Article
Executive Resource
Insight Hub
Ext. Publication
VideoFifty Ways to Evaluate Technology at a Target Company
Create an account or log in to View Executive Resources and Locked Content.
Log InSign Up
What’s Inside
Although every merger & acquisition (M&A) transaction involves some level of due diligence related to finances, legal issues and customer service, IT and cybersecurity due diligence are often overlooked or discounted.
This is a missed opportunity for the acquiring organization. By gaining a deeper understanding of the people, processes, technology and associated risks of the target company’s information systems, IT due diligence can add to the overall value of the deal by providing valuable data points for transition and integration plans, informing the acquirer of hidden costs or future investments that will have to be made, and ensuring better risk mitigation.
Key Points
Gathering the information needed to understand the target’s technology environment can be challenging. Buyers and sellers need to obtain specific details about a number of different areas:
- Organization and staffing
- Operational procedures
- Infrastructure and end-user devices
- Technical debt (aging hardware and systems)
- Security practices
- Software
- Proprietary tools
- Technology-based products
Weaver’s guide to IT and cybersecurity due diligence provides both some basic process suggestions and an IT Due Diligence checklist that leaders can use to gather the most critical information.
Why it Matters
A thorough IT due diligence process that covers all of the areas included on the downloadable checklist may seem daunting, but it will lessen the risks associated with the transaction and save you significant headaches and surprises once the acquisition is finalized.
View all content.
Sign in or create a free account to view all Executive Resource Center content.
Log In Create AccountAlthough every merger & acquisition (M&A) transaction involves due diligence related to finances, legal issues, and quality of earnings, the issue of IT operations and cybersecurity due diligence is often discounted or overlooked entirely. This perspective is a missed opportunity for the acquiring organization. By gaining a deeper understanding of the people, processes, technology and associated risks of the target company’s technology landscape, IT due diligence can add to the overall value of the deal. It provides valuable data points for transition and integration plans; informs the acquirer of talent needs or redundancy, hidden costs or future investments that will have to be made; and ensures a more transparent risk profile.
Gathering the information needed to understand the target’s technology environment can be difficult due to time constraints, limited access to target personnel, and being uncertain on what information to even request. But the real challenge is evaluating all of the collected data points to identify relevant risks to completing the transaction or integrating and operating the target’s technology footprint post-acquisition.
An effective IT due diligence process accomplishes three things: first, it identifies key integration and/or separation areas that could impact the value or viability of the deal. Second, it evaluates disparate technical components and practices — as well as everything and everyone required to run the technology — in order to uncover hidden threats or operational or security risks. Finally, effective due diligence provides advance planning for integration activities after the acquisition is complete.
These are some of the key questions to ask as part of due diligence:
- Do existing technology solutions meet the current needs of the business?
- Are systems of the target compatible with the systems of the buyer, or will the integration require a high level of manual effort?
- What is the level of complexity associated with a carve-out of technology from a parent company or integration onto current platforms?
- Are there key employees or suppliers of the target that need to be secured as part of the transaction process
- Has the target implemented reasonable cybersecurity practices?
- Have there been any reported security incidents or unaddressed critical security vulnerabilities?
Completing the IT Due Diligence Checklist
The process begins with a comprehensive IT due diligence request list designed to gather details about the target company’s IT environment — whatever side of the transaction you’re on.
Acquiring entities can use this checklist to get started on the IT due diligence effort. This collection of information typically occurs after the signing of a Letter of Intent (LOI) and may also involve discussions with senior level representatives of the target’s IT function. Given the relative short timeframe for the LOI phase of an acquisition, speed is of the essence in gathering and analyzing the requested information. Due to the time constraints, it is important to tailor the list of requested items based on the type of business being targeted for acquisition. The value comes from assessing the information to home in on potentially relevant potential issues and risks.
For an active seller, the list can be used to gather these items quickly for placement into a deal room. Having this information readily available for a prospective buyer can make the due diligence process more efficient and timely, also lessening the burden on the seller’s IT team during what can be stressful time. For a company that is exploring the possibility of being acquired, the information gathered from this request list may help provide insight into the current technology footprint and point to short-term improvements that could help “prep the house” for sale.
Use Weaver’s downloadable IT Due Diligence Request List to help you identify and gather the IT information needed for an M&A transaction.
The checklist is designed to elicit specific details about these broad categories:
Organization and Staffing
- Size of the IT/technology organization
- Critical roles within the IT/technology organization
- Unique skills possessed by limited number of staff
Operation Procedures
- Existence of security and technology related policies, standards and procedures
- Use and dependency of third-party service providers within IT operations
- End-user support model
Infrastructure (Servers, Network and Storage) and End-User Devices
- Hosting locations (on-premises, co-located, cloud)
- Vulnerability and patch management activities
- Use of high-availability architecture for critical systems
- Existence and testing of disaster recovery plans
Technical Debt
- Aging hardware
- Out-of-support operating systems
- Out-of-support application and database versions
Security Practices
- Monitoring and logging capabilities
- Execution of vulnerability scanning and penetration testing activities
- Deployment of end-point protection solutions
- Incident management plans
Software Used to Manage and Enable Business Operations
- Back-office systems (general ledger, human resources, timekeeping, payroll)
- Supply chain/inventory management
- Communication and collaboration
- Operational Technology (OT) solutions (e.g. SCADA / ICS)
Proprietary or Unique Tools or Solutions
- Internally developed or custom applications
- Applications written in obscure or little-used languages
Technology-Based Products
- Existence of software or other tech solutions provided to customers
- Use of open source code in those solutions
- Product management and development methodologies
- Roadmaps
- Feature backlog
- Known bugs, issues
- Secure coding practices
- Quality assurance and testing procedures
Once the document request lists are completed, the information can be used to identify and evaluate the impact on the target’s value, as well as potential issues with any existing long-term IT service contracts or transferability of software licenses. It will also help pinpoint significant risks to address post-acquisition and potential impacts to the planned integration approach. It will enable you to identify key IT staff members and/or partners to secure during the acquisition.
A thorough IT due diligence process that covers all of the areas included on the downloadable checklist may seem daunting, but it will lessen the risks associated with the transaction and save you significant headaches and surprises once the acquisition is finalized.
Need help navigating the complexities of an M&A process? Weaver’s IT Advisory Services professionals can help. See our website at weaver.com or contact us for a complimentary consultation.
©2022