Posted: April 02, 2014
IT M&A due diligence
One size approach doesn't fit allAudrey Katcher
Today’s businesses are more reliant on information technology (IT) than in any other time in U.S. history.
IT risk is no longer confined to entities involved in processing significant numbers of financial transactions or subject to complex regulation; rather, IT risk is pervasive across all industries in today’s world and is an often overlooked area for due diligence when executing a merger or acquisition.
Given that most studies suggest 70 percent to 90 percent of mergers and acquisitions (M&A) fail, thorough due diligence is an absolute must and IT cannot be overlooked. IT due diligence is not a “one size fits all” approach.
There are different considerations depending upon whether the acquirer is a strategic or financial buyer, and whether the target company is a new platform company or if the target company will be rolled into another company.
A thorough understanding of the strategic purpose for acquiring the target is critical. Additionally, the buyer should have a robust 120-day post-deal plan with a significant component of that plan being IT. The buyer should take the opportunity during due diligence to establish an IT plan for the business going forward.
IT Due Diligence Defined
IT due diligence can generally be thought of as an assessment of the target company’s state of information technology. Throughout this assessment, key questions such as the following should be asked:
- Will we own the technology?
- Do we have to replace the technology?
- What information (including transactional and intellectual property) is important?
- Where is the information? Is it housed with unknown third parties (ie. Dropbox).
- Who has the control of the technology? Is there a limited group with access to “all.”
- Is there a key man risk? The loss of certain key individuals could be detrimental to the company.
- Will we have a gap in IT skills post-deal? If the entity is a carve-out, IT support may be lost.
- Has there been downtime due to technology?
- Is the technology, such as the ERP, scalable?
- Do we have risk related to our web presence that will require additional
What is “technology” for the entity?
- Data center / server room
For companies in certain industries that are collecting personally identifiable information or credit card information, regulatory and reputational risk for a security breach should be of significant concern to a potential buyer. Identifying gaps or weaknesses in security over such information can help inform the buyer as to future costs or risks associated with owning the business.
IT due diligence is critical in assessing the potential for future capital investment in the business. For example, many financial buyers of businesses will require significant amounts of financial data at a disaggregated level to run the business post-transaction.
It is critical to understand, during due diligence, if the company’s systems are going to be capable of providing such information. If the systems are not, the financial buyer will want to incorporate system upgrades into their financial models.
Additionally, if the target company is going to be utilized as a platform for other acquisitions, a buyer will want to know whether the systems be sufficient to accommodate additional businesses being rolled in. The answers to these questions can have dramatic impact on the economics of the deal and can be reasons to walk away from a deal or renegotiate the purchase price.
I have seen many examples where IT due diligence has identified deal issues that have to be overcome either pre-deal or post-deal. Deal makers don’t like surprises. IT can be a source of bad surprises. IT due diligence can help identify what those surprises might be and evaluate an action plan to deal with them.
Always identify the risk factors and begin to put in place an IT road-map for improving the IT operations of the business. This strategy will prove helpful so that on day one post-deal, the buyer is ready to execute and make the necessary improvements and has a real perspective on the capital and expense costs for IT.
It is very important for any buyer to quickly fix any issues identified during due diligence so that everyone can move on to growing and expanding the company; after all, this is how everyone makes the investment pay off.
Audrey Katcher, CPA, CISA, CITP, is a Business Advisory Services Partner at RubinBrown. Audrey has over 20 years of public accounting experience in several industries including, technology, higher education, manufacturing and financial services. Audrey is a Certified Information Systems Auditor (CISA), a Certified Public Accountant (CPA) and a Certified Information Technology Professional (CITP).