IT Due Diligence – 6 Key Considerations for Private Equity Investors

When private equity investors evaluate whether to acquire a target, assessing IT can be a challenge, especially in today’s dynamic technology landscape.

Ultimately, value creation is at the heart of any investment thesis, and looking at IT from a “business relevance” standpoint is critical to making sound investments. This requires viewing IT as a driver of the broader organization and examining how effectively and efficiently it enables operations and corporate functions. An IT due diligence partner can provide PE investors with this critical business-driven insight, leveraging the following best practices:

Zoom Out to Zoom In

Performing IT due diligence goes far beyond counting IT assets. It instead seeks to broadly and comprehensively evaluate the target’s current state of IT capabilities and solutions to determine whether it will help enable the achievement of the investment thesis. This will help set the stage for successful integration down the line. PE investors should take a “business first” approach to the IT evaluation, asking the following questions:

    • Has the target invested appropriately in IT?
    • Are applications that support critical business functions scalable with the company’s planned growth?
    • Does corporate management have the capability to effectively manage IT costs and planned investments?
    • How does the target manage sensitive customer and employee data?
    • What critical exposures does the company have to cyberattacks or other existential threats?
    • Does the target have a strategy in place to protect critical processes and intellectual property?
    • What is the level and quality of integration of historically acquired businesses?

Uncover Value Through Benchmarking

To understand whether the target’s IT solutions and capabilities are suited to the long-term investment vision, it can be helpful to compare against companies of similar scope or stage in their lifecycle.

Benchmarking against common-sized firms can offer data-backed insights to help PE investors form connections between risks and opportunities. It is critical to review IT strengths, weaknesses and opportunities of portfolio companies through a combination of analytical tools and forward-looking industry perspective. Armed with this intel, PE investors can gain a customized understanding of the business-specific impact of existing IT, the short and long-term risk propositions, and the context within which both exist—all while assessing and confirming value.

Evaluate ERP System Effectiveness

After conducting a deep exploration of the target company’s overarching IT vision and goals and ensuring standardization is a core strategic tenant, evaluating the organization’s current ERP system is a critical next step. ERP systems sit at the center of the IT universe, making them either an essential driver of value or a major roadblock in an acquisition investment. As part of the diligence process, PE investors should do a “health check” of the target’s current ERP system, keeping the following questions front and center.

    • Are applications and database performance interfering with operations or customer needs?
    • Is the ERP system sophisticated enough to support the target’s post-close evolution into a strong platform for integration? Can it support bolt-on acquisitions?
    • If target is a multi-business unit, are ERP solutions standardized across the business and scalable to support strategic growth?

In the event that the target company does not have an ERP system in place, investors should look to determine whether or not their IT infrastructure is enabling key business practices and effective data use.

Scope Out Cybersecurity

Conducting a full cybersecurity audit of the target prior to purchase is not always necessary or strategic, as they are often costly and time consuming. Before moving forward with a deal, however, PE investors must find out how the target is managing cybersecurity, including key capabilities and areas of risk, and whether the business is a sound investment.

Finding out whether the target has engaged a third party for a cybersecurity audit in the last year and/or developed a multi-year prioritized Cybersecurity Improvement Plan based on the findings is the most important step to take. With that intel in hand, investors can then explore questions such as:

    • Does the team include members with cybersecurity certifications?
    • Are there plans in place to help detect, respond to, and recover from security incidents?
    • How robust are protection policies? Is data encryption required?
    • Are there tools and methods in place to prevent and detect insider and external threats?

Assess Data Management

PE investors should evaluate how data is being managed within the target company to uncover risks and opportunities associated with the acquisition investment. Questions to ask include:

    • Where is data stored?
    • Has master data cleansing been initiated?
    • Is data regularly backed up?

Gauge Strength of IT Leadership

The target company’s IT leadership should have strong business acumen and a clear focus on business value creation. To gauge leadership capabilities, PE investors should ask:

    • Does the IT team work together in an open and collaborative manner?
    • Is the IT team right-sized for effectiveness?
    • Does the IT team select solutions that are aligned with the broader IT strategy and track progress against business value-based KPIs?

The days are long gone when leaders could run a business without IT. PE investors know that if IT does not adequately support the portfolio company, value creation may not go as planned, and their investment may be at risk.

IT is not peripheral—it’s core to the success of any investment. Doing the diligence to see whether the target company’s IT function will help or hinder the achievement of the investment thesis is critical to making sure deals are done right.

Download this insight



Managing Director