Often the due diligence process is stressful, time-consuming and intensive for both buyers and sellers. However, it is also critical to a successful merger or acquisition, for example before a company goes public and starts trading on stock markets.

You would ask why?

The answer is following: the investigative process conducted during an acquisition gives both parties the opportunity to validate assumptions about each other.

Buyers must be vigilant in their pursuit of uncovering any risks, liabilities, or underlying business problems before committing to the transaction. This diligence serves as a safeguard, ensuring that no unpleasant surprises emerge after the deal is closed.

A diligent buyer extends their controls across every detail of the seller’s operations. This includes, but is not limited to, examining the financial health of the business, assessing operational efficiency, evaluating customer satisfaction levels, and analyzing the overall risk exposure. Work ethic and culture is also needed to be assessed.

Key Areas of Focus in IT Due Diligence

IT due diligence typically covers several core areas, including:

Infrastructure and Systems which involves the examination of the hardware, software, and network infrastructure to assess one’s condition and scalability. Via the process, we aim at understanding the main strengths and weaknesses and identifying which areas could be improved or changed entirely.

IT Asset Inventory, more specifically, checking the inventory of all IT assets, including hardware, software licenses, and cloud services, and ensuring that all assets are properly documented and accounted for. Also, the identification of critical dependencies, ownership licensing issues, and the need for software updates, is crucial.

Data and Information Security, mainly the evaluation of measures to protect sensitive data, such as encryption, access controls, and disaster recovery plans.

IT Personnel and Capabilities with the focus on the IT team’s skills, expertise, and capacity to manage and support the technology infrastructure.

Strategic Alignment, meaning one should ensure that the technology strategy aligns with the business objectives and long-term vision.

Compliance and Legal Obligations which involves verifying that relevant industry regulations and standards are adhered to.

The IT due diligence encompasses the process of evaluating businesses, investments, and potential opportunities and brings some key benefits, including risk mitigation and identification of potential risks, such as data security vulnerabilities, compliance shortcomings. It also helps with the identification of opportunities relevant to technological enhancements, cost savings, and operational efficiencies.

Besides, the assessment of one’s cybersecurity strength might help with ensuring the desired robustness of security measures that are crucial to safeguarding sensitive data and business continuity and verifying that relevant IT-related regulations and standards are reflected in the processes and fully implemented.

ICT Strategic Advisory – Factors to Consider

At Deloitte we propose a flexible set of services starting with a strategic health-check assessment, followed by on-going support to be agreed and drawn down as needed. Within the assessments we consider a number of factors that we consider crucial, such as:

• Strategic alignment of ICT with business needs: The existence of a Digital Strategy acting as a roadmap of business technology investment including investment data and technology (ID&T), and workplace systems including for customer relationship management and records management is considered an ideal state. Besides, a strategic project review should be in place, providing for at least monthly oversight of the status and progress of key initiatives, and supporting prioritisation across the project portfolio.
• IT governance: ICT should be considered within a range of one’s activities, including project management, operations and operational risk, cmpliance and cyber security. Roles and responsibilities for ICT should be generally defined and understood, major technology investment decisions should be made in consultation with the board and there should be active focus on maturing cyber security capabilities.
• Support and service management: Service management processes should include typical controls such as testing and scheduling of changes, vendor contracts should be in place with key suppliers, including defined service levels covering core business hours. In relation to that, third party risk assessments should be performed during procurement, and cloud vendor risk assessments should be introduced as well. Also, Internal Audit should provide a level of assurance for ICT controls, with a cyber focus and there should be limited-to-no legacy technology within the environment.
• Team capability and capacity: In addition to a small core ICT team, additional employees with technology-related skills should be located elsewhere within the organisation (particularly the Data & Analytics team and Projects team). There should be a dedicated Cyber Security Analyst to focus on this key risk area.

Rushing or neglecting the due diligence process can have unpleasant consequences. Research has shown that a significant percentage, as high as 90%, of acquisitions fail to meet their pre-acquisition goals when a comprehensive due diligence effort is not undertaken. IT due diligence process is thus an important step to be well-equipped to make informed decisions, mitigate risks, and optimize the outcomes of your business ventures and investments and should not be underestimated.