There’s perhaps no segment of business operations that’s evolving and changing as rapidly as information technology (IT).
As IT impacts nearly every business function, it’s imperative to conduct a thorough due diligence of the target company’s information technology systems and operations to understand what you stand to inherit with your acquisition as well as what you may need to do to address significant gaps and issues that may inhibit future growth.
Many companies overlook IT due diligence, either because they fail to recognize its value, or because the target is relatively small.
Many companies overlook IT due diligence, either because they fail to recognize its value, or because the target is relatively small. However, size alone should not determine whether you conduct IT due diligence. We recommend performing IT due diligence if the target meets any of the following criteria:
- $30M threshold
If the target is a manufacturer, distributor, or service organization with revenues of at least $30 million and for whom technology plays an important aspect of the business (inventory control, traceability, etc.), it merits IT due diligence. At such a size, scalability and technology management create an increased risk and cost for the acquiring firm.
If the target’s core assets or service offerings are technology based, conduct IT due diligence, irrespective of revenues. Custom developed applications for the marketplace can introduce unique risks to an acquiring firm. Ensuring Software Development Lifecycle (SDLC) standards are in place and followed enhances the likelihood of quality solutions
- Regulatory compliance
If the target company operates in an industry that is subject to regulatory compliance (FDA, ITAR, DOT) there are elevated risks if technology solutions are not appropriately deployed. Evaluating current processes and tools will identify potential gaps in the existing transactions and outline potential costs to resolve existing gaps.
- Consumer facing
If the target organization facilitates business to consumer transactions, perform IT due diligence. A company that conducts online sales transactions and handles credit card data, for instance, faces significant compliance risk as well as future scalability concerns as the organization grows.
Three principal considerations
There are three principal considerations associated with your target’s information technology: gaps, risks, and costs. The goal of any comprehensive IT due diligence process should be to identify and assess their impact.
Assess the target for any technology, staffing, or licensing gaps that you may need to address over the next three to five years, with a firm understanding of their underlying costs and potential impact on the business.
Understand the risks related to the IT environment. Are adequate safeguards in place related to employee training and access? Do processes align with best practices, or at a minimum, do they comply with industry standards? Is there existence of custom developed business applications or business solutions that are no longer supported by the vendor? Elevated risks could impact your purchasing decision.
Determine the IT costs, both recurring and non-recurring, over the next five years of a potential hold period. For instance, if the target employs 100 people who each work at an old computer running outdated software, replacing the hardware and software will bear a substantial cost.
Three assessment areas
We recommend reviewing three core elements during the IT due diligence process: business applications, traditional IT components, and IT governance processes.
- Business applications
Business applications help “run” the business and include ERP solutions and business intelligence. Both must be current and fully supported by their software vendor. Beware of companies whose business applications are common (i.e. Excel); despite their ubiquity, they may not provide sufficient visibility into the company’s performance.
Determine whether the applications include the requisite licenses and contracts. Pirated software (copied applications that are in violation of copyright laws) is illegal and non-compliant with licensing requirements. As, such, it presents a significant legal risk to you as well as a steep replacement cost.
Additionally, if there is a goal to assimilate the new target company to an existing portfolio then special consideration will need to be placed in evaluating how redundant applications will be handled. Maintenance of multiple ERP solutions typically increases cost of support staff while reducing efficient reporting capabilities.
- Traditional IT components
Traditional IT applies to a company’s IT infrastructure and includes networks, servers, security, communication software, and staffing. Assess these components to determine if the performance, size, and capabilities are appropriate for the target’s business and its requirements.
Note whether there are elements that need a refresh or capital investment. For those items that require software maintenance patches, analyze their refresh schedule to make sure it’s dependable and that all updates are current.
Review documentation and logging of all hardware, too, including servers, switches/routers, and security devices. Finally, examine the basic IT hardware, especially computers; while a laptop may function for a decade or more, we recommend a refresh cycle of three to five years. Anything older and you should consider its replacement cost in your final valuation.
- IT governance processes
IT governance concerns how the target makes and administers IT decisions. For some, this may include a forward-looking strategy for IT, with a project oversight office that’s in close contact with IT to approve IT funding. Additionally, IT governance controls how the target supports its end users. Some organizations maintain a help desk that manages hardware and software issues of the company’s employees. Review what, if anything, the target has in place, and consider what you may need to contribute to the post-integration entity.