Seven Deadly Sins Of IT Due Diligence

When contemplating a mid-market asset acquisition, buyers should take sufficient time to assess the hidden deal risks within the information technology (IT) landscape. Mid-market companies, particularly those at the lower end of the middle market, may not have the vision, technology architecture, or appropriate staffing and skill mix to support aggressive growth after the acquisition closes.

Effective IT due diligence involves more than filling out asset inventories and checking off boxes, but it does not require a significant amount of time. A small team with deep and broad IT experience can often complete an informal assessment in two to three weeks, and take roughly another week to wrap up a formal report.

The IT due diligence team doesn’t operate in isolation. They convey due-diligence information about their concerns to the financial members of the team so IT issues can be used to gain negotiating advantage. As the IT services contract portfolio is reviewed, they work closely with the legal members of the team to flag additional weaknesses within the contractual obligations of the acquisition target.

The primary role of the IT due diligence team is to translate the risks in the IT landscape into estimates of their financial impact. A skilled due diligence team understands that risks with significant financial impacts can be found within seven crucial areas.

1. Fundamental flaws in the systems and data structures that feed the financial reports. Mid-market companies often have spreadsheet silos containing key financial information. When this information is consolidated to create financial reports, there can often be conflicting views of reality based on differing calculation methods and assumptions from department to department. Dual-entry or manual-consolidation processes create a greater likelihood that the reports will contain errors. It’s important to validate these financial reporting structures and processes before the financial due diligence team begins its investigation of the numbers themselves. Failure to complete this necessary step can seriously undermine the financial due diligence process, allowing the buyer to enter into a bad deal or significantly overpay for the acquisition.

2. IT contracts that have not been renegotiated regularly to obtain more aggressive pricing. After the initial contract is executed with a new vendor, rubber stamp renewals can result in lost opportunities for significant cost reduction. In the telecom and outsourced hosting space, increased competition over the last five years has made it easier to find competing bids that can result in cost savings even when staying with the same vendors. If IT contracts don’t come under scrutiny during due diligence, the company may miss a significant cost savings opportunity.

In addition to pricing issues, many IT services contracts lack appropriately tight wording around Service Level Agreements (SLAs). Furthermore, the vendor needs to demonstrate that it has adequate performance monitoring and customer reporting capability in place, so that service levels can be monitored. Finally, the contracts should contain clearly-stated consequences, in terms of invoice credits, for the service provider’s failure to meet SLAs.

The key points to consider when reviewing SLAs are:

• Is there an SLA for each service or transaction covered in the contract?

• Does each SLA fully document how 100 percent of the transactions, interactions or uptime will be handled?

• If system availability is defined as a percentage of time over a long interval (e.g., monthly), is there also a maximum time of outage specified?

• Are there performance mechanisms and reporting in place to monitor performance against SLAs?

• Are there remedies defined for the vendor’s failure to meet each SLA?

3. Inadequate business continuity and disaster recovery policies and processes. The easiest part of the assessment in this area is to determine if business continuity planning and disaster recovery processes exist. The team must also examine the documented results of disaster recovery drills, and determine the extent to which processes and policies in these areas align with accepted best practices.

The first level of due diligence in this area involves reviewing documented procedures. A deeper assessment must be made, however, and it’s important for the due diligence team to probe for evidence that these procedures are actually being followed. In this case, an ounce of prevention is really worth more than a pound of cure, and the costs of disaster are easy to estimate in terms of daily revenue loss.

4. Outdated or proprietary applications supporting mission-critical business processes. A detailed inventory of all hardware, software, and IT contracts should be part of the due diligence package. The IT due diligence team needs to define the going-forward disposition of each item in the inventory along with a preliminary cost estimate for any required upgrades or replacements of components or contracts that are nearing the end of their service lives.

These risks are often not apparent to due diligence teams without significant IT implementation experience. Failure to identify them before the deal closes could result in significant unplanned capital expenditures in the first year after the deal closes.

If the IT environment contains custom applications, or highly customized packages, the due diligence team must review functional specifications and spot check to ensure that the specs are up to date with the code that is currently in production. Often, documentation lags the production releases, or falls off the radar completely. In that case, the real working knowledge of mission-critical systems may only reside within the development team’s memory, creating huge risks if key staff members leave the company after the acquisition. Situations such as these must be factored into staff retention planning.

In addition to assessing the current application portfolio, the IT due diligence team documents the impact of the missing pieces. If a target lacks a robust “Business Intelligence” framework, for example, headcounts may be unnaturally high because of the amount of effort required to consolidate and create spreadsheet-based reports. (A Business Intelligence framework is the technology that lets managers turn data into meaningful information providing insights into how a business is doing today, and provides the ability to predict where it may be going tomorrow.) In businesses that operate on lean margins, where investors are going to look for ways to aggressively drive costs down, an acquisition will score better as a potential target if it already has a “Corporate Performance Management” solution, software that helps managers formulate strategies for profitable growth, align strategies with operational plans, and actively monitor day-to-day operations

5. IT skill sets and staffing that will not support new plans for growing the business. The business goals of the deal set the direction for the IT roadmap. In addition to estimates for the hardware, software and professional services to support the roadmap, the go-forward budget must include the costs of reshaping the IT organization, through replacement, addition, or retraining.

It’s critical that the new owners take a careful look at the current IT organization and eliminate underperformers or workers whose skills no longer align with the new IT strategy. If current staff can be retrained and retained, the training costs should be part of the cost model.

6. Failure to include or appropriately implement outsourcing of application hosting and IT functions. In-house hosting of all applications and having a dedicated internal support group may not be a long-term cost-effective solution.

Estimating the total cost of outsourcing is not an easy task. It is crucial to include secondary cost factors as part of the model; those include the costs of additional hardware as the business grows, costs of application monitoring software, and costs to implement and maintain customizations to the application. Failure to complete the detailed financial modeling step of the outsourcing vendor evaluation process often leaves companies blindsided by hidden costs that only become apparent after the migration is complete.

7. Lack of formal change control over the IT environment. Lack of a formal change control board, a group that ensures money spent on IT is spent in the best possible way for the whole business, often points to a broken relationship between IT and the business it serves. If the IT department has no formal controls around putting new software code into production, this is a liability. It allows people to influence IT to meet their own needs without considering the impact on the overall architecture. The end result can be an IT environment that wastes money working to maintain and modify code that does not really serve the most pressing business needs. If the current IT environment has grown up in an uncontrolled and under-documented way, upgrade and migration costs may be underestimated. A skilled IT due diligence team can factor this into the cost model.

In addition, the nature of the deal itself, and the investor’s goals for the company may dictate additional areas of focus during IT due diligence. For example, if an acquisition target is going to be a platform company for future acquisitions, it’s wise to look for companies with advanced, extensible technologies in areas that create competitive advantage. An e-commerce platform company that already has a robust Web 2.0 architecture can help future tuck-ins rapidly gain marketshare as customers come to expect more functionality from e-commerce sites.

It’s clear that comprehensive IT due diligence to assess weaknesses and probe the areas defined above goes beyond checking off the boxes. The due diligence team must begin with an understanding of the investors’ goals for the acquisition and conduct a comprehensive evaluation of the entire IT organization and architecture to ensure these goals can be supported forwarding the future. Existing risks become tools for leverage in valuation and shaping the final deal structure. Plans for mitigating those risks are the basis for projecting a year-one IT budget.

While some buyers may still shy away from requesting IT due diligence of this depth for fear that it will slow down the deal, a small, skilled team with a structured methodology can deliver exploratory IT due diligence findings for mid-market targets within a week or two, and provide confirmatory due diligence after the letter of intent is executed within another one to two weeks. The key to success is finding a service provider with the following characteristics:

• Deep experience in delivering the full suite of IT solutions, including infrastructure, software solutions, custom development, and outsourcing;

• Experience with a variety of M&A deals;

• Demonstrated ability to understand investor goals and to understand how the business context shapes the focus of the due diligence effort.

Joanne Wortman has been actively leading M&A integration and due diligence efforts for over a decade, and has been instrumental in developing Edgewater Technology’s M&A integration methodology and toolset. Her experience spans work in financial services, media, entertainment, health care, hospitality and consumer packaged goods. She has managed multiple custom application development, packaged application selection and implementation, and business process improvement initiatives. She also has expertise creating business plans for technology start-ups and assisting them with attaining first-round financing.