IT Due Diligence – 6 Key Considerations for Private Equity Investors
When private equity investors evaluate whether to acquire a target, assessing IT can be a challenge, especially in today’s dynamic technology landscape.
Assessing Information Technology (IT) risks, capabilities, and maturity during due diligence is critical to understanding whether a company’s technology infrastructure can support an investment thesis. In an increasingly dynamic technology landscape, determining whether IT is creating or destroying value is more important than ever before. In every business, IT should be viewed as a driver of the broader organization and must be examined closely to ensure it is effectively and efficiently enabling operations. While sector and technology expertise are often needed to conduct a thorough review of IT, investors can reference the following best practices as they consider a more thorough review of IT:
Zoom Out to Zoom In
Performing IT due diligence goes far beyond counting IT assets. It should broadly and comprehensively evaluate the current state IT capabilities and solutions to determine whether they will support the achievement of the investment thesis. This will help set the stage for successful integration down the line. Investors should take a “business first” approach to the IT evaluation, asking questions, such as:
- Has the target invested appropriately in IT?
- Does the target have a strategy in place to protect critical processes and intellectual property?
- Are applications that support critical business functions scalable with the company’s planned growth?
- What critical exposures does the company have to cyberattacks or other existential threats?
- Does corporate management have the capability to effectively manage IT costs and planned investments?
- How does the target manage sensitive customer and employee data?
- What is the level and quality of integration of historically acquired businesses?
Uncover Value Through Benchmarking
To understand whether the Target’s IT solutions and capabilities are suited to the long-term investment vision, it can be helpful to benchmark with a relevant peer group on key IT value drivers including:
- Service delivery efficiency
- Infrastructure, application and data reliability and scalability
- Governance and risk management
- Team and partner capabilities
Evaluate ERP System Effectiveness
ERP systems sit at the center of the IT universe, making them either an essential driver of value or a major roadblock. As part of the diligence process, investors should do a “health check” of the target’s current ERP system, keeping the following questions front and center:
- Are applications and database performance interfering with operations or customer needs?
- Is the ERP system sophisticated enough to support the target’s post-close evolution into a strong platform for integration? Can it support bolt-on acquisitions?
- If target is a multi-business unit, are ERP solutions standardized across the business and scalable to support strategic growth?
If the target company does not have an ERP system in place, investors should look to determine whether their IT infrastructure is enabling key business practices and effective data use.
Scope Out Cybersecurity
Conducting a full cybersecurity audit of the target prior to purchase is not always necessary or strategic, as they are often costly and time consuming. During diligence, find out how the company is managing cybersecurity. Have they engaged a third party cybersecurity audit in the last year and/or developed a multi-year prioritized Cybersecurity Improvement Plan based on the findings? With this intel in hand, investors can then explore questions such as:
- Does the team include members with cybersecurity certifications?
- Are there plans in place to help detect, respond to, and recover from security incidents?
- How robust are protection policies? Is data encryption required?
- Are there tools and methods in place to prevent and detect insider and external threats?
Assess Data Management
Investors should evaluate how data is being managed within the target company to uncover risks and opportunities associated with the investment. Questions to ask include:
- Where is data stored?
- Has master data cleansing been initiated?
- Is data regularly backed up?
- What data is sensitive?
- Are there any regulatory compliance requirements?
- Where do we store our most critical digital intellectual property?
Gauge Strength of IT Leadership
The target company’s IT leadership should have strong business acumen and a clear focus on business value creation. To gauge leadership capabilities, Investors should ask:
- Does the IT team work together in an open and collaborative manner?
- Is the IT team right-sized for effectiveness?
- Does the IT team select solutions that are aligned with the broader IT strategy and track progress against business value-based KPIs?
The days are long gone when leaders could run a business without IT. PE investors know that if IT does not adequately support the portfolio company, value creation may not go as planned, and their investment may be at risk.
IT is not peripheral—it is core to the success of any investment. Doing the diligence to see whether the target company’s IT function will help or hinder the achievement of the investment thesis is critical to making sure deals are done right.