Are you getting ready for a merger or acquisition? Do not forget about IT due diligence!

During mergers and acquisitions, companies usually go through the process of evaluation and build an objective view of the potential investment subject. This means the process of due diligence is historically focused on financial, tax, and legal aspects. Whereas IT processes, property, and information security are often overlooked, even though they are key areas. In today’s time of informational technologies, the due diligence process should always contain an examination of activities, systems, processes, principles, and IT methods.

To acquire complex information about investment objects it is necessary to conduct an analysis of IT infrastructure and an assessment of the level of informational security.

Main reasons to perform IT due diligence

• Elimination of potential risks for more aspects of due diligence: financial, tax, legal, and business. Not only IT systems, but also ERP systems are connected to all business aspects so if these systems are started with imperfections it can influence other departments and so even on the final decision
• Investments in IT and costs of IT are some of the main expenses of every company. A potential buyer should understand the IT expenses of the new company and any additional investments before making their decision.

The first step during doing analysis is the identification of the main informational assets. In a broader sense asset are information in different forms (paper and electronic documents, database, and data files, etc.) and the means of processing them (software, hardware, IT systems, and services). Every modern company uses different IT systems that join to form informational assets. Not all assets have the same value to the company and that’s why different assets are secured by different tools. From a financial and resource management perspective, setting priorities plays an important role in how different assets are secured.

The next important step is a classification of information based on how much it would damage the company if it was unavailable or endangered. Distinct groups of information are necessary to establish separate methods and requirements for the level of security of information. Classify not just the outcome information (data), but also the means of its processing. Classification of information sources also allows you to judge the economic feasibility of implemented security means.

A potential investor should also pay attention to regulatory documents describing the processes of leading IT and the function of information security. These documents should include an overview of principles and internal standards. The potential absence of principles of unification and standardizing of the used equipment and software infrastructure brings heterogeneity in the IT space. With this heterogeneity comes additional connected expenses for maintenance and SW from different producers.

While analysing the operating activity of the IT department, it’s necessary to evaluate the key specialists that are participating in the management and development of IT systems and services that are important for the company’s mission. This evaluation should include an analysis of professional competence and doubling IT functions. Insufficient analysis of the operating activity of the IT department can lead to loss of key competencies and, due to that, additional expenses for needed specialists or for redirecting the function to external technical support.

During the integration of IT spaces from merging companies, problems connected to different levels of development processes and information security can occur. These problems may include use of different standards of services, types of informational systems, methods of management, etc. Due to this complexity, it is important to give a lot of time to unifying processes in order to build a homogenous IT space for organization of IT, management of IT, and information security. This can require substantial investments.

Within the analysis of IT infrastructure, it is also necessary to analyse the current state of IT security. This analysis should include the study of current processes and evaluation of the effectiveness of used tools of information security, such as cryptographic protection, protection from malware, managing updates, vulnerability, security networks, etc. This analysis allows you to evaluate the current state of information security and the level of vulnerability of IT infrastructure against current threats.

Based on the conclusions from the analysis of IT structure, different variations of the incoming integration of IT spaces from the bought company and mother company should be formulated and evaluated. Generally, we can differentiate 3 main scenarios:

1. Leave everything as it is: In the short-term, this is the fastest and least expensive solution. However, keep in mind that in a few years investments will be necessary and—at this point—they can often be even higher. This option also means isolation of the IT space of the bought company.
2. Partial integration. This scenario assumes a partial optimization of primary critical IT processes. In comparison with full integration, it means more acceptable expenses in short term, but there is a possibility of degradation of some functions of IT processes
3. Full integration. This variation means optimizing all IT processes of the bought company. This option is the most demanding for the initial investment, but long-term, this approach provides predictable economic expenses for the development of IT processes of the joining company.

For a well-done and high-quality analysis from the IT perspective, it is necessary to engage specialists with sufficient knowledge, experience, and competence in the areas of organizing IT processes, leading the security of information, and analysing/evaluating informational threats. So do not hesitate to turn to a specialist. What can we offer in this area?

• IT organization and IT processes – securing of organizational structure of the IT department and mapping out the processes in the company
• IT strategies, projects, investments – analysis of the current role of IT in the company, current expenses, and potential investments into IT
• ERP system, business systems, and software – making an overview of all systems and software that maintain the organization of IT

Our specialists in IT due diligence offer you a clear overview of the IT side of the potential investment object. They will identify and evaluate key threats in technologies and will analyse their potential impact on the entire business.