I recently read a great quote from the CIO at Dell: “There is no business without IT right now. We don’t support the business – we are part of the business.” While most due diligence efforts won’t focus on companies the size of Dell, the fact remains that technology now plays a key role in almost all businesses.
If you accept this premise, then consider how much attention technology receives when you evaluate an investment. If it is no less important than customer contracts or financial projections, don't treat it as an afterthought.
Too often I’ve seen that technology due diligence consists of a brief period at the end of the overall due diligence process that focuses on things like documenting the existence of IT assets like servers and laptops, and maybe a quick review of the data center.
While acknowledging the need to get a deal done as quickly as possible and to start the process of integration, below are some additional IT due diligence steps that I think should be required in specific IT-related acquisitions.
Source Code Review
If there is proprietary technology involved in the operations or products of the target company, it’s critical to have a source code review performed by an expert in the particular programming language used to develop the target’s technology.
The best IT consultants are truly fluent in only a handful of languages, so it's worth the added expense to make sure a real expert reviews the code, even if that person isn't involved in the rest of the IT due diligence process. You want to know that sound development practices were followed, that the design will scale, and that there are no obvious security weaknesses (unvalidated input, hard-coded credentials, home-grown cryptography and the like).
A source code review should also inventory the third-party and open source components the target's software depends on, including the transitive dependencies those components pull in. Confirm that each open source component is used within the terms of its license: a copyleft license such as the GPL can impose source disclosure obligations on proprietary code that incorporates it, and a component whose license cannot be determined is a risk in itself.
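A first-pass license inventory check of the kind a source code review should produce, added here as an example and not part of the original post. It takes a constructed component list (the package names and versions are made up) with an SPDX license identifier and a note on how each component is used, and flags the ones that need follow-up with counsel given the target's distribution model. The license groupings and the rules are simplified assumptions for triage, not legal advice.

```python
"""Inventory open source components and flag licensing risk.

Added example for this post, not the author's own tooling. The component
list is constructed for illustration (package names are made up), and the
license groupings and rules below are a simplified triage policy for a
first pass during due diligence, not legal advice.
"""

# Simplified grouping of common SPDX identifiers (illustrative, not exhaustive).
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0", "EPL-2.0"}
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only"}
NETWORK_COPYLEFT = {"AGPL-3.0-only"}


def classify(license_id):
    """Map an SPDX identifier to a risk category; None or unrecognised -> 'unknown'."""
    if license_id in PERMISSIVE:
        return "permissive"
    if license_id in WEAK_COPYLEFT:
        return "weak-copyleft"
    if license_id in STRONG_COPYLEFT:
        return "strong-copyleft"
    if license_id in NETWORK_COPYLEFT:
        return "network-copyleft"
    return "unknown"


def review_component(component, distribution):
    """Return a finding dict for one component, or None if nothing needs follow-up.

    component: {"name", "version", "license", "usage"}, where usage is
               "static" (compiled or bundled into the product) or "dynamic"
               (linked or called at run time as a separate artifact).
    distribution: "proprietary" (shipped to customers in binary form),
                  "saas" (hosted; users interact with it over a network),
                  or "internal" (used only inside the company).
    """
    category = classify(component.get("license"))
    label = f"{component['name']}@{component['version']}"

    def finding(severity, reason):
        return {"component": label, "license": component.get("license"),
                "severity": severity, "reason": reason}

    if category == "unknown":
        # A component with no determinable license cannot be cleared at all.
        return finding("medium", "license not identified; resolve before closing")
    if category == "permissive":
        return None  # attribution obligations only; handled in the NOTICE file
    if category == "network-copyleft":
        if distribution == "internal":
            return finding("low", "network copyleft; confirm no outside users interact with it")
        return finding("high", "network copyleft; hosting it for users triggers source obligations, as does shipping it")
    if distribution != "proprietary":
        # GPL/LGPL/MPL obligations are triggered by distribution; hosting or
        # internal use alone is not distribution.
        return finding("low", f"{category} used without distribution; confirm no copies ship to customers")
    if category == "strong-copyleft":
        return finding("high", "strong copyleft in a shipped product; source disclosure obligations")
    # Weak copyleft: static incorporation pulls the product into scope, dynamic use usually does not.
    if component.get("usage") == "static":
        return finding("high", "weak copyleft statically incorporated; relink/source obligations")
    return finding("low", "weak copyleft used dynamically; keep it a separate, replaceable artifact")


def review_components(components, distribution):
    """Review a whole inventory; highest severity first, then by component name."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [f for f in (review_component(c, distribution) for c in components) if f]
    return sorted(findings, key=lambda f: (order[f["severity"]], f["component"]))


# Constructed sample inventory; names and versions are made up for illustration.
SAMPLE_COMPONENTS = [
    {"name": "fastjson-lite", "version": "1.2.0", "license": "MIT", "usage": "static"},
    {"name": "ffutils", "version": "4.1", "license": "LGPL-2.1-only", "usage": "static"},
    {"name": "reportkit", "version": "0.9", "license": "GPL-3.0-only", "usage": "dynamic"},
    {"name": "legacy-parser", "version": "2.3", "license": None, "usage": "static"},
    {"name": "dbconnector", "version": "3.0", "license": "AGPL-3.0-only", "usage": "dynamic"},
    {"name": "plotcore", "version": "5.2", "license": "MPL-2.0", "usage": "dynamic"},
]

if __name__ == "__main__":
    for f in review_components(SAMPLE_COMPONENTS, "proprietary"):
        print(f"{f['severity']:6} {f['component']:22} {f['license']!s:15} {f['reason']}")
```

Run against a real inventory, the input would come from the target's build manifests or an SBOM rather than a hand-written list, and every "high" and "medium" line is a question for the target's engineers and for counsel, not a conclusion.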
Penetration Testing
If the target's systems or websites store any sensitive data, a penetration test is worthwhile. This means hiring a specialist to evaluate the security of the website and the network infrastructure behind it. Depending on the agreed scope, the testing firm will go beyond reporting scanner findings and actually attempt to breach the defenses and reach systems and data. Agree the scope and rules of engagement in writing with the target before testing starts, since the systems are theirs until the deal closes. You want to know about any vulnerabilities, and the cost to correct them, before you are the owner. Penetration testing is a highly specialized service and is not typically part of standard IT due diligence.
Industry-specific Requirements
Industries such as healthcare and finance are subject to government regulation of how data must be stored and transmitted securely, how long it must be retained and when it must be encrypted. If the target accepts and processes credit cards itself rather than handing that off to a third-party processor, a separate set of security requirements (the payment card industry's PCI DSS) must be in place, and compliance with it must be verified.
Unless your IT due diligence expert is familiar with the relevant requirements, you’ll probably want an additional resource who is a specialist in these industry-specific issues to review them.
Staff Interviews
Having someone who can speak their language meet with the IT staff of the target company can be the most valuable part of an IT due diligence effort. These employees tend to be more open with fellow technicians, and can provide a wealth of information about the strengths and weaknesses of the target's technology. In addition, familiarity with the skill sets of key IT staff helps with integration planning.
Conclusion
With just a little extra effort, IT due diligence can come closer to reflecting the importance that IT plays in most businesses today. The relatively small incremental cost is well worth the investment.