IT due diligence
A key criterion for assessing the attractiveness of an investment or acquisition target is the quality and scalability of its IT assets. This is likely to be true for any business but is especially true in the tech sector where the technology in use can be a critical differentiator.
It is becoming increasingly important that any due diligence undertaken incorporates an effective review of the target’s IT facilities and resources. The approach the target has adopted to date may not be robust enough to support the published business plan or may simply not be sufficiently mature to support the level of investment sought. An expert, independent assessment can provide a potential investor with a high level of assurance that the IT assets are likely to be scalable and resilient.
Our team of IT experts has many years’ experience in assessing the strengths and weaknesses of the IT assets in a potential investment or acquisition target. As IT professionals, we can engage with IT resources on their level, understand both the technical and operational aspects of a business, and offer assurance on a wide range of software applications and across a broad range of technologies.
We will review the following key components of the target’s IT assets: the approach to cyber-security and infrastructure; key personnel; the software applications and databases supporting the operational and financial processes; and the software development lifecycle and technical roadmap.
The scope of our work will vary depending on circumstances, but our objective is to look at the core IT-related activities and strategies and assess their effectiveness, appropriateness, reliability and scalability, including several key areas summarised as follows with further details provided below:
This involves looking at physical IT assets (including date of purchase) owned or leased including PCs, servers, and other general telecommunications equipment (e.g., PBXs, routers, switches), together with copies of the relevant support agreements. We look at software products owned or leased including the current version being used, when it was last upgraded and how the current version relates to the latest version offered by the relevant supplier. For each software product, a copy of the software licence and maintenance agreements will be examined, as well as the technological infrastructure, including servers, network and data centres (used to operate and support the software applications in use) and the level of resilience built into all aspects of the IT solution.
We will review the third parties with whom data is exchanged, including the purpose and frequency of the sharing and the scope of data involved, as well as the third parties who provide a service/facility that any software development environment or application software relies upon for operational purposes. For each third-party interaction, a copy of the SLA that describes the respective responsibilities is also reviewed.
IT operating model
We look at the organisation chart, the responsibilities of the people on the chart, the level of experience of the main people within the IT function and the key suppliers of IT and telecoms services and copies of relevant contracts.
Application development methodology
Further aspects to review include the technology used to develop the platform, including programming languages, databases, content management systems, source code management tools, reporting tools etc. This also includes the deployment methodology for different products, clients etc.; the level and quality of technical documentation (e.g. Entity Relationship Diagram, Data Flow Diagram, Data Dictionary) and how it has been kept up to date; and the software development lifecycle and change management protocols. Bugs identified in the past 12 months will be assessed, together with the current application software roadmap and whether service level agreements are in place with clients.
Procedures need to be in place for making planned system changes and updates including development, testing and deployment. This also includes procedures for making emergency changes including development, testing and deployment – and end-user involvement in specifying, testing and signing off changes.
IT service delivery performance
The quality of the service experience over the past 12 months will be reviewed, including instances of any outages/downtime on the operational and financial platforms. Copies of any service reports that are produced will be looked at, along with the problem resolution process and the views of a few key clients on the service provided.
The approach to achieving data security and confidentiality will be examined, including physical access controls, system access controls, field-level or role-based controls, data encryption etc. This includes reviewing a copy of any security assessments, including penetration testing, and a review of any system breaches over the past 2 years.
How the Payment Card Industry Data Security Standard requirements are met will be examined, as will how GDPR (and/or equivalent) requirements are met. We will look at the IT disaster recovery plan, details of the most recent disaster recovery test and a copy of the information security policy.
CVs, employment contracts and job descriptions of the key individuals responsible for the design, development, deployment and support of the software applications and IT operating environment will be reviewed.
The highest concurrent, daily and monthly volumes processed by the platform to date will be reviewed, together with the maximum concurrent, daily and weekly volumes the current infrastructure is designed to support. Details of any volume testing undertaken in the past 12 months will be assessed, together with a review of which components would need to be upgraded/replaced to support higher volumes than currently supported, as well as a review of how the application and database design allows for potential additional future functionality, e.g. currencies, brands, sales tax regimes.