IT services are rapidly moving to the cloud. Assets on the balance sheet are turning into subscriptions. Ransomware has executive-level attention. Data breaches cost companies millions in fines, customer retention and hidden costs.
If technology is changing rapidly, IT Due Diligence should too
Unless the acquisition concerns a technology company, IT Due Diligence usually does not play a major role. IT is complex and the integration can be dealt with after the deal. But because the future of non-tech companies also relies on digitisation, and because information security and privacy can no longer be ignored, they must be included in the Due Diligence process. IT Due Diligence should focus on assessing the technology backlog in the deal, and the risks that lie beneath the surface. Technological backlog slows down the realisation of a digitisation strategy. Risks can be quantified. This provides information that you want to include in valuing the deal.
The real focus of IT Due Diligence is to assess the technological debt that is included in the deal, and the risks that are hiding under the surface.
IT Due Diligence requires a different approach
IT is not a regulated industry. There is no set way of organising or a reporting regime that must be met. There are best practices and ISO standards, but they leave a lot of room for interpretation. And with trends like virtualisation and cloud contracts, what is an 'asset' anyway? IT Due Diligence is no longer an exercise where a junior in the team simply processes a meaningless checklist. The result being a list of acronyms and network diagrams that suggest detail and expertise, but lacking interpretation.
IT is no longer about technology, but much more about data and security
IT gaat niet langer over technologie, maar veel meer over data en beveiliging. Het is zo abstract geworden dat het vaardigheid en vakkennis vergt om te weten waarnaar je moet zoeken.
Real risks and technology gaps can be exposed by looking at:
- Software
- Contracts and licences
- Information Security
- Privacy and GDPR
- Planned IT Investments
- Human Capital
- Hardware and Network Design
What should IT Due Diligence look for in 2022?
Risk-based, tailored to the transaction, this should include at least:
Software
With off-the-shelf software, the emphasis is on software compliance; is all software licensed? Custom software may require a Quick Scan of the code or a thorough code review. Is the software built to last, or a bunch of spaghetti that is only understood by the local hero who built it? The one who will retire in a year. Also determine the ownership of the intellectual property. Who actually owns the code? With SaaS software, it is all about the contract terms.
Contracts and licences
Start with an overview of all current contracts (...), determine the renewal dates of contracts, and check the General Terms and Conditions for selected contracts for clauses referring to transfer of ownership. This is not self-evident. Also, most software products and cloud services are dependent on underlying Big Tech services. This results in sometimes undetected back-to-back contracts. Are these aligned?
Information Security
Estimate the risk profile of the organisation by applying one of the many available frameworks, such as the NIST Cyber Security Framework, the SANS Top 20 Critical Controls or ISO27002. This is still a desk research approach. If critical, a RED team or ethical hackers could test the practical strength of the security controls.
Privacy and GDPR
This is one of the most misunderstood and misinterpreted topics around information systems. Many have an opinion about the GDPR, few have taken the time to read the EU and local legislation. But it is not that complicated. The GDPR prescribes a series of measures and controls that must be implemented to secure personal data. These can be checked in a structured way. No wizardry required.
Planned IT investments
Assess the current IT architecture and project portfolio. Are the planned investments delivering value, or is it "keeping the lights on"? How big is the gap between the As-Is and To-Be IT landscape. Be wary of ERP implementations and Integration Layer projects. These are notorious for creating too little value.
Human Capital
Assess the professionalism of the IT department. IT is only as good as the people who organise it. A quick look is enough as a starting point; identified positions and average seniority, internal training materials and procedures, certificates and formal training courses. Who are the key people and are they on the payroll or freelance?
Hardware and network design
A list of all assets should be easily retrievable from the inventory system or the CMDB. A simple analysis will quickly give an impression of their completeness and accuracy. Remember that if you don't have all the assets in view, you can't know whether they are adequately protected. The IT department, by the way, should frown when asked about hardware. Most IT hardware will have been virtualised (and then run on other, more powerful computers).
How the network is designed says a lot about the maturity level of the IT organisation. Modern networks are, like the hardware, also virtual, the so-called 'software defined network'. An assessment of this topic gives a clear indication of any technological debt.
If an overview of all assets cannot be provided quickly, there is smoke and therefore fire...
I have managed IT departments and IT programmes in various sectors for many years. I am a certified Information Architect and a Certified Information Systems Security Professional (CISSP). With an extensive network of specialised professionals and companies to call on, I keep the team small and dedicated. A small organisation without overhead to ensure short turnaround times.
If you want to assess the risk and technology debt in your next M&A deal and need it done quickly, I can help.