redaction to accelerate document reviews. Venue also offers flexible per-page and auto-renewal plans with instant page count.
Key takeaways
- Acquirers conduct IT due diligence to understand deal values, reduce cybersecurity risks, and gauge technology synergies.
- A technology due diligence checklist centers around IT infrastructure, organization, financials, software systems, and cybersecurity.
- Experienced M&A buyers engage advisors, use data rooms, establish clear communication lines, and conduct cybersecurity tests for successful IT due diligence.