What is technology due diligence and why is it important © dr pete technology experts london

www.drpete.co.ukwww.drpete.co.uk

What is IT (Technology) Due Diligence?

A high level checklist Roelof Iball & Paul McCormack

Senior Consultants, Dr Pete Technology Experts

www.drpete.co.ukwww.drpete.co.uk

Contents

1. What is IT Due Diligence?

2. Why bother with ITDD?

3. Who undertakes the ITDD?

4. Understand the process of ITDD

5. People

6. Infrastructure

7. Software

8. Processes and controls

9. Documentation

10. Strategy and Management

11. Need help?

www.drpete.co.ukwww.drpete.co.uk

Due diligence is the name given to an investigation to provide reassurance that a transaction is fair and true, before completion. The concept has been in place for many years and is important for IT systems in particular, as they affect the smooth running and efficiency of the business.It is commonly performed in the following circumstances:● A company (Acquirer) is buying another company (Target), whole

or in part.

● A company is raising money, either via loan or equity, and the lender (e.g. bank or prospective shareholder) wants assurance that IT is effective and is value for money.

● Owners/shareholders wants to demonstrate that systems are fit before selling part or all of the business, or receiving an investment. (Vendor ITDD)

What is IT Due Diligence (ITDD)?

www.drpete.co.ukwww.drpete.co.uk

● Imagine buying a house without a survey - you would ask a surveyor to assess the house to make sure it is in good condition and to avoid expensive repair bills and to strengthen your bargaining position.

● All businesses now rely on technology (even if it is only a smartphone), it is imperative to ensure systems are adequate.

● For example, a failure in key business systems (e.g. eCommerce, warehousing, communications, manufacturing, logistics) could be expensive and damage your reputation.

● Businesses experiencing a disaster scenario have a high failure rate; the business could effectively be worthless.

Why bother with ITDD?

www.drpete.co.ukwww.drpete.co.uk

An ITDD may be performed internally or externally:● An IT director or chief technology officer

from the Acquirer may investigate the Targets technology setup.

● However, a preferred approach for both parties would be to undertake an independent IT DD to:

o Ensure impartiality for both vendor and acquirer.

o Offer transaction experience.

o Bring additional resource that may not be available internally.

Who undertakes the ITDD?

www.drpete.co.ukwww.drpete.co.uk

To complete the assessment, the independent ITDD assessor will need information from the IT Team.

● Staffing - skills, expertise, key-person dependency issues.

● Technology - architecture and extensibility, scalability, robustness, security.

● Processes & procedures - policies, governance, documentation (systems and strategic papers), suppliers and contracts.

● Strategy and management - a review of strategic plans and management information.

A formal report on findings and recommendations will provide a clear snapshot of the current IT situation and its capability to support the business strategy.

Understand the process of ITDD

www.drpete.co.ukwww.drpete.co.uk

The Due Diligence Process

www.drpete.co.ukwww.drpete.co.uk

ITDD Example Checklists

www.drpete.co.ukwww.drpete.co.uk

People

☐ Do IT staff have the right skills available to support the systems?

☐ Check there are no key-person dependencies (especially in critical system support and/or software development).

☐ Is there staff cover for service availability demanded by the business?

☐ Is there reporting on analysis of staff turnover, appraisal processes, development and training plans?

☐ Are procedures/processes documented including a staff guide?

☐ Does everyone have a current job description and how do salaries compare to the market rates?

People are often the biggest risk and cost; it’s important that the right capabilities exist and are appropriately deployed.

www.drpete.co.ukwww.drpete.co.uk

Infrastructure

☐ Is the hardware old and in need of imminent replacement?

☐ Is the current hardware (and firmware) appropriate, supported and scaleable?

☐ Are systems robust, reliable and resilient - including infrastructure such as data centres and internet provision?

☐ Do reports exist for security breaches (virus outbreak, network hacks, data loss, physical impediment such as fire or flood)?

☐ Have the systems been tested for vulnerabilities?

☐ Is there an up-to-date record of all IT assets, including equipment and licenses?

☐ Is there a backup regime; has a data restore been recently tested?

☐ Are plans in place for business continuity and disaster recovery?

Are the current hardware/infrasture systems capable of supporting the business strategy?

www.drpete.co.ukwww.drpete.co.uk

Software

☐ Is the software very old and in need of imminent replacement?

☐ Is the software current and supported?

☐ Are there any proprietary/ bespoke systems?

☐ Is any software developed in-house, and if so, is it developed using a recognised software development framework (SDLC)?

☐ Is the source code carefully maintained?

☐ Understand the ownership of any IP (intellectual property).

☐ Does the helpdesk/service desk system fulfil its requirements to provide (and report) IT support to the business?

☐ Is licensing adequately controlled and managed?

Understand the software utilised in the business, its effectiveness and ownership.

www.drpete.co.ukwww.drpete.co.uk

Processes and controls

☐ Key IT suppliers: Understand contracts & exit plans. Identify alternative suppliers and any mitigation plans.

☐ Are key supplier performance metrics reviewed regularly? Benchmark costs to ensure value for money and hold regular reviews (quarterly).

☐ Are Access Control measures in place, including password policy and “break- glass” measures?

☐ Is there a policy for BYOD (bring your own device)?

☐ If WiFi is available, is there segregation between staff and guests?

☐ Has the business gained any assessment certification, such as ISO 27001?

☐ Are helpdesk and ITIL / Cobit adopted?

Understand procedures and authority to carry out the BAU (business as usual).

www.drpete.co.ukwww.drpete.co.uk

Documentation

☐ Is there a published SOP (standard operating procedures) guide?

☐ Are documents up-to-date and version controlled?

☐ Is there an IT standard product catalogue that’s published and known across the business?

☐ Do documents exist relating to service level agreements (SLA) with suppliers and internal business groups?

☐ Are bespoke software systems adequately documented?

☐ Is documentation available for IT strategy, project management and change control?

Understand how documentation supports the IT operation.

www.drpete.co.ukwww.drpete.co.uk

Strategy and Management

☐ Is the IT strategy planning process in place?

☐ How is the strategy or roadmap documented?

☐ Is the IT budgeting reasonable and adequate?

☐ To what extent does technology feature at the Board level?

☐ Is the IT strategy aligned with the business strategy?

IT is critical to efficiency and staying ahead of the competition. IT DD should address the following questions:

www.drpete.co.ukwww.drpete.co.uk

● Our checklist is a simplified snapshot/highlight of typical questions, to provide food for thought.

● In reality, every business will be different - for example, online gaming will be different to eCommerce - in terms of types of systems and peak usage and security.

● We have over 30 experts, many from the Big 4 IT audit practices, who have undertaken technology ITDD.

● We can tailor a cost effective plan based on your requirements in the UK or around the world.

Need help?

www.drpete.co.uk

Roelof Iball

Senior Consultant

Roelof is a seasoned IT professional, corporate (BP, Ernst & Young, Rentokil Initial, BDO) IT problem solver, experienced across a range of industries encompassing both mid-size and enterprise organisations.

Reporting on IT investment and performance issues for private equity and corporate finance due diligence.

Paul McCorma

ck

Senior Consultant

Paul is a seasoned IT professional, having served as a Head of IT for a variety of corporates. Prior to joining DrPete, Paul was an an IT Consultant advising clients of BDO LLP. He also undertook a discrete project assignment for Google.

Paul has worked in many diverse sectors, from natural resources, to property management and cryogenics, providing IT reviews, due diligence and IT project management services.

About the authors

www.drpete.co.uk

Our services

DrPete Inc provides Consulting service in the following technology areas:

Our clients

www.drpete.co.uk

We use the latest cloud apps and technology paradigms.

DrPete Technology Experts: Thought leadership

We are members of the European Cloud Industry body - Eurocloud, where we have presented.

Our firm is regularly featured as thought leaders. We have been featured in broadsheets such as the Financial Times, the Guardian, and leading portals like the Huffington Post.

We have regular columns in CloudPro and Techradar.

Providing inspirational technology remedies to business challenges