The importance of IT due diligence

January 2022  |  COVER STORY | MERGERS & ACQUISITIONS

Financier Worldwide Magazine

January 2022 Issue

Technology permeates almost every aspect of business today, making IT due diligence a key aspect of conducting M&A. It is essential that prospective buyers have a clear understanding of the technology capabilities and potential liabilities they may be acquiring. This includes building a picture of how IT enables and underpins a business. Today, IT systems are fundamental to the operations and processes of an organisation. They may even comprise its most significant assets – as well as an acute source of risk.

Historically, companies often neglected IT due diligence in M&A transactions, but this is much less common today. Overlooking this aspect can negatively impact post-deal financial results. IT costs and integration timescales may be misunderstood, particularly with respect to post-close integration of IT systems.

That said, certain factors will influence the amount of time and resources an acquirer devotes to IT due diligence. According to Jonathan L. Corsico, a partner at Simpson Thacher & Bartlett LLP, while some acquirers are very focused on IT due diligence, others are not focused at all. “It depends on the nature of the industry at play, the sophistication of the acquirer’s own internal IT function, and the general focus that the acquirer takes to integrating target companies,” he says. “Some acquirers are willing to let target IT systems remain essentially standalone for months or years, while others try to immediately merge them with the acquirer’s systems. There are pros and cons to each approach.”

According to Paige Backman, a partner at Aird & Berlis LLP, although IT due diligence has been a significant part of transactions over the last 20 years, the type of IT due diligence has evolved and is more of a determining factor for value and price of many transactions. “The evolution of IT due diligence reflects the trend of entities using software as a service (SaaS) models of leveraging technologies, generally placing greater reliance on third-party hosts or outsourcing relationships as well as cloud based versus on-premises environments.

“As a result, IT due diligence has evolved to make further inquiries into the contract terms and practices of the third parties that have access to the target entity’s IT systems and data. In addition, with the significant rise in IT breaches, IT due diligence has evolved to include cyber risk assessments as a key element in the due diligence exercise,” she adds.

Objectives

Ultimately, the primary objective of IT due diligence is to determine if there are insurmountable risks which could impact the transaction or post-deal integration process. The process involves truly understanding all facets of the target company’s setup, including an overview of corporate software, the existing IT framework and the nature of valuable data.

IT due diligence ensures buyers arrive at a better, more accurate valuation. Results feed into financial models and risk mitigation strategies. It can be used to determine whether the target has the necessary IT assets, resources and processes to support the combined business in achieving its future strategic objectives. It can uncover performance problems, liabilities and key risks. It can also identify IT opportunities and synergies between the acquirer and target systems, as well as potential investment needs. If analysis indicates a substantial impact on the operating model, for example, this information may be leveraged during negotiations with the seller.

“Conducting thorough IT due diligence is necessary to properly assess the value of the target entity, as well as any potential risks and business efficiencies that could be realised should the transaction close,” says Ms Backman. “IT due diligence should further be used to assess the stage of IT system and security development.

“The interested party should use IT due diligence to determine the target entity’s general policies and approach to IT and IT security systems, whether there are a number of legacy programmes patched together, whether the target entity has modernised its IT systems, what the dependence is on third parties in providing and supporting the IT infrastructure or parts thereof, and whether the IT system is based on-premises or in a cloud,” she adds. Indeed, issues surrounding cloud providers and other third-party hosts are set to become more prominent in IT due diligence, particularly as they relate to risk, and representations and warranties outlined in the accompanying transactional insurance documents.

IT due diligence should examine the foundations of value in a target company to provide a better view of the prospects in a potential deal, as well as possible risks that could undermine it.

IT due diligence can determine what technology the target uses and for what purposes. It can assess whether and how technology is used to create or modify goods or services, increase sales, track inputs and outputs, and manage human resources and performance. “IT due diligence discovers how an organisation processes and uses data to maintain and grow operations, and how the organisation manages workflow,” says Ms Backman.

Against a backdrop of increasing regulations, cyber security and data protection are also key areas of scrutiny, owing to the risks they present. “IT due diligence should be used to assess security strengths and risks of not only the target entity, but any third party that has access to the operations and data of the target entity,” suggests Ms Backman. “Interested parties should use the IT due diligence to understand whether the organisation has experienced a breach or may be vulnerable to one. If a breach has occurred in the target entity, IT due diligence should be used to understand what lessons were learned from the breach and whether the target entity strengthened its systems as a result or whether the vulnerabilities still exist.

“IT due diligence should give the interested party a sense for what would be most vulnerable in the event of a breach of the IT systems, what is at risk to be shut down in the event of a ransomware scenario, and what data would be at risk of being copied or exfiltrated in a breach scenario,” she continues. “As entities rely more heavily on hosted or cloud environments, IT due diligence should determine what third parties have access to systems and data, and what IT security protocols are in place protecting the IT systems and data to which a third party may have access.”

IT can make or break a deal. According to Henningsson and Yetton, 45-65 percent of the expected value creation from acquisitions is directly linked to the success of IT integration. Depending on the nature of the target company, IT can be one of the ‘stealth’ issues that arise post-close, suggests Mr Corsico. “How to handle licences of enterprise level software, such as those from Oracle or Microsoft, how to merge computer networks, how to merge accounting systems, and how to maintain security and robustness, such as not allowing weaknesses in one network to infect the other network, can all generate significant unforeseen headaches,” he says.

In addition, by identifying key problems and risks early, acquirers can consider their options and develop mitigation strategies. “IT due diligence should seek to uncover what is being done well by the target entity, what will need to be addressed in the event the transaction closes, and what efficiencies can potentially be introduced after the transaction is closed,” says Ms Backman.

Conducting IT due diligence

The IT due diligence process should be carried out by people who understand the value drivers in both companies’ technology stacks. They will need to answer key questions. How do the target’s IT governance processes, architecture and budget align with the company’s objectives? Are there technology gaps that will require significant investment to fill? What risks and vulnerabilities exist?

“To undertake thorough due diligence, the interested party should assume that the IT due diligence will be intensive and time consuming, will encompass all operations of the business, will be done methodically, and will be started as early as possible,” suggests Ms Backman. “This means ensuring you have people with appropriate experience ready to take the lead on the IT due diligence. Be prepared to dig into every part of the business’s operations, as it will likely be dependent on IT to some extent.”

The depth and focus of the process should be tailored to the goals of the transaction. The IT due diligence team should start by developing a framework setting out the scope of the due diligence effort, ensuring the target’s IT capabilities are prioritised and adequately assessed, and identifying key areas of risk. A comprehensive checklist is the first step companies should take when creating a roadmap to increase investment value.

“Use a good IT due diligence checklist to keep track of what is being asked and assessed, and what the response and assessments are,” suggests Ms Backman. “In addition, have ‘all hands on deck’ meetings with IT experts from both sides on a regular basis to go over findings, and to confirm context and facts. While emails and electronic communication are helpful to exchange information, they often lack the necessary context and details that are important to make assessments on issues and risks.”

In an M&A context, the chief information officer (CIO) will play a fundamental role in IT due diligence. “The CIO, or any person who is in charge of the IT systems for a business, is fundamental in the selection of IT vendors and suppliers, the licensing and contracting process involving IT, and the IT risk and security framework involving the same – a lot of which occurs years before a transaction is considered,” says Ms Backman. “CIOs are critical in decisions regarding vendor selection. They often conduct their own due diligence on IT vendors and suppliers, contract terms that are negotiated, and the processes and security requirements that mitigate risks.”

Given the huge dependency on IT, the role of the CIO continues to increase in importance. Prior to a deal, the acquirer’s CIO may be charged with mapping the company’s IT infrastructure in detail. Before a target candidate is chosen, the CIO must have explicit knowledge of the company’s own systems and architecture. This knowledge will be used to inform the evaluation of the target company’s IT infrastructure, including the level of compatibility between the two.

To complete a through assessment of the target, the acquirer will need access to certain information via stakeholders and documents. The relevant areas will be determined based on the objectives of the transaction and the primary characteristics of the target’s industry, data, IT setup and IT leadership team, including the CIO. The IT team should work closely with the transaction team to plan, execute and deliver necessary data. Acquirers may also seek to conduct interviews with the target company’s CIO and other individuals responsible for IT projects.

As Mr Corsico points out, one specific area of enquiry which has been an issue for many companies is open-source software – and it is likely to only become even more important in the future. “Hiring a third-party consultant to analyse the target’s source code, looking for open-source components, is always a good idea,” he says. “Once those open-source components are identified, the buyer can then analyse if these components will present any issues in the future.”

On completion of the IT due diligence process, the team will need to provide a summary of key findings and recommendations. The focus areas and recommendations should tie back to the goals of the transaction by identifying areas of potential impact, mitigation options and cost implications.

For its part, the seller can also proactively assist an acquirer’s due diligence efforts, and speed up the transaction process. Prior to the sale, it can identify issues and work toward solutions, enabling both parties to resolve any potential roadblocks. It may also prepare a technical report to provide to the buyer as a first step.

Improving IT due diligence

Going forward, technology solutions such as artificial intelligence (AI) may help to streamline IT due diligence. AI and machine learning (ML) technology are already having an impact, due to their power to filter and extract value from volumes of raw digital information. These technologies can sort through millions of data points in seconds and deliver complete data coverage – well beyond the limits of human capability. Such speed is incredibly beneficial during the M&A process. AI is more efficient, more accurate and able to offer the advantage of foresight, all of which are crucial in due diligence.

By investing in IT due diligence, companies can make faster, informed and value-based decisions that directly impact value creation. The use of AI, ML and similar solutions can improve the process of identifying business and technology risk, such as downtime and other IT issues that may need to be fixed either before or after close.

Of course, there are still drawbacks to relying on AI for due diligence. The technology does have its shortcomings, as well as potential security risks and privilege breaches. But the presence of AI in M&A processes will only grow in the coming years. That said, while it can undoubtedly be useful as a supplementary tool, it cannot replace human advisers entirely.

IT due diligence should examine the foundations of value in a target company to provide a better view of the prospects in a potential deal, as well as possible risks that could undermine it. Given companies’ reliance on technology, IT due diligence should not be overlooked in the M&A process.

© Financier Worldwide

BY

Richard Summerfield

©2001-2024 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.