In today’s highly regulated business environment, it’s harder than ever to get a clear and comprehensive view of the total cost of ownership (TCO), and the risks associated with a potential acquisition. A key contributor to this acquisition risk is overlooking information technology infrastructure and security issues, which often leads to unanticipated IT spend and possible regulatory compliance issues.
So, how do you understand the cost and risk involved with IT investments and possible regulatory or software compliance issues? The answer is IT due diligence.
IT due diligence assesses:
- A target acquisition’s current state of technology
- Issues related to maintaining its current technology
- Financial implications of a technology plan
- Opportunities for leveraging existing technologies
- Initiatives necessary to accomplish a successful merger
- Business risks
Results are analyzed and recommendations are made to enable an investor to make the best possible business decision regarding a potential acquisition. Data is collected by reviewing all available information from the target’s IT department, touring facilities (including data centers) and conducting one-on-one interview sessions with the IT management team.
The whole process usually requires four to six weeks, depending on the specific situation. For example, if the acquisition target company relies heavily on custom, proprietary software code, the process is more complicated. Such unique code may need to interface smoothly with more-standard code used by the acquiring company, a challenge with its own associated costs and risks.
The process begins with an IT assessment summary that complements the work performed by financial, legal, and operational analysts. This exercise validates TCO, analyzes risk and provides benchmarking information, enabling a more informed decision.
The assessment summary should include:
- Architecture analysis
- Transition investment
- Infrastructure analysis
- Remediation requirements
- Applications analysis
- Security risk analysis
- Service support analysis
- Security analysis
- Information asset analysis
- Criticality definitions
- TCO analysis
- System criticality
- Organization overview
- Threat, vulnerability and impact analysis
- Operating expense analysis
- Risk register
- Capital expense analysis
- Executive presentationBenchmark comparison
To maximize the investment and yield the most accurate results, take a holistic approach by examining IT infrastructure and applications, IT security, service delivery and service support. By scrutinizing all of these areas, an investor can calculate the IT TCO and evaluate the IT organization’s efficiencies (or inefficiencies).
Best practices leverage proven methodologies and industry benchmark data to map IT strengths, weaknesses and hidden deficiencies that can impact acquisition priorities. Such data may come partially from public sources of industry standards but should be augmented by data your provider has gained through its own experience in the field. This allows an investor to better understand the current state of the target’s IT organization and help to identify and prioritize possible future IT investment requirements that may affect valuations.
It is important to know, too, that thoroughly assessing IT issues requires specialized experience. Look for providers who have done numerous assessments before and who are technology-focused. Without that skill set, it can be easy to overlook potentially costly details. For example, mission-critical software may require individual seat licenses for each user, and these licenses may cost thousands of dollars each. No one wants to discover after the acquisition is closed that they now must cover a potentially huge and unexpected licensing cost.
Similarly, telecomm infrastructure should be comprehensively studied. Many companies simply pay their telecomm bill each month without thinking much about it because doing so is a lot less hassle than actually scrutinizing the contract and figuring out if the company has what it really needs or is paying more than it should. In truth, many companies do pay too much; they’re stuck with old contracts that are hard to break and often pay for services and features they don’t use. All of which an acquiring company should know before closing the deal.
From the technology perspective, the assessment includes all strata of IT infrastructure:
- Examination of inventories, diagrams, standards and technical implementations
- Evaluation of all applications and databases including business criticality and supportability
- Assessment of IT service delivery and support functions
- IT organization structure and support of critical business processes
Stay tuned for Part 2, which takes a deeper dive into security risk analysis.