IT Due Diligence Guide

Make an informed technology company investment.


Feb 18 2018

2018 Edition of the IT Due Diligence Guide Released

I’m happy to report that the 2018 edition of the IT Due Diligence Guide has been released.

The need to include an IT review during M&A due diligence is greater than ever. Identifying IT shortcomings that can jeopardize a merger or acquisition and put a company’s future at risk is critical. Other less serious issues that are uncovered can still carry a high price tag to address, and it’s important to find these problems prior to the deal closing.

According to the Boston Consulting Group, 63% of acquisitions are completed by companies that purchase no more than one company per year. It’s not reasonable to expect that such companies have resources dedicated to M&A available, let alone an IT due diligence expert. The IT Due Diligence Guide can help fill that gap.

2016 and 2017 saw the trends of substantial data breaches and related public relations disasters continue. Ransomware attacks spread rapidly and were covered by the mainstream news. Some companies have even begun to keep a stock of bitcoins on hand to pay the ransom.

Many security experts now see hacking as something that can’t be prevented, accepting the fact that it’s almost inevitable when a skilled and determined criminal is involved. The focus is now more on being able to quickly detect and mitigate security incidents.

In the 2018 edition, the IT Due Diligence Guide has been further expanded and reorganized to address the latest IT security and operational concepts. Questions have been added and explanations have been revised.

Not everything in IT due diligence is focused on cybersecurity, however. In fact, most of the book is related to other issues. Still, with the cost of the average data breach reaching over $3.6M, IT security needs to be a key focus of any transaction if major unanticipated costs and risks are to be avoided.

In addition, given the fact that over 80% of ransomware attacks in early 2016 were experienced by healthcare organizations and considering the special concerns related to IT due diligence in healthcare, a new section dedicated specifically to that industry has been added in this new edition. This includes a healthcare IT due diligence checklist only available with the book. Much of this content is relevant to any company that operates in a heavily-regulated industry or manages highly-sensitive data.

Using the IT Due Diligence Guide and the related tools included with the book, both seasoned due diligence professionals and those working on behalf of the infrequent investor can uncover the technology risks and opportunities in any company.

Learn More About the Book

Written by Jim Hoffman · Categorized: Blog

Dec 06 2017

GDPR and IT Due Diligence

If a potential acquisition target does business in the European Union or stores data related to EU-based individuals, it’s important to evaluate the company’s readiness for the EU General Data Protection Regulation (GDPR) during IT due diligence.

In May 2016, the European Union finalized the General Data Protection Regulation (GDPR). It will go into effect in May 2018.

The GDPR is intended to increase the security of the personal data of EU citizens and to create protocols that must be followed by all companies doing business in the EU, regardless of the location in which they operate.

This means, for example, that US companies that offer products and services to individuals in the EU fall under these regulations. Regardless of Brexit, the UK has indicated that it intends to "opt-in" to GDPR.

While large companies around the world have been preparing for GDPR compliance, many smaller companies have probably not even heard of it as of late 2017.

It’s likely that best practices for compliance for smaller businesses will be a moving target as the implementation date approaches, but here are some things to consider when discussing GDPR with your target company during IT due diligence:

  • All companies processing personal data must obtain consent from the user after first clearly explaining exactly how it will be used. A user agreement or privacy policy without proof of its being read will not suffice.
  • Companies with at least 250 employees or whose business is primarily focused on processing personal data must appoint a "data protection officer" (DPO) whose responsibility is to oversee enforcement of GDPR. This can in theory be either an employee or consultant. Either way, with an already-existing shortage of qualified IT security professionals, creating new demands for these skills will only make it harder to hire and recruit DPOs.
  • The GDPR requires the DPOs at affected companies to perform "privacy impact assessments" to identify and mitigate risks related to the processing of personal data.
  • The GDPR will likely require applications to be redesigned to add data encryption and to reduce collection of unnecessary data.
  • Fines related to noncompliance with the GDPR can be huge – in some cases up to 4% of the company’s prior year worldwide revenue.

If an acquisition target is impacted by GDPR, compliance can potentially be very expensive and these costs should be considered very carefully when it comes to the transaction price and implementation budget.

For more information, see the official EU personal data protection page.

Written by Jim Hoffman · Categorized: Blog

Jul 11 2017

Selling Your Company? Consider a Mock IT Due Diligence Audit

Are you a software entrepreneur planning your exit strategy? If you expect to be looking for investors or an acquirer in the next 12-18 months, you can give yourself a leg up by performing a mock IT due diligence audit on your own company now.

An IT due diligence audit will reveal to a potential investor that you’ve recently “patched up” your company. You’re much better off to put best practices in place that become a normal part of your operations and company IT culture well before your exit. Try to look at your company as an investor will. Going through this effort can have many benefits.

1) Identify Deficiencies

Is there any unlicensed software in use at your company? Take care of it now. Are there any missing non-compete or other employee agreements? You don’t want to be in the position of asking your star software developers to sign something on the eve of the sale of your company, when it’s more important to you than it is to them.

A source code review will almost certainly be done if you’re a software company. It can be well worth it to hire a consultant for a day or two to give you a high-level impression of your company’s code. Your consultant’s opinion will most likely be very similar to that of an investor’s expert. If the news isn’t good, get to work on it now.

Take a good look at your customer contracts. If they don’t address a change of control, you should modify new agreements to specifically allow you to sell the company without the customer’s permission and without the customer’s ability to terminate the contract. Get a lawyer to help.

2) Reduce Expenses

The process of reviewing your business with an outsider’s perspective may help you identify ways to save money. If you examine your important contracts, you might determine that there are cheaper options for web hosting, phone service, etc. Maybe your insurance coverage is more extensive than it needs to be. Consider the terms of any upcoming long-term contracts. Don’t saddle your company with a five-year IT equipment lease if you plan to sell out in a year.

3) Be Ready for an Audit

Some things can’t be corrected overnight.

Think about systems that might be audited later. Would you be comfortable if a potential investor audited your security or terminated employee policies for the past 12 months? If not, put good processes in place now so they’ll be fully established by the time they might be audited.

Are you properly accounting for software development and maintenance costs? These are complex issues, and it’s very hard to go back later to make adjustments and have clean, auditable data after the fact. Get it right well before you’re talking to investors, and you’ll be less likely to experience unpleasant surprises or disagreements when it comes to IT-related accounting issues.

If you really need to spend some money to address an IT need, try to do it gradually over the coming 12-18 months. An investor can easily recognize that you starved the company of needed resources to make your profitability look better, but a big expense incurred just before you try to get a deal done won’t necessarily be helpful either.

4) Possibly Receive a Better Price

Fixing an issue you identify in a mock IT due diligence audit usually comes with a known price. You’re close to the situation and understand it better than an acquirer. If an investor finds the problem later, they may be concerned enough to walk away from the deal, and if not, they may want to reduce the price of the deal more than is necessary to address this single issue, since they’ll wonder if others exist. Take care of it now and it won’t be up for negotiation later.

5) Reduce Stress

The due diligence process related to selling your company can be a very stressful time. If you have all of your IT processes documented and running smoothly, it will be one less thing for you to worry about, and will give you more time to focus on the financial and legal issues.

Not every company will need to produce every item in our IT Due Diligence Checklist, but knowing what will be requested of you, and addressing any identified deficiencies, can go a long way towards preparing you for the due diligence process related to your exit strategy. As an added bonus, this preparation will help your company to come across as much more professional than the average takeover candidate.

Written by Jim Hoffman · Categorized: Blog

Jun 27 2017

IT Due Diligence and Company Culture

During an IT due diligence effort, it’s not unusual to find that the target company has made different choices when it comes to programming languages or operating systems.  Beyond these obvious disparities, however, there may also be cultural incompatibilities. These need to be understood, and when possible, addressed.  Otherwise, you may find that you’ve just acquired a company where every key employee will be gone in six months.

Here are some issues that you should consider while you go about the more technical work of IT due diligence.  They may not seem important in the scheme of things, but you can be sure they are VERY important to at least some of the employees at the company being acquired.

As usual, I’ll refer to the company being evaluated as TargetCo and the purchasing or investing company as AcquiringCo.

Tech Personality Types

If you’ve spent any time around software developers and other tech employees, you’ve figured out that they can be a colorful bunch.  Infoworld has a great article on programmer personality types.  Here’s a very accurate overview of IT personality types from ComputerWorld UK – my favorite is “The Human Roadblock”.

Many small companies take on the personalities of their strongest employees.  If you’re buying a startup where the mentality is to come up with an idea for a cool new feature, work 24/7 to develop it and then roll it out to see what the customers think, it won’t take too many times for those employees to run into “The Human Roadblock” before they figure out that AcquiringCo isn’t for them.

“Fast and Loose” Environment vs. “Well Documented / Methodical”

In most startup IT companies, the overriding goal is to get the product to market ASAP.  To achieve this goal, things like well-commented code, backups and system documentation can go out the window.  Other formalities at AcquiringCo such as product management, system analysts and QA may also come as a shock to TargetCo’s employees.   If AcquiringCo is an established organization with strict processes in place for its operations, you can count on employees of TargetCo seeing these as nothing but needless bureaucracy.

High End Employees vs. Cheapest Available

Companies can have wildly divergent hiring strategies.  Some companies may prefer fewer, expert employees and others hire an army of lower level staff, hoping to find diamonds in the rough.  If you’re acquiring a company with the latter mentality, be aware that there can be a lot of turnover on the way to a stable workforce, so HR and recruiting resources need to be considered.  On the other hand, if you are that company with many less-experienced employees and you’re acquiring a company with a handful of industry visionaries, be aware that they may very well be unhappy in an environment where they aren’t challenged and inspired by their peers.

Software Development Methodology

There are many established software development methodologies, and new ones come in and go out of fashion frequently.  Software developers can become quite attached to their chosen method, sometimes almost to the point of evangelism.  If this is the case at TargetCo, and AcquiringCo enforces a different approach, this can be a sure path to tension.

Offices vs. Cubicles or Open Work Areas

Tech employees can be very sensitive to their working environment.  Their jobs often require a lot of concentration, and certain companies provide individual offices to most or all of their tech staff.  If you’re buying such a company and plan to make room for more employees by moving everyone to new office space with cubicles, to some employees that could be as bad as telling them they can expect a 50% pay cut.

What can you do about these potential cultural conflicts?

First, be sure they are mentioned in your due diligence report.  In my opinion, the job of the person performing IT due diligence is to identify any issues that can impact the success of the transaction, not simply the quality of the source code and age of the servers.  In severe cases, the cultural differences may be significant enough to abandon the deal.

Second, when there are real cultural concerns that may cause you to lose key TargetCo employees after the deal closes, it’s advisable to lock up those individuals with employment contracts or other incentives.  In addition to keeping the key members of the TargetCo staff around, if they’re happy they can be cheerleaders for AcquiringCo and this can help retain the rest of the staff.

Third, don’t change for change’s sake.  If there’s not a compelling reason to standardize software development methodologies, for example, don’t force TargetCo to convert.

Finally, after the transaction closes, place an emphasis on communication with the acquired employees.  While this should be the case in any transaction, pay particular attention to the cultural issues that were identified during IT due diligence.  If you need to make a change in a sensitive area, clearly explain why and emphasize other policies or benefits that may be new and positively received.  Consider surveys and town hall meetings so the employees can at least feel that they’ve been heard during the process, even if they aren’t thrilled with the outcome.

IT due diligence is about more than bits and bytes.  Cultural and people issues can be even more important than the technology when it comes to the ultimate success of the transaction, so it’s critical that they be considered during the due diligence effort.

Written by Jim Hoffman · Categorized: Blog

Mar 23 2017

How IT Due Diligence Improves Post-Transaction Integration

Although IT due diligence has many benefits when it comes to determining and confirming the value of a technology transaction, it can prove to be at least as valuable in planning the post-transaction integration. Here are some ways IT due diligence can assist in the integration process.

Staffing

If the target company is being folded into the acquiring company, it’s critical to have a good sense of the strengths, weaknesses and personalities of the target company technology staff. This will allow you to make better decisions when planning an integrated IT or software development team.

If you determine through IT due diligence and integration planning that there will be skill gaps in the combined company, proper budgeting can take place and recruiting can begin sooner.

If a premise of the transaction is that IT staff cuts and the related expense reduction will be possible, IT due diligence can identify whether this is truly feasible. For example, are there key proprietary systems or tools used by the target company that are maintainable by only the person who developed them? That person had better not be on the list of people to be terminated after the transaction closes. IT due diligence can confirm whether staff reductions are feasible, and if so, the best way to achieve them.

If the target company staff will be required to conform to acquiring company standards in the areas of coding, security and other technology processes, training can be planned prior to deal close so the integration of the teams can begin right away.

Identify the Path to the Full Value of Anticipated Cost Savings and Economies of Scale

Many technology transactions assume that there will be expense reductions in areas such as telecom contracts, hosting, hardware, software licensing, etc. IT due diligence can confirm that these potential savings exist, and identify the path to achieve them.

Licensing is an important area to review. There may be a cost involved in transferring key software licenses to a new organization. Don’t assume that an “enterprise” license simply converts to the new, larger enterprise without additional license fees.

The transaction financials may presume that Internet connections or phone systems can be combined or that data center hosting arrangements can be consolidated. Such contracts are often costly to terminate early. For example, many telecom contracts contain a provision that effectively requires full payment of the remaining contract term at the time of early termination. IT due diligence can identify such contracts.

Similarly, a termination notice date for an expensive contract may arrive just after the transaction close date. If IT due diligence occurred prior to closing, this date should have been identified and the integration priorities planned to accommodate contract termination and the technical and operational steps required to achieve the expense reduction.

Provide Needed Planning Time

When a public company is involved in the transaction, it’s often difficult for the two parties to cooperate in the integration planning process prior to the deal closing. In the case of private parties, there may be more flexibility. In any case, at least the acquiring company can begin to make integration plans based on its due diligence.

The integration of even a small company may take three to six months. A plan for such a long effort takes time to develop. If the planning can take place prior to the deal closing, it makes it more likely that the integration can get off to a good start and ultimately be successful.

Depending on the intent of the integration, the following issues may need to be addressed in the integration plan:

  • Post-transaction product strategy and offerings
  • Physical space (offices, data hosting, etc.)
  • Phone system and network integration
  • Security and coding standards
  • Technology conversions
  • Risk identification
  • Integration plan metrics

As you can imagine, it’s better to start working on these things prior to the transaction closing, and with a detailed understanding of the underlying technical issues at the target company. This understanding comes from technology due diligence.

Objective Opinion or a Head Start on Relationship Building?

There are pros and cons to having a third party undertake your transaction’s IT due diligence effort.

If a third party is used, you’re more likely to get an objective opinion as to the technology resources, staff and IT challenges facing BOTH the acquiring and target organizations.

If you use internal staff at the acquiring company, you risk a bias towards the resources and methodologies at the acquirer but you gain the opportunity to start relationship building prior to the deal. This pre- and post-close continuity can go a long way toward easing the nerves of the target company’s staff during the integration. To gain this benefit, it’s important to consider the issues around the onsite visit discussed in the IT Due Diligence Guide. You can read about the need for a good cover story that doesn’t create later distrust in the sample content from the book.

Either approach to IT due diligence can add real value prior to the transaction close.

Conclusion

A successful IT integration requires the acquiring company to hit the ground running. Without IT due diligence, you have two choices: you can start the integration immediately without a good plan or after a delay with a good plan. With a solid IT due diligence effort, you can start immediately with a good plan.

Written by Jim Hoffman · Categorized: Blog

© Copyright 2012-2020 Alzhan Development LLC. All rights reserved.