In a fast-paced deal environment it is imperative that all acquirers—including private equity firms and corporate acquirers—complete the right due diligence program. Traditionally this entailed a review of the company’s financials, taxes, operations and legal standing. However, with technology becoming such a central component of company operations, another layer of due diligence is needed: IT and cyber due diligence.

While every deal is unique, each should incorporate some level of IT due diligence. It’s important to note that this is not relegated to certain industries. Across all industry verticals technology is both an enabler of top-line growth and bottom-line savings, as well as a first line of defense for security and privacy concerns.

“It’s like buying a house. You wouldn’t buy a house without an inspection, unless it’s a complete tear down,” says Craig Coffaro, director, Transaction Advisory Service, RSM US. “There are two main things the inspector is looking for: risks and exposure. It’s the same with IT due diligence. We want to identify those risks and areas for improvement to calculate the investment needed to mitigate those issues.”

For a smaller middle-market company, this doesn’t have to be a drawn-out, expensive process. A diligence assessment takes 1.5 to 2 weeks from start to finish. And it can generate an outsized return by mitigating operational risks and identifying investments needed to achieve the revenue objectives identified in the investment thesis.

For IT due diligence to be effective it’s imperative to have a solid understanding of the buyer’s investment thesis. “This is absolutely critical because it becomes the north star for the recommendations we make. For example, if the investment thesis is to increase revenues by 2-3x over the hold period, our recommendations need to directly support that,” says Coffaro.

Coffaro goes on to say that adding ‘best-in-class’ technology for technology’s sake is never the answer. “In fact, that often makes the issues worse. You need to have a balanced approach and to spend money where it makes sense and will drive value. The question becomes what is going to drive value?” says Coffaro.

IT due diligence should evaluate the integrity, fit and viability of business applications, infrastructure and IT organization, strategy and internal controls. Some areas, like the viability of the company’s IT organization, strategy and internal controls, may be fine. Others, like the fit of business applications, may need to be dealt with in the next year or so but aren’t priorities. And some, like the integrity of the infrastructure, may require an immediate investment. By organizing the results of IT due diligence in this way, firms can make the necessary short- and long-term plans and prioritize appropriately.

It’s important for buyers to understand the following:

· What systems does the company have in place?

· Can systems support 2-3x growth?

· Are the core systems stable, supportable, and scalable?

· Is there deferred CapEx or OpEx?

· Is the IT leader the right person for the future growth needs?

· Does the ecommerce system have the right functionality?

· Is the technology team well-sized and appropriately skilled?

· Is there an opportunity to use IT to reduce operating costs?

· Are there cost-takeout opportunities in systems or staff?

· Does the ERP enable efficient operations?

Uncovering useful data: Another benefit of IT due diligence

IT due diligence does not only help buyers understand the company’s technology platform, but can also provide insight into a company’s data. Estimates say that the volume of data companies produce today doubles every two years. Some companies do not even realize the data they are collecting is meaningful. Applied in the right way, this data can provide a deeper understanding of a company’s historical performance and enable better forecasting by identifying trends in their customer base and the market. This can add tremendous value at any company. IT due diligence helps an organization understand what data they are collecting and how they are using it. This analysis and review allows an IT due diligence provider to offer up any potential inefficiencies or gaps observed.

Without a pre-close understanding of IT capabilities, a 100-day improvement plan may take a year or fail to be achieved at all because of all the IT issues that have to be addressed. Moreover, before the right systems are in place, management won’t be able to generate meaningful reporting to make informed business decisions to grow revenue, making an efficient and effective IT improvement plan a critical element of success.

Smart investors and company owners know IT due diligence is critical to minimize costly and debilitating front-office and back-office technology risks, but also is vital to ensure total transaction growth realization and deal synergy achievement.
Module