An IT due diligence should paint a clear picture of how IT helps the Target run and whether there are any “deal breakers” that would cause the Acquirer to abort the transaction or to seek a price reduction (for instance, due to significant capital expenditure being required to upgrade IT systems).
IT DD is becoming increasingly more important as technology becomes a greater component of growth and scale in many companies. At a fundamental level, however, IT can “make or break” a company. For instance, products, services, customers, staff, e-commence, databases and servers are central to the business operations of many companies and all reliant on a well-functioning IT environment.
To the uninitiated, IT DD can seem daunting and very tech-heavy. It is therefore advisable to seek the guidance of a dedicated IT consultant or external IT partner. Prior to doing so, or as part of the due diligence scoping process (defining what exactly due diligence will cover), consideration should be given to the Target’s:
- ability to scale
- ability to integrate
- approach to security and disaster recovery
- infrastructure & hardware and
- IT operating budget.
Technology is increasingly becoming the driving force of growth and scale – it should not be overlooked in due diligence.
Ability to Scale
It is likely that the Target company will have “something” that the Acquirer does not. That includes but is not limited to customers in different markets, a strong brand, a niche product, patents, technology or a combination of the above. Whatever the motivating factors(s) providing the rationale for the acquisition, the overall objective will be for it drive profit increases and generate greater shareholder returns. A key consideration when undertaking an acquisition should therefore be how the Target will fit with the Acquirer’s (or new organization’s) growth plans.
For the Target to contribute to profitability, it will need to have the capacity to scale/handle growth. If the Target’s IT infrastructure cannot support growth, the new organization will not be able to scale as planned and profitability will be thwarted. Furthermore, significant costs may be incurred to get the Target into a position where it can scale and support growth.
Ability to Integrate
IT integration is crucial to successful M&A. However, it is often identified as a root cause of failed transactions. Running an inefficient overall due diligence process can be a contributing factor to failed IT integration and the realizing of synergies. For this reason, identification of critical Day One and post-integration risk is an important consideration during the DD phase.
Said differently, addressing key issues such as which platforms the new organization will run on and the best approach to IT integration should be considered during due diligence, rather than post-closing. Taking this approach reduces uncertainty about how the Acquirer will integrate the Target’s IT capabilities and help provide a big picture of what the new organization will look like at the earliest stage possible.
IT integration costs are often the largest ancillary cost factor incurred in M&A. If costs are not considered during DD, the new organization’s IT capabilities may not be realized or significant IT integration delays and/or cost overruns may occur. DD findings can and should be used to estimate the largest contributors to IT integration costs (for instance, servers, networks, storage, CRM systems and IT infrastructure, etc.).
It is notable that the nature of due diligence will be quite different if the Acquirer plans to replace the Target’s systems with its own systems (ERP, CRM, standard hardware/operating systems, etc.). If they do, due diligence should focus on understanding the costs of such a transition (which can be significant). If the Acquirer is happy keeping the Target’s existing systems, the process will be simpler and costs much lower.
Approach to Security & Disaster Recovery Plan
Due diligence should uncover the Target’s approach to IT security and “cyber security.” Over time, cyber security has commanded greater attention considering the threat posed by a range of attackers. An attack on a company’s IT systems can lead to the loss of highly-confidential information, the uncovering of trade secrets and customer details, the leaking of research and development (R&D) initiatives, inaccessible networks and ultimately, the stalling of business operations. In an M&A context, a cyber attack during the acquisition process could lead to the collapse of a transaction.
Alternatively, if the Acquirer was to discover that the Target has previously been the subject of a past cyberattack, this could reduce the value of the deal or lead to it being aborted (depending on the severity of the attack). If, hypothetically, the Target were to be subject to a cyber attack during the post-merger integration (PMI) phase, this could lead to the Target being “off-line” until systems, servers, etc. could be restored and made functional again. Such a scenario could wreak havoc with a 100-Day Plan and lead to significant value attrition.
Whether cyber crime or a man-made disaster, due diligence should reveal whether the Target has a documented disaster recovery plan and, perhaps more importantly, a business continuity plan.
Infrastructure, Hardware, Software & IPs
While perhaps obvious, it is imperative that the Acquirer understands exactly what business assets they are purchasing/what will come with the Target – covering general IT infrastructure, hardware, software and intellectual property – and the quality of any such assets. In terms of IT infrastructure and hardware (covering, for instance, computer workstations, servers, printers, storage devices, network devices, etc.), consideration should be given to the age and condition of any assets, user capacity (is there scope for expansion?), annual running costs, any maintenance/performance issues, life expectancy and whether any significant upgrades are required (some companies may hold off asset investment if they are anticipating a sale). If infrastructure/hardware is found to be aging, the Acquirer could incur significant additional costs to retire obsolete assets and upgrade them (if servers and data are involved, a costly data migration project could also be necessary).
From a software perspective, it is important to ensure that the Target is using an enterprise version of any software. This covers operating systems, general applications, CRM and ERP and - depending on the nature of the Target’s operations - more complex and even bespoke applications.
From an intellectual property (IP) perspective, the Acquirer should be absolute in its understanding of the IP assets transferring with the Target and of the rights the Acquirer will be granted to any such IP (including that under license). For instance, the Acquirer should ensure it would be able to utilize IP assets without infringing on any third party intellectual property rights – often referred to as "freedom to operate.”
IT Operating Budget
Due diligence should include a review of the IT operating budget – past and future – covering, for instance, hardware and software, whether assets are owned or leased, maintenance contracts, use of sub-contractors and planned CAPEX to support the Target’s business plan. In terms of historic expenditure, due diligence should cover investigation into any material IT expenditure (such as on new servers), inquiry into any unexplainable recurring costs and an assessment of overall IT spend.
This process can also reveal what areas of IT have been neglected – therefore helping to expose where expenditure may be incurred in the future. Furthermore, a review of future IT spending will help the Acquirer clarify Target’s capital and operating budgets and establish whether any major IT projects, or project requiring IT, are planned.
The right approach to IT due diligence can set a deal up for success (or failure if approached incorrectly). IT due diligence is a critical process of any M&A activity and needs to be given sufficient commitment – it should uncover the Target’s dependence on IT/technology and identify risks, capabilities/strengths, weaknesses/needs, opportunities and capital & financial requirements for the continuance of successful business operations. Ultimately, the outcome of IT due diligence could provide a make or break situation for the Acquirer when it comes deciding whether to pursuing a deal or not.