IT due diligence

What is IT due diligence and why should you conduct it?

18 September 2020

An introduction to IT due diligence

An IT due diligence, which is an assessment performed on any company with a business that is supported or sometimes enabled by IT/digital capabilities, seeks to uncover performance, liabilities, key risks and opportunities as well as potential investment needs associated with the target company’s IT organisation and IT engine.

The aim is to ensure better valuation, risk mitigation as well as understanding of whether the target’s IT has what it takes to support the business in achieving its (future) strategic objectives.

What is IT due diligence and why should you conduct it?


It can be a challenge to get a clear and comprehensive understanding of the risks and opportunities related to the target’s IT organisation and IT platform prior to a merger or acquisition.

To ensure better valuation and risk mitigation and to determine whether IT has the necessary assets, resources and processes to support the business in achieving its future strategic objectives, it is essential to perform an IT due diligence.

An IT due diligence should therefore aim to uncover performance, liabilities, key risks and opportunities as well as potential investment needs.

Thus, an IT due diligence is the process of reviewing and evaluating the target’s IT strategy, IT architecture, application portfolio, infrastructure, IT procedures and security, IT organisation and IT financials.


IT and business are becoming increasingly intertwined, making it difficult to succeed with one without succeeding with the other.

Now more than ever, companies depend on IT to support business operations, manage transactions and enable new business opportunities.

Nevertheless, many due diligence projects still lack the required emphasis on IT – this despite the fact that 45-65%* of the expected value creation from acquisitions is directly linked to the success of IT integration.

Hence, it is a necessity to have an adequate focus on due diligence to uncover any potential risks and synergies in IT and prevent any hiccups in the transaction or during a potential integration later.


To derive relevant and valuable insights from an IT due diligence, it is essential to get access to certain information via key stakeholders and documents. The IT areas that need to be emphasised will be determined based on objectives of the transaction and the primary characteristics valid for the target’s industry.

  • It requires access to the target’s data, IT setup and IT leadership team, including the CIO.
  • Normally, the IT due diligence would take 2-3 weeks, given that the target has the capacity to provide necessary information in that time frame.
  • In order to conduct an IT due diligence, a combination of deep technical expertise and industry knowledge is required.

Implement’s IT due diligence framework revolves around seven key areas with four supporting elements


  • The IT due diligence framework used consists of seven primary domains (centre) and four supporting domains (sides).
  • The primary domains reflect a subset of a company’s IT ability to support the daily business operations.
  • The supporting or secondary domains provide the boundaries and guidelines for the primary domains.

Figure 1: IT due diligence framework

IT strategy

An assessment of how well the IT strategy and roadmap align with the business aspiration and strategic objectives.

Key questions

  1. How do the target’s IT strategy and governance align with the overall business strategy?
  2. How does the target leverage emerging technologies, and what capabilities do they currently have to succeed with this?
  3. What are the required and planned investments in IT going forward, and how does that align with the overall IT roadmap?

Data sources

  • Interview with CIO and management team.
  • Internal documentation, e.g. IT strategy, IT governance, roadmap and business strategic initiatives.

Analyses - example

IT strategy and governance

  • What is the target’s current IT strategy?
  • How does the strategy align with the business priorities and ambition?
  • How does IT govern critical assets, resources and activities to ensure continuous alignment and maximise business value?

IT/digital focus

  • How are IT/digital capabilities used in the context of the target’s business?
  • Where does IT play a key role in supporting value creation?
  • What is the focus and relation to new technologies?

IT strategic roadmap

  • What strategic IT initiatives are planned going forward?
  • What is the focus and relation to new technologies?
  • How is the IT roadmap aligned with the business strategy?

Strategic IT/digital capabilities

  • What are the required capabilities to deliver on the strategy?
  • Are the IT capabilities developed according to the IT and business strategy?
  • What areas will the target invest in going forward to ensure IT is fit for the future?

Project portfolio management

An assessment of how well the IT project portfolio is executed (including health check) and aligned with the overall strategy.

Key questions

  1. How does the target’s IT project portfolio align with the overall business and IT strategy?
  2. What governing mechanisms exist to support effective portfolio management?
  3. How are business demands managed and how well are they translated into solutions?
  4. What is the state of health of the project portfolio (KPI perspective) and how efficient and effective is the target at executing the project?

Data sources

  • Interview with CIO and person responsible for IT project and portfolio as well as managers from line of business.
  • Documentation of IT and business portfolio, business cases and IT project reporting, methodologies and governance.

Analyses - example

Project portfolio management

  • What does the current project portfolio consist of and how well does it align with the strategy?
  • What governing mechanisms are put in place to ensure prioritisation and continuous alignment (e.g. strategy board meetings, portfolio meetings etc.) towards strategic objectives?
  • What governing mechanisms are put in place to manage progress, resources, budget and risks?

Managing the business expectations

  • What functions, processes and tools are in place to manage business requirements?
  • How does IT engage with business to co-drive requirement specifications?
  • How has IT performed in the latest corporate/customer satisfaction survey?

Project portfolio execution and health

  • What capability and capacity does the target possess to execute both tech-oriented and business-oriented projects?
  • Does the target follow any best practice methodology or framework for project management?
  • At what pace and with what degree of agility is the target able to execute the project (launching prototypes/MVPs)?
  • How are the ongoing projects performing (cost, time, scope, resources) compared to initial business case?
  • How does the target follow up on benefit realisation after project delivery?

Architecture and applications

An assessment of the health of the application portfolio and the underlying architecture.

Key questions

  1. What are the core business applications and services, and how are they maintained?
  2. What supporting applications are in place, and how are they maintained?
  3. How is the IT architecture structured, and how does it support scalability, performance and roadmap?
  4. How do the IT architecture and applications affect business outlook and risks?

Data sources

  • Interviews with CIO/CTO, Head of IT Architecture, Head of Development and Head of IT Operations.
  • Internal documentation, e.g. application landscape and AL-state, license and contractual agreements, development processes, architecture and integrations.

Analyses - example

Application landscape

  • What are the core applications, critical data and integrations that support the business?
  • Which applications are developed in-house or outsourced, and which are planned for migration?
  • What is the level of customisation vs standardisation?
  • What is the license/contractual agreement?

Application portfolio assessment

  • What is the technical fitness and strategic fit of the core applications?
  • What is the operational cost per application, and are any updates/replacements planned?
  • Which applications are reaching end of life and can pose a risk to the business operations?
  • Source code inspection.

IT architecture and tech stack

  • What key components does the architectural layer consist of, and are there any risks, vulnerabilities or technical debt?
  • How scalable and adaptable is the architecture to allow for new features and adoption of new tech?
  • How does the target develop and maintain the IT architecture?


  • What are the outgoing and ingoing integrations of the core applications and IT services?
  • Which external integrations are business critical, and do some of them pose a business risk?

IT infrastructure and operations

An assessment of the IT infrastructure and how well it supports current operational demands as well as future initiatives and expansions.

Key questions

  1. What is the general state of the IT infrastructure (servers, cloud etc.)?
  2. How well do IT operations support the current purpose?
  3. How well is the IT infrastructure suited for future initiatives?
  4. How much legacy is in place that will have to be replaced in the short/medium/long term?

Data sources

  • Interviews with CIO/CTO, Head of IT architecture and Head of IT Operations.
  • Internal documentation, e.g. tech stack, servers and network, service desk procedure, log from service desk on number and severity of incidents/problems.

IT infrastructure and cloud feasibility assessment

  • How and where are systems hosted? Is the target relying on physical servers or cloud services?
  • Are there relevant current or planned regulations that will have to be considered?
  • If necessary, how easy would it be to migrate data?
  • Are there any single points of failure, and what are the planned mitigations?
  • How well does the infrastructure support scalability and integrations of new services/applications?
  • What is the overall health of the IT infrastructure?
  • Is there any ongoing follow-up on system performance and key IT operations and support metrics?
  • What is the central vs local IT footprint (tasks, responsibilities, staff, type of site etc.)?
  • What standards and methodologies does the target's IT use to deploy new solutions and maintain these during their life-cycle?
  • What is the level of in-house vs. outsourced support?
  • What does the latest service desk log show regarding recorded incidents for core applications?

IT procedures and security

An assessment of the maturity level of the security and how well IT can withstand unintentional loss of information.

Key questions

  1. What IT documentation is in place, available and of good quality?
  2. What are the security procedures and processes (e.g. disaster recovery, penetration tests, OSS scans etc.)?
  3. What security standards have been implemented?
  4. How well are data and risks protected and managed?

Data sources

  • Interview with CIO and person responsible for risk and IT security.
  • Internal documentation, e.g. IT security policy and governance, risk assessments, data management processes and service management processes.
  • External reports, e.g. IT audits.

Analyses - example

IT security

  • What is the level of detail of IT documentation?
  • Is the IT documentation available to necessary people?
  • Are penetration tests done?
  • Is SCA/OSS scanning performed?
  • Is real-time monitoring available?
  • What security standards has the target implemented?
  • What is the overall maturity level of the IT security?

IT procedures

  • What are the procedures for handling personal data? Are they GDPR compliant at all levels?
  • Who has access to backups and production environment?
  • What is the incident response plan?
  • What disaster recovery procedures are in place?
  • What is the procedure/cadence for backups/readbacks?
  • What is the procedure of MDM to ensure high data quality?
  • Does the target perform a yearly IT audit, and in that case, what were the key findings?

People and organisation

An assessment of the organisational structure and resources and how well they support the business operations.

Key questions

  1. What does the organisational structure look like? Is the organisation formed in a way that is suitable for supporting business operations and growth (e.g. agile teams etc.)?
  2. What resources and competencies are required to support the business?
  3. Which employees are critical to the operations of the target (i.e. key man risk)?
  4. What is the target’s IT-HR situation and strategy (e.g. recruitment etc.)?

Data sources

  • Interview with CIO.
  • Internal documentation, e.g. IT capabilities and competencies as well as employee management processes, organisational chart and headcount.

Analyses - example

Key IT-HR metrics

  • What is the IT employee churn rate?
  • What percentage of employees are functional vs technical workers?

IT organisational structure

  • What does the organisational setup look like?
  • Does the IT setup support bimodal operations?
  • Are teams organised in a way that e.g. supports agile development or DevOps?

Key competencies

  • What is the plan for development of key IT capabilities and competencies?
  • Is there an annual development cycle for each IT employee?

Key man risk

  • How many employees are critical to operations?
  • How easily could critical employees be replaced?

IT financials

Are past and planned IT expenditures in line with the IT strategy and business aspiration?

Key questions

  1. Are past IT expenditures in line with planned investments?
  2. Do planned IT investments align with the strategic aspiration and roadmap?
  3. What estimated OPEX and CAPEX are needed to support the IT strategy?
  4. Does IT spend align with the expected level within the industry?

Data sources

  • Interviews with CIO and CFO.
  • Internal documentation: IT spending.
  • External market research, e.g. benchmark against industry peers.

Analyses - example

IT financial assessment

  • How are IT costs allocated, monitored and controlled?
  • What is the current and forecasted OPEX/CAPEX level?
  • In what areas does the target plan to invest going forward?
  • How has OPEX/CAPEX developed over time?
  • Is there any planned decommissioning of legacy technology leading to cost savings?
  • What are the planned investments to replace existing technology?

IT due diligence at Implement

A typical IT due diligence at Implement takes approximately 2-3 weeks. The approach is hypothesis-driven with intense focus on data collection and validation through desk research and interviews with target and industry experts.

A core team experienced in performing IT due diligence is complemented by consultants with M&A or industry experience, and subject matter experts on the target industry are consulted as well.

IT due diligence project plan (2-3 weeks)


In the first phase, we focus on building the right foundation, i.e. mobilising the right resources and identifying key focus areas and hypotheses.

Following this, we conduct a series of data collection activities. During this process, we test and validate key assumptions – which the chosen hypotheses are based on – and develop the actual report. In the final phase, we refine the report based on new insights.

"Since IT due diligence is very often severely constrained in terms of time and access to acquisition target personnel, it is often beneficial to articulate a number of critical IT hypotheses to test early and then broaden the capability overview to extend coverage as time and resources permit." - Implement, M&A with Impact, 2018

High-level sample plan

IT due diligence summary report

The IT due diligence report shows the key findings of the investigated areas and main conclusions.

Example of an IT due diligence summary report
