The Critical Role of IT in M&A Due Diligence: Unveiling its Value

When buying a business, it is crucial to understand the business well. It is often not enough to value a company purely based on the financial statements. It also holds significant value to understand the business in more depth so that you gain insights into the product, also known as the business, that you will buy. One key aspect of every modern-day business is IT. To get to know this part of the business, you can include this aspect in the due diligence process.

The Due Diligence Process

The due diligence process is a method to evaluate all aspects of a business opportunity before making a decision. It is often used as a tool when buying a company to gain insight into the operations and risk exposure of a specific business process of the target company. There are many different topics that can be subject to due diligence like financial, commercial, legal, or environmental due diligence, but in this article, we focus on IT and Technology due diligence.

IT and Technology Due Diligence

When conducting due diligence, it is important to understand which aspects of IT need to be investigated. We often make a distinction between the two fundamental aspects of IT. First, IT as a support function in all modern businesses, which is often referred to as IT Due Diligence. Second, IT as a product or business platform, often referred to as Tech Due Diligence. In the following sections, we will dive deeper into the distinction between these two and discuss the aspects investigated in each.

IT Due Diligence

IT Due Diligence is advisable when IT plays a crucial role in achieving the business’s objectives, serves internal customers with IT services, manages the delicate balance between service levels and costs, and ensures business continuity.

Key IT aspects investigated during this process include:

1. IT Strategy & Organisation: Assessing the contribution of the IT organization to corporate value.
2. IT Applications & Data: Evaluating the scalability, reliability, and currency of business applications, with optional considerations for GDPR compliance and a review of the software development process.
3. IT Infrastructure: Examining whether the target operates a modern IT infrastructure platform free from any technology debt.
4. IT Security & Governance: Ensuring the target’s security organization is state-of-the-art with strong cyber capabilities, optionally conducting an outside-in cybersecurity review.
5. IT Contracts & Licences: Verifying whether the target holds all required software licenses and service contracts.
6. IT Projects: Assessing whether projects are aligned with the overall strategy, well-defined, and effectively managed, with optional considerations for carve-out and integration for the target.
7. IT Finance: Reviewing whether IT spending is at an appropriate level and if the target is investing in the right areas.

During an IT due diligence, IT benchmarks may be utilized to compare business processes and performance metrics to industry best practices. Depending on the company’s size, geographical location, and sector, benchmarks specific to these factors may be employed.

Technology Due Diligence

Technology Due Diligence becomes essential when technology plays a pivotal role in the following scenarios:

• It constitutes the product itself or is a key driver of business revenues.
• It caters to the company’s external customers.
• It is expected to provide leading services at a reasonable price.
• It needs to scale with business demand.

The investigation encompasses various aspects of technology:

1. Product & Service Strategy: Ensure that the operations align with both the product strategy and the overall strategy of the target.
2. Architecture & Functionality: Confirm that the tech products offer state-of-the-art functionality and operate on a robust architecture.
3. Development & Deployment: Assess whether the applied development processes are in line with best practices. (Optional: Open Source Code Scan)
4. Cyber Security & App Safety: Verify that the target’s security organization is adequate, with no known vulnerabilities compromising app safety.
5. IP & Contracts: Evaluate the dependability of the target’s processes for managing owned/licensed intellectual property and the services provided/received.
6. Platform & Infrastructure: Check if the tech platform and its underlying infrastructure are scalable and resilient.
7. Technology Costs: Examine whether tech spending levels are appropriate and if the target is investing in the right areas.
8. Operations & Data: Ascertain that the platform operates in accordance with the defined service levels.

The Professionals

Professionals performing IT due diligence are often people with experience in IT and the M&A process. We now see a shift in the market where there are more and more people working specifically in M&A with a focus on IT. They will be involved in the IT due diligence process and later on in the integration process (if needed). Before this trend, it was usually an IT professional working full time in the IT department or an IT auditor who would perform the analysis. However, in the last couple of years, also with the rise of digitalization, it has become clear that there was a growing need for IT professionals who were used to working on M&A projects. There are different goals and stakes at play in an M&A process compared to the setup of an IT Architectural model of a company and/or the day-to-day IT management. Furthermore, an IT due diligence of a company needs to happen fast. Depending on the size of the company, the analysis might need to be completed within one week.

The Reasons Why

There are multiple reasons why it is important to include IT in this phase of the M&A process. First of all, because of the growing digitalization in the last couple of decades, IT has become to play a bigger and bigger role in today’s organizations. And it could be a dealbreaker or a deal maker. For example, if you would buy a company that is in dire need of an update of their ERP system, this could easily cost the company millions of dollars just to keep it up and running. Or if you have no idea how the company manages its IT risks, including IT security risks, it might be devastating. Imagine a bank buying a fintech with poor IT security in place and it connected itself and its customer database to the backend of the fintech. If the IT security is poor, this could lead to a data leak of customer data, and thereby, a big reputation damage to the company.

The second reason is that most often IT will also be one of the post-merger integration workstreams. This, of course, is if there is the will to integrate both companies. It would be one of the important streams since, like in normal business, other departments are often dependent on the IT department and/or want to pursue additional optimizations in their processes and want to do this by making use of IT. This is also why it can be of great value to already take into account and analyze the IT of the target before buying since, the more you know about their IT department, the better you will be able to get an idea of what costs will be needed to integrate the company, what synergies there might be captured, and how fast they will be able to be captured.

Conclusion

As you can see, it is important to take IT into account as soon as possible. It is also not that surprising if you think about it. In the last couple of decades, companies have been spending a lot of money on digitalization. Many of them claim to be getting a lot of value increases through efficiency increases, and the company becomes dependent on it. It seems only logical to take it into account when you want to buy a company. But I believe the reason why it is becoming more and more important is that history has shown acquirers that IT can cost a lot of money to get it right if it is done badly, but it can also be a great source of synergies if it is already done right.