Assessing Information Technology (IT) risks, capabilities, and maturity during due diligence is critical to understanding whether a company’s technology infrastructure can support an investment thesis. In an increasingly dynamic technology landscape, determining whether IT is creating or destroying value is more important than ever before. In every business, IT should be viewed as a driver of the broader organization and must be examined closely to ensure it is effectively and efficiently enabling operations. While sector and technology expertise are often needed to conduct a thorough review of IT, investors can reference the following best practices as they consider a more thorough review of IT:
Performing IT due diligence goes far beyond counting IT assets. It should broadly and comprehensively evaluate the current state IT capabilities and solutions to determine whether they will support the achievement of the investment thesis. This will help set the stage for successful integration down the line. Investors should take a “business first” approach to the IT evaluation, asking questions, such as:
To understand whether the Target’s IT solutions and capabilities are suited to the long-term investment vision, it can be helpful to benchmark with a relevant peer group on key IT value drivers including:
ERP systems sit at the center of the IT universe, making them either an essential driver of value or a major roadblock. As part of the diligence process, investors should do a “health check” of the target’s current ERP system, keeping the following questions front and center:
If the target company does not have an ERP system in place, investors should look to determine whether their IT infrastructure is enabling key business practices and effective data use.
Conducting a full cybersecurity audit of the target prior to purchase is not always necessary or strategic, as they are often costly and time consuming. During diligence, find out how the company is managing cybersecurity. Have they engaged a third party cybersecurity audit in the last year and/or developed a multi-year prioritized Cybersecurity Improvement Plan based on the findings? With this intel in hand, investors can then explore questions such as:
Investors should evaluate how data is being managed within the target company to uncover risks and opportunities associated with the investment. Questions to ask include:
The target company’s IT leadership should have strong business acumen and a clear focus on business value creation. To gauge leadership capabilities, Investors should ask:
The days are long gone when leaders could run a business without IT. PE investors know that if IT does not adequately support the portfolio company, value creation may not go as planned, and their investment may be at risk.
IT is not peripheral—it is core to the success of any investment. Doing the diligence to see whether the target company’s IT function will help or hinder the achievement of the investment thesis is critical to making sure deals are done right.