Mergers and acquisitions deals are incredibly intricate, and in some cases, practically impossible to predict the aftermath of the deal. This can be bad for the parent company because this opens the door to many other uncertainties.
It is also common to find the target company covering up operational details that could possibly devalue the deal, which can provide problems post-acquisition. To prevent such future occurrences, parent companies take audits and investigations seriously so that they can take appropriate measures.
What Is IT Due Diligence in M&A Transactions?
IT due diligence is all the process involved in investigating and reviewing a business corporation to confirm operational facts about its IT performance, reveal hidden security risks and uncover infrastructure investment needs before continuing with the merger or acquisition process.
IT due diligence is not a witch-hunt process. If anything, it aims to ensure better valuation and that all parties partaking in the transaction are in harmony and set up adequate post-merger measures and contingency plans. It is not a one-task thing, but it is a collection of screening processes across the different levels of the company.
Other aspects of the investigation process include reviewing the target company’s technical products, their cycle and roadmaps, and company systems and culture.
Why Conduct Due Diligence?
IT merger due diligence is mostly only considered when an IT infrastructure backs the services offered by the company of interest. However, that distinction is no longer needed as most companies now run on some form of internet connection.
As such, any limitations, liabilities or risks within systems ultimately become bad for business. Some may see this as common knowledge, but many due diligence processes do not consider the IT side of things. With the frequency of hacks happening, the chances of buying into a company that has been hacked are high.
As a consequence, it is essential to evaluate the IT infrastructure health of the target company and assess integration possibilities and problems. This creates a template for seamless post-acquisition operations.
Principles of IT Due Diligence
The underlying principles guiding IT due diligence before, during or after the duration of the M&A process is to ensure transparency or operations — to investigate what is and what isn’t. Any IT due diligence process should be:
These characteristics are required in equal portions, with no one superseding the other. If any of these principles are not considered, the IT due diligence fails to have the attributes of the others. They are all interwoven.
The Elements of IT Due Diligence
Several factors affect the considerations made during a transaction IT due diligence. For example, there’s no need to conduct a product review for a company without a technical product of its own. This makes M&A transactions unique.
Drawing from our experience conducting due diligence in business transactions for companies undergoing mergers and acquisitions, here are the most common elements to investigate both before and after the transaction.
Pre-Transaction IT Due Diligence Checklist
Before you fully commit to a merger or acquisition, you need the confidence that your businesses will be able to merge your technology and operations successfully. With adequate pre-transaction IT due diligence, you can move confidently to finalize the transaction.
- Understanding the current IT strategy and roadmapping
- Capture IT staffing levels and record any gaps
- Benchmark IT operations, including vendor management, support levels and platform
- Define current core software and license status
- Review network and cybersecurity standards
- Inventory physical hardware and infrastructure
- Ensure policies and procedures are up-to-date and being actively followed by key personnel
Each of these steps helps reduce the possibility of surprises once you've completed an M&A transaction. Keeping these guardrails in sight allows both organizations to clearly communicate any potential challenges or opportunities for synergy between the operations of the companies.
While this isn't an exhaustive list, here are a few additional opportunities for deepening your understanding of the target company's technology landscape.
IT Architecture and Culture
A company’s IT systems, practices and culture provide insight into the potential integrity of its servers and databases. This can be as little as analyzing the programming languages, paradigms, APIs, DevSecOPs practices and integrations with third-party software.
An organization's IT architecture exposes the intentions of those running it; it answers the question (if there was any doubt), “Are they built to last?” Hire a team of experts to peruse the architectural documentation to see what works and how they work. This can be the needed proof of the legitimacy or substandardness of their design.
Essential details to investigate are the networking infrastructure, servers and storage, cloud IaaS infrastructure, and endpoint security. Based on the information obtained, you can decide if the business continuity and contingency plans are sufficient for the threat levels expected or if further reinforcement is required.
Even if all these check out, it provides a list of expectations of the potential risks possible based on the technological choices made and their daily practices. It also helps you decide on the most appropriate integration method and redundancies likely present post-acquisition, hence, being cost-effective in the long run.
Review the security and privacy policies, governance model, IT operations expenses review and current management expectations.
Evaluating the cost structure and models of the target company gives you a better grasp of what operations will look like should the deal go through. This is why it is one of the essential elements on the transaction diligence checklist before sealing M&A deals.
It is almost impossible to use proprietary apps and solutions for all your daily tasks; even the largest tech companies in the world utilize third-party solutions. However, using non-proprietary solutions means you are at the mercy of the vendors’ security practices.
Conducting an in-depth IT due diligence report exposes any red flags that may have been hidden within the target company’s codebase, the security, licensing and compliance concerns. Sometimes, the metadata and software dependencies may be sufficient to pinpoint the vulnerabilities where it all goes wrong.
Based on your findings, you can then decide whether the third-party software vendors’ security, regulatory and compliance standards are standard, would like to stick with them or find a replacement.
Product Line and Product Cycle
Understanding the target company’s products, how long it takes to make them (from start to finish) and the strategy to wean their clients off a product if it is discontinued. Accessing these elements accentuates three main things:
- The cost, revenue and profitability of each product line
- How unique a solution compared to the competition
- Product functionality and if there’s room for improvement
Based on this information, you can hypothesize and estimate the company’s value, growth rate and revenue over a timeframe.
IT due diligence can be more nuanced than observing a product’s associated characteristics and the market exit strategy. Because it is all about risk management, you can go further to analyze the possibility and ease of the competition creating a rival product, supply chain and how the market may change in years to come.
The due diligence report from inspecting the acquired’s products will serve as a template for future product releases post-merger — the best rollout strategies to adopt — and the improvements necessary for existing products to become the market’s favorite.
Intellectual Property Protection
Lawsuits can damage any company’s reputation, especially when spearheaded by a rival brand. This is why it is imperative that elements efficiently utilized by the competition to get at you, like intellectual party infringement, should be eliminated.
Intellectual property infringement exists at the intersection between IT and legal due diligence. Some of the requirements necessary to provide evidence to support or oppose the claims of IP infringement are arrived at by technical means.
By creating an inventory of your copyrights, trademarks, patents, codebases, databases and logos, you protect yourself from IP theft and infringement and track the risks of infringing others’ IP. We like to think of it as a two-way authenticator.
IT Workforce and Experience
IT human resources has evolved over the decade with a slow departure from the more traditional full-time workplace model to remote and contract staffing. Remote work models present several points of entry and failures in the overall security framework of the selling company. Plus, it suggests the lack or deviation from the work culture at the prospective parent company.
Assess their skill level and capability for the roles they play and the positions they hold at the firm. Investigate their credentials and certifications and whether there is a need for training programs or further certification.
If they already adopt the contract model and are in partnership with a managed services provider, you may want to find out about their track record and their experience with transitioning and mergers. Alternatively, you may choose to employ full-time experts to fill in the roles at the company and create a more knit culture. The choice is yours.
Ultimately, your actions should be based on the metrics and objective conclusions from the IT due diligence report. The security and health of your organization should come first. Then, you can think of the costs needed to attain optimum protection.
Post-Transaction IT Due Diligence Checklist
Once you've completed the transaction, the focus shifts to ensuring you have the right tools in place to integrate operations between the two companies. This often includes bringing new vendors on board, re-negotiating licenses and a variety of other more operational technology tasks. This checklist is meant to be a thought starter as opposed to a comprehensive list of due diligence points.
- Defining potentials for synergistic operations and a path forward
- Specific technical diagrams, including changes that would need to be made for integration
- Document growth capacity and changes needed to achieve optimal growth patterns
- Describe automation opportunities
- Summary of security challenges and opportunities
These next steps in the post-transaction world allow your team to define key opportunities that wouldn't necessarily impact the financial or business perspective of the transaction but will be helpful in ensuring operations are consistently maintained throughout the process.
Other Elements of an M&A Due Diligence Process
Accounting and Financial Due Diligence
Inspect the historical financial statements (like the balance sheet) of the target company. Pay special attention to the cash flow, debt, expenditures and working capital; go down the rabbit hole if you have to. What has the financial performance been over the years?
The industry and operational scope of the company should, of course, be considered. And to do this properly, employ financial analysts familiar with the sector to spot the red flags and call bogus business transactions quickly.
With a comprehensive analysis, you can determine whether the target company’s business is all smoke mirrors or if the valuation of the potential deal isn’t inflated.
Successful businesses know well enough not to evade tax, but some do anyway — and the selling company may be one of those evaders. You can uncover the shady numbers in the reported income by doing proper tax due diligence. Critically analyze their tax returns to sniff out every hidden financial information possible so you don’t take responsibility for unforeseen liabilities.
ne Digital Can Be the Bridge Between Comprehensive IT Due Diligence and You
The complex world of mergers and acquisitions can be time-consuming, especially when investigating firms with fragile business plans and structures. Even trickier when the target company is a private equity firm. This is why working with industry-specific teams with expertise and experience is crucial.
The security concerns from public WiFis, routers, spyware and phishing emails have worsened despite technological advancement and increased worker sensitization. With a reputable private equity digital services expert like ne Digital, private equity portfolio companies experience seamless mergers and acquisitions.
Contact us today for your seamless mergers and security risk elimination peculiar to acquisitions.