J O U R N A L ON L I N E 1

FEATURE
W
hen one business acquires another, the prudent
executive needs to consider the overall strategic fit,
but the integration of the information technology
(IT) function across the two disparate entities can also have a
significant effect on the value and effectiveness of the
acquisition. Acquiring a company with a dysfunctional IT
function could mean significant extra costs involved in fixing
the IT issues that have not been taken into consideration in the
acquisition costs. The acquiring company must also decide
how to integrate the acquired companys IT after the
acquisition. If the two companies have incompatible systems,
additional costs may be incurred in merging them.
Research by Yaakov Weber and Nava Pliskin suggests that,
after controlling for the influence of corporate culture,
integration of IT in mergers and acquisitions contributes to the
effectiveness of mergers among companies that make
substantial use of IT.
1
This is significant, because mergers and
acquisitions in general frequently fail to produce the gains in
profitability and market share that investors expect.
2
Unfortunately, the assessment of IT fitness of an acquisition
target continues to be neglected in evaluating the acquisition
target. However strategically sound the acquisition may seem
in financial terms, having to deal with IT problems after the
fact may bring to the surface many additional costs not
accounted for initially. Failure to integrate the IT systems of
the two companies can cause critical operational problems in
the combined entity. Unanticipated IT difficulties can produce
significant deviations from expected acquisition results,
sometimes determining the ultimate success or failure of the
acquisition. An Accenture Consulting study of IT integration
in 57 mergers and acquisitions conducted from 1997 to 1999,
showed that 42 percent of respondents conducted no IT due
diligence before the acquisitionbut the respondents who
performed due diligence produced higher return on sales,
assets and net worth.
3
Therefore, the chief financial officer (CFO) and the IT
manager of the acquiring organization have good reason to
complete a due diligence assessment of the acquisition targets
IT function. Research also suggests that most firms that
conduct repeated acquisitions incur further opportunity costs
by not retaining information from the acquisition process.
4
Organizational learning can provide significant value if
companies that grow by acquisition perform IT due diligence
in-house. However, there is no well-established method of
doing such an assessment.
This article proposes the Information Technology Assessment
Due Diligence (ITADD) framework to guide managers of
acquiring firms in evaluating the IT function of potential
acquisition targets. The development of ITADD is supported by
assessment frameworks used in IT auditing, published articles in
practitioner resources, and advice from professionals with
merger experience and academic expertise. To develop ITADD,
Control Objectives for Information and related Technology
(COBIT), the IT Infrastructure Library (ITIL) and the Committee
of Sponsoring Organizations of the Treadway Commission
(COSO) frameworks were examined for pertinent material,
drawing particularly from COBIT and COSO. Next, practitioner
sites, such as ISACA and Protivitis KnowledgeLeader, were
searched for relevant articles. Individuals and companies who
requested confidentiality contributed examples and sample
documents from actual acquisition projects. The resulting
framework is described below.
ITADD Framework
ITADD examines IT acquisition due diligence tasks in
terms of what needs to be done in the premerger and
postmerger phases.
The purpose of the premerger phase is to determine what
aspects of the acquisition targets IT function have implications
that should be understood before the acquisition. Premerger
assessment tools of ITADD enable the acquiring company to
get a practical feel for the target organizations IT function and
evaluate how much value it adds to or takes away from the
acquisition. For example, if the acquisition target has
significant software licensing issues, this can increase the total
cost of the acquisition.
During the postmerger phase, the IT manager should
systematically evaluate the acquired companys IT function in
detail. He/she should identify all significant risks that need to be
mitigated, including compliance, operational and strategic risks,
so the IT function of the acquired company can be relied on to
meet the acquiring companys business objectives. ITADD
includes a standardized format for taking stock of the IT assets,
and a detailed program for audit of the IT function designed to
bring to light significant issues that need to be addressed to
align the IT strategy with the companys strategic objectives.
ITADD consists of a conceptual framework that is applied
throughout the acquisition process, and a rich set of toolsthe
ITADD Toolkitthat can be used to apply the framework
during the pre- and postacquisition phases.
A Framework for Conducting IT Due Diligence
in Mergers and Acquisitions
By Barrett Sundberg, Zheng-Da Tan, Trey Baublits, Hae-Joon Lee,
Grant Stanis and Huseyin Tanriverdi
J O U R N A L ON L I N E 2
ITADD Conceptual Framework
The conceptual framework identifies critical areas of the
acquired companys IT function that the acquiring company
needs to evaluate. It contains five domains, as shown in
figure 1.
The order in which these domains are shown reflects the
relationships among them. The bottom layer, IT assets,
represents the physical means of implementing the operations.
Operations, a more comprehensive category, includes all
processes by which the IT function provides normal daily
services to the organization. Human capital is placed above
operations, because personnel conduct the operations and have
responsibility for operations design and control. Business
continuity is next, because a good business continuity plan
allows the business to continue even if a catastrophe occurs
that eliminates the IT assets, operations and human capital in a
particular location. Strategy support is on top because of
COBITs guidance, which states that IT strategies must support
the businesss objectives; the other domains are means of
supporting the IT strategy.
Implementation: The ITADD Toolkit
ITADD presumes that an IT assessor (a manager or IT
auditor in the acquiring company) will take responsibility for
assessing the acquired company. ITADD provides a set of
documents called the ITADD Toolkit to be used step-by-step in
conducting the assessment and reporting the results to upper
management. The complete ITADD Toolkit is available for use
at http://groups.yahoo.com/group/itadd.
The individual documents used during the premerger phase
are briefly described in the next section, followed by a
description of the documents used in the postmerger assessment.
ITADD Toolkit: Premerger Phase
Documents used during the premerger phase include:
Preacquisition templateThis functions as the assessors
guide to the premerger phase, describing all areas in which
information must be sought. This Microsoft Word document
lists key questions for examining each of the frameworks
domains. The assessor should obtain answers to as many of
the questions as possible, and can record the information
directly in the template.
QuestionnairesThe objective of the questionnaires is to
facilitate rapid gathering of information. Each assessment
category in the premerger phase has a corresponding
questionnaire that can be individually distributed to
informative personnel at the acquisition target as an e-mail,
download, fax or printed hard copy. The questionnaires
supplement the other methods the assessor may use to obtain
information, such as walk-throughs, telephone interviews,
review of documents from the target and e-mails that include
specific questions. Due to the time pressures of a typical
acquisition, facts are often accidentally omitted, so it is good
to use as wide a range of methods as possible.
ITADD dashboardThe dashboard is an Excel spreadsheet
providing a numeric summary of the assessors judgments
about the fitness of the acquisition targets IT. It consists of
13 questions, each representing a significant aspect of the
assessment categories in the premerger (and, therefore, of the
domains in the pyramid). Having completed this phase, the
assessor rates the targets IT on a scale of one to five for each
question, where five represents excellence. The dashboard
weighs and sums the ratings to produce a scale of 20 to 100,
where 100 represents a well-run IT function positioned for
high reliability and smooth integration, and 20 represents a
risky IT function likely to cause many problems in the
integration process (see figure 2).
Preacquisition report templateThe IT assessor should
provide management a short report summarizing the IT risks
and fitness of the acquisition target. The report template
provides a source document and illustrative examples.
ITADD Toolkit: Postmerger Phase
Documents in the postmerger phase include:
Postacquisition templateThis template is the IT assessors
guide to evaluating the IT function of the acquired company
after the acquisition is complete. Its purpose is to acquire all
information needed to complete a detailed evaluation of the
acquired companys IT function. The goal of this postmerger
analysis is to determine what steps should be taken to reduce
IT-related risks and promote successful integration of the
acquired company.
The template contains separate tabs for each area that the
assessor should investigate after the new company is
acquired. The current iteration of ITADD assumes that the
parent company will conduct a fuller integration of systems
in the end, but that the acquired company will need to able to
function on its own most of the time during the first year,
because full integration of IT between companies may not
happen immediately.
Strategy
Support
Business
Continuity
Human Capital
Operations
IT Assets
Figure 1The ITADD Pyramid
3 J O U R N A L ON L I N E
Five tabs in the post list operational issues that should be
assessed to determine what improvements, if any, are
necessary to ensure the acquisitions short-term reliability:
IT control environment
Program development
Program changes
Access to programs and data
Computer operations
Each of these operational tabs includes several sets of
questions. Each set of questions addresses an issue that should
be examined, and each issue has several specific questions
investigating particular points. Each tab is formatted so the
user can easily input responses, reference documents and
conclusions about actions that need to be taken.
The template also includes seven inventory tabs. Each tab is
a tool for recording different information about a type of
asset that should be evaluated in the acquired company:
End-user software
Hardware
Server software
Systems
Facilities locations (FAC)
Facilities inventory template (tab can be duplicated for
evaluation of physical infrastructure in each location)
FAC Inventory Location 1 (tab prepared for first location)
The assessor should use the operational tabs as a guide for
covering all issues pertinent to short-term operational
reliability of the acquired company. The inventory tabs
should make recording all needed inventory data as easy as
possible.
Post acquisition report templateOnce the assessor has
gathered the necessary information, he/she should again
provide a report to management summarizing the IT status of
the acquisition. This postacquisition report should address all
steps that should be taken to resolve compliance issues and
ensure stable operation during the first year. It should also
mention any specific points that are likely to be of interest to
management.
Conclusion
The ITADD framework provides IT managers and staff with
a focused method of conducting due diligence assessment of
the IT function in companies that are the targets of corporate
mergers and acquisitions. No previous framework has been
established in the IT community that evaluates the IT aspect of
mergers and acquisitions, even though research suggests that
significant business value can be harvested by firms that
successfully perform such due diligence. Effective IT
integration can increase profitability of mergers,
5
and IT
assessment due diligence has been directly related to higher
return on sales, assets and net worth. Yet, many companies still
do not perform it.
6
ITADD allows managers to provide several value
propositions for their companies. Better valuation of the
targets IT assets can provide information that is useful as
bargaining leverage, and contribute to negotiation strategy.
Early detection of potential IT integration problems can
contribute to negotiation strategy as well as operational
Figure 2ITADD Dashboard
Raw
ITADD Question Score Weighted
Domain Category Assessment Criteria (1-5) Score
Strategy Organizational Integrity Is IT adequately funded? 3 3
Support Organizational Integrity Is the IS department, including e-commerce, adequately meeting 2 4
business needs?
Business Continuity Practices Are operational practices adequate to ensure business continuity? 3 3
Business Data Integrity Are information capture, processing, storage and reporting controls 4 4
Continuity adequate to ensure reliable financial reporting?
PPE/Data Center Security Are data center business continuity controls adequate to ensure 3 6
continuity of operations?
Human Capital Are key IT staff members competent to support the business 4 8
Human after acquisition?
Capital Human Capital Would the departure of key personnel create significant business 2 2
continuity issues?
Systems Administration Are key operational responsibilities being discharged? 3 6
Operations
Systems Administration Are capacity and performance adequate to business needs? 3 6
Network Security Has the network architecture been designed and deployed such that it 2 4
provides adequate security?
Hardware Is hardware infrastructure sufficiently capable and up to date to support 3 3
IT Assets
the business?
Application Software Are the primary and dependent business applications functioning 3 3
adequately?
Application Software Are corporate and end-user software licensed and adequately maintained? 2 4
ITADD INDEX: 56
J O U R N A L ON L I N E 4
strategy. Reducing risk of regulatory compliance issues
provides additional value after the acquisition is complete.
Most important, effective assessment enables a successful
integration of the two companies IT functions, providing an
enduring basis for the profitability gains expected by investors
and upper management. ITADDs conceptual framework and
rich toolkit of documents allow managers to perform timely,
effective due diligence assessments of acquisition targets IT
environments. In short, managers who apply ITADD can
harvest significant business value for their firms.
Authors Note
The ITADD framework was developed by Barrett Sundberg,
Zheng-Da Tan, Trey Baublits, Hae-Joon Lee and Grant Stanis
as part of a student project in the IT Audit and Security Course
at the Red McCombs Business School of the University of
Texas at Austin (USA). The project was completed under the
professional supervision of John Freeman and the academic
supervision of Professor Hseyin Tanriverdi. The project won
the Best Student Project Award of the Austin (Texas, USA)
Chapter of ISACA during the fall semester of 2005.
References
Due Diligence Checklist (XI. Information Systems
Organization and Staffing), www.knowledgeleader.com/
InternalAudit/website.nsf/content/ChecklistsGuidesDueDiligen
ceChecklist!OpenDocuments#XI
Hunton, James E.; Stephanie M. Bryant; Nancy A. Bagranoff;
Core Concepts of Information Technology Auditing, John
Wiley & Sons, 2004.
IT Governance Institute, IT Control Objectives for Sarbanes-
Oxley, www.isaca.org/sox, 2004
Protiviti, Work Programs on IT Application Management, IT
Asset Management, IT Data Management, IT Operations
Management, IT Organization and IT Strategy Management,
www.knowledgeleader.com/InternalAudit/website.nsf/content/W
orkProgramsAllWorkPrograms-ByTitle!OpenDocument
Endnotes
1
Weber, Yaakov; Nava Pliskin; The Effects of Information
Systems Integration and Organizational Culture on a Firms
Effectiveness, Information and Management, vol. 30, 1996,
p. 81-90
2
Merali, Yasmin; Peter McKiernan; The Strategic Positioning
of Information Systems in Post-acquisition Management,
Journal of Strategic Information Systems, vol. 2, no. 2, 1993
3
Chang, Richard A.; Gary A. Curtis; Justin Jenk; The Keys to
the Kingdom: How an Integrated IT Capability Can Increase
Your Odds of M&A Success, www.accenture.com, 2002
4
Op. cit., Merali
5
Power, Richard; Dario Forte; Sarbanes-Oxley: Maybe a
Blessing, Maybe a Curse, Computer Fraud and Security,
September 2005
6
Op. cit., Weber
7
Op. cit., Chang
Barrett Sundberg
set up the preventive maintenance assignment and tracking
software for Austin (Texas, USA) Bergstrom International
Airport during his five years of service with the City of Austin.
Zheng-Da Tan
has five years experience in UNIX system administration and
managing data center operations. He is a Red Hat Certified
Engineer and Sun Certified System Administrator.
Trey Baublits
is an associate with the Business Risk Services group of Ernst
& Young. He has two years of experience as an associate for
Accountware LLC, an accounting consultancy in Austin.
Hae-Joon Lee
is an associate auditor at PricewaterhouseCoopers.
Grant Stanis
will start work for the Transaction Services group of
PricewaterhouseCoopers in the third quarter of 2007. He is a
student at the University of Texas at Austin, and works for
State Senator Florence Shapiro. His previous work experience
includes an internship with Deloitte and Touche.
Huseyin Tanriverdi
is an assistant professor at the University of Texas at Austin.
He teaches IT audit, security and business data
communications courses and researches risk/return
implications of IT and business strategies.