A private equity firm evaluating a target company relies on multiple forms of due diligence: accounting, personnel, clients, and much more. A smoothly running firm requires ongoing checks and balances in each area, with consistent, clear criteria and protocols for verification, correction, and amendments. But many private equity firms do not apply the same degree of meticulous oversight to their information technology (IT) due-diligence processes for a target company, if they have such processes at all. Sometimes they relegate their IT considerations to an outside firm that may not work closely enough with them to maintain healthy practices and protocols.
This article will focus on the principles and best practices for healthy private equity IT due diligence, providing both a private equity due diligence checklist and a private equity due diligence process. Ultimately, private equity due diligence for technology is no different from any other aspect of healthy company operations: it assesses needs, risks, opportunities, and areas for compliance and correction in order to ensure the firm operates smoothly.
What is private equity due diligence?
Private equity due diligence with respect to information technology is a process of assessing the overall information and technology content, standards, and practices of a potential acquisition target.
As IT is a primary indicator of a business's value, as well as being the most resource-sensitive component of the organization, IT due diligence evaluates how a company has built one of its primary strategic functions and what that means for the business's overall value, scalability, and potential for integration or redevelopment.
What are the 3 P’s of due diligence?
The three P’s of due diligence generally include assessments of personnel, processes, and privacy controls.
It is important to review a company’s personnel to ensure that they are operating with appropriate decision-making, industry-specific knowledge and experience, proper expertise, sound judgment, and intimate familiarity with the company’s IT operations.
A critical component of the due diligence process is the detailed review of a manager’s operating and compliance practices and controls, which directly inform IT operation risk.
The protection of a company's client data is a very high priority for operational due diligence. That protection is codified into controls that must be individually assessed for healthy IT due diligence.
These controls include restrictions on employee access to client/customer information; data encryption; data theft resources; controls for remote data access; cybersecurity evaluations for vendors; data and security training; cybersecurity insurance; and so on.
How do private equity firms do due diligence?
Private equity firms do due diligence by answering a variety of detailed questions like those above, but in general, the due diligence process attempts to answer questions that fall under the themes below:
- Can a company’s IT scale successfully and help the company achieve rapid growth?
- Where do additional IT considerations or implementations need to be made?
- What is the overall risk picture for the company’s technology system?
- What are the company’s vulnerabilities to cyber-attacks?
- How have past IT implementations affected the business's performance, either positively or negatively?
What are the big questions an IT due diligence process answers about a company?
In general, the due diligence process examines six key areas of health for a company's IT infrastructure:
- IT strategy and business application: How is IT governed as a strategic component of the business's operations and growth?
- Leadership/staff roles and capacity: Does leadership manage growth and generate significant business progress using their IT processes?
- Business strategy: Does IT directly empower the company's business strategy or serve as a neutral player or hindrance?
- Tech infrastructure, breach recovery, and business stability: Does the company's IT utilize the best practice for each situation?
- Cybersecurity: How does the company's IT safeguard the company's assets and resources?
- Future IT implementations: Does the company's IT anticipate and adjust to upcoming business growth and needs?
What is involved in an IT due diligence checklist?
In general, an IT due diligence checklist for a target company will assess these essential items:
- IT strategy and methods
- Company and department-specific financial details
- C-Suite leadership and staff roles and infrastructure
- Business processes and technology architecture assessment
- Technology infrastructure/applications and service operations
- Disaster/breach recovery protocols
- In-progress and future technology initiatives
- Data-management protocols
- Cybersecurity tools, practices, and standards
IT strategy and methods
Here, a private equity firm will do due diligence by understanding the basic technology components that comprise the organization's infrastructure. What is the nature of the data this technology is utilizing? How is it processing this data, storing it, transmuting it, transmitting it between parties, organizing it for business purposes, safeguarding it, and so on?
Due diligence will look at the standards and features of the technology infrastructure to determine where there might be areas of weakness, manageability, waste, inefficiency, unnecessary duplications, cybersecurity risks, and more.
This element of due diligence is tasked with determining whether the company is acquiring, storing, protecting, analyzing, and utilizing data in a meaningful way that is conducive to sustainable and efficient growth, the ability to integrate with other technology systems, and more.
Company and department-specific financial details
During this element of the process, a firm will assess how the organization is integrating IT spending into its larger budget and priorities.
This will look at the overall proportion and budget for IT, comparing it against baselines established by other companies on a spectrum, and will assess whether there are instances of disproportionate spending, a lack of attention to important categories, and so on.
For example, if a target company shows in its financials that its research and development spending outweighs its customer support spending by a factor of 20 or 25, this is an indication that there is something misaligned in the company's priorities and procedures for spending.
This form of due diligence will also look at a company's spending on IT infrastructure at the department level to understand whether there is cohesiveness and consistency of spending priorities from one department to the next.
C-Suite leadership and staff roles and infrastructure
In this element of the due diligence process, a firm will look at the overall organizational chart and personnel behind a company. It will assess who is leading which departments, their qualifications and experience in leading these departments, their track record, their delegation and assignment processes, how decisions are executed, what controls and processes are put into place, and more.
This due diligence will assess what a company considers important for its IT execution by analyzing how an idea or initiative moves through the company in terms of approvals, evaluations, testing, and so on, and which departments and staff members are integral to the implementation of this idea or initiative in question.
It observes who has authority in the controls process, and who makes decisions in the event of adverse situations such as data loss or breaches. It observes the overall composition of power and authority to look for negative trends such as too much power or authority being concentrated into one individual or one department.
Business processes and technology architecture assessment
Here a private equity firm will look at the interplay between a target company's overall technology architecture and how it contributes to the business execution of the company, from client management to onboarding to payments to customer service, and more.
This due diligence process is looking for areas in which there may be an inefficient usage of funds or resources within the technology architecture that do not immediately and clearly create an efficient business process.
For example, a company might invest a significant amount of money into a new application that may not be functional for 1 to 2 years, devoting a disproportionate amount of human capital and resources to developing this tool, while neglecting an important client management need that is being handled in a subpar way because of outdated technology.
This due diligence looks at the overall composition of the technologies in the target company and asks where there are opportunities to cut certain technological elements, improve others, and so on, so that the business will operate with an optimal proportion of spending and revenue generation, with client maintenance and retention being a primary control.
Technology infrastructure/applications and service operations
Here the due diligence will focus on how precisely the different elements of a company's technology infrastructure work together to execute the terms of a client agreement.
It also looks at how the overall IT processes work together to help the company operate smoothly. If every element combines to make things easier for people, this is a good outcome. If there are elements of the technology infrastructure that create more maintenance work than would exist without them, this is a problem.
Disaster/breach recovery protocols
This element of the due diligence process looks at the controls, protocols, and procedures a company uses when it encounters a data breach or other disaster event.
Has the company encountered a data breach before? If so, what steps did the company take to isolate threats, evaluate vulnerabilities, perform damage control, understand the causes of the breach, implement safeguards and preventive measures, incorporate training and new learning, and fortify its current systems?
Does the company align with leading practices for breaches and data controls? Does it properly educate employees on best personal practices and policies for emails, privacy, and related vulnerabilities?
In-progress and future technology initiatives
Here the due diligence process looks at the company to determine how it is growing and adjusting relative to its industry, competitors, customer trends, and so on. Is the company devoting too much, too little, or just the right amount of attention and resources to future technology and new implementations or modifications to its infrastructure that are appropriate for growth?
Is the company using outdated or inefficient processes, data storage protocols, information processing, and so on? Do its budget and spending reflect a healthy balance of technological maintenance and growth to accommodate customer changes?
Moreover, is the company adopting healthy data policies and controls as it grows and takes on new technology? Is it aligning its cybersecurity protocols with the market and responding to potential threats in a preemptive way with its growing tech infrastructure?
Data-management protocols
Here the due diligence is asking how the company manages, transmits, protects, utilizes, and modifies data to serve the interests of the client and facilitate healthy business growth.
Is customer data collected in an efficient way? How is it used to maintain and manage the customer relationship? What data is generated from the initial customer data, and how does this new data inform processes within the company to generate a meaningful product or service that can scale over time? Are there inefficiencies in how data is acquired, changed, stored, transmitted, and so on?
Cybersecurity tools, practices, and standards
Due diligence will focus on the software, protocols, practices, and safeguards in place for cybersecurity and data loss prevention.
It will look comprehensively at how security protocols are set up; how breaches are prevented; how human error interacts with technology systems, and where vulnerabilities might occur and have occurred; how employee training is managed to help align with best practices for data security; how client data is encrypted, stored, and transmitted safely; and so on.