IT Due Diligence Checklist

Last modified by Drunk Monkey on 2020-08-12 21:06

Original article from here:
https://www.duedil.com/blogs/it-due-diligence-checklist

Conducting IT due diligence when taking over or merging with another company is key to a smooth transitional period. It may not be the most interesting or enjoyable task, but it’s important that the process isn’t rushed. Being as thorough as possible will not only save you time later on, but will also highlight any potential issues that will need to be fixed before the sale goes ahead.

The main aim of this type of due diligence is to build a clear picture of the target company’s IT infrastructure and to find out whether it is similar to your own, so that you can determine what changes may need to be made when the merger/acquisition takes place.

As part of the IT due diligence process you will need to visit the acquired company’s workplace to see their technology setup first-hand. However, to ensure that the visit is as productive as possible, it is best practice to send an outline of the onsite delivery process you hope to follow.

The key elements that need to be included in your due diligence are:

  1. Hardware
  2. Software
  3. Internet and telecom systems
  4. Cyber & Network Security
  5. Customer support systems
  6. IT Support Staff
  7. Company products & services

1. Hardware

The most important aspects to consider when it comes to hardware are what hardware they actually have, who owns it, and how much it is worth.

You will need to make a record of the following hardware:

  • Desktops, laptops and tablets
  • Mobile and desk phones
  • Servers
  • Storage devices
  • Mainframe computers

Once you have drawn up a comprehensive inventory, you must then find out details on the manufacturer and model number, how much they are currently worth and whether they are leased or owned by the company.

2. Software

Once you have collected all the relevant information on hardware, you should do the same for software. Finding out which anti-virus software, data management systems, SLAs and hosting systems the company uses is particularly important.

  • Security systems
  • Anti-virus systems
  • Operating systems
  • Email software
  • CRM systems
  • Payroll software
  • Data management systems
  • Software licensing agreements
  • Databases
  • Outsourced software development agreements
  • All software for internal use
  • Storage management (e.g. cloud systems)
  • Operating systems (e.g. Windows, Chrome etc.)
  • Open source software
  • Information on software development processes

3. Internet and telecom systems

Examining the company’s existing network and telecoms set-up will help you to understand which methods of communication are favoured by their employees and how their computer systems are organised.

  • Internet provider and contracts
  • Information on hosting environment
  • Log of planned (and unplanned) network downtime over a set period
  • Storage backup systems (including information on cloud-based programmes)
  • A diagram of the network set-up
  • A description of the internal communication system

4. Cyber & Network Security

The security of the company needs to be thoroughly scrutinised; this is one area where you really cannot afford to cut corners.

It’s especially important to gauge the vulnerability of the company to a cyber attack in order to assess whether their cyber security needs to be bolstered.

  • Intruder detection programmes
  • Security of online payment systems
  • Data encryption program
  • Test results for system vulnerability checks
  • Information on previous security breaches (and what measures were put in place to prevent another)
  • Cyber security insurance and certificates
  • Staff training programmes on security
  • Network firewall settings and maintenance
  • Remote access software
  • Background checks for all employees
  • Policy on acceptable use for hardware and software
  • Policy on remote working
  • Information on which non-employees are granted access to important company data
  • Log of any hardware without anti-virus software
  • Policy on company passwords
  • Plan for disaster recovery and security breaches
  • Information on database record storage
  • Vendor updates

5. Customer Support Systems

The main objective of gathering information on the company’s customer support systems is to determine how IT is utilised to interact with their customer base. The key areas to assess when it comes to customers are:

  • How do customers access technical support?
  • What technical support is offered to customers?
  • What are the most common technical questions that customers ask?
  • How are new customers integrated into the IT system?

6. IT Support Staff

A key element in the smooth running of your IT infrastructure is the number of staff employed to provide technical support. Finding out about the roles and responsibilities of IT personnel will help you to determine whether you’re doubling up on roles or need to employ additional IT support staff.

  • Full list of all IT personnel and their individual roles and responsibilities
  • Confidentiality and intellectual property agreements for staff
  • List of employees who have had access to source code in the last 3 years
  • Staff training programmes
  • Chart showing how the IT department is organised
  • List of vacancies that need to be filled over the next year

7. Company products & services

You will also need to identify all products that have been created for both internal and external use, and find out who within the company has access to the products. This will help you to get a better understanding of who owns the software, and which staff are involved in its creation/development.

  • Software that the company has sold
  • Software that the company is still responsible for
  • Products that are currently being developed by the organisation
  • Industry certification
  • All software that the company has developed where the source code no longer exists
  • A demonstration of all software

Original article from here:
https://crosslaketech.com/technical-due-diligence-checklist-why-acquiring-firms-need-it/

Technical due diligence is a highly recommended component of the technology company investment cycle, whether you are a Private Equity firm, investment bank, or acquiring company. Find out why, as well as some of the mandatory areas to explore with this technical due diligence checklist.

Would you buy a new home without having it inspected by a seasoned professional? Most people wouldn't. The cost of a home inspection is negligible compared to the cost of the home, and can provide significant peace of mind or even modification of the sales price to accommodate any defects or needed maintenance. Why not just do the inspection yourself? For starters, most people do not possess the expertise to inspect the fine details themselves. Additionally, every construction is different, so inspection is a bit of an art – you have to have a good eye and the wisdom to know what to look for. Previous experience building houses is helpful or even mandatory. Most people cannot be experts in all aspects of home construction, including structure, plumbing, electrical, general maintenance, and overall quality and aesthetics. With all these variables, hiring an outside third party to help evaluate and protect your investment intuitively makes sense.

The same concepts hold true when investing in a software company. In a list of 20 due diligence activities necessary before a merger or acquisition, Forbes notes technical due diligence and intellectual property review as number two. Leaders of acquiring companies like Private Equity (PE) firms, or even other technology companies, are well versed in financial concepts, but may not be technology gurus. Using a third party to help evaluate the technical aspects of the target software company is akin to using a professional home inspector.

Most acquiring firms have a set of investment objectives in mind when acquiring a new technology company. Performing technical due diligence to evaluate the product, architecture, processes, and organization helps ensure that those objectives are met prior to closing the investment. Additionally, a detailed look at these aspects helps validate any assumptions the investment firm has made, such as the ability to scale the number of users 10x in 3 years.

Why not just do a basic technical due diligence yourself, particularly if you are a software company acquiring another software company? Firstly, competitive intelligence may be at stake and a third party with a signed non-disclosure agreement can help preserve that integrity. Secondly, using a third party with team members of varying expertise, an objective view, and the ability to compare hundreds of companies to the target adds further value to the diligence process.

A refined technical due diligence process is quick, efficient, and answers the investment questions in easy-to-understand terms with sufficient detail. Target companies are typically analyzed from three perspectives:
 

  • Technical risks to the investment coupled with the cost to mitigate
  • Opportunities for growth post-investment close to help meet objectives
  • Strengths of the company that should be preserved and/or built upon moving forward

Each of these perspectives is analyzed from the following categories. Included below are some sample questions to ask and answer:
 

  • Product strategy and product portfolio
    • Does the product strategy fit with the investment company's growth objectives?
    • What are the product strengths, weaknesses, opportunities, and threats (SWOT), to help validate that a reasonable direction is possible?
    • How does the company determine the product roadmap and what will add the most business value?
  • Product function and quality
    • Are there obvious quality problems with the product, such as performance issues, that may be expensive to fix?
    • Does the product fulfill end user goals in a usable way or is an expensive UI revamp necessary?
  • Architecture & Code
    • Is there anything in the architecture that is an impediment to meeting growth objectives?
    • Are there legacy components in the software that require replacement? How much will this replacement cost?
    • Are there third party or open source components that may be problematic from the legal or technical view?
    • Is the code written in a maintainable way such that others can be productive in the code base quickly?
  • Processes, Practices and Tools
    • Are there opportunities for efficiency gains and/or cost reduction?
    • Will the existing practices scale appropriately with company growth?
    • Are there existing skills gaps that inhibit efficient delivery?
  • People & Organization
    • Are the right people in the right roles to meet investment objectives (particularly leaders)?
    • Who are the people critical to the business who must be retained with the acquisition?
    • Are there significant gaps in the organization that must be filled to meet investment objectives?
    • Is the level of R&D spend appropriate for the company size? Are there opportunities for reduction?
  • IT/Operations/DevOps
    • Are there opportunities for cost reduction, such as a move from locally managed resources to the cloud? What is the cost in doing so?
    • Is there a suitable business continuity plan in place, and if not, what risk is undertaken and what is required to implement one?
    • Are the expenditures reasonable given company size?
    • Are deployment practices efficient with minimal risk of human error?
  • Product Support
    • What are the top support call generators that may be indicative of product problems?
    • How many escalations make their way to the development team?
  • Professional Services
    • Are implementation times long, potentially indicating a lack of configurability/customization in the product?
    • Are there opportunities for product enhancement to scale to a larger number of customers while requiring less on the services side?