Recent statistics reveal that between July and September 2021, there were over 1,000 mergers and acquisitions (M&A) deals in the technology services sector in the United States. The combined total number of M&A deals across industries including finance, commercial services, and manufacturing reached 4,789 in that period. Performing IT due diligence before an M&A is a critical step toward better risk mitigation, a more accurate valuation, and sounder financial modeling. The primary objective of an IT due diligence process is to find out whether there are material risks that could affect the transaction or the post-transaction integration.
This blog discusses the basics of IT due diligence during mergers and acquisitions.
What Is IT Due Diligence?
IT due diligence or technical due diligence in M&A is the in-depth analysis and auditing of an organization’s technological infrastructure, architecture, and processes with a focus on a security assessment. IT due diligence could include a review of:
- How the organization manages and protects sensitive data
- Security testing
- Software licensing
- Open source components
- Technical risks and more
Who Performs IT Due Diligence in Mergers and Acquisitions?
Although IT due diligence is usually thought of as the buyer's job, the company being acquired should also perform its own. It is often cited that around half of all M&A deals fail because of issues that surface during due diligence. If the seller performs due diligence first, typical issues can be identified and fixed before the buyer gets involved. Seller-side due diligence also tends to support a higher valuation for the seller and a faster, more streamlined process for the buyer.
The Benefits of IT Due Diligence to the Buyer
For the buyer, technology due diligence is critical to entering an M&A deal with confidence. It gives the buyer a comprehensive understanding of the target company's IT capabilities, technology assets, data protection strategies, and overall cybersecurity measures. It also helps the buyer identify significant current and future risks that could affect operations after the deal, such as legacy systems that are hard to integrate or costly to secure.
IT Due Diligence Checklist
An IT due diligence checklist provides an organized way to analyze the IT components of a company you are acquiring through a sale or merger. It ensures no area is overlooked during the audit, and it surfaces critical items such as obligations, liabilities, and problematic contracts. You can broadly divide your checklist into two parts: IT security, and IT environment and administration.
IT Due Diligence Security Checklist
This part of the checklist targets the technology and security posture of the company you are reviewing. It should include:
Description of Any Past Cyberattacks/Intrusions
Determine whether the company you wish to acquire has experienced cyberattacks or intrusions in the past. For each event, establish its impact on the company, including any loss or exposure of confidential information, the root cause, how it was detected, how it was remediated, and whether it triggered regulatory or customer notification obligations. This helps you identify weaknesses that may still be unresolved and understand the specific cybersecurity risks the company faces.
A Detailed Summary of Critical Security Policies
Your next step is to assess the company's essential security policies. These matter because cyberattacks and data breaches are costly. Specifically, find out whether there is a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) in place. An SSP documents how the organization meets its security requirements, while a POA&M documents how it plans to address known weaknesses, with owners and target dates. Also confirm that these documents are up to date and that the planned actions are actually being carried out, not merely recorded.
Security Gap Analysis
Assess the company for security gaps, including the resolution or timeframe to resolve each issue identified. Useful inputs include external penetration tests and vulnerability scans of internet-facing assets, reviewed against the company's own remediation records to see whether findings actually get closed. You should also test the company's backup and recovery readiness: a backup that has never been restored is not a proven backup.
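Restore readiness is something you can verify directly rather than take on faith. The following Python script is an added example written for this article, not a tool from the original post or from any vendor: it backs up a constructed set of files together with a SHA-256 manifest, restores the archive into a scratch directory and checks every file against the manifest, and then repeats the drill against a backup in which one file was silently corrupted and another dropped. The file names and contents are invented for the demonstration.

```python
"""Backup restore drill: build a backup with a SHA-256 manifest, restore it to a
scratch directory and verify every file.  Added example for this article, not a
tool from the original post; the files it backs up are constructed inline."""
import hashlib
import os
import tarfile
import tempfile

# Constructed sample data standing in for a small application's backup set.
SAMPLE_FILES = {
    "config/app.yaml": b"db_host: db.internal\nlog_level: info\n",
    "db/customers.csv": b"id,name\n1,Jane Doe\n2,John Roe\n",
    "logs/app.log": b"2021-09-01T10:00:00Z INFO service started\n",
}


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir: str, archive_path: str) -> dict:
    """Archive every file under src_dir; return {relative path: sha256} captured at backup time."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    return manifest


def safe_extract(tar: tarfile.TarFile, dest: str) -> None:
    """Extract only regular files with relative, traversal-free names (a backup archive is untrusted input)."""
    for member in tar.getmembers():
        if not member.isfile() or os.path.isabs(member.name) or ".." in member.name.split("/"):
            raise ValueError(f"refusing unsafe archive member: {member.name!r}")
        tar.extract(member, dest)


def restore_drill(archive_path: str, manifest: dict) -> dict:
    """Restore to a fresh directory and compare against the manifest taken at backup time."""
    result = {"verified": [], "missing": [], "corrupted": [], "unexpected": []}
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive_path, "r:gz") as tar:
            safe_extract(tar, restore_dir)
        restored = {}
        for root, _dirs, files in os.walk(restore_dir):
            for name in files:
                full = os.path.join(root, name)
                restored[os.path.relpath(full, restore_dir).replace(os.sep, "/")] = sha256_file(full)
    for rel, expected in sorted(manifest.items()):
        if rel not in restored:
            result["missing"].append(rel)
        elif restored[rel] != expected:
            result["corrupted"].append(rel)
        else:
            result["verified"].append(rel)
    result["unexpected"] = sorted(set(restored) - set(manifest))
    result["ok"] = not (result["missing"] or result["corrupted"] or result["unexpected"])
    return result


def run_drill(tamper: bool = False) -> dict:
    """End-to-end drill on the constructed data; tamper=True simulates silent corruption and a lost file."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "src")
        for rel, data in SAMPLE_FILES.items():
            path = os.path.join(src, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        archive = os.path.join(work, "backup.tgz")
        manifest = make_backup(src, archive)
        if tamper:
            # Re-create the archive after one file changed and another disappeared, then verify
            # against the original manifest: this is exactly what an honest drill must catch.
            with open(os.path.join(src, "db", "customers.csv"), "ab") as f:
                f.write(b"\x00")
            os.remove(os.path.join(src, "logs", "app.log"))
            make_backup(src, archive)
        return restore_drill(archive, manifest)


if __name__ == "__main__":
    for label, tamper in (("clean backup", False), ("tampered backup", True)):
        r = run_drill(tamper)
        print(f"{label}: ok={r['ok']} verified={len(r['verified'])} "
              f"missing={r['missing']} corrupted={r['corrupted']}")
```

In a real drill you would point make_backup at the seller's backup source, or take their archive and its manifest, and run restore_drill against it on hardware that is not the production host. The traversal check in safe_extract is there because an archive produced by someone else's tooling is untrusted input; a crafted member name such as `../etc/cron.d/job` would otherwise be written outside the restore directory.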
Assess Business Continuity and Disaster Recovery Policies
Analyze the organization's existing business continuity and disaster recovery (BCDR) policies and procedures. An effective plan prepares the organization for potentially disruptive cybersecurity or real-world events and minimizes their impact so that business operations continue with little or no disruption. Check when the plan was last exercised and whether its stated recovery time and recovery point objectives were actually met in that exercise.
Determine Data Privacy Policies and Procedures
Data privacy policies are crucial for compliance with privacy legislation such as HIPAA, GDPR, and CCPA, as well as sector rules such as those FINRA imposes on broker-dealers. A privacy policy details what personal data the company collects from customers, website visitors, and employees, how that data is used and shared, how long it is retained, and how individuals can exercise their rights over it.
Assess Sensitive Data Protection
Review how the organization protects sensitive information in its environment, including personally identifiable information (PII), protected health information (PHI), and controlled unclassified information (CUI). Establish where each class of data is stored, who can access it, and whether it is encrypted at rest and in transit.
Determine the Data Governance Policies and Procedures
Data governance is an information management discipline covering data availability, usability, consistency, integrity, and security. The ideal data governance policy outlines how the organization processes and manages data so that it remains accurate, accessible, consistent, and adequately protected from malicious actors. Find out which data loss prevention (DLP) tools and policies the organization uses to enforce these policies, and whether its data has actually been classified, since DLP rules are only as good as the classification behind them.
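The two preceding items, sensitive data protection and data governance, both start with the same practical question: does the company actually know where its PII lives? The following Python scanner is an added example for this article, not the author's or any DLP vendor's tool. It runs over a constructed customer export (all names and values are fictitious), finds Social Security numbers, payment card numbers and e-mail addresses, uses the Luhn checksum and SSA issuance rules to drop the look-alikes that plague regex-only detection, and records only masked values so the scan itself does not create a new copy of the data.

```python
"""Sensitive-data discovery over a text export (PII hunting for a DLP baseline).
Added example for this article, not the article's or any vendor's tool; the export
below is constructed for the demo and every name in it is fictitious."""
import re
from collections import Counter

# Constructed sample: a customer export as it might sit on a file share or in a DB dump.
SAMPLE_EXPORT = """id,name,email,notes
1,Jane Doe,jane.doe@example.com,"SSN 123-45-6789 on file"
2,John Roe,john.roe@example.org,"card 4111 1111 1111 1111 exp 12/27"
3,Pat Lee,pat@example.net,"ref 1234 5678 9012 3456 is an order id, not a card"
4,Sam Ng,sam.ng@example.com,"MRN 000-00-0000 is not a valid SSN"
"""

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")       # 13-19 digits, optional space/dash separators
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """The SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def scan_text(text: str) -> list:
    """Return findings as dicts {line, kind, masked}; raw values are never stored."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            area, group, serial = m.groups()
            if ssn_plausible(area, group, serial):
                findings.append({"line": lineno, "kind": "ssn", "masked": f"***-**-{serial}"})
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append({"line": lineno, "kind": "card",
                                 "masked": "*" * (len(digits) - 4) + digits[-4:]})
        for m in EMAIL_RE.finditer(line):
            local, domain = m.group(0).split("@", 1)
            findings.append({"line": lineno, "kind": "email",
                             "masked": f"{local[0]}***@{domain}"})
    return findings


def summarize(findings: list) -> dict:
    """Count findings by kind; this is the figure a due-diligence report would cite."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    hits = scan_text(SAMPLE_EXPORT)
    for h in hits:
        print(f"line {h['line']:>3}  {h['kind']:<5}  {h['masked']}")
    print("summary:", summarize(hits))
```

On the sample export the order reference on line 4 and the placeholder on line 5 are both rejected, which is the point: a count of regex hits alone overstates exposure, and the seller's own DLP tooling should be judged on whether it applies the same kind of validation. In a real engagement you would run scan_text over exports, file shares and mailbox dumps and compare the result with the data inventory the company claims to maintain.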
Assess the Legacy Systems
Inventory the out-of-date and end-of-life software and hardware in the organization's legacy systems. Legacy systems typically no longer receive security patches and often cannot run modern controls such as endpoint agents, current TLS versions, or multi-factor authentication, which leaves them weaker than the rest of the environment. Find out why each legacy system is still in use, which business processes depend on it, what compensating controls (such as network segmentation) surround it, and to what extent it is worth maintaining.
Examine Threat Monitoring Techniques
Examine the threat monitoring methods and tools the company uses in its IT environment. Effective monitoring gives the IT or security team visibility into the network and into the actions of the users and devices on it. Also establish who actually watches the alerts, how quickly they respond, and how long logs are retained, since a tool nobody reads provides no protection.
Evaluate Endpoint Protections
Create a summary of all endpoint protections, including threat monitoring, anti-malware, mobile device management, and data loss prevention policies and tools. Evaluate each to determine how robust it is and, just as important, how completely it is deployed: an agent that is licensed but not installed everywhere protects only the machines it is on.
Assess the Mobile Device and Mobile Application Security Policies and Tools
Mobile device management (MDM) policies are crucial in preventing mobile device security threats and data breaches. Assess the company's mobile device and mobile application security policies and tools. The ideal policy establishes clear rules for how mobile devices are used and secured within the organization, including enrollment, device encryption, remote wipe, and what corporate data may reside on personally owned devices.
IT Due Diligence Environment and Administration Checklist
When performing due diligence on the IT environment, take into consideration the following factors:
Summary of Critical IT Resources (Hardware/Software/People)
Assess all the critical IT resources the company owns, including:
- Hardware: Determine what hardware the company has, who owns it, and what it is worth. Record all hardware, including desktops, laptops, mobile and desk phones, servers, storage devices, and network equipment, with the model number, manufacturer, current value, and whether each item is owned by the company or leased.
- Software: Inventory the software the company relies on, including security systems, CRM systems, anti-virus software, data management software, hosting platforms, payroll software, and databases, and collect the agreements attached to it: licenses, SLAs, and outsourced software development agreements.
- IT support staff: Find out how many staff provide technical support and their specific roles and responsibilities. This will help you determine whether you need to recruit additional IT support or downsize the team. Also review staff training programs, intellectual property agreements with staff, and the list of employees with access to source code and production systems.
Overview of Customer/Client-Facing Systems, Including Associated Costs
Gather information on the company’s customer support systems to understand how the company utilizes IT to interact with its customers. Some crucial areas to assess when it comes to customers include:
- How customers access technical support
- The technical support offered to customers
- How new customers are integrated into the IT system
- Common questions that customers ask
Policies and Practices for Purchasing and Maintaining Software
Find out the standard methods and procedures the company uses to purchase software from vendors. A good purchasing and maintenance policy removes ambiguity around buying products and services, and it should also cover how software is patched, renewed, and retired.
Assess Vendor Contracts
Vendor contracts establish the business relationship between third-party IT service providers and the company. Find out the existing agreements, including support, services, upgrades, and their expiration dates, and note any change-of-control clauses that the acquisition itself could trigger. Additionally, compile a list of all third-party IT contractors and consultants and the annual costs associated with hardware upkeep, including refreshes and upgrades.
Assess Automation Technologies
Assess the company's technologies for performing repetitive tasks, including business process management (BPM) and robotic process automation (RPA). Establish whether these technologies are up to date and whether they meet your business needs. Additionally, calculate the return on investment (ROI) that the automation tools bring to the organization.
How Long Does an IT Due Diligence Process Take?
The duration of IT due diligence largely depends on your goals. Generally, expect the process to last for between 1 and 2 months. This duration allows your team to complete a comprehensive evaluation of the business, including its technical aspects. To avoid unnecessary delays in this process, ensure adequate preparation, including acquiring the right tools and skills beforehand.
Get Professional Help to Conduct IT Due Diligence
IT due diligence when merging or taking over another company is crucial for a smooth transition period. Although this process is long and tedious, it is vital that it is not rushed. Being as thorough as possible saves you headaches later on by ensuring all potential issues are highlighted and fixed before an M&A deal is sealed. If you have further questions or need help with your IT due diligence process, contact Agile IT. We offer reliable and high-quality managed IT services to businesses and organizations customized to meet the needs of your business. Whether you need Microsoft cloud migrations, identity modernization and management services, cloud security and compliance, desktop support, and more, Agile IT has got you. Contact us today to learn more about our services.